Privacy regulators in Europe, the UK and Canada are applying existing data protection rules to a broader set of AI-related outputs, including behavioural profiles, algorithmic scores, biometric identifiers and emerging neuro-derived data. Greece, Belgium, France and Italy are treating reidentification risk and inferred attributes as central tests, while the UK is moving toward a more contextual assessment of identifiability.
Enforcement is becoming more operational and cross-disciplinary. Authorities are using audits, breach notifications and follow-up investigations to test whether organisations can show working governance, not just policies. France reported 83 sanctions totalling €486.8m in 2025, while Belgium and Greece have seen sharper scrutiny of data brokers, ransomware incidents, direct marketing and security failures.
Cross-border transfers remain unsettled as organisations combine the EU-US Data Privacy Framework, standard contractual clauses, transfer impact assessments, EU-based hosting and stronger vendor oversight. Privacy, cyber security and resilience regimes are also converging through GDPR, NIS2 and DORA, putting boards under greater pressure to approve controls, document decisions, rehearse incident response and manage supply chain risk before failures occur.
