Latest GDPR Updates: Regulatory Compliance Update
This article highlights the most recent GDPR developments and regulatory compliance updates in February 2026.
Read about the clarification of the Court of Justice of the EU (CJEU) about pseudonymized data, the CJEU decision on the EU–US bank data transfers under FATCA, the State Data Protection Inspectorate of Lithuania (VDAI)’s decision on soft opt-in, and other regulatory news that took place in January 2026.
Ruling of the CJEU on Pseudonymized Data
In 2017, the EU Single Resolution Board (SRB) shared pseudonymized stakeholder comments with Deloitte during the resolution of a Spanish bank. According to the SRB, the data was pseudonymized and thus was not personal data.
However, the European Data Protection Supervisor (EDPS) had concerns that this pseudonymized data could be considered as personal data, as it could be used to re-identify persons.
The long-running dispute between the SRB and EDPS ended without a final General Court ruling. However, the Court of Justice of the EU clarified that:
- Personal opinions may qualify as personal data if identification is realistically possible.
- Re-identification risk must be assessed case-by-case.
- Pseudonymized data are not automatically anonymous if identification remains possible.
Practical takeaway: document your re-identification risk assessment. If linkage with real persons is possible, treat pseudonymized data as personal data.
Cross-border data transfers: FATCA Data Transfers Under Review
FATCA requires non-US financial institutions (FFIs) to report information about accounts held by US persons (including US citizens) to the US Internal Revenue Service for US tax purposes, in order to combat US tax evasion.
A Belgian court has requested a preliminary ruling on whether the data transfers required under FATCA comply with the EU’s GDPR requirements, including questions about the proportionality of mass transfers, data minimization, and the interaction with the 2023 EU–US Data Privacy Framework.
The CJEU will assess whether EU–US bank data transfers under FATCA comply with GDPR, particularly the mass transfer proportionality and the data minimization principle.
Note: The decision may impact international tax data exchanges. Financial institutions should re-check international transfer practices and safeguards for any automated tax-information exchange flows into the US.
Direct Marketing: Incorrect Use of “Soft Opt-In”
The State Data Protection Inspectorate of Lithuania (VDAI) found that the Lithuanian company UAB Topo grupė unlawfully relied on the “soft opt-in” exception.
VDAI concluded that “soft opt-in” and opt-out-by-silence do not constitute consent for email marketing; consent must be freely given, specific, informed, unambiguous, and expressed by a clear affirmative action.
The company treated a customer’s failure to tick an “I disagree” checkbox as consent. VDAI concluded that this was invalid consent.
The company also could not provide evidence that the promoted offers were truly “similar products/services” to what the customer had bought.
Note: Silence or failure to opt out does not constitute valid GDPR consent. Retailers should also implement demonstrable product/service similarity rules to avoid breaching the GDPR.
Personal Data Breaches in Lithuania (2025 Overview)
In 2025, the State Data Protection Inspectorate (VDAI) received 223 personal data breach notifications, affecting over 1.24 million individuals.
Confidentiality violations were prevalent, accounting for 83% of total incidents. 58% of data breaches were caused by human error, and 29% resulted from cyber incidents. Five fines were imposed.
In the case of a data breach that may result in a risk to the rights and freedoms of natural persons, the data controller should notify the VDAI without undue delay, and no later than 72 hours after becoming aware of the personal data breach.
In 2025, 63% of data controllers notified the VDAI of personal data breaches within 72 hours.
EU AI Act: Safeguards Must Remain Strong
The European Data Protection Board and the European Data Protection Supervisor acknowledged that implementing the EU AI Act will be complex and should be simplified, especially for SMEs and cross-border operators.
They expressed openness to practical simplification, but stressed that simplification must not weaken fundamental rights protections or dilute the core obligations around accountability, transparency, and oversight of high-risk AI systems.
EDPB: Updated Guidance on Processor Binding Corporate Rules
In January 2026, the European Data Protection Board (EDPB) released Recommendations 1/2026 on Processor Binding Corporate Rules (BCR-P).
The 2026 recommendations include:
- Standardized application form.
- Clarified scope and use cases.
- Alignment with Article 28(4) GDPR.
- Enforceable rights and commitments.
- Application guidance mirrors controller BCR recommendations.
- Public consultation phase.
Public consultation is open until 2 March 2026.
How Can CMP Help Stay GDPR Compliant
As regulators narrow their focus on cookie consent and the safety of personal data, Consent Management Platforms (CMPs) have become central to achieving compliance. CMPs are used to provide pop-up banners, record consent, control tracking, and help prove that an organization meets GDPR standards.
CMPs help to comply with regional rules by determining the user’s location and providing the correct Cookie Banner.
CMPs also automate consent handling and updates, so you don’t need to check for updates to privacy laws manually.
CookieScript CMP has the following features:
- Cookie banner design customization
- Cookie banner behavior customization
- Google Consent Mode v2 integration
- IAB TCF v2.2 integration
- Google Tag Manager integration
- Integrations with CMS platforms like WordPress, Shopify, Joomla, etc.
- Certification by Google
- CookieScript API
- Cookie Scanner
- Consent recordings
- Third-party cookie blocking
- Geo-targeting
- Local storage and session storage scanning
In spring 2025, CookieScript received its fourth consecutive G2 badge, recognizing it as the Best Consent Management Platform.
Frequently Asked Questions
What happened in the SRB–EDPS dispute?
In 2017, the Single Resolution Board shared pseudonymized stakeholder comments with Deloitte during the resolution of a bank in Spain. The SRB argued the data wasn’t personal because it was pseudonymized. The European Data Protection Supervisor disagreed, saying people might still be re-identified. The dispute between the SRB and EDPS ended without a final General Court ruling, but the Court of Justice of the EU clarified that personal opinions may qualify as personal data if identification is possible, and re-identification risk must be assessed case-by-case.
What does the Court of Justice of the EU say about pseudonymized data?
In the SRB–EDPS dispute, the Court of Justice of the EU concluded that pseudonymization reduces risk, but it doesn’t automatically render personal data anonymous if identification is possible. Re-identification risk must be assessed case-by-case. Use CookieScript CMP to collect user consent and comply with privacy laws.
Can opinions or comments count as personal data?
Yes, if the person behind the opinion or comment can realistically be identified (directly or indirectly). Personal data isn’t just names and emails. It can include comments, views, and other text responses when a person can be identified. Use CookieScript CMP to collect user consent to use their data.
What is “soft opt-in” supposed to allow?
It’s a narrow exception that allows emailing marketing to existing customers without fresh consent, but only when strict conditions are met. Vendors can promote “similar products/services” without separate consent, provided they offer a clear opt-out. CookieScript CMP can be used to provide a cookie banner and obtain user consent.
What evidence should you keep to defend soft opt-in?
If you want to rely on soft opt-in for email marketing, be ready to provide proof of purchase, the product/service marketed and why it is similar (category rules, tags, mapping), where and when the opt-out was offered, and logs showing that opt-outs were honored promptly and consistently. CookieScript CMP can be used to provide a cookie banner and obtain user consent.