ARTICLE
29 January 2026

International Data Protection Day: Our Predictions For 2026

Herbert Smith Freehills Kramer LLP

Miriam Everett’s articles from Herbert Smith Freehills Kramer LLP are most popular:
  • within Privacy topic(s)
  • in European Union
  • with readers working within the Transport industries

Happy International Data Protection Day 2026!

In our now traditional annual set of data protection predictions, we note that the wheels of data protection development perhaps move slowly. Readers will note a number of predictions this year that also featured last year, and possibly the year before that! It appears that certain themes, such as international data transfers, and cookies, are not just annual, but also perennial issues in the data privacy world.

However, no matter how predictable certain themes may be, it is undoubtable that 2026 will be another year of key privacy regulation and developments. Our predictions for it all are set out below and we look forward to updating you this year on HSF Kramer Data Notes.


Back in our 2025 data protection predictions, we were discussing the proposed UK reform of data protection legislation under the Data (Use and Access) Bill. Last year saw that bill become law, but the UK's data protection "reform" was perhaps not as revolutionary as it could have been. Concerns about the impact of reform on the UK's adequacy decision (which was due to expire in 2025) perhaps prevented the Government from executing the comprehensive amendments that were originally suggested back in 2021.

Then, towards the end of 2025, the European Commission published its Digital Omnibus Package, including its own proposals to amend and reform the GDPR in Europe. Although no official timeline has been published for implementation of these proposals, we know from experience that the process can take a long time (the GDPR took years to get to an agreed position). However, given that the proposals include amendments to the EU AI Act, we can perhaps assume that there will be pressure to reach agreement before the high-risk requirements to which those proposals relate begin to apply (i.e. August 2026).

The European proposals are perhaps surprising in the obvious influence of AI and other technologies such as biometrics. Some might argue that this results in a more commercial approach, reflecting the reality of data processing in the 21st Century. Others will likely be concerned about the possible erosion of fundamental rights and freedoms. Either way, the UK Government and ICO might be justified in feeling a sense of missed opportunity for UK reform. For further details on the Omnibus Package proposals, please see our blog post here.


Way way way back in 2011/2012, the so-called "cookie law" came into force and made headlines about its rules requiring user consent for the use of cookies and similar technologies on websites. People in Europe adjusted to the new normal of cookie walls and banners starting to appear on every website they visited. Fourteen years on and the world has changed; the use of cookies on websites has become fundamental to the development of AdTech and execution of targeted advertising – the life blood of many businesses; mobile apps have soared, along with use of SDKs built into those apps; and users have divided into two (possibly frustrated) camps – those that "accept all" and those that "reject all".

What hasn't changed in those 14 years is the regulatory focus on the use of cookies and similar technologies. Where supervisory authorities have struggled to enforce the GDPR, they don't seem to have had the same issue with the cookie rules. And the focus looks set to continue in 2026. Both the UK (under the Data (Use and Access) Act) and Europe (under the Omnibus Package proposals) are set to potentially relax some of the cookie rules, particularly around use of analytical cookies. In addition, the ICO announced its online tracking strategy last year, including ensuring that people have meaningful control over tracking on mobile apps. Watch out for cookies (and similar technologies!) in 2026.


With more than a touch of déjà vu, Standard Contractual Clauses (or "SCCs") appear again in this year's data protection predictions. Readers may remember from our 2025 predictions that the European Commission had been due to launch a public consultation on a(nother) new set of SCCs at the end of 2024, with the aim of adoption in Q2 2025.

By way of explanation as to why we might need such a development, when the "new" EU SCCs were first released in June 2021, the accompanying FAQs flagged a gap in the suite of documentation; namely, where the data importer is located in a third country but is directly subject to the EU GDPR under Article 3(2). This gap gave rise to uncertainty, regulatory scrutiny and even enforcement action (think back to the €290 million fine against Uber back in 2024). The European Commission committed to plugging this gap in 2025 but the promised consultation for this new set of SCCs never appeared and the Commission's webpage has now been updated to reflect a planned consultation in Q1 2026 for implementation later in the year. Will 2026 become the year when organisations have to endure yet another international transfer/SCC repapering exercise?


Children's privacy and online safety is likely to be an extremely hot topic in 2026 with a number of consultations and regulatory actions aimed at ensuring the safety of children and their data online.

In December 2025, the ICO announced that it will be scrutinising how popular mobile games played by children in the UK protect their online privacy. The ICO has said that it will launch a monitoring programme targeting 10 popular mobile games. The review will assess the games' compliance with default privacy settings, their geolocation controls, and their targeted advertising practices. It will also consider any other privacy issues identified during the review process. The results of the review are likely to be published in 2026.

At the same time, the UK Government are now actively consulting on a series of possible measures in the digital sector which will have implications for children's privacy, including a social media ban for children under a certain age; raising the digital age of consent; and improving age assurance measures.


Transparency and information obligations are core principles under the GDPR but to date there has been very little guidance around precisely what a privacy notice should look like. There has been lots of criticism: about notices that are too long or too complex; about linking lawful bases to purposes. But privacy notices have nonetheless remained one of those areas where organisations have perhaps found it difficult to get a comprehensive understanding of what "good" looks like.

However, in October 2025, the European Data Protection Board ("EDPB") picked the topic for its fifth coordinated enforcement action, and it picked transparency and the information obligations under GDPR (i.e. privacy notices). The "coordinated action" means that the EDPB prioritises the topic for Data Protection Authorities ("DPAs") to work on at national level. The results of the national actions are then aggregated and analysed to generate deeper insight into the topic and allow for targeted follow-up at both national and European level if needed. Controller organisations should therefore expect to potentially receive questionnaires from their DPA in 2026 and be prepared to explain and justify their transparency processes. And 2026 could even potentially be the year when the EDPB and/or the DPAs finally tell us all what good privacy notices should look like.


Will 2026 become the year of the data class action in the UK? The spectre of data class actions has haunted European business since the EU GDPR came into force. Within the EU, recent collective action mechanisms – most notably the Representative Actions Directive - have led the way for "qualified entities" to bring data-related collective actions on behalf of individuals. In contrast, the UK landscape has been more restrained. Cases such as Lloyd v Google made it more challenging to bring a successful data class action – closing the floodgates to so-called "opt-out" claims for loss of control of personal data, and limiting the prospects for large-scale compensation actions brought without identifying individual class members.

However, the scope of class actions remains an active area of legal development and debate in the UK. 2025 saw the Court of Appeal ruling in Farley and Others v Paymaster (1836) Limited establish a lower bar for what constitutes actionable harm - there is no minimum "threshold of seriousness" for non-material damage, and damages may be recoverable for distress caused by an "objectively well-founded" fear of potential consequences (e.g. identity theft) rather than purely speculative. Whilst the Supreme Court has granted permission to appeal, could this broader concept of damage make it easier to pursue litigation for minor, technical or low-impact data breaches? Twinned with growing public awareness of data rights, could this mark the moment when the UK's collective action door begins to edge open?


We are not sure that there has been a year of HSF Kramer data protection predictions that hasn't featured a prediction on international transfers! And 2026 is no different. The shifting political and regulatory sands continue to make cross-border data transfers one of the most complex areas of data protection compliance for organisations. In Europe, 2025 saw the General Court dismiss the latest challenge to EU-US data transfers with the EU-US Data Privacy Framework ("DPF") being upheld. However, an appeal to the Court of Justice of the European Union is possible and so this may not be the last we have heard of any challenge to the DPF. In addition, Max Schrems has also indicated that he is preparing new, separate litigation, meaning the DPF could face further challenge beyond any appeal of last year's General Court decision.

Elsewhere in the international data transfer world, 2026 should be the year that sees the outcome of TikTok's appeal against its €530 million fine issued by the Irish Data Protection Commission over the alleged transfer of European users' personal data to China. TikTok was granted a stay in 2025, meaning the immediate suspension of its data transfers is paused, subject to certain conditions, including that it would ensure, insofar as it was within TikTok's power to do so, that its appeal is heard no later than March 2026.


Complying with data subject access requests has long been acknowledged as a burden upon organisations in the UK. And the original UK data protection reform proposals sought to relieve some of that burden. The original draft bill amended the provisions for data subject access requests ("DSARs") to allow controllers to refuse "vexatious" requests, potentially as a result of the perceived abuse of DSARs for reasons other than genuine concern regarding data processing. Those amendments didn't make it through to the final text of the Data Use and Access Act 2025 and were criticised at the time as an attempt to fetter the fundamental rights of data subjects. However, the legislation did finally codify previous ICO guidance that only reasonable and proportionate searches need to be carried out in response to a DSAR.

The proposed amendments to DSARs under the European Omnibus Package go further than this and could mean a significant shift in DSAR responses, particularly, for example, where the data subject right is perhaps being exercised as a "fishing expedition" in the context of broader litigation. Under the Omnibus Package are proposed amendments to Article 12 GDPR to enable controllers to either charge a reasonable fee or alternatively outright refuse a request where the data subject "abuses the rights conferred by [the GDPR] for purposes other than the protection of their data". There is obviously a lot of scope for interpretation of what is intended by the phrase "abuses the rights" and the burden of proof will rest with the controller. But nonetheless, this amendment will undoubtedly be welcomed by controllers who have experienced the significant time and resource required to respond to DSARs where it appears that the purpose behind the request is something other than concern about data processing. If the amendments get through, could 2026 spell the end of the DSAR fishing expedition?


2026 is likely to see further scrutiny of so-called consent or pay models. Whilst the models currently being used by platforms largely came about as a result of regulatory scrutiny under the GDPR, 2025 saw the turn of the Digital Markets Act ("DMA") in Europe to scrutinise such models, and Meta was issued with a fine over the binary choice it was giving to users. The likely result of this will be to include an additional 'less data' option for users. Although it remains to be seen whether or not the regulatory authorities consider this more nuanced version of: (i) consent; or (ii) pay, to be acceptable in either a GDPR or DMA world.

In the meantime, in the UK, the ICO welcomed Meta's revised consent or pay model, enabling people to choose between consenting to personalised ads or paying a monthly subscription for an ad-free service. In particular, the ICO focussed on the price point for the "pay" option, noting that "during the course of our engagement with Meta, it significantly lowered the starting price point at which users would be offered a subscription. As a result, users in the UK will be able to subscribe at a price point close to half that of EU users."

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.
