IDPC https://idpc.org.mt/ Thu, 12 Mar 2026 13:23:17 +0000

EDPB and EDPS support harmonisation of clinical trials under European Biotech Act, but call for specific safeguards for sensitive health data
https://idpc.org.mt/news-latest/edpb-and-edps-support-harmonisation-of-clinical-trials-under-european-biotech-act-but-call-for-specific-safeguards-for-sensitive-health-data/ Thu, 12 Mar 2026 13:19:40 +0000

12 March 2026

The European Data Protection Board (EDPB) and the European Data Protection Supervisor (EDPS) have adopted a Joint Opinion on the European Commission’s Proposal for a European Biotech Act. The Proposal aims to strengthen Europe’s biotechnology and biomanufacturing sectors, particularly in the area of health, by streamlining the regulatory framework and updating the rules for clinical trials.

The EDPB and the EDPS support the Proposal’s objective of fostering the EU’s competitiveness and addressing existing fragmentation in the application of the Clinical Trials Regulation (CTR). In particular, they welcome the aim to establish a single legal basis for the processing of personal data by sponsors and investigators, which will significantly improve legal clarity across Europe.

At the same time, the EDPB and the EDPS underline that the sensitivity of health and genetic data processed in the context of clinical trials requires a high standard of protection. The Joint Opinion provides several recommendations to ensure that the proposed simplifications do not lower the level of protection for clinical trial participants.

Italy’s Data Protection Authority orders Amazon to stop record-keeping of workers’ personal data
https://idpc.org.mt/news-latest/italys-data-protection-authority-orders-amazon-to-stop-record-keeping-of-workers-personal-data/ Wed, 04 Mar 2026 09:41:10 +0000

04 March 2026

The Italian Data Protection Authority (Garante per la protezione dei dati personali) has ordered Amazon Italia Logistica to immediately stop processing the personal data of more than 1,800 employees at its Passo Corese (RI) site.

The ban concerns workers’ sensitive information which Amazon systematically collected and stored throughout their employment and retained for up to ten years after they left the company, using an internal platform linked to the attendance tracking system and accessible to numerous managers.

The information was recorded on the platform following interviews conducted when employees returned from periods of absence. It included details about medical conditions — such as Crohn’s disease, herniated discs, and pacemaker implants — as well as participation in strikes and trade union activities. In some cases, notes referred to alleged misuse of leave. Personal and family matters were also documented, including references to a terminally ill parent, a sibling with brain cancer and marital separations. Such practices are in breach of legislation prohibiting employers from processing data which are not relevant for assessing an employee’s professional aptitude.

Amazon Italia Logistica was also ordered to stop processing data collected from four surveillance cameras installed near bathrooms and staff break areas.

New Episode: The IDPC Podcast – the Digital Omnibus & EDPB-EDPS joint opinion
https://idpc.org.mt/news-latest/new-episode-the-idpc-podcast-the-digital-omnibus-edpb-edps-joint-opinion/ Mon, 23 Feb 2026 14:15:18 +0000

23 February 2026

The sixth episode in the podcast series organised by the Information and Data Protection Commissioner (IDPC) is now available.

In this episode, we explore one of the most widely discussed EU digital policy developments of the moment — the European Commission’s Digital Omnibus proposal and the joint opinion adopted by the European Data Protection Board (EDPB) and the European Data Protection Supervisor (EDPS).

Hosted by Franco Aloisio, Head of Communications at the IDPC, the discussion features Commissioner Ian Deguara and focuses on:

🔹 What the Digital Omnibus proposal is and why it has sparked wide debate across the EU
🔹 The key points emerging from the joint EDPB–EDPS opinion
🔹 The proposed amendment to the definition of personal data under the General Data Protection Regulation (GDPR)
🔹 Broader proposed changes to the GDPR and their potential implications
🔹 Why simplification must not come at the expense of fundamental rights and legal certainty
🔹 What happens next in the EU legislative process

This episode offers timely insights into how EU policy discussions could shape the future of data protection and digital rights across Europe and beyond.

View this episode on YouTube
Listen to this episode on Spotify

International Data Protection Authorities Issue Joint Statement on Privacy Risks of AI-Generated Imagery
https://idpc.org.mt/news-latest/international-data-protection-authorities-issue-joint-statement-on-privacy-risks-of-ai-generated-imagery/ Mon, 23 Feb 2026 08:31:42 +0000

23 February 2026

Data protection authorities from across the globe have today published a Joint Statement on AI-Generated Imagery (the “Statement”).

The Statement represents the united position of 61 authorities and has been issued in response to serious concerns about artificial intelligence (AI) systems that generate realistic images and videos depicting identifiable individuals without their knowledge and consent. The signatories are especially concerned about potential harms to children.

The Statement outlines key expectations and fundamental principles for all organisations developing and using AI content generation systems including:

  • Implement robust safeguards to prevent the misuse of personal information and generation of non-consensual intimate imagery and other harmful materials, particularly where children are depicted.
  • Ensure meaningful transparency about AI system capabilities, safeguards, acceptable uses and the consequences of misuse.
  • Provide effective and accessible mechanisms for individuals to request the removal of harmful content involving personal information and respond rapidly to such requests.
  • Address specific risks to children through implementing enhanced safeguards and providing clear, age-appropriate information to children, parents, guardians and educators.

The co-signatories aim to share information on their approaches to addressing these concerns including in the areas of enforcement, policy and education.

The Joint Statement has been coordinated by the Global Privacy Assembly's (GPA) International Enforcement Cooperation Working Group (IEWG).

EDPS Opinion 7/2026 on the Proposal for a Regulation extending the application of Regulation (EU) 2021/1232
https://idpc.org.mt/news-latest/edps-opinion-7-2026-on-the-proposal-for-a-regulation-extending-the-application-of-regulation-eu-2021-1232/ Fri, 20 Feb 2026 11:30:19 +0000

20 February 2026

The European Data Protection Supervisor (EDPS) issued an opinion on the proposal for a regulation extending the application of Regulation (EU) 2021/1232 on combatting child sexual abuse online.

On 19 December 2025, the European Commission issued the Proposal for a Regulation of the European Parliament and of the Council amending Regulation (EU) 2021/1232 as regards the extension of its period of application.

The objective of the Proposal is to ensure that child sexual abuse online can be effectively and lawfully combated on the basis of Regulation (EU) 2021/1232 (the Interim Regulation) without interruptions until a longer-term legal framework, to be created by the Proposal for a Regulation laying down rules to prevent and combat child sexual abuse, is agreed. The inter-institutional negotiations on the proposed long-term Regulation have not concluded and, despite the previous extension of the application period of the temporary regime by Regulation (EU) 2024/1307, it is uncertain that they will conclude in time for the long-term Regulation to enter into force and to apply before the Interim Regulation is set to expire. Against this background, the Proposal aims to further extend the period of application of the Interim Regulation until 3 April 2028.

The EDPS recognises that child sexual abuse is a particularly serious and heinous crime and that the objective of enabling effective action to combat it amounts to an objective of general interest recognised by the Union. The EDPS recalls his previous Opinions on the Interim Regulation as well as the EDPS-EDPB Joint Opinion on the matter and provides additional recommendations on how to ensure greater legal certainty, in particular on how to ensure lawfulness of processing within the meaning of Regulation 2016/679.

The EDPS considers that the Proposal presents the right time and opportunity for the co-legislators to address some of the key shortcomings of the Interim Regulation, namely the lack of a clear legal basis for the processing of personal data and the need for effective safeguards against general and indiscriminate scanning, in line with the principles of necessity and proportionality.

Information and Data Protection Commissioner welcomes publication of the European Data Protection Board’s report on the Right to Erasure
https://idpc.org.mt/news-latest/information-and-data-protection-commissioner-welcomes-publication-of-the-european-data-protection-boards-report-on-the-right-to-erasure/ Wed, 18 Feb 2026 11:47:39 +0000

18 February 2026

The Information and Data Protection Commissioner (IDPC) welcomes the publication of the European Data Protection Board’s (EDPB) report on the right to erasure, the fourth edition of the Coordinated Enforcement Action (CEF), which the EDPB coordinates with the main objective of streamlining enforcement and cooperation amongst supervisory authorities. The report highlights actions taken throughout 2025 involving 32 supervisory authorities (including Malta) and a total of 764 controllers across Europe. Its findings summarise the outcome of a series of coordinated national actions and investigations carried out in 2025. The results point to a number of main implementation problems or challenges observed in respect of some controllers, which hinder the full implementation of the right to erasure. As a result, the overall level of compliance is identified as “average”.

However, a number of best practices have also been identified. In this context, the report is presented with a series of recommendations to effectively implement the right to erasure. The report includes an annex with the national reports of all the supervisory authorities that took part in the CEF, including the IDPC.

In this context, concurrently with the other 31 supervisory authorities, the IDPC launched a fact-finding exercise in which it sent questionnaires to 100 data controllers established in Malta across the private sector, within the gaming, insurance, health, finance and banking sectors. The aim was to analyse how data controllers handle and respond to the requests for erasure they receive, and how the conditions and exceptions for the exercise of this right are applied. The overall assessment is encouraging, particularly with regard to some best practices observed. The responses received were used to draft the national report now included in the annex attached to the EDPB report.

The positive references the EDPB report makes to enforcement actions taken by the IDPC are very much welcomed. The same applies to the positive references given to guidance also issued by the IDPC on the right to erasure, particularly a fact sheet available on its website (Your Rights - IDPC) containing a description of data subject rights, including the right to erasure, together with the means and requirements for exercising such rights. 

The right to erasure is considered as one of the most frequently exercised GDPR rights and ultimately one about which Data Protection Authorities (DPAs) frequently receive queries or complaints from affected data subjects. 

As a way forward the IDPC will strive to participate actively in the EDPB’s series of coordinated enforcement actions. In 2026, the CEF will focus on the ‘Compliance with the Obligations of Transparency and Information under the GDPR’ - articles 12, 13 and 14.  

Irish Data Protection Commission opens investigation into X
https://idpc.org.mt/news-latest/irish-data-protection-commission-opens-investigation-into-x/ Tue, 17 Feb 2026 15:05:58 +0000

17 February 2026

The Data Protection Commission (DPC) has today announced that it has opened an inquiry into X Internet Unlimited Company (XIUC) under section 110 of the Data Protection Act 2018.

The inquiry concerns the apparent creation, and publication on the X platform, of potentially harmful, non-consensual intimate and/or sexualised images, containing or otherwise involving the processing of personal data of EU/EEA data subjects, including children, using generative artificial intelligence functionality associated with the Grok large language model via the @Grok account within the X platform.

The decision to commence the inquiry was notified to XIUC on Monday 16 February. The purpose of the inquiry is to determine whether XIUC has complied with its obligations under the GDPR, including its obligations under Article 5 (principles of processing), Article 6 (lawfulness of processing), Article 25 (Data Protection by Design and by Default) and Article 35 (requirement to carry out a Data Protection Impact Assessment) with regard to the processed personal data of EU/EEA data subjects.

On announcing the commencement of the inquiry, Deputy Commissioner Graham Doyle said: “The DPC has been engaging with XIUC since media reports first emerged a number of weeks ago concerning the alleged ability of X users to prompt the @Grok account on X to generate sexualised images of real people, including children. As the Lead Supervisory Authority for XIUC across the EU/EEA, the DPC has commenced a large-scale inquiry which will examine XIUC’s compliance with some of their fundamental obligations under the GDPR in relation to the matters at hand.”

EDPS strengthens DPO role: new guidance and binding rules to protect DPO independence across EU institutions
https://idpc.org.mt/news-latest/edps-strengthens-dpo-role-new-guidance-and-binding-rules-to-protect-dpo-independence-across-eu-institutions/ Mon, 16 Feb 2026 13:15:18 +0000

16 February 2026

Under EU law, all EU institutions, bodies, offices and agencies (EUIs) are required to appoint a data protection officer (DPO). To strengthen the effectiveness and independence of this function, the European Data Protection Supervisor (EDPS) has adopted two key documents clarifying the role and protection of DPOs within EUIs.

On 18 December 2025, the EDPS issued a Supervisory Guidance on the role of DPOs in EUIs. The Guidance clarifies the EDPS’s interpretation of the DPO’s role, position and tasks in EUIs. It provides practical and up-to-date guidance on the designation of DPOs, their institutional positioning, the guarantees of independence attached to the function, and the responsibilities entrusted to them. 

Building on this Guidance, the EDPS adopted Decision 01/2026 on 16 January 2026, establishing binding Rules on the application of the requirement of prior consent by the EDPS for the dismissal of DPOs.  These Rules set out a clear and uniform procedural framework that EUIs must follow when seeking the EDPS’s prior consent before dismissing a DPO prior to the end of their designation term. 

EDPB work programme 2026-2027: easing compliance and strengthening cooperation across the evolving digital landscape
https://idpc.org.mt/news-latest/edpb-work-programme-2026-2027-easing-compliance-and-strengthening-cooperation-across-the-evolving-digital-landscape/ Fri, 13 Feb 2026 09:57:46 +0000

13 February 2026

During its latest plenary, the European Data Protection Board (EDPB) adopted its work programme for 2026-2027.  This is the second work programme to support the implementation of the EDPB strategy 2024-2027.

The work programme is based on the priorities set out in the EDPB strategy and the needs identified as most critical for stakeholders. It also takes into account the commitments made in the Helsinki Statement on enhanced clarity, support and engagement aimed at making GDPR compliance easier, strengthening consistency, and boosting cross-regulatory cooperation.

Built on the four pillars of the EDPB strategy, the work programme focuses on 1) enhancing harmonisation and promoting compliance, 2) reinforcing a common enforcement culture and effective cooperation, 3) safeguarding data protection in the developing digital and cross-regulatory landscape, and 4) contributing to the global dialogue on data protection.

Digital Omnibus: EDPB and EDPS support simplification and competitiveness while raising key concerns
https://idpc.org.mt/news-latest/digital-omnibus-edpb-and-edps-support-simplification-and-competitiveness-while-raising-key-concerns/ Wed, 11 Feb 2026 13:46:33 +0000

11 February 2026

The European Data Protection Board (EDPB) and the European Data Protection Supervisor (EDPS) have adopted a Joint Opinion on the Digital Omnibus Regulation proposal. This proposal aims to simplify the EU's digital regulatory framework, reduce administrative burden and enhance the competitiveness of European organisations.

The EDPB and the EDPS focus on the aspects concerning the GDPR, the EUDPR, the ePrivacy Directive, and the Data Acquis. More specifically, they assess whether the proposal 1) leads to real simplification and facilitates compliance, 2) brings more legal certainty and 3) affects individuals’ fundamental rights.

Changes to the GDPR and the EUDPR

Changes raising significant concerns

Some proposed changes raise significant concerns as they can adversely affect the level of protection enjoyed by individuals, create legal uncertainty and make data protection law more difficult to apply.

The EDPB and the EDPS strongly urge the co-legislators not to adopt the proposed changes to the definition of personal data as they go far beyond a targeted or technical amendment of the GDPR. In addition, they do not accurately reflect and clearly go beyond the CJEU jurisprudence, and they would result in significantly narrowing the concept of personal data.

The European Commission should not be entrusted to decide by an implementing act what is no longer personal data after pseudonymisation as it directly affects the scope of application of EU data protection law. 

“Simplification is essential to cut red tape and strengthen EU competitiveness — but not at the expense of fundamental rights. We welcome the Commission’s steps toward greater harmonisation, consistency, and legal certainty. However, we strongly urge the co-legislators not to adopt the proposed changes in the definition of personal data, as they risk significantly weakening individual data protection,” said EDPB Chair, Anu Talus.

“We strongly urge the co-legislators not to adopt the proposed changes to the definition of personal data. These changes are not in line with the Court’s case law and would significantly narrow the concept of personal data. We must make sure that any changes to the GDPR and EUDPR actually clarify obligations and bring legal certainty while maintaining trust and a high level of protection of individual rights and freedoms,” said European Data Protection Supervisor, Wojciech Wiewiórowski.
