ePrivacy Regulation Could Finally Be Adopted
The long-delayed ePrivacy Regulation, stalled since 2017, may finally reach agreement in 2025–2026. It would replace the Cookie Directive, and the fragmented national cookie laws currently in force, with stricter rules on electronic communications metadata. The regulation has been blocked primarily by disagreements over metadata retention and the legitimate interests basis for communications data.
How GDPR May Tighten Rules for AI Agents
As the EU AI Act rolls out, regulators are likely to clarify how GDPR applies to AI agents that profile people or make decisions. The focus will be legal basis, data minimization, transparency, and Article 22 safeguards for significant automated decisions. Expect stronger requirements for human review, clear user rights, and DPIAs before high-risk deployments.
DPA Cross-Border Enforcement Overhaul
The one-stop-shop mechanism has drawn sustained criticism — particularly the Irish DPC's handling of Big Tech cases. The European Commission published its GDPR evaluation in 2023, and a political agreement on additional procedural rules was reached in June 2025. The next phase is practical implementation, with likely follow-up guidance to accelerate cross-border enforcement and reduce bottlenecks at lead supervisory authorities.
Schrems III: New Challenge to EU–US Data Flows
The EU–US Data Privacy Framework adopted in July 2023 already faces scrutiny from privacy advocates including Max Schrems and NOYB. A formal CJEU challenge is widely anticipated. If the court finds the framework inadequate — as it did with Safe Harbour (Schrems I, 2015) and Privacy Shield (Schrems II, 2020) — it would again disrupt cloud services and transatlantic business operations.
Stricter Age Verification Requirements EU-Wide
Following Ireland's major fine against Meta over children's data (Instagram, 2022), and broader DSA enforcement, expect new EU-wide standards for age verification and parental consent mechanisms. The EDPB has signalled children's data as a top enforcement priority for 2025–2026. Coordinated enforcement actions across multiple DPAs are expected, potentially targeting social media platforms and gaming companies.
First €2 Billion+ GDPR Fine
With Meta's €1.2B fine setting a record in 2023, and multiple open investigations into Big Tech advertising ecosystems, a fine crossing the €2 billion threshold is plausible before 2027. This would require a proven Article 83(5) violation (systematic and intentional processing in breach of fundamental GDPR principles) by a company whose global annual turnover is large enough for a fine of 4% to reach this level.