Notes from the IAPP Europe: GDPR anniversary, 2025 annual reports and looking ahead

May 2026 marks a special occasion for data protection. Ten years ago, 24 May 2016, the EU General Data Protection Regulation entered into force. 

The world's most comprehensive data protection law has served as a foundation for national privacy laws in many countries over the past 10 years. Free flows of personal data have been established, challenged and re-established. Various GDPR concepts and obligations have been, and continue to be, clarified and once again questioned. 

For instance, the discussion over the key concept of the law — personal data — carries on even today. It was addressed in last year's judgment from the Court of Justice of the European Union in the European Data Protection Supervisor v. the Single Resolution Board and is at the center of the debate concerning the Digital Omnibus Regulation proposal, which is currently moving through the EU's legislative process.

A decade later, some questions about the GDPR remain the same, but many new points of contention continue to emerge, as the digital sector touches upon more and more aspects of life, and digital policies and laws become more complex and interconnected than anyone could have imagined 10 years ago. 

Many significant developments took place since the beginning of the GDPR's existence. With the EU's ever-growing digital rulebook, it remains to be seen how the area of data protection will evolve not only in Europe but around the globe throughout the next 10 years.   

2025 annual reports

Over the past month, European data protection authorities published annual reports overviewing their 2025 activities. 

At the EU level, the EDPS highlighted its focus on artificial intelligence, with the establishment of a specialized unit and the AI regulatory sandbox pilot project for testing AI systems by EU institutions, as well as preparations for its role as a market surveillance authority under the EU AI Act. 

The EDPS's increasing involvement in cybersecurity-related issues is also noted due to its membership in the Inter-Institutional Cybersecurity Board. 2025 was a record-breaking year for the EDPS, as it produced advice on 145 legislative consultations. In addition, the EDPS also organized events focused on topics such as enhancing cross-regulatory coherence.

In the 2025 report from Norway's data protection authority, the Datatilsynet, the implications of AI are seen not only from its activities, such as its guidance on opting out of personal data processing for AI training, but also from the increasing use of AI tools in complaints, resulting in their complexity. 

The report by Spain's data protection authority, the Agencia Española de Protección de Datos, also showcases a record, as the DPA received the most complaints in its history throughout 2025 — over 30,000. The AEPD notes its workload is increasing not only due to the number of cases but also their growing complexity. The AEPD has also issued more fines and warnings issued than in the year before, especially in the area concerning health, with an increase of 278 percent.  

In its 2025 report, the Czech Republic's DPA, Úřad pro ochranu osobních údajů, also notes the growing strain on its workforce due to the increasing complexity of cases. 

The 2025 report by France's DPA, the Commission nationale de l'informatique et des libertés, provides an overview of the regulator's activities. It saw the same trends as other European DPAs —  a rise in complex complaints and fines issued, both being record high. Last year, the CNIL also received the highest amount of personal data breach notifications in its history.

On the horizon

The future of Europe's digital policy world looks busy. After a few delays, the European Commission is expected to publish its tech sovereignty package 3 June, which will include the EU Cloud and AI Development Act proposal aiming to strengthen Europe's digital infrastructure by increasing its data center capacity. 

On 10 June, Ireland is scheduled to publish the official priorities during its six-month long presidency of the Council of the EU. Starting 1 July, Ireland will be chairing Council meetings and coordinating its work. The Irish Presidency will also kick off a new presidency trio period with Lithuania and Greece covering 2027. 

European Commission President Ursula von der Leyen recently hinted that a proposal for an EU-wide social media restriction or ban for children may be coming this summer.

As the review period of the 2019 Copyright Directive approaches, the European Commission is asking stakeholders to submit feedback in connection to a proposal that may be coming early next year. This legislative initiative will concern creative content licensing for AI training to ensure proper remuneration for creators in today's digital age. 

The U.K.'s Data (Use and Access) Act is coming into force 19 June. To help companies prepare for the new law, the U.K.'s Information Commissioner published a reminder urging them to establish a new data protection complaints process on time.