Please enable javascript in your browser to view this site

Event debrief: The 15th Annual European Data Protection and Privacy Conference

Warnings that an overhaul of the GDPR would be like opening Pandora’s box as the EC defends targeted changes to the nearly 10-year-old regime

The EC sees an opportunity to evolve data protection rules but is aware the legislative process may be tricky

On 17 March 2026, Assembly attended Forum Europe’s 15th Annual European Data Protection and Privacy Conference in Brussels. On Saint Patrick's Day, it was fitting that the event was opened by two Irish policymakers. Jim O’Callaghan TD (Minister for Justice, Home Affairs and Migration, Ireland) considered that the tenth anniversary of the adoption of the General Data Protection Regulation (GDPR) represented an important juncture for the EU given the political focus on delivering future innovation and competitiveness. He stated that data flows are crucial to both trade and investment, but stressed that they must not undermine citizens’ digital rights. Michael McGrath (Commissioner for Democracy, Justice, the Rule of Law and Consumer Protection, EC) echoed the views of his compatriot, identifying a pivotal moment for the bloc as it prioritises enabling a thriving and trustworthy digital future. He stated that the GDPR remains the global benchmark for privacy regulation and that there is no appetite within the EC to reopen the framework in its entirety despite the fact that “lots of water has flowed under the bridge” since adoption in 2016. McGrath considered that the Digital Omnibus proposal includes balanced and targeted measures to clarify GDPR provisions, upholding the regulation’s core principles while cutting red tape and accounting for technological developments as well as new legislation, opinions and case law.

The EU’s position at a “strategic crossroads” was highlighted by Martynas Dobrovolskis (Vice Minister of Justice, Lithuania), who stated that the bloc has demonstrated leadership in shaping digital norms but must equally show that it can revise regulation wisely too. He described the Omnibus as not just a legal exercise but a values-based decision about shaping the kind of digital future Europe wants to see. McGrath, however, underlined that it was now up to the co-legislators to navigate the package through the “difficult negotiations” that no doubt lie ahead. He also touched on the progress of the forthcoming Digital Fairness Act (DFA), which will aim to tackle specific gaps in consumer protection online, such as those around dark patterns, unfair influencer marketing or harmful personalisation. Similarly, the EC’s aim is not to overhaul European consumer law but to complement other pieces of legislation, including the GDPR, AI Act and Digital Services Act (DSA).

There was sharp disagreement over what the Digital Omnibus is ultimately aiming to achieve

The opening panel session of the day saw intense debate on the EC’s proposals to evolve Europe’s data protection regime, particularly on whether it is looking to change the definition of personal data under the GDPR. Karolina Mojzesowicz (Deputy Head of Unit, Data Protection, DG JUSTICE, EC) repeatedly stated that this is not the EC’s ambition and that it is instead seeking to provide much-needed clarifications in light of Court of Justice of the European Union (CJEU) rulings, such as in the Single Resolution Board (SRB) case. Mojzesowicz stated that the risk-based approach, technological neutrality and horizontal application of the GDPR should continue, but that action was required to address the different interpretations between Member States and the apparent misunderstandings that have led to litigation. Jörn Wittmann (Group Privacy Ambassador, Volkswagen Group) considered that some data protection authorities (DPAs) have the tendency to “over-enforce” the regulation, causing fragmentation across the EU. He also supported the EC’s stance that it wants to codify recent case law, rather than to effect a material change to specific definitions. Itxaso Domínguez de Olazábal (Policy Advisor, EDRi) clearly disagreed, alleging that the EC was attempting to go beyond codification and that it was using recitals from certain decisions selectively. Domínguez de Olazábal argued that she could not see the need to change the GDPR nor how proposals that might risk the fundamental right to effective data protection were being said out loud in 2026. Marina Kaljurand (MEP, S&D) was sympathetic, stating that the Omnibus should not impact “the essence of the GDPR” and that changes to the regulation itself were not required to address problems with application.

Speakers also discussed the EC’s proposals to recognise legitimate interest as a legal basis for training AI systems with personal data, which Mojzesowicz emphasised feature safeguards, including the unconditional right to object. Lorelien Hoet (Director of EU Government Affairs, Microsoft) welcomed the measures, stating that it is impractical to get consent in every occasion and so the use of legitimate interest makes sense and reflects the approach taken in online search. However, Domínguez de Olazábal and Kaljurand, both questioned whether they represented a stepping away from the GDPR’s core principle of technological neutrality, with Domínguez de Olazábal surmising that the principle aim of the proposals was to support big tech firms who would use their “thousands of lawyers” to see them adopted.

Claims were made that the EC’s proposals could undermine current levels of privacy and consumer protection

Many of the same arguments carried through to the second panel discussion, with Mojzesowicz again forced to defend the EC’s position that the Omnibus does not introduce a change to the definition of personal data or represent the codification of a singular judgment (but is instead a reflection of several rulings, e.g. Breyer, OC, SRB). However, scepticism was visible on the faces of other speakers, with Cláudio Teixeira (Head of Digital Policy, BEUC) seeing the current proposals as deregulation over simplification, threatening to harm rather than empower consumers. He argued that the EC was in fact trying to anchor changes to the GDPR in the SRB decision, considering doing so explicitly as risky given that the judgment is highly subjective. Even for those measures such as one click consent that Teixeira saw as fair or positive on the surface, he stated that diving into the detail of them uncovered “incongruences” and loopholes. Similarly, Alex Agius Saliba (MEP, S&D) stated that he was not against streamlining rules where appropriate but warned that changing the definition of personal data or enabling the use of biometrics could have profound implications for individuals’ privacy. He considered that any thorough reworking of the GDPR would be like opening Pandora’s box, agreeing with Teixeira that the net impact of the EC’s proposals as a whole could be a worse result for consumers compared to the status quo.

Victoria de Posson (Secretary General, European Tech Alliance) contended that the region needs true simplification, especially in the tech sector where an excessive share of people (30%) work in compliance as opposed to commercial or innovation-oriented functions. Whereas de Posson was pleased with EC’s proposals on consent, for example with respect to “annoying” cookie banners that “no one reads”, Anne Debet (Vice President, CNIL) cautioned that consent is not “the alpha and omega of data protection” and that other principles, e.g. transparency, are vital to an effective framework. While Debet welcomed the goal of the Omnibus package to combat consent fatigue, she considered that policymakers must avoid the illusion that this issue can be boiled down to a binary choice of agree versus reject. Debet also took aim at earlier suggestions from Hoet and Wittmann that DPAs are a key driver of fragmentation within the EU, mouthing ‘no’ to the audience when Sachiko Scheuing (Chairwoman, FEDMA) began to repeat the claim.

A tension between maintaining strong data protection rules and adapting them to the realities of AI

Subsequent conversations failed to live up to the feisty exchanges of the morning as like-minded panellists exchanged views on the nonetheless relevant and timely topics of cross-border data flows and digital sovereignty. Ilias Chantzos (Global Privacy Officer and Head of EMEA Government Affairs, Broadcom) stated that sovereignty is an issue being pushed “aggressively” as a result of the current state of geopolitics. He argued that absolute sovereignty does not exist and that it is not realistic to expect that it will as Europe’s reliance on a global supply chain will not disappear. On the future of the bloc’s data protection regime, Axel Voss (MEP, EPP) stated that legal certainty drives trustworthiness, calling for greater clarity on how the GDPR and AI Act interact to avoid overlaps. Unsurprisingly, Voss supported the EC’s proposals to allow the use of personal data for training AI models, adding that in the AI era, some prevailing principles of data protection (e.g. deletion, minimisation, use for one specific purpose) may become less relevant.