The Data Protection & Privacy 2026 guide features more than 40 jurisdictions. The guide provides the latest information on the legal and regulatory framework for data protection, privacy litigation and collective redress, requirements for the protection and processing of non-personal data, sectoral issues including advertising and employment law, data localisation requirements, and blocking statutes.
Last Updated: March 10, 2026
Introduction to the Data Protection & Privacy Guide
Legal and regulatory framework
As we head into 2026, data privacy continues to be an important compliance topic, a fundamental concern for individuals, businesses and governments worldwide, as digital technologies and the increasing reliance on data-driven services, such as in the context of AI, have transformed how personal data is collected, processed and shared. This has brought about significant benefits, including enhanced connectivity, personalised services and economic growth. However, it has also raised critical questions about the protection of personal data and individual privacy rights.
In many jurisdictions, data privacy laws are built on the same core principles, such as transparency, accountability and lawfulness. These principles are designed to ensure that individuals have control over their personal data and that the organisations processing this data do so responsibly. Key elements of data privacy regulation include requirements for data security and data transfers, and the rights of individuals to access, correct and delete their data.
Apart from this, a key aspect of this dynamic field is the constantly evolving landscape of data protection-related laws. The developments in 2025 brought some consolidation in Europe, acceleration in the United States and Asia, and a steady rise in complex litigation.
In the EU, for instance, the AI Act and the EU Data Act (DA) moved from text to practice. In the United States, several new state privacy laws and amendments took effect on 1 January 2026, including the introduction of privacy requirements in Indiana and Kentucky. The Personal Data Protection Law (PDPL) of Vietnam came into force the same day, following its approval by the National Assembly. India’s privacy law, the Digital Personal Data Protection Act (DPDPA), which finally became effective in late 2025, governs the handling of digital personal data and sets out a comprehensive framework for its collection, processing and transfer.
In many jurisdictions, existing regulations are being amended more frequently. In the EU, the draft EU Omnibus regulation aims to simplify rules on data, AI and cybersecurity. Proposed amendments include the introduction of rules clarifying the use of personal data for AI training, a single EU entry point for incident reporting across the EU GDPR, NIS 2 and DORA, and an extension of the notification time for data breaches. Meanwhile, in the UK, the new Data Use and Access Act (DUAA) amends the UK General Data Protection Regulation (UK GDPR), the Data Protection Act 2018 (DPA) and the Privacy and Electronic Communications Regulations (PECR). Similar developments can be observed in other jurisdictions as well, such as the amendments to Malaysia’s Personal Data Protection Act (PDPA) in 2024.
Requirements for the use of and access to non-personal data
In 2025, it became clear that data-related compliance programs can no longer ignore non-personal data. In order to enable data access and sharing, jurisdictions are increasingly enacting laws to ensure that non-personal data is more accessible and usable, and that data-driven innovation is promoted.
The DA establishes new rules in the EU for how users of connected products and related services can utilise the data they generate and how data holders can derive economic value from it. In order to address the key challenges in the digital economy, the DA aims to foster a competitive data market and promote data-driven innovation, introducing premature termination rights and the right to request support when switching to similar data processing services.
With the DUAA, the UK has also started to manage non-personal data, aiming to unlock the effective use of such data. The DUAA establishes a structure for data-sharing arrangements like Open Banking (enabling third-party providers to access customer data at financial entities through application programming interfaces or APIs), which applies to both consumer and business data. This approach is comparable to the EU’s DA and Data Governance Act, although the DUAA does not exactly replicate the corresponding EU regulations.
International data transfers
One of the most significant challenges in data privacy is the issue of cross-border data transfers. As data transfers are part of everyday business, regulators must address the complexities of ensuring that personal data transferred to other jurisdictions remains adequately protected. This has led to the development of various mechanisms such as standard contractual clauses (SCCs), binding corporate rules (BCRs) and adequacy decisions, which enable the international transfer of personal data in compliance with the respective data protection principles.
Many jurisdictions, particularly in the MENA region, have recently adopted this approach and published data transfer regulations that in some instances require specific approval by state authorities. For example, in 2024, Saudi Arabia published four different forms of SCCs and issued new guidelines on the use of BCRs.
In the United States, national‑security‑driven controls have been tightened. New federal rules constrain certain transfers of bulk sensitive US personal data to countries of concern, and the Protecting Americans’ Data from Foreign Adversaries Act limits sales by data brokers to designated countries or controlled entities. These regimes sit alongside sectoral rules and state privacy laws, expanding diligence and contractual controls for global vendor chains.
China has completed the tri‑path outbound data transfer framework under the Personal Information Protection Law (PIPL). Following the easing of thresholds and exemptions in 2024, 2025 saw further guidelines and, crucially, the Measures for Certification of Cross‑Border Personal Information Transfers (effective since January 2026). Companies now have a choice of security assessment, standard contracts, or certification.
The UK’s new DUAA establishes a new data protection standard for transfers, requiring the Secretary of State to carry out a data protection test in relation to transfers of personal data to a third country or international organisation.
In the EU, international data transfers are an endless story. In 2025, the European Commission renewed the two adequacy decisions for the United Kingdom. An adequacy decision for data transfers to Brazil is expected soon.
Due to political developments and increasing tensions with the US, doubts have been raised in Europe about the continued validity of the EU–US Data Privacy Framework (DPF) for the transfer of personal data between the EU and the US.
In September 2025, the EU General Court (EGC; Case T-553/23) dismissed an action for annulment of the DPF for the transfer of personal data between the EU and the US, thereby confirming the DPF. An appeal is pending before the European Court of Justice (CJEU).
The current situation in the EU is precarious for many companies relying on SCCs, and particularly for small and medium-sized enterprises (SMEs) with international ties, as an annulment of the DPF would necessitate relying on SCCs for data transfers to the US. According to the Schrems II decision of the CJEU and based on the recommendations 01/2020 of the European Data Protection Board (EDPB), the use of SCCs necessitates an assessment of the data protection level of the respective third country (a transfer impact assessment or TIA). According to the EDPB, such TIAs require a six-step review process, including a detailed examination of the legal enforcement system and surveillance laws of the recipient country. This requires the help of local experts and leads to increasing costs for companies, which poses enormous challenges for SMEs in particular.
Enforcement
In the EU, regulators continued to focus on adtech, dark patterns, the processing of sensitive data in advertising, and the processing of children’s data. One particular focus of European data protection authorities has always been international data transfers. Examples are the EUR530 million fine imposed by the Irish Data Protection Commissioner against a social media platform provider for unlawful data transfers to China, and the European Data Protection Supervisor’s decision to refuse a request by the European Investment Bank to transfer data to a number of non-EU/EEA countries, including Brazil, Turkey, India and Fiji.
Earlier in 2025, the EGC made a significant ruling, awarding damages for the transfer of an IP address to the United States prior to the approval of the DPF and in the absence of an adequacy decision. The court held that the website operator was liable for data transfers made through a third-party API embedded in the website, even though the transfer was not conducted by the website operator. Such decisions may have future implications for companies operating in both low-risk and high-risk contexts, as they could face mass tort litigation for using third-party services that transfer non-sensitive and device-related data to third countries.
In other jurisdictions, state privacy enforcement has also matured. In the US, the Attorneys General and the California Privacy Protection Agency pressed actions on data brokers, misconfigured consent tools, and sensitive health data in digital advertising. The development of new data localisation requirements is another important area to monitor.
Privacy litigation
Recent decisions illustrate that data privacy litigation is on the rise, with individuals and organisations increasingly seeking redress for privacy violations. In many jurisdictions, data privacy laws provide a basis for claims for immaterial damages, although the determination of such damages remains a contentious issue. Recent court decisions in the EU have clarified some aspects of compensation, emphasising that it should correspond to actual harm rather than serve as a punitive measure. However, courts tend to interpret relevant statutes broadly to ensure the efficient and continued protection of user privacy rights, which could potentially lead to more waves of mass claim litigation.
The introduction of collective redress mechanisms, such as the Representative Actions Directive in the EU, has fuelled this trend and expanded legal protection for consumers, enabling them to file collective actions for data protection violations. This current development increases liability risks for companies, particularly with cross-border implications, and highlights the importance of robust compliance programmes.
Sectoral developments
The bar is rising fast in specific sectors such as health and advertising as many regulators are increasingly focusing on these critical issues. For instance, new state health privacy laws in the US focus on purpose limitation and expectation management, demanding data minimisation and vendor oversight. With the EU Health Data Space Regulation, the EU is setting new rules for the primary and secondary use of health data and the international transfer of such data to other jurisdictions.
Enforcement remains strict, particularly regarding online marketing practices and the use of cookies. In the US, further action on deceptive design and misuse of sensitive data is expected. In France, at the end of 2025, the supervisory authority, the National Commission for Information Technology and Civil Liberties (Commission Nationale de l'Informatique et des Libertés or CNIL) imposed significant fines for alleged cookie violations under the French Data Protection Act, whereby a publisher was fined EUR750,000, and a financial services provider received a penalty of EUR1.5 million.
It is also notable that the DUAA is introducing changes to existing cookie regulations. Similarly, the EDPB guidelines on cookies continue to shape EU cookie laws under the ePrivacy Directive. While some jurisdictions do not have specific regulations on cookies, it is important to note that other data protection laws may still apply and set cookie requirements, particularly when cookies are related to personal data.
Conclusion
The landscape of data privacy law is complex and constantly evolving, reflecting the rapid pace of technological change and the growing importance of data in the digital economy. The year 2026 will bring several challenges and, considering the recent international developments discussed above, organisations would be well advised to start prioritising their compliance aims. They can do this by observing new incident response and reporting rules; continuing to treat international data transfers as an evergreen risk; operationalising AI governance and expanding privacy programmes to cover AI; focusing on the use of and access to non-personal data (under the EU Data Act); implementing fair-terms reviews for B2B data contracts and cloud switching; and anticipating litigation and sectoral enforcement.