Monthly Update – February 2026

February came in fast - and brought some important developments in EU privacy law worth breaking down.

On the EU side, three updates stood out this month: a court decision that could affect how early big GDPR cases can end up in court, regulator feedback on the Commission's Digital Omnibus simplification plans, and a reminder that the right to delete data only works if your systems can actually do it.

Here is our February snapshot.

⚖️ CJEU: You can challenge an EDPB binding decision (earlier than you thought)

What happened:

The Irish data protection authority (the DPC) led an investigation into WhatsApp Ireland, focusing on transparency. The DPC shared its draft decision with other EU data protection authorities (DPAs), which objected to it. Since the DPAs could not agree, the dispute was escalated to the European Data Protection Board (the EDPB), which issued a binding decision instructing the DPC to change parts of its draft. The DPC then adopted its final decision, taking the EDPB's feedback into account.

And next?

WhatsApp challenged the EDPB's binding decision directly before the Court of Justice of the European Union (the CJEU). The Court ruled that this challenge is admissible, opening the door to earlier court scrutiny of EDPB decisions in certain cases.

What this means for you:

If you are a business with a meaningful EU presence:

• Plan for disputes earlier. In some cases, companies may be able to challenge key decisions before the lead regulator issues its final decision.

• Higher stakes for documentation. The arguments you make during an investigation - and how you evidence them - may be tested in court sooner than expected.

• More complexity, more time. Large cases could take longer and cost more if early challenges become a standard move.

🧩 Digital Omnibus: Joint Opinion from the EDPB and the EDPS

The EDPB and the European Data Protection Supervisor (EDPS) published a Joint Opinion on the Commission's Digital Omnibus package.

Areas they support:

• Data breaches: raising the threshold for notifying a breach to the relevant DPA and extending the deadline to submit such a notification.

• Scientific research: greater harmonisation and clarity around what counts as scientific research.

• Consent and cookie banners: finding solutions to address "consent fatigue."

Topics where they raised concerns:

• Definition of personal data: the proposal could narrow the GDPR's scope by changing how "identifiable" data is assessed in practice.

• The interaction between the GDPR and the AI Act: the proposal includes specific rules for AI development; the EDPB and EDPS recommend several improvements and clearer safeguards.

What this means for you:

• Do not count on the Digital Omnibus creating a "light version" of the GDPR. Regulators are signalling that the goal is to simplify processes, not lower safeguards.

• If you rely heavily on cookie or marketing mechanics, keep an eye on these developments: changes to the ePrivacy Directive could affect consent flows and banners.

• If you are building or using AI systems, assume privacy expectations remain high even if some obligations get repackaged.

🧽 EDPB 2025 Coordinated Enforcement: The right to erasure is still harder than it looks

The EDPB published the results of its 2025 Coordinated Enforcement Framework action on the right to be forgotten. Identified pain points included a lack of internal deletion processes, limited information provided to individuals, the use of weak anonymisation as a substitute for deletion, and difficulties in setting and enforcing retention policies.

What this means for you:

• Pressure-test your data deletion process across systems:

  • Can you recognise a deletion request when it comes in?

  • Do you know who owns it internally - and who else needs to be involved?

  • Do you know how to act once you receive a deletion request (for example, whether to respond directly or to carry out internal checks first)?

• If you rely on anonymisation instead of deletion, make sure it is genuinely effective.

• Review your retention schedules. Make sure they are defensible - and that they are actually enforced within your organisation.

That's a wrap!

From the CJEU opening the door to challenges against EDPB binding decisions, to regulators putting guardrails around the Digital Omnibus "simplification" push, to a practical reality check on the right to erasure it is clear: EU privacy is getting more operational and more enforceable.

Need help translating these developments into practical next steps? We track key updates from EU institutions and DPAs and break them down into clear actions. Book a free introduction call if you want tailored advice on what to prioritise - and what can wait.

See you next month, The Privacy Power Team