Data law | UK Regulatory Outlook January 2026
Published on 13th January 2026
Contents:
- A busy year ahead: what will this mean for business?
- UK Data (Use and Access) Act 2025
- UK Cyber Security and Resilience (Network and Information Systems) Bill
- EU Digital Omnibus: proposals for simplification of EU data laws
- EU regulation on cross-border EU GDPR enforcement in force
- UK adequacy decisions
- ICO priorities
- ICO and AI
- ICO's approach to regulating online advertising
- ICO's focus on children's online privacy in mobile games
- Priorities for EU data protection authorities
- EDPB 2026 coordinated enforcement action
- AI compliance and interplay between EU AI Act and GDPR
- Sectoral focus
A busy year ahead: what will this mean for business?
Businesses can expect significant developments to data law (including data protection) in 2026, as set out in this bumper edition of the Regulatory Outlook. Ten years after the text of the General Data Protection Regulation (GDPR) was finalised, the European Commission is now proposing changes that follow (some of) the similar revisions made to the UK GDPR in 2025. In both the UK and the EU, these changes are more about evolution than revolution: for some businesses, they will have very little impact; for others, the impact will be significant (for better or worse). All businesses will be looking to keep on top of developments and continually assess their specific impact.
Increased legislative divergence between the UK and the EU poses practical challenges for businesses operating across both jurisdictions (and more widely). Will they continue to take a uniform approach to data protection across the UK and the EU (for example, in the context of cookies) for practical simplicity? Or will they change their approach in the UK or the EU (as applicable) to take advantage of business-friendly changes in law?
Data protection regulators in the UK and the EU will continue to actively enforce data protection laws, focusing on where they see the most potential for harm. In practice, that means continued focus on online advertising practices, unlawful direct marketing, processing of children's data, artificial intelligence (AI) (particularly where it is used to make decisions about people) and data security. Businesses engaged in areas of focus for regulators can expect further developments in the form of guidelines, codes of practice and enforcement.
Beyond data protection, there is plenty going on. Whether it is smart data schemes in the UK, the European Health Data Space, a focus on digital identities or data and digital sovereignty, there will be no shortage of data-related news in 2026.
Legislative changes – UK and EU
UK Data (Use and Access) Act 2025
The main changes to data protection and privacy law introduced by part 5 of the Data (Use and Access) (DUA) Act 2025 are expected to come into effect this January.
They include amendments to the UK GDPR and the Privacy and Electronic Communications (EC Directive) Regulations 2003 (PECR) concerning the lawfulness of processing (including the introduction of a new "recognised legitimate interest" lawful basis and the addition of certain processing purposes more likely to amount to "legitimate interests"), an easing of the current restrictions on automated decision-making, an extension of the soft opt-in for charities, and new exemptions relating to the use of cookies and other tracking technologies. Maximum fines for breaches of PECR will also increase to UK GDPR levels (the higher of £17.5 million or 4% of global annual turnover), up from the current £500,000 limit.
The changes requiring controllers to implement formal processes for handling data protection complaints will not take effect until the summer, giving organisations more time to prepare. Organisations will be required to provide individuals with a way to raise data protection complaints, acknowledge receipt of those complaints within 30 days, and investigate them without undue delay.
Further Information Commissioner's Office (ICO) guidance on the changes is expected through 2026, such as final guidance on handling data protection complaints and on recognised legitimate interest, and updated guidance on direct marketing and privacy and electronic communications to reflect the changes to the charitable-purpose soft opt-in. The ICO has set out its plans for new and updated guidance.
The DUA Act is about more than just data protection, though, and further legislation and developments are expected this year relating to digital identities and smart data schemes.
UK Cyber Security and Resilience (Network and Information Systems) Bill
See Cyber security section.
EU Digital Omnibus: proposals for simplification of EU data laws
As part of its simplification drive, the European Commission has released its proposal to make significant changes to the EU GDPR and other data legislation. This is part of a wider proposed "Digital Omnibus Regulation" package, which also includes (among others) proposals for changes to the EU AI Act (see AI section).
As reported in our November edition, key proposals include:
EU GDPR
The definition of "personal data" is to be amended to make clear that information is not to be considered personal data in respect of a particular entity:
- merely because a potential subsequent recipient has the means reasonably likely to be used to identify the data subject, nor
- when it does not have the means reasonably likely to be used to identify the data subject.
There is also provision for the Commission and the European Data Protection Board (EDPB) to help controllers assess the position by specifying means and criteria relevant for an assessment, including the state of the art of available techniques and criteria to assess the risk of reidentification of pseudonymised data.
Additional exemptions from the prohibition on processing special category data in the following cases:
- Processing of biometric data, when it is necessary for confirming the identity of the data subject and when the data and means for such verification are under the sole control of that data subject.
- Residual processing of special categories of personal data for development and operation of AI, subject to conditions, including appropriate organisational and technical measures to avoid collecting such data, and removing it after use.
Related to this, but included in the separate AI Omnibus, there would be an extension to the situations in which special category data can be processed for the purposes of detecting and correcting bias in AI systems (subject to strict safeguards). This is currently limited to providers of high-risk AI systems, but would also cover deployers of high-risk systems, and providers and deployers of non-high-risk systems and models where "reasonable and proportionate".
An amendment to make clear that organisations can rely on the EU GDPR's "legitimate interest" legal basis to use personal data for training or operating AI systems and models.
Clarification of the requirements for automated decision-making in the context of entering into, or performance of, a contract between the data subject and a controller, in particular that the requirement of "necessity" applies regardless of whether the decision could be taken otherwise than by solely automated means.
A controller will not have to notify a data breach to the competent supervisory authority unless the breach is likely to result in a high risk to the data subject's rights, aligning this threshold with that for notification to affected data subjects. In addition, the notification deadline for breach reporting would be extended from 72 to 96 hours. It is also proposed that controllers use a new "single-entry point" when they notify data breaches to the supervisory authority.
Cookies
- It is proposed that processing personal data via cookies and other tracking techniques would fall entirely under the EU GDPR, rather than the ePrivacy Directive.
- Consent will no longer be needed for some low-risk cookie uses including when providing services explicitly requested by the data subject, when creating aggregated audience measurements for the provider's own online service, and certain security functions.
Other data laws
- Abolition of the Data Governance Act 2022, the Open Data Directive 2019 and the Free Flow of Non-Personal Data Regulation 2018. The Data Act would remain as the central law and would include essential elements retained from the other three acts, which would be repealed.
- Changes to definitions currently used in the Data Act. For example, the terms "data user", "data holder" and "public emergency" are to be harmonised and clarified.
- Protection of trade secrets will be further strengthened by allowing data owners to refuse disclosure under the Data Act if this could result in sensitive information being transferred to third countries with an inadequate level of protection or which could compromise the EU's security interests.
- Switching obligations under the Data Act will be amended. For example, customised services will be exempt from the interoperability requirements in existing contracts and small and mid-cap companies (up to 750 employees) will be exempt from additional obligations.
The legislative process is now under way, with trilogue negotiations among the EU institutions expected in mid-2026. For more details see Osborne Clarke's Digital Omnibus microsite.
EU regulation on cross-border EU GDPR enforcement in force
The regulation laying down additional procedural rules on the enforcement of the EU GDPR came into force on 1 January. It does not introduce new procedures but clarifies the existing EU GDPR framework and harmonises rules on certain elements of cross-border enforcement of the EU GDPR. It will apply from 2 April 2027. See our Digital Regulation Timeline for more information on the regulation.
UK adequacy decisions
In late December 2025, the European Commission renewed two 2021 UK adequacy decisions, permitting the continued free flow of personal data between the European Economic Area and the UK, under the EU GDPR and the Law Enforcement Directive. The renewed decisions will remain in effect until 27 December 2031 and may be further extended. The Commission, in conjunction with representatives of the EDPB, will conduct a review of the decisions after four years.
ICO priorities
In 2025's edition of our Regulatory Outlook, we highlighted artificial intelligence, online advertising and children's data as the ICO's key priorities. Those will continue to be key focus areas for the ICO through 2026, developing and delivering on the work the ICO has done to date, as summarised below.
More generally on the ICO's approach, ICO fines in 2025 were predominantly limited to personal data breaches and unlawful direct marketing (particularly cold calls and spam texts) and we expect more of the same in 2026. However, the ICO increasingly prioritises proactive engagement, education and systemic change over punitive fines, as evidenced by the ICO's work on websites' use of cookies and the implementation of its Children's Code strategy in the context of social media and video sharing platforms.
The ICO, like other UK regulators, has a duty, when exercising its functions, to consider the desirability of promoting economic growth and ensuring regulation isn't unnecessarily burdensome (the Growth Duty). In March 2025, the ICO summarised how its approach to regulation is supporting economic growth, and we expect this to be a continuing theme in 2026.
ICO and AI
Aligned with the Growth Duty, the ICO's AI and biometric strategy, launched in June 2025, is as much about supporting innovation and economic growth as it is about regulating AI.
The ICO is focusing on the uses of AI and biometrics that cause the most concern and have the greatest potential for harm if misused, including continued review of the use of automated decision-making in recruitment, the use of facial recognition technology by police forces, and how personal data is used to train generative AI foundation models.
In 2026, updates are expected to the ICO's guidance on automated decision-making and profiling, a statutory code of practice on AI and automated decision-making and a horizon scanning report on the data protection implications of agentic AI.
ICO's approach to regulating online advertising
As part of its online tracking strategy, launched in 2025, and following a consultation on the topic, the ICO is expected to publish a statement identifying advertising activities that are unlikely to trigger enforcement action under the PECR. The ICO is working with stakeholders and the government to explore how it could amend legislation to reinforce this, with a further update expected in 2026.
In the ICO's December 2025 update on its efforts to ensure cookie compliance across the top 1,000 websites in the UK, the ICO confirmed its intention to "periodically test" those websites. It said that most of these websites now meet the rules on the use of advertising cookies, with only 21 websites identified as still non-compliant with the ICO's testing criteria. The ICO will continue to take action in relation to those websites. As well as engaging with the top websites, it has also been engaging with trade bodies representing industries appearing in the top 1,000 websites and the consent management platforms (CMPs) providing consent management solutions to nearly 80% of the top 500 websites. Those CMPs have made significant changes to the options they provide to their customers to ensure compliance by default.
The ICO's focus on ensuring websites' cookie compliance is ongoing, and the regulator has indicated that it will continue its monitoring and engagement with industry.
ICO's focus on children's online privacy in mobile games
Having previously focused on the implementation of its Children's Code strategy in the context of social media and video sharing platforms, the ICO has recently turned its attention to online privacy in the most popular mobile games played by children in the UK. The ICO is launching a monitoring programme into 10 popular online games to assess their compliance with default privacy settings, geolocation controls and targeted advertising practices. The regulator will also consider any other privacy issues identified during the review process. The ICO's early review suggests that many mobile games' design features can be intrusive, which raises concerns about their compliance with the ICO's Children's Code standards.
The ICO has stated that its focus in 2024/25 on children's privacy on social media and video-sharing platforms resulted in significant improvements. In March 2025, it published an update on its strategy. Since then, the ICO says that it has secured improvements to the approach to children's privacy settings by 10 platforms, including setting private profiles by default, just-in-time privacy notices and restricted visibility of child users. The regulator will also start a monitoring programme to drive the adoption of more robust and proportionate age assurance methods on high-risk platforms.
Priorities for EU data protection authorities
The EDPB's priorities for 2025 included guidance on the interplay between EU data protection law and other digital regulation. The EDPB published draft guidelines addressing the interplay of the Digital Markets Act and the Digital Services Act with the EU GDPR, with final versions of the guidelines awaited. The interplay between data laws and other digital regulation, as well as simplification of digital regulation (see above), will continue to be a focus area this year.
Last year also brought significant case law from the Court of Justice of the EU (CJEU) interpreting the EU GDPR, such as on the responsibilities of online marketplaces for the processing of personal data contained in ads (Russmedia Digital and Inform Media Press), on whether pseudonymised data is necessarily personal data when shared with third parties (European Data Protection Supervisor (EDPS) v Single Resolution Board (SRB)), and the decision of the General Court of the EU dismissing an action for annulment of the EU-US personal data transfer framework (Latombe v Commission).
EDPB 2026 coordinated enforcement action
For 2026, the EDPB has chosen "compliance with the obligations of transparency and information" under the EU GDPR (in other words, compliance with GDPR articles 12-14) as the topic for its coordinated enforcement action. This means that the EDPB will prioritise it as an area for national data protection authorities to work on at Member State level. The results of these national actions will then be aggregated and analysed to generate deeper insight into the topic. If warranted, this might lead to targeted follow-up at both national and EU level.
This follows the EDPB's focus in 2025 on the right to erasure (right to be forgotten) by controllers (see this Regulatory Outlook). The report on the outcome of that action is expected to be adopted in the coming months.
AI compliance and interplay between EU AI Act and GDPR
The core framework of the EU AI Act is set to become fully operational in 2026. The provisions on general-purpose AI under the legislation have been effective since 2 August 2025, and the rules governing high-risk AI systems, as well as the transparency obligations requiring providers and deployers of generative AI systems to label AI-generated content including deepfakes, are currently scheduled to take effect from 2 August this year (subject to proposed delays under the AI Omnibus; see AI section). This makes AI compliance one of the primary focuses for 2026. However, organisations will also need to navigate the interplay of the EU AI Act with other legislation, such as the GDPR, including areas where the laws overlap, creating compliance difficulties. To provide clarity for businesses in this area, the Commission is working on joint guidelines with the EDPB on the interplay between the AI Act and EU data protection laws.
See our Digital Regulation timeline for more information on the EU AI Act.
Sectoral focus
- Children's online safety remains high on the regulatory agenda. See Digital Regulation section for more information.
- The European Health Data Space Regulation, which aims to establish a common framework for the use and exchange of electronic health data across the EU, is in a transitional phase throughout 2026, with the regulation set to apply from 26 March 2027. We should see further consultations on guidelines in 2026.