European and UK data protection regimes are entering a period of incremental but significant change, led by the implementation of the UK’s Data (Use and Access) Act 2025 and the European Commission’s Digital Omnibus Package. Three new statutory instruments made on 15 December 2025, 15 January and 29 January have brought into force nearly all remaining provisions of the Data (Use and Access) Act 2025, including relaxations around automated decision making and cookies and expanded enforcement powers for the Information Commissioner’s Office. The new requirement for controllers to introduce a complaints procedure is expected to take effect in June 2026. In parallel, the Digital Omnibus Package launched on 19 November 2025 proposes targeted amendments to the EU General Data Protection Regulation, including changes to the data breach notification regime, the definition of personal data, a new exemption to data subject access requests and explicit reliance on legitimate interest for personal data processing in the context of Artificial Intelligence development and operation, alongside a GDPR Procedural Regulation set to apply from 2 April 2027.
Cross-border data flows remain a central focus. In December 2025 the European Commission renewed the two EU adequacy decisions for the UK under the GDPR and the Law Enforcement Directive, which will now run until 27 December 2031 with the possibility for further renewal, and also adopted mutual adequacy decisions with Brazil to allow the free exchange of data between those jurisdictions. At the same time, the EU’s adequacy finding for the US faces renewed legal scrutiny, as the Court of Justice of the European Union has accepted French MP Philippe Latombe’s appeal against the dismissal of his challenge to the EU-US Data Privacy Framework. Meanwhile, case law such as Russmedia C-492/23 tightens joint controller obligations on platforms hosting third-party adverts, requiring pre-publication checks on sensitive data and robust security to prevent unlawful copying. The European Data Protection Board and European Data Protection Supervisor broadly support the Omnibus simplification goals but warn that narrowing the definition of personal data would go “far beyond a technical modification” and raise concerns about new exceptions for special category data, including in relation to Artificial Intelligence and biometric authentication.
Regulatory enforcement and guidance activity is intensifying, particularly around cyber security and children’s data. Password manager LastPass UK Ltd has been fined £1.2 million following a breach impacting the personal data of up to 1.6 million UK users. Post Office Limited received a reprimand after a breach involving 502 litigants’ details, with an indicated fine of £1.094 million absent the public sector approach, and the ICO has launched a cross-border investigation into a Prospect trade union breach affecting 160,000 members. Recent EU fines include €10,043,00 against Spanish airport operator Aena, €42 million against Free Mobile and Free, €3.5 million against an unnamed French company, €1.7 million against Nexpublica France, €5 million against Travail and €4.5 million against a Croatian telecommunications operator. Children’s privacy enforcement has escalated with a formal investigation into X Internet Unlimited Company and X.AI LLC over use of the Grok artificial intelligence system, a £247,590 fine against MediaLab.AI Inc and a £14.47 million fine against Reddit, Inc, alongside updated ICO guidance on international transfers, data subject access requests and agentic Artificial Intelligence. Beyond Europe, Vietnam’s new Personal Data Protection Law No. 91/2025/QH15 and Decree 356/2025/ND-CP, effective from 1 January 2026, consolidate fragmented rules and introduce concepts such as de-identification and encryption of personal data. They also tighten consent and lawful bases, formalise cross-border transfer impact assessments within 60 days of transfer initiation and define permitted transfers, while leaving some ambiguity that will require further governmental clarification.
