INSIGHT: Reworking Data Protection and Data Retention – Back to the Future? 

With the sun setting on 2025, the political focus of the European Commission and the Council is shifting towards simplification and harmonization of the existing regulatory framework, including the rules for Data Protection under the GDPR within the envisioned Digital Omnibus. The Commission, it seems, is finally addressing the lingering question on how to tackle – among other topics – cookie rules and provisions. These were initially intended to be covered within the confines of the ePrivacy Regulation, which was retracted by the Commission approximately eight years after its first presentation and after roughly four years in trilogue. 

It remains to be seen whether this new approach for regulating online tracking of users will prove to strike a balance between respecting and safeguarding users’ rights and avoiding overly complex provisions requiring consent forms, which diminish the online experience of users. Additionally, the topic and further elaboration of the term personal data is central to the future of data protection. Here, the ongoing debate will show whether Commission, Parliament and Council will be able to find an accessible and workable definition for personal data and link it to the legal forms for data processing. 

While data protection rules are experiencing a fresh approach, another topic is emerging. Data retention has been a recurring concern for European and national lawmakers. The Danish Presidency of the Council has proposed “Future Rules on Data Retention” and consulted them with the Member States, leading to an outcome paper presented in November 2025. The foreseen retention durations in the conclusive document of the Danish presidency range from six months to one year. 

These requirements cannot be reconciled with the decisions of the Court of Justice of the EU, which has clearly stated that access to data cannot be pursued through unsolicited, encompassing data storage. And its 2024 decision did not change anything in this respect, but rather specified the conditions under which access is possible. 

Politically, 2026 is likely to see recurring cycles of discussions on online tracking and surveillance, with uncertain outcomes for the Internet industry. The Digital Omnibus has yet to pass the European Parliament and the demand for new data retention rules has yet to be put into a Commission draft. However, discussing the streamlining and simplification of rules for online tracking against the backdrop of seamless online surveillance may prove harmful and fuel criticisms, which deride the necessary clarifications in the data protection framework as unsolicited. Navigating this environment will be a priority challenge for the Internet industry in 2026.