Editor's note: The IAPP is policy neutral. We publish contributed opinion pieces to enable our members to hear a broad spectrum of views in our domains.
2026 has just started, but it has been anything but slow when it comes to developments in the digital field in the EU.
New Year's morning was met with an important EU General Data Protection Regulation-related milestone. Two and a half years after the European Commission's proposal, the GDPR Procedural Regulation entered into force 1 Jan. With this piece of legislation, the EU is hoping to resolve issues related to the GDPR's cross-border enforcement.
The law harmonizes conditions for admissibility of complaints, introduces a simple cooperation procedure for data protection authorities dealing with uncomplicated cases, sets a 15-month timeframe for resolving cases — with the possibility to extend by 12 months for highly complex cases — and clarifies procedural rights of both the complainant and the party under investigation. These changes will take effect 2 April 2027.
Also 1 Jan., Cyprus kicked off its six-month presidency of the Council of the European Union. The digital priorities of the current presidency remain similar to those of its predecessor, Denmark, with digital and technological sovereignty at the core, a strong focus on artificial intelligence, infrastructure and cybersecurity, as well as protection of children online.
There has also been progress with the EU's Digital Omnibus package, which was tabled 19 Nov. 2025. This is not surprising as it was included in the Joint Declaration on EU legislative priorities for 2026, which lists 13 legislative proposals that will be at the core of the EU institutions' focus this year.
The timing is evident, as the European Parliament's appointment of rapporteurs for both the Digital Omnibus on AI and the Digital Legislation Omnibus has accelerated. The European Data Protection Board and European Data Protection Supervisor also recently issued a joint opinion on the AI-focused proposal, welcoming the initiative while warning that it may weaken the protection of individuals. While they support EU-level AI sandboxes, the authorities are critical of delaying certain obligations for high-risk systems, such as those on transparency. They also caution not to weaken AI literacy obligations for providers and deployers and to add specific limits on using sensitive data for bias correction.
The joint opinion on the digital laws proposal is currently in the making and is expected in February. Time is really of the essence when it comes to this legislative project, especially the Digital Omnibus on AI, as it proposes delays to certain obligations that would otherwise kick in this August.
Most of the EU Data Act's obligations have been applicable for a few months now. Last year, the Commission released an FAQ and launched the Data Act Legal Helpdesk to aid with its implementation, but ambiguities persist. To help with further clarification, the Commission will publish guidance on the Data Act's definitions in the first quarter of 2026, for which it organized a virtual stakeholder workshop this January to identify the biggest confusion points.
The workshop focused on the six most ambiguous Chapter II definitions as identified by the Commission — data holder, user, product data, related service data, metadata and readily available data. Stakeholders also highlighted other definitions and concepts they find unclear, including data processing services and minimal management effort. Even with the upcoming guidance, the question remains of how much clarity can be expected before negotiations conclude on the Digital Omnibus proposal, which also includes amendments to the Data Act.
Not to forget another important occasion, the annual Data Protection Day celebration took place 28 Jan. This year, the EDPB dedicated the day to highlighting the importance of children's privacy.
Whether a coincidence or a psychic prediction, to commemorate Data Protection Day and bring awareness to the topic of privacy, the IAPP gifted a privacy costume to possibly the most famous child in Belgium — Manneken-Pis. In reality, the choice to focus on the privacy of minors is less mysterious. It has been a key topic over the past few years, with many ongoing and upcoming initiatives on improving the protection of children online, including the Digital Services Act guidelines, the regulation to prevent child sexual abuse material and the Digital Fairness Act.
Laura Pliauškaitė is European operations coordinator for the IAPP.
This article originally appeared in the Europe Data Protection Digest, a free weekly IAPP newsletter.


