Digital Privacy
About Digital Privacy
The Digital Privacy Strategy, rooted in the General Data Protection Regulation (GDPR), is designed to protect individuals’ privacy and personal data in an increasingly digital world. Despite the continued relevance of the 2002 ePrivacy Directive, the prolonged negotiations on the proposed ePrivacy Regulation—culminating in its withdrawal in February 2025—have led to legal uncertainty and inconsistencies in its implementation across EU member states.
In addition to these legislations, the EU data protection framework has been further shaped by numerous rulings from the European Court of Justice, guidance issued by the European Data Protection Board (EDPB), and decisions and interpretations provided by local supervisory authorities.
A series of legislative initiatives under the EU’s Digital Decade agenda have also played, or are expected to play, an important role in shaping the framework. Below is an overview of these initiatives:
Digital Omnibus
In November 2025, the European Commission published a proposal for a Regulation as regards the simplification of the digital legislative framework (the “Digital Omnibus”).
The proposed Regulation amends several existing EU legislative acts, including the GDPR and ePrivacy Directive. The changes target the following:
- Key definitions, including narrowing the scope of “personal data” and specifying when pseudonymised data is no longer personal data. The proposal’s approach is that identifiability is assessed from the controller’s perspective (i.e., an entity-relative approach).
- Processing of special categories of personal data is, subject to certain conditions, allowed for development and operation of an AI system or an AI model, including, but not limited to, for the purposes of bias detection and mitigation.
- Legitimate interest as a legal basis introduced for the development and operation of AI systems.
- Amendments, via the GDPR, to the ePrivacy Directive such that tracking technologies (e.g., cookies) that process or lead to the processing of personal data can be used without the data subject’s consent to the extent necessary for:
  - transmission purposes;
  - provision of services requested by the data subject;
  - aggregated usage measurement; and
  - maintaining of service/device security.
- The possibility for the controller to charge for or refuse “unfounded or excessive” data access requests, together with the concept of “abuse of the rights” by the data subject “for purposes other than the protection of their data”.
- Use by the controller of automated decision-making for entering into or performance of a contract, in particular regardless of whether the decision could be taken otherwise than by solely automated means.
- For notification of a personal data breach, a change of the threshold from “a risk” to “high risk” and an extension of the deadline for notifying the authority from 72 hours to 96 hours.
Read more about EU data protection and privacy legislations
Snellman Digital Compliance Tracker
- General Data Protection Regulation (GDPR)
- Proposal for a new regulation laying down additional procedural rules related to the enforcement of the GDPR
- ePrivacy Directive
- ePrivacy Regulation proposal (withdrawn)
External links
EUR-Lex links to legislation not yet commented/included in the Snellman Digital Compliance Tracker can be found below:
- Regulation to protect personal data processed by EU institutions, bodies, offices and agencies (2018/1725), essentially applies the principles of the GDPR to the EU’s own institutions and aligns with the GDPR for consistency (see EUR-Lex-link).