Editor's note: The IAPP is policy neutral. We publish contributed opinion pieces to enable our members to hear a broad spectrum of views in our domains.
Artificial intelligence has been a well-established discussion point for a while. Within the field of AI, recent attention has been centered on AI agents.
The importance of this subject from the lens of privacy is clear as national data protection authorities are starting to issue their advice on agentic AI. After last month's concise commentary on this topic from the U.K. Information Commissioner's Office, Spain's data protection authority, the Agencia Española de Protección de Datos, is the next privacy regulator to address agentic AI in its 18 Feb. guidelines.
The AEPD, the first European DPA to put out such elaborate guidance on the topic, aims to clarify the intersection of this continuously evolving technology and data protection rules. It explains the concept of agentic AI and its vulnerabilities in relation to processing personal data. Risks include inadequate management of user data access and human oversight, as well as prompt injection-related threats. The guidance also provides advice on measures data controllers and processors can adopt to mitigate risks, including robust, organization-specific and privacy-embedded governance and management processes.
Priorities for the year ahead, beyond
A common topic across outputs from several European DPAs this month is priorities for 2026 and beyond. The Netherlands' data protection authority, Autoriteit Persoonsgegevens, is planning to focus on three key themes in the coming two years: mass surveillance, AI and digital resilience. In 2026, the AP will publish guidance on the responsible use of AI, fight mass surveillance by discouraging excessive use of tracking technology and, if needed, through enforcement action, and work on enhancing its cooperation with other Dutch regulators.
Sweden's DPA, the Integritetsskyddsmyndigheten, has also identified three topics to focus its supervision and guidance on this year: law enforcement, minors and youth, and the use of AI in the public sector. The Czech Republic's DPA, Úřad pro ochranu osobních údajů, will be focusing on many issues, including the role of data protection officers in the public sector and personal data processing in debtor registers, in relation to sending evaluation surveys and in processes concerning the Schengen Information System.
The European Data Protection Board has also provided an overview of its priorities in its 2026-27 Work Programme released earlier this month, which reflects last summer's Helsinki Statement commitments, such as improving dialogue with stakeholders and facilitating compliance with the EU General Data Protection Regulation. The EDPB will develop various tools, including templates for data breach notifications, data protection impact assessments, legitimate interest assessments, opinions on codes of conduct and certification criteria, as well as guidance on anonymization, pseudonymization, pay-or-consent models, legitimate interest, children's data and more.
Due to last year's adoption of the GDPR Procedural Rules Regulation, certain guidance is planned to be updated, including on preliminary steps to handle a complaint, mutual assistance under Article 61 of the GDPR and the urgency procedure under Article 66. In addition, the EDPB plans to work on eliminating inconsistencies between national and EDPB guidance as well as provide advice on cross-regulatory cooperation and the intersection between data protection and other EU laws.
EDPB Coordinated Enforcement Action report, EDPS opinions
The EDPB also published a report on the results of its 2025 Coordinated Enforcement Action, during which 32 European privacy regulators inspected the effectiveness of the right to be forgotten under the GDPR. The report identified issues with the adequacy of information notices and internal procedures concerning the handling of erasure requests. DPAs noted that some controllers turn to inadequate anonymization techniques instead of deleting data and that they struggle with determining when to fulfill right-to-be-forgotten requests.
The report also highlighted best practices for each issue identified and provided certain recommendations for controllers to tackle them. This year, for its fifth Coordinated Enforcement Framework action, the EDPB chose to focus on the obligations of transparency and information under the GDPR.
The European Data Protection Supervisor published two opinions in February. One focused on the Digital Omnibus proposal and was widely discussed. The other concerned the proposal to extend the application of the interim child sexual abuse material detection regulation, and it did not receive as much attention online. This is significant as the current interim regulation is set to expire in April and the CSAM regulation that sets out more permanent rules on detecting, reporting and removing CSAM and preventing grooming of children online has been stuck in the EU's legislative process since 2022.
In its opinion, the EDPS recognizes the gravity of the issue, but also provides advice on aligning the processing of personal data under the proposed instrument with the GDPR, highlighting the need to establish a clear legal basis for such processing and ensure robust protections against general and indiscriminate scanning.
The importance of this topic is also highlighted by the recent public disturbance concerning AI-generated deepfakes, as it was revealed some inappropriate imagery generated through the X platform's Grok chatbot included minors. Ireland's Data Protection Commission launched an investigation into the matter, which is also being looked into at the EU level.
Laura Pliauškaitė is European operations coordinator for the IAPP.

