Looking ahead to 2026, data protection laws in the UK and other jurisdictions will continue to evolve to meet novel challenges. What that evolution will look like is unclear, but past precedent and recent trends can help us make some predictions.
With that in mind, three themes should be on everyone’s radar.
1. The EU’s Digital Omnibus says a lot, but how much will it do?
In November 2025, the European Commission published its ‘Digital Omnibus’, a package of proposed reforms to EU laws including the EU’s GDPR. Critics immediately warned that the proposals would water down data protection standards for individuals. The Commission was accused of selling out to the US tech giants.
Here in the UK, we’ve seen this before – the Conservatives proposed what were described as radical changes to data protection laws back in 2021. It took nearly half a decade and a change of government to bring only the modest reforms contained in the Data (Use and Access) Act 2025. Those reforms will come into effect in 2026 and are likely to go ahead largely unnoticed. What started with a fanfare will end with barely a whimper thanks partly to the difficulty in making significant changes to data protection laws – and that’s in the UK, where the legislative process is much more straightforward than in the notoriously labyrinthine EU.
Expect the EU’s Digital Omnibus to generate plenty of debate and extensive lobbying from all sides in 2026, but don’t expect any radical reforms at an EU level for a while yet, if at all.
2. Individuals will look to the courts rather than the regulator to uphold their rights
In November 2025, a group of over 70 civil society organisations, academics and legal practitioners signed an open letter criticising the Information Commissioner’s Office for its lack of enforcement of the UK’s data protection laws. The trigger for the letter was the ICO’s decision not to investigate the Ministry of Defence over the massive Afghan data breach that came to light earlier in 2025, but speaks to much wider concerns.
Under its current leadership, the ICO has mainly avoided formal enforcement action against organisations that do not comply with data protection law. The regulator even has a policy, recently renewed, not to fine public sector bodies for breaches. Both the government and the ICO itself appear content to continue the current approach.
Some of this is merely pragmatic: robust enforcement is open to challenge, and the ICO appears to lack confidence. For instance, in October the professional services firm Capita paid out £14m in what was described as a ‘voluntary settlement’, rather than receive the £45m fine the ICO originally intended to impose.
Meanwhile, the UK courts continue to deal with a steady stream of individual claims relating to data breaches. Decisions have been closely watched to see if the courts find in favour of data controllers or data subjects. The latest, the Court of Appeal’s decision in the ongoing Farley v Equinity litigation, seems to have swung the pendulum a little more towards the latter, ruling that there is no minimum threshold for seriousness in order to pursue a claim for damages. Keep an eye on the courts in 2026 to see whether this trend continues.
3. We’ll all still be talking endlessly about AI
Whether you’re a sceptic or an enthusiast, arguments about how best to regulate AI are only going to grow as more and more use cases are found and the technology moves on. It seems inevitable that governments around the world will choose to introduce more legislation to regulate AI at some point in the future.
For now, data protection advisers such as myself can only counsel clients on how best to grapple with AI’s use of personal data. The current rumours swirling of popular large language models introducing adverts show the potential dangers of oversharing personal information on these platforms. So adopt a cautious approach, find out how AI will use – and potentially reuse – your personal data, and carry out appropriate risk assessments before diving in.
Jon Belcher is data protection and information governance partner at Excello Law
No comments yet