European data protection authorities and institutions are intensifying activity across international data transfers, cybersecurity and enforcement. The European Commission has adopted an adequacy decision under Article 45 GDPR for Brazil, confirming that Brazil’s General Personal Data Protection Law offers protection essentially equivalent to the European Union framework and allowing personal data to flow from the European Union to Brazil without additional transfer mechanisms. Brazil has in turn adopted its own adequacy decision for transfers from Brazil to the European Union, setting up reciprocal data flows. The European Data Protection Board has also updated its Data Protection Framework FAQs, stressing that exporters must first verify a United States recipient’s self certification status and its scope, particularly for subsidiaries and HR data, and underlining that participation in the framework does not replace other GDPR duties.
Alongside cross border transfer developments, the European Commission has updated FAQs on the Data Act to clarify issues such as unfair terms in business to business data sharing, switching data processing services and interoperability, and has launched a new cybersecurity package including a proposal to revise the Cybersecurity Act. The revised act is intended to simplify certification schemes within 12 months and strengthen ENISA’s standard setting role, while targeted amendments to the NIS 2 directive aim to improve jurisdictional clarity, ransomware reporting and cross border supervision. At the same time, the European Data Protection Board and the European Data Protection Supervisor have issued a joint opinion on the proposal for the Digital Omnibus on Artificial Intelligence, warning that administrative simplification must not weaken fundamental rights, calling for strict limits on the expanded use of special category data for bias detection, and urging clarity on the role of market surveillance authorities while preserving the independence and powers of data protection authorities.
National regulators are complementing these policy moves with aggressive enforcement and new guidance, including around Artificial Intelligence. In France, the CNIL has issued multiple enforcement actions, including a €5 million fine against a governmental agency for a breach exposing jobseeker data over 20 years, a €3.5 million fine for unlawful sharing of loyalty program data for ad targeting without valid consent, and a combined €42 million penalty against a telecom operator after attackers accessed personal data linked to around 24 million subscriber contracts, coupled with remediation orders and deadlines. Germany’s authorities report that the authority of Lower Saxony received 4,022 complaints in 2025, which is a 70% increase from 2,361 the previous year, while the federal regulator has launched a “ReguLab” sandbox to de risk innovation and an appellate court has confirmed that third party analytics and ad providers can be liable for cookies set without valid consent. Sweden’s IMY has fined a digital sports platform SEK 6 million (approximately €520,000) after a breach affecting over 2.1 million individuals, and Spain’s AEPD has published a generative Artificial Intelligence governance framework and warned about sexualized and other high risk uses of third party images in Artificial Intelligence systems, including hidden risks from simple uploads. In the United Kingdom, the government has opened a three month consultation on children’s social media use alongside a contested proposal to raise the minimum social media age to 16, has formalized cooperation with the ICO through a memorandum of understanding, and the ICO has updated international transfer guidance, issued a report on agentic Artificial Intelligence with a statutory code on Artificial Intelligence and automated decision making in development and further guidance expected Q1 2026, and opened a formal investigation into a major social media and Artificial Intelligence provider over personal data processing and alleged harmful sexualized content, while Ofcom and the European Commission pursue parallel probes.
