Newsletter (118)

Mar

2026

Newsletter (118)

We have a bumper newsletter this time around, full of all sorts of goings-on in the world of data protection and the EDPS.

The start to 2026 has been very busy indeed.

We've issued joint opinions with the European Data Protection Board on both the Digital Omnibus and the AI Act. We've established rules to protect data protection officer independence within European institutions.

The Supervisor has penned blogposts on EDPS audits, the AI Act Correspondents Network, and the future of regulatory cooperation.

And we've even thrown in a few marquee events for good measure (not least Data Protection Day!).

Read on for of all this and more.

In this issue

New TechDispatch Talks podcast on digital identity wallets

EDPS joins a statement on AI-generated imagery and privacy

Trainees’ conference explores your data and air travel

AI Act: moving into practice

EDPS calls for stronger safeguards for interim CSAM rules

EDPS bolsters the DPO role in EU institutions

EDPS-EDPB on the Digital Omnibus: simplification must be balanced with fundamental rights

Looking back on Data Protection Day 2026

The future of cross-regulatory cooperation

EDPS and EDPB call for stronger safeguards in AI Act

Listen in: the TechSonar episodes

5 (good) reasons for an EDPS audit

EDPS supports measures against cross-border fraud, warns against boundary blurring in VAT access

Speeches of the EDPS

New TechDispatch Talks episode on digital identity wallets

In 2026, each EU Member State will offer citizens an official European Digital Identity Wallet (EUDIW). Our TechDispatch from December explored this topic in detail and our latest TechDispatch Talks episode looks again at this topic.

These podcasts explore the intersection of technology, data protection and privacy. Digital identity wallets could transform the way we prove who we are online and offline. Could it reduce data oversharing and profiling? Can we foresee the privacy and security risks?

Listen to it here

Revisit the TechDispatch here

EDPS joins a statement on AI-generated imagery and privacy

The EDPS joined 60 other data protection authorities from the Global Privacy Assembly in signing a joint statement on AI-generated imagery.

The signatories represent a united position around serious concerns about AI systems that generate realistic images and videos that depict identifiable individuals without their knowledge and consent. Of most concern are the potential harms to children.

Find the statement here

Trainees’ conference explores your data and air travel

On 12 February 2026, EDPS and European Data Protection Board (EDPB) trainees organised a conference exploring a very specific but important area of data privacy.

‘Data Takes Flight: Navigating privacy at the airport’ raised awareness about what happens to personal data when we travel by air. Participants were encouraged by the critical and informed discussion around data protection issues, security, and the usage of personal data in this context.

Listen to the podcast

Watch the full recording

Find out more about this event

AI Act: moving into practice

On 10 February, representatives from EU institutions, bodies, offices and agencies (EUIs) gathered in Brussels for the third meeting of the AI Act Correspondents Network (AIACN). 2026 marks a decisive year for the AI Act and the network’s focus has shifted from anticipation to concrete action. Indeed, this year transparency obligations will become applicable, and the EDPS will assume its role as market surveillance authority.

The meeting featured a hands-on workshop led by the EDPS AI Unit, where participants navigated a case study on high-risk AI in recruitment, exploring the practicalities of human oversight and bias prevention. Discussions also tackled the legal and infrastructure challenges of generative AI, including an update on the European Commission’s own tool, GPT@EC.

Looking ahead, the EDPS will soon publish the EDPS AI Compass, a guiding document setting out the AI Unit’s operational priorities for the next two years. In the meantime, the AI regulatory sandbox pilot project is developing and will serve as a shared learning space to ensure that EUIs' innovation remains grounded in fundamental rights.

Read the blogpost from the Supervisor

EDPS calls for stronger safeguards for interim CSAM rules

The EDPS issued an opinion regarding the European Commission’s proposal to extend interim rules for combatting child sexual abuse material (CSAM) online.

The proposal seeks to extend the current framework, which allows providers to take voluntary measures, until 3 April 2028. This is to avoid a legal vacuum while negotiations for a long-term solution continue.

While the EDPS recognises that protecting children from abuse is a vital duty of general interest, temporary measures must not bypass fundamental rights. The Supervisor calls for specific improvements to address existing shortcomings, including:

Ensuring greater legal certainty regarding the lawfulness of processing under the GDPR
Implementing effective safeguards against general and indiscriminate scanning
Maintaining strict adherence to the principles of necessity and proportionality

Any detection solution must be targeted and carefully balanced and respect the privacy rights of all users.

Read the press release

Read the opinion

EDPS bolsters the DPO role in EU institutions

Data protection officers (DPOs) are a cornerstone of data protection governance among the European Union institutions, offices, bodies and agencies (EUIs). Recently, the EDPS took action to help ensure this remains the case, adopting two key documents designed to strengthen their effectiveness and independence.

On 18 December 2025, the EDPS issued supervisory guidance clarifying the interpretation of the DPO role and the institutional guarantees required for their function.

Building on this, the organisation adopted a decision on 16 January 2026 which establishes binding rules requiring EUIs to obtain the prior consent of the EDPS before dismissing a DPO prior to the end of their term.

These measures, which apply immediately, reinforce the DPO position as a critical internal safeguard and ensure the consistent, independent application of EU data protection law.

Read the press release

Read the supervisory guidance

Read the decision

EDPS-EDPB on the Digital Omnibus: simplification must be balanced with fundamental rights

In February, the EDPB and the EDPS adopted a joint opinion on the Digital Omnibus Regulation proposal, which aims to simplify the EU’s digital regulatory framework and enhance competitiveness.

The message is clear: simplification must not come at the expense of fundamental rights.

A primary concern are the proposed changes to the definition of personal data, which the joint opinion strongly urges co-legislators to reject. Such amendments would narrow the concept of personal data beyond established case law, potentially creating legal uncertainty and weakening the protection individuals currently enjoy.

However, the joint opinion also highlights several steps in the right direction, including:

Increased thresholds and extended deadlines for data breach notifications
The introduction of common templates for breach reports and Data Protection Impact Assessments (DPIAs)
New regulatory solutions to address consent fatigue and the proliferation of cookie banners

The joint advice also supports the integration of the ‘Data Acquis’ into the Data Act to foster responsible innovation while maintaining clear safeguards for data re-use by public bodies.

Read the press release

Read the joint opinion

Looking back on Data Protection Day 2026

Every year on 28 January, we celebrate Data Protection Day. This date marks the anniversary of the Council of Europe’s Convention 108, the first binding international law securing individuals’ rights to protection of their personal data. This year, it also coincided with the 20th anniversary of Data Protection Day, the 10th anniversary of the GDPR’s adoption, and the introduction of the European Commission's Digital Omnibus proposal.

To mark the occasion, the EDPS and the Council of Europe (CoE) co-hosted a conference in Brussels. The discussions brought together experts and policymakers, including keynote speakers Beatriz de Anchorena (Chair of the Committee of Convention 108), Jelena Virant Burnik (Deputy Chair of the EDPB), and Professor Anu Bradford, to explore the future of Europe's digital legal order.

A central theme was that simplification should not be a euphemism for deregulation. Meaningful simplification must enhance legal certainty without eroding fundamental rights.

Highlights from the day included a deep dive into the outcome of the EDPS v SRB (Single Resolution Board) judgment, reinforcing that personal data must be assessed contextually rather than in the abstract, and a reflection on how the law can remain conceptually robust enough to match rapidly evolving tracking technologies without the need for constant reinvention.

Catch up with the event here

Read the Supervisor’s speech

Read the speech of the EDPS Secretary General

Watch the highlights

Listen to it

The future of cross-regulatory cooperation

At a major event on 27 January, just before Data Protection Day, the EDPS brought together stakeholders to discuss whether an EU-level forum where competent authorities from different fields can discuss issues of common interest is needed. ‘Towards a Digital Clearinghouse 2.0’ explored the future of cross-regulatory cooperation in response to rapid technological change and regulatory proliferation.

Effective cross-regulatory cooperation is necessary to ensure consistent application of recent laws such as the Digital Markets Act, Digital Services Act, Data Act, and Artificial Intelligence Act - each of which highlight the critical role of personal data in the digital economy and the need to protect individuals. The EDPS proposes paving the way for a Digital Clearinghouse 2.0 to provide competent authorities with a forum to exchange and coordinate on issues of common interest.

Read the speech by Supervisor

Re-watch it here

Blogpost

EDPS and EDPB call for stronger safeguards in AI Act

In a joint opinion, the EDPS and the EDPB voiced their support for streamlining the implementation of the AI Act but called for stronger safeguards to protect fundamental rights.

While supporting the Commission’s goal to simplify the implementation of the AI Act and welcoming initiatives like EU-level regulatory sandboxes to foster innovation, the two organisations stress that data protection authorities must maintain a central role in supervising data processing within these environments.

Specific concerns were raised regarding several proposed changes that could undermine accountability:

The use of special categories of personal data (such as health or ethnicity) for bias correction should be strictly limited to situations where the risk of adverse effects is serious.
The requirement to register high-risk AI systems should remain, because without it, providers could unduly claim exemptions to avoid public scrutiny.
Providers and deployers must retain their primary responsibility to ensure their staff are AI-literate.
Core provisions for high-risk systems should not be postponed.

Read the joint opinion

Read the joint press release

Listen in: the TechSonar episodes

If you missed our TechSonar report in December, you’re in luck, as the content is now also available in podcast form. We spoke to six of our subject matter experts on 6 emerging technological trends in data protection – agentic AI, AI companions, automated proctoring, AI-driven personalised learning, coding assistants, and confidential computing.

Find the podcasts here

Read the TechSonar 2025–2026

5 (good) reasons for an EDPS audit

In a recent blogpost, Supervisor Wojciech Wiewiórowski explains why an EDPS audit of a European Union institution, body, office or agency (EUI) can be a timely ‘health check’ that identifies data protection risks before they escalate. What is a legal necessity can also be foundational to institutional trust.

Read the blogpost

EDPS supports measures against cross-border fraud, warns against boundary blurring in VAT access

In an opinion released in January, the EDPS voiced its support for targeted VAT data access to fight fraud at EU level, but warned against blurring administrative and criminal boundaries.

Granting the European Public Prosecutor’s Office (EPPO) and the European Anti-Fraud Office (OLAF) access to VAT information to combat large-scale cross-border fraud will help protect public revenues. However, there must be robust legal, organisational and technical safeguards to ensure this does not become a ‘backdoor precedent’ for routine law enforcement access to administrative databases.

Read the press release

Speeches of the EDPS

4 March 2026 – Governance and Enforcement structure of the AI Act
Speech by the European Data Protection Supervisor Wojciech Wiewiórowski at the IMCO-LIBE AI Act Working Group, Brussels, Belgium.

4 February 2026 – 18th Joint Parliamentary Scrutiny Group on Europol (JPSG)
Speech by the Supervisor at the 18th meeting of the Joint Parliamentary Scrutiny Group on Europol (JPSG), Brussels, Belgium.

28 January 2026 – Data Protection Day 2026: Reset or Refine? – Opening remarks
Opening remarks by the Supervisor on Data Protection Day 2026, Brussels, Belgium.

28 January 2026 – Data Protection Day 2026: Reset of Refine? – Closing remarks
Closing Remarks by EDPS Acting Secretary-General Thomas Zerdick on Data Protection Day 2026, Brussels, Belgium.

27 January 2026 – Towards a Digital Clearinghouse 2.0
Opening remarks by the Supervisor at the ‘Towards a Digital Clearinghouse 2.0’ event, Brussels, Belgium.

AI Supervision by EDPS

Public Events

Supervision by EDPS

Délégué à la protection des données

Convention 108

Digital Clearinghouse 2.0

Evasion fiscale

Coopération policière

Technologies