GDPR at Eight: Then, Now and What’s Coming Next
Introduction
Eight years ago, on 25 May 2018, the General Data Protection Regulation (GDPR) became applicable across the European Union (EU). Organisations scrambled to update their privacy notices and complete data mapping exercises, and regulators sharpened their pencils. But the GDPR was never going to stand still.
The GDPR is no longer new, but it is very much still evolving. The EU Commission, working through a new legislative proposal, the Digital Omnibus, intends to soften some of its rules to make them more business friendly. Meanwhile, enforcement is intensifying: 2025 was a record year for fines, with more than 400 issued. In this article, we work through the ten most important GDPR developments from the past year and what organisations need to watch in the months ahead.
1. The Digital Omnibus
Over the last decade, in addition to the GDPR, the EU has launched an unprecedented constellation of digital laws such as the AI Act, the Data Act, the NIS2 Directive, the Cyber Resilience Act, the Digital Operational Resilience Act (DORA), the Digital Services Act (DSA), the Digital Markets Act (DMA) and more, which together, aim to form a framework to protect fundamental rights, promote trustworthy technology and level the playing field. However, in practice, the cumulative effect has been one of regulatory blur with overlapping scopes, inconsistent definitions, parallel reporting channels, fragmented enforcement and difficult interfaces between regimes.
The EU Commission proposed the Digital Omnibus in November 2025 to reduce, deconflict and streamline the regulatory burden. The result was an ambitious legislative proposal seeking to simplify and modernise several digital regulations simultaneously – including the GDPR itself.
What to watch: The proposal is still under negotiation in the EU legislative process. The most recent version of the Presidency compromise text is dated 21 May 2026, though it had not yet been officially published at the time of this blog post. The Digital Omnibus proposal cuts across multiple GDPR obligations as explained below – from the definition of personal data to legal basis, automated decision-making, cookies and data breach notifications.
2. The definition of personal data
The definition of personal data sits at the very heart of the GDPR: if data is not personal, the GDPR does not apply. The baseline position is that personal data is information related to an identified or identifiable natural person.
The EU Commission’s Digital Omnibus proposal intervened in this foundational question in a way that generated immediate and significant controversy. The EU Commission’s proposal intended to narrow that definition, claiming to translate Court of Justice of the EU (CJEU) case law into the letter of the law. This would have shifted the test from a risk-based to a capability-based approach, focused on the specific controller’s means rather than what any third party could do.
The European Data Protection Board (EDPB) and European Data Protection Supervisor, in their Joint Opinion, argued that the proposal misstates CJEU case law and risks “architecture gaming” to escape the GDPR’s scope. The pushback worked. The May 2026 Presidency proposal deleted the proposed redefinition entirely.
What to watch: The definition of personal data has not changed yet. For now, organisations should continue to apply the existing risk-based, context-sensitive framework. Any future change would need to be monitored closely, as it would have cascading effects on data mapping and compliance program scope.
3. Legal basis
Selecting and documenting the correct legal basis has always been a cornerstone of GDPR compliance. The Digital Omnibus proposal has focused particular attention on a long-standing challenge under the GDPR: the use of personal data for AI and machine learning model training, an area in which the GDPR provides no explicit legal basis.
The EU Commission’s proposal would explicitly recognise legitimate interest as a lawful basis for AI development and operations. However, this recognition comes with meaningful guardrails: a balancing test (a Legitimate Interest Assessment, LIA) would still be required, and individuals would retain an unconditional right to object. The proposal would also add a new Article 9 condition permitting residual processing of special category data where removing that data would be unreasonably burdensome, provided appropriate safeguards are in place.
What to watch: Organisations using AI in their processing should conduct a rigorous LIA, under the existing framework. A statutory recognition of legitimate interest for AI training would represent useful certainty, but only if the final text preserves the safeguards proposed alongside it.
4. Automated decision-making
The entire structure of Article 22 has been proposed for reformulation – moving away from a “right not to be subject to automated decision-making”, toward a permission-based framework, where automated decision-making would be permissible under stated conditions.
More specifically, the proposed Digital Omnibus text directly states when automated decisions may occur. When evaluating whether an automated decision is “necessary” for a contract, controllers would not need to show that only an automated process could make the decision – the fact that a human could make the same decision would not, by itself, prevent use of an automated process.
Supervisory authorities have historically read the necessity requirement restrictively, in some cases requiring organisations to show that a human could not reasonably have carried out the decision process instead. The proposed changes would have softened this considerably.
However, the latest Presidency draft is moving back toward a more restrictive approach, not following the initial EU Commission proposal that many had hoped would make it easier to implement AI-powered solutions.
What to watch: Organisations deploying AI in contexts that affect individuals – credit scoring, hiring, personalised content, medical triage – should ensure that their Article 22 analysis is current and that governance frameworks are fully documented. The final Digital Omnibus text will be critical here.
5. Cookies
For more than a decade, the European legislator has been trying to reform the ePrivacy Directive, a legal instrument that complements the GDPR by establishing specific rules for the confidentiality of electronic communications, governing issues such as tracking, monitoring and the use of cookies.
Successive legislative proposals to amend the ePrivacy Directive have always been withdrawn. The Digital Omnibus now proposes that certain activities that would involve access to the user’s terminal equipment or the processing of data through cookies would be integrated directly into the GDPR. The aim is to bring the same rules applicable throughout the EU in a harmonised, directly applicable regulation rather than a patchwork of differently transposed national laws.
The EU Commission’s proposal would create new consent exemptions for low-risk purposes and introduce standards for interpreting machine-readable signals expressing users’ choices, with the stated goal of reducing dependence on cookie banners and tackling consent fatigue.
One particularly significant proposed change concerns analytics. The processing of personal data for analytics or statistical purposes could be exempt from users’ consent requirements if certain conditions are met. One of the conditions would be that the data is directly collected by the controller itself or by a third party acting as a processor.
The Digital Omnibus proposal also codifies a number of consent rules that previously existed only as regulatory interpretation: withdrawing consent must be as easy as giving it; users must be given the opportunity to refuse; and controllers cannot immediately re-request consent after a user has declined. If written into the Regulation, these rules would bring greater legal certainty to the industry.
What to watch: Cookie rules will not disappear. The proposal would harmonise them and make them more practical, but organisations should not wait for the final Digital Omnibus text: audit your consent mechanisms against both the current law and the proposed new standards now.
6. EDPB guidelines
The EDPB is the EU’s overarching data protection body, comprised of representatives from each Member State’s national supervisory authority. Its core function is to foster consistency in the application of the GDPR across the EU. It also convenes to address areas requiring further clarity and issues guidelines, recommendations and opinions that help organisations understand how to interpret and comply with the Regulation in practice.
One might reasonably ask why organisations should pay attention to guidance that does not carry the force of statutory law. The answer is straightforward: EDPB guidelines are issued by the very same regulators that enforce the GDPR. They offer a direct window into how supervisory authorities read and apply the Regulation, and when a data protection authority conducts an audit or brings an enforcement action, it will measure compliance against the standards it has itself publicly articulated. Ignoring EDPB guidance is, in practical terms, a significant compliance risk.
The pipeline of recent and upcoming EDPB guidance is substantial and covers a broad range of sectors and issues including:
- Anonymisation: Guidelines on anonymisation have been announced, with further details expected in due course.
- Scientific research (Guidelines 1/2026): Currently open for public consultation until 25 June 2026, these guidelines address the processing of personal data for scientific research purposes. They are particularly relevant for the pharmaceutical and life sciences sectors, providing welcome clarity on consent requirements and the conditions under which personal data may be used for secondary research purposes.
- User accounts in ecommerce (Recommendations 2/2025): Public consultation closed on 12 February 2025. A key finding is that ecommerce operators must offer a guest checkout option alongside any account-based purchase flow – a practical compliance point for any business operating an online retail presence.
- DMA and GDPR interplay (Joint Guidelines): Public consultation closed on 4 December 2025, addressing the intersection between the DMA and the GDPR – an increasingly important interface as gatekeepers navigate dual regulatory obligations.
- DSA and GDPR interplay (Guidelines 3/2025): Public consultation closed on 31 October 2025, clarifying how the DSA and the GDPR interact for online platform operators.
What to watch: This body of guidance reflects the EDPB’s growing ambition to provide sector-specific and cross-regulatory clarity. Organisations would be well-advised to monitor, and where appropriate, engage with the consultation processes as they arise.
7. International data transfers
Under the GDPR, transfers of personal data to third countries outside the EU and international organisations are restricted unless specific conditions have been met. The European Commission has the power to determine whether a country outside the EU offers an adequate level of data protection. The adoption of an adequacy decision follows a structured process:
- The European Commission tables a proposal
- The EDPB issues an opinion
- Representatives of EU Member States give their approval
- The European Commission formally adopts the decision
Where an adequacy decision is in place, the effect is that personal data can flow from the EU to that third country without any further safeguards being necessary. The EU essentially treats transfers to those jurisdictions as equivalent to intra-EU transmissions of personal data.
Without an adequacy decision, organisations transferring personal data outside of the EU must enact alternative transfer mechanisms, most commonly Standard Contractual Clauses (SCCs) or Binding Corporate Rules (BCRs), each of which carries its own negotiation, implementation and ongoing compliance costs. An adequacy decision eliminates that burden entirely, simplifying cross-border data flows and reducing legal and regulatory risk.
Adequacy decisions are not permanent. The European Commission is required to periodically review them, and the EU Parliament and Council may at any time request the European Commission to maintain, amend or withdraw a decision on the grounds that it exceeds the implementing powers provided for in the GDPR.
Below, we outline the key developments relating to the renewal and adoption of new adequacy decisions, reflecting the European Commission’s continued efforts to expand and maintain the network of jurisdictions from which personal data may flow freely from the EU:
- UK: The UK’s adequacy status under both the GDPR and the Law Enforcement Directive was renewed in December 2025, ensuring continued free data flows and reflected in the EU Commission’s updated list of recognised jurisdictions.
- Brazil received an adequacy decision on 26 January 2026. The decision comes with mutual recognition: Brazil’s Autoridade Nacional de Proteção de Dados (ANPD) simultaneously adopted a resolution enabling free data flows in both directions. The decision covers both public and private sector transfers, making it broader in sectoral scope than Canada’s commercial-organisations-only adequacy finding and broader than the US approach, which is limited to Data Privacy Framework-certified organisations. A carve-out applies to transfers relating to national defence, state security or criminal investigation, and the decision will be reviewed every four years.
- European Patent Organisation: The European Patent Organisation (EPO) received an adequacy decision on 15 July 2025 – the first adequacy decision ever granted to an international organisation. This means that personal data can be transferred from the EU to the EPO without additional safeguards such as standard contractual clauses. As the EPO is not subject to the GDPR itself, adequacy was assessed on the basis of the EPO’s own data protection rules, adopted in June 2021, which were found to offer protection comparable to GDPR safeguards. The EPO is an intergovernmental organisation headquartered in Munich, Germany with 39 contracting states, and the adequacy decision is scoped specifically to transfers in the context of patent-related processing.
The European Commission has to date recognised adequacy for (as of May 2026): Andorra, Argentina, Brazil, Canada (commercial organisations), Faroe Islands, Guernsey, Israel, Isle of Man, Japan, Jersey, New Zealand, Republic of Korea, Switzerland, UK, the US (EU-US Data Privacy Framework), Uruguay and the EPO.
What to watch: For transfers to countries or international organisations not on the list, the standard contractual clauses remain the most widely used mechanism. Enforcement in this area has intensified, with the Irish Data Protection Commission regularly scrutinising companies that transfer personal data to countries such as China.
8. GDPR fines
Recent GDPR enforcement in Europe has entered an era of landmark penalties against major technology companies, with European supervisory authorities levying an estimated €1.2 billion in fines during 2025 alone. Cumulative sanctions since the GDPR came into force in 2018 now stand at approximately €7.1 billion. Individual penalties against leading platforms now routinely exceed €200 million, for infringements ranging from unlawful international transfers of user data to third countries offering inadequate protection, to the absence of a valid lawful basis for processing personal data for behavioural analysis and targeted advertising, to the placement of advertising cookies and display of personalised advertising without valid user consent. The pattern reflects sustained and escalating regulatory vigilance, with big technology firms accounting for the largest GDPR fines ever issued.
We see more coordinated action by the European supervisory authorities, a more streamlined approach to ensuring that fines stand up, and data protection authorities (DPAs) increasingly staffed with technical experts who can conduct granular reviews of processing activities. Enforcement is no longer simply reactive, triggered by a data subject complaint, but structural, with supervisory authorities proactively examining whether specific GDPR obligations are being met across sectors. One critically important and often overlooked point: fines are issued by supervisory authorities, not by judges. An organisation that receives a supervisory authority sanction decision has the right to appeal, and should at least seriously review whether an appeal is warranted.
What to watch: Take enforcement seriously, but also take your appellate rights seriously. A supervisory authority decision is not necessarily the final word.
9. Children’s privacy
Children’s privacy is arguably the defining topic of 2026 – and it is not a conversation happening only in the EU. In the UK, the US, and many other parts of the world, there is an intense focus on children’s privacy and the protection of children online.
In the EU, the primary legislative vehicle is the DSA. The UK equivalent is the Online Safety Act (OSA). Regulators are scrutinising online platforms used by minors with increasing rigour. Where regulators previously focused primarily on the removal of illegal content, the lens has now shifted significantly. Regulators are examining platform design and recommender systems, assessing whether platforms are addictive to children, checking whether age assurance or age verification mechanisms have been implemented, and reviewing whether platforms have incorporated dark patterns.
The EU Commission published guidelines on the protection of minors in July 2025. These guidelines are intended to serve as a key benchmark for the EU Commission when applying Article 28(1) of the DSA, particularly in supervisory actions involving very large online platforms (VLOPs) and very large online search engines (VLOSEs).
The guidelines require online platforms to conduct a risk assessment when determining the appropriate mechanisms for protecting minors, and clarify that self-declaration of age by users will not be sufficient to comply with the DSA. The EU Commission reiterated in 2026 stakeholder discussions that self-declaration is insufficient for online platforms hosting adult content.
The EU has also developed a transitional age-verification app, made available in late 2025, as an interim solution until the EU Digital Identity Wallet becomes operational in 2026 – though use of that app remains optional. Online platforms may use other age-assurance mechanisms, provided those mechanisms do not require collecting or processing more personal data than is already processed to determine whether a user is under 18, as referenced in Recital 71 of the DSA.
Companies are implementing more robust age verification solutions, typically provided by third-party specialists. But these mechanisms often collect biometric data, such as photographs or copies of identity cards or passports, raising significant GDPR concerns that organisations must address alongside their DSA obligations.
What to watch: For any organisation whose services may be accessed by minors, children’s privacy is now a priority compliance issue. Age assurance strategies must be designed with the GDPR’s obligations built in from the outset, not added as an afterthought.
10. Data breach notifications
The threat environment is deteriorating. Ransomware-driven breaches are surging, especially in healthcare, finance and public services. Supply chain compromises through third-party vendors are rising and AI-powered intrusion techniques are becoming more common.
The GDPR’s 72-hour notification requirement for personal data breaches has always been one of its most operationally demanding provisions. Determining whether a breach crosses the threshold for notification – to the supervisory authority, to affected individuals, or both – requires rapid assessment under significant time pressure. The picture has now become more complex with the introduction of the NIS2 Directive, DORA and the Cyber Resilience Act, which impose parallel notification obligations that do not always align neatly with the GDPR’s requirements.
For organisations subject to the NIS2 Directive, the Cyber Resilience Act or DORA on top of the GDPR, the notification requirements are even stricter: typically an early warning within 24 hours, followed by a fuller notification within 72 hours, with further reporting obligations (such as a final report) falling due later.
The Digital Omnibus may bring four meaningful changes under the GDPR:
- Raising the notification threshold so that only breaches likely to result in a high risk to individuals trigger notification
- Extending the notification deadline
- Channelling notifications through a single point of contact
- Introducing a harmonised notification template aimed at better aligning the GDPR with the NIS2 Directive, the Cyber Resilience Act and DORA
What to watch: Update your incident response plan under the law as it stands today. Plan for the overlapping requirements of the GDPR, the NIS2 Directive, DORA and the Cyber Resilience Act. Monitor the Digital Omnibus closely. If the notification threshold and single-reporting-point changes survive the legislative process, it would meaningfully reduce the operational burden of breach response.
Conclusion
The GDPR is not standing still; neither should your compliance program. Eight years in, the GDPR continues to reshape itself through enforcement, judicial decisions, regulatory guidance and legislative reform. The Digital Omnibus has the potential to be the most significant rewrite of the GDPR framework since it came into force, but political dynamics in Brussels remain fluid and the final outcome is genuinely uncertain.
For privacy and compliance professionals, this is demanding terrain. But understanding where the landscape is moving, and building the agility to respond, is precisely what allows you to move beyond simply reacting to enforcement.
This blog post is based on the Cooley DataWise webinar “GDPR Anniversary – 10 Things You Should Know About Last Year and What’s Coming Up This Year”, presented on 28 May 2026, by Patrick Van Eecke, Enrique Gallego Capdevila and Bartholomäus Regenhardt.
