ePrivacy Regulation Finally Adopted
The long-delayed ePrivacy Regulation, stalled since 2017, may finally reach agreement in 2025–2026. It would replace the Cookie Directive, and the fragmented national cookie laws currently in force, with stricter rules on electronic communications metadata. The regulation has been blocked primarily by disagreements over metadata retention and the legitimate interests basis for communications data.
Expanded Rights Over AI-Processed Personal Data
As the EU AI Act takes full effect through 2026, regulators are expected to issue joint guidance clarifying how GDPR rights — particularly Article 22 on automated decision-making — apply to high-risk AI systems. Individuals may gain stronger rights to contest algorithmic decisions in employment, credit, and healthcare contexts. The EDPB and EU AI Office are both working on coordinated guidance.
DPA Cross-Border Enforcement Overhaul
The one-stop-shop mechanism has drawn sustained criticism — particularly the Irish DPC's handling of Big Tech cases. The European Commission published its GDPR evaluation in 2023, and is expected to propose procedural reforms in 2025 to accelerate cross-border enforcement and reduce the bottleneck at lead supervisory authorities. Potential changes include stricter timelines and stronger EDPB override powers.
Schrems III: New Challenge to EU–US Data Flows
The EU–US Data Privacy Framework adopted in July 2023 already faces scrutiny from privacy advocates including Max Schrems and NOYB. A formal CJEU challenge is widely anticipated. If the court finds the framework inadequate — as it did with Safe Harbour (Schrems I, 2015) and Privacy Shield (Schrems II, 2020) — it would again disrupt cloud services and transatlantic business operations.
Stricter Age Verification Requirements EU-Wide
Following Ireland's major fine against Meta over children's data (Instagram, 2022), and broader DSA enforcement, expect new EU-wide standards for age verification and parental consent mechanisms. The EDPB has signalled children's data as a top enforcement priority for 2025. Coordinated enforcement actions across multiple DPAs are expected, potentially targeting social media platforms and gaming companies.
First €2 Billion+ GDPR Fine
With Meta's €1.2B fine setting a record in 2023, and multiple open investigations into Big Tech advertising ecosystems, a fine crossing the €2 billion threshold is plausible before 2027. This would require a proven Article 83(5) violation (systematic and intentional processing in breach of fundamental GDPR principles) by a company large enough that a fine of 4% of its global annual turnover reaches this level.