DPAS Data Protection Bulletin – January 2026


Welcome back to our monthly DPAS bulletin, where we cover the latest data protection news and developments from around the world.

New year, new bulletin! How has the ICO resolved to start the new year? How is the European push for digital sovereignty going? Will Microsoft stop tracking children at school? What are the data protection trends from 2025? Should Chinese electric vehicles face restrictions around where they can and cannot go?

Read about all this and more in our latest DPAS Data Protection Bulletin.

ICO updates international transfer guidance

The ICO has published its updated guidance on international transfers of personal data. The new guidance is intended to make it easier for businesses to understand what they need to do to comply with the UK GDPR transfer rules. 

The latest refresh to their guidance follows previous updates to existing guidance that the ICO has been rolling out as part of their winter plans. Of particular help in this updated guidance is the ICO’s guidance on roles and responsibilities, which is designed to help organisations navigate the more complex scenarios.

Read more about this here.

US companies' digital Olympus set to fall

In last month's edition we highlighted how the EU was striving to reclaim its digital sovereignty. The European Commission is set to continue that by releasing the Digital Networks Act and the Cloud and AI Development Act, as well as a revision of the Chips Act and the Quantum Act, all of which will strengthen European control over its digital infrastructure.

The US is taking the view that these measures are protectionist, with Daniel Friedlaender, head of office at CCIA Europe, warning that if Europe’s “protectionist push” goes too far, it would risk “provoking countermeasures”. Despite the volatility of the US administration when imposing punitive measures, the EU remains keen on shoring up digital sovereignty.

Read more about this here.

 

ICO releases a new report on AI

With a headline that would make me blush, the ICO has released their report: AI’ll get that! Agentic commerce could signal the dawn of personal shopping ‘AI-gents’. Agentic AI is an AI system that does more than respond to prompts, with the report focusing on the system’s ability to act on people’s behalf.

The report states that within 5 years agentic commerce could be a mainstay in our lives as it anticipates our shopping needs and makes proactive purchases. The ICO reaffirms its stance that AI innovations such as this need to have data protection considered from the beginning. Even as AI becomes more autonomous, it must still comply with data protection law.

Read more about this here.

AI companies slow to comply with EU AI Act

In a move that few could have predicted, AI companies are taking a leisurely pace when it comes to disclosing their training data as part of the new EU AI regulations. Though the Act will not be enforced until later this year, companies that release large foundation AI models must disclose information on their training data.

Publishers are among the loudest complainants, as companies refusing to publish the training data prevents rightsholders from being paid and enforcing their rights if any of the AI models have been trained using their data. This follows previous scepticism from the European Grouping of Societies of Authors and Composers around the transparency requirements being far from sufficient.

Read more about this here.

noyb 2-0 Microsoft

Those with a particularly good memory may recall that noyb brought two complaints against Microsoft with the Austrian DSB. The first of those was decided in October, where the DSB ruled that Microsoft had violated Article 15 of the GDPR. In the second leg, the DSB also officiated over a finding of Microsoft unlawfully placing tracking cookies.

The cookies in question were placed on the device of a minor using Microsoft 365 Education. They analysed behaviour, collected browser data and were used for advertising. The decision was also notable for the DSB rejecting Microsoft’s argument that the EU subsidiary, under the Irish Data Protection Commission, was in charge of Microsoft 365 products across Europe.

Read more about this here.

Brazil deemed adequate by EU

Brazil and the EU have adopted a mutual adequacy decision to allow the free flow of personal data. EU businesses operating in both territories will enjoy greater legal certainty and reduced compliance costs when transferring personal data.

The Constitution of Brazil and its General Data Protection Law were praised as equivalent to the EU Charter of Fundamental Rights and the GDPR respectively. Brazil also has its own independent data protection authority, the snappily named National Data Protection Authority, which helps align the Brazilian data protection framework closely with the EU’s.

Read the decision here.

“Spy cars” present cybersecurity threat

The European Parliament’s defence committee received a warning that modern cars represent a major risk as they are perfect vehicles for spying. The sensors and cameras on modern vehicles, along with their connection to the internet, collect vast amounts of data around the vehicle, its driver and their surroundings.

Paulina Uznańska, of the Centre for Eastern Studies, noted the potential for cars to gather data about military zones whenever they pass by them as one example. Poland is already considering banning the movement of Chinese cars around military sites, in a move similar to the restrictions Tesla cars faced when they were distributed in China.

Read more about this here.

Rise in data breach notifications across Europe

The average number of breach notifications to data protection authorities rose from 363 to 443 between January 2025 and January 2026. This is the first time since May 2018 that notifications have exceeded 400. DLA Piper, who published the report, suggests that this is a result of the abundance of cyber-attacks and new technologies.

Enforcement activity has also been sustained across 2024 and into 2025, with £1.06 billion in fines across Europe’s data protection supervisory bodies. Supply chain security and compliance are attracting increased attention from the supervisory authorities, with processors receiving several fines directly from the authorities.

Read more about this here.

 
