Data Economy, Privacy and Cybersecurity Newsletter - February 2026

EU pushes for a profound reshaping of the digital economy in 2026 with proposed changes to legislation governing AI, data and platforms

Alejandro Padín

2026 brings a raft of reforms that will redefine AI, privacy and digital markets in the EU. The regulatory agenda is shifting towards greater transparency, greater oversight and new obligations for platforms, technology providers and companies that process data or rely on digital services. It will be a pivotal year in terms of anticipating risks, adapting processes and strengthening corporate digital strategies.

KEEP READING >

News update

• The European Commission imposes the first fine on a VLOP under the Digital Services Act (DSA) on X
• The EDPB opens public consultation on Recommendations 2/2025
• Chile's National Cybersecurity Agency approves the first definitive list of Operators of Vital Importance (OVI)
• AESIA publishes practical guides to facilitate compliance with the European Artificial Intelligence Act
• ISO 27701:2025 update on privacy information management systems published
• AEPD blog post: balancing fundamental rights when child protection is at stake
• The European Data Protection Board (EDPB) and the European Commission jointly endorse guidelines on the interplay between the Digital Markets Act (DMA) and the General Data Protection Regulation (GDPR)
• The EU Entry/Exit System (EES) goes live
• European Data Protection Board to focus its fifth coordinated action on compliance with transparency obligations
• EU UK data transfers may be maintained without additional safeguards, although with monitoring for possible future risks
• Corrective measures imposed on Microsoft due to the processing of personal data of minors in Austria
• The Global Privacy Assembly approves three new resolutions centering on artificial intelligence and digital education
• The AEPD launches Privacy, Innovation and Technology journal and calls for articles for its first issue

KEEP READING >

Decisions 

• The AEPD fines AENA in relation to a biometric recognition system
• Two million-plus fines for mobile operator following security incident
• Financial institution fined for failing to guarantee the traceability and security of personal data when sending documents by courier
• University fined for use of biometrics in proctoring systems
• €200,000 fine imposed on energy supplier for canceling the wrong customer's contract
• Irish Data Protection Commission (DPC) fines TikTok €530 million and suspends data transfers to China
• Publication of numerous penalties imposed on various Catalan pharmacies due to irregularities in the processing of personal data
• AEPD dismisses appeal filed by a telecommunications company to stay the application of corrective measures until the conclusion of the judicial review
• ICO issues £14 million fine due to a serious security breach that compromised the data of 6.6 million people
• Operator fined for failing to verify the identity in the change of ownership and duplication of a SIM card, facilitating fraud involving personal data
• Security of processing breach declared following theft of non-password-protected IT equipment containing police information on missing persons and convictions
• Car rental company fined €100,000 for refusing to hire vehicles to customers that appeared on its exclusion list
• Access to a worker's medical records for internal organizational purposes of the health center constitutes an infringement of the principle of integrity and confidentiality
• A company was fined for a data breach in a user directory that allowed the publication of more than 2,600 telephone numbers and aliases
• €150,000 fine for fraudulent online procurement of electronic communications services
• Fine for sharing AI-manipulated images
• The AEPD fines a data processor for chain subcontracting without the data controller's authorization
• Financial institution fined for security breach that exposed millions of customers' data
• Fine imposed on residential community for capturing images of residents when they collected parcels
• The AEPD appreciates speed in correcting breaches of data protection regulations
• A beauty clinic creates a WhatsApp group with several of its clients without their consent to provide its services
• The AEPD states that placing warning notices on the outside of an envelope such as "attachment order" or "enforced collection notice" violates the principle of confidentiality
• Penalty for non-compliance with the principle of data protection by design and by default 

KEEP READING >

Judgements 

• Meta ordered to pay more than €500 million for unfair competition and breach of the GDPR
• CJEU opinion regarding whether or not prior judicial authorization is needed to seize emails in competition inspections
• The CJEU denies exemption from liability to platforms that disseminate personal data and considers them to be controllers
• National Appellate Court judgment in relation to infringement of article 6 of the GDPR in video surveillance activities with voice recording
• New clarifications from the CJEU on the interpretation of the ePrivacy Directive regarding the sending of commercial communications by email
• The CJEU rules on limits to the collection and storage of biometric and genetic data by the police
• The CJEU requires passengers to be informed immediately about the use of body cameras and the processing of their personal data

KEEP READING >