Seven years after the GDPR reshaped global data governance, Europe has entered a new phase of regulatory refinement in privacy. The publication of the Digital Omnibus Package and the agreement on the GDPR Procedural Regulation mark pivotal moments as the EU seeks to reduce red tape, strengthen cross-border enforcement, and bolster the continent’s competitiveness in the data-driven economy by addressing a complex constellation of overlapping laws, all while safeguarding individuals’ fundamental rights. With the proposed targeted amendments to the GDPR, which aim to clarify the definition of personal data, streamline certain transparency obligations, improve conditions for scientific research, and recognise legitimate interests in AI system development, the European Commission aims to bring much-needed legal certainty. Yet these efforts have sparked intense debate, with some stakeholders welcoming simplification to unlock innovation and level the playing field with global competitors, while others warn of a potential erosion of safeguards at the heart of the GDPR, particularly around accountability, transparency and data subject rights.

Meanwhile, the GDPR Procedural Regulation seeks to resolve long-standing bottlenecks within the One-Stop-Shop mechanism by harmonising admissibility criteria, strengthening cooperation between national supervisory authorities, and introducing binding deadlines for investigations. But questions remain about whether these new procedures will truly accelerate cross-border cases or introduce new layers of administrative complexity.

Against this backdrop, this session will unpack what these reforms mean for the future of European data privacy. Panellists will assess whether they meaningfully reduce compliance burdens, foster responsible digital tech development and support a harmonised Digital Single Market or whether further work is needed to reconcile innovation, legal certainty and fundamental rights protection.

Possible questions:

• To what extent do the measures included in the Digital Omnibus package represent a necessary evolution to support the data economy and SME growth?
• How can it be ensured that the proposed changes to the definition of “personal data”, transparency exemptions and legitimate interest provisions do not erode the accountability principle of the GDPR? Will clarifications around anonymisation, pseudonymisation, and a more subjective definition of personal data provide sufficient legal certainty or risk fragmentation and litigation?
• How will the proposal to recognise AI model training as a “legitimate interest” influence the European innovation landscape? Does this provide the necessary legal certainty for developers, or does it conflict with the risk-based approach of the AI Act and the protection of sensitive data?
• To what extent will the GDPR Procedural Regulation’s strict deadlines (such as the 15-month limit for complex cases) and harmonised admissibility standards truly resolve the deadlock in cross-border investigations? How can authorities balance the demand for speed with the rights of defence and due process?
• Will the proposed measures help Europe maintain its position as the world’s most trusted digital jurisdiction while ensuring its market remains attractive to investors, researchers, and emerging technology providers?

In an era defined by hyper-personalisation and AI-driven services, where nearly every digital interaction can be tracked, analysed and monetised, the tension between seamless user experiences and meaningful individual control has intensified. In Europe, the regulatory response spans multiple frameworks, such as the GDPR, ePrivacy reforms, the Digital Services Act, and the anticipated Digital Fairness Act, each addressing distinct yet interconnected dimensions of the digital economy. Recent EDPB guidelines on the DSA-GDPR interplay, along with proposed measures in the Digital Simplification Package around automated consent mechanisms, new tracking technology rules, and the Digital Fairness Act’s anticipated provisions on manipulative design, collectively signal Europe’s determination to shield users from dark patterns, unfair personalisation and opaque data practices. 

This session will examine whether Europe’s evolving digital rulebook can successfully anchor innovation in a framework of fairness, trust and user empowerment. Panellists will explore the EDPB’s latest guidance on GDPR–DSA interplay, the implications of automated consent mechanisms and browser-based signals, the DFA’s forthcoming impact on advertising models, persuasive vs. manipulative design, and the future of AdTech. Against the backdrop of widespread consent fatigue and declining public trust, the discussion will ask whether simplification will truly deliver user empowerment or risks undermining the very individuals these reforms aim to protect. Speakers will assess what coherent, future-proof enforcement looks like, how organisations can provide meaningful transparency, and how placing individuals at the centre can become a competitive advantage in Europe’s digital economy.

Possible questions:

• In an environment of sophisticated behavioural targeting and AI-powered prediction, how can individuals maintain genuine control over how their data shapes their online experience?
• What practical challenges emerge from the EDPB’s guidance on GDPR–DSA interplay, particularly around risk assessments, automated moderation and data minimisation? How can companies ensure that content moderation and recommender system transparency obligations don’t inadvertently violate data minimisation or automated decision-making principles?
• To what extent will the proposed simplification reforms successfully balance individual autonomy, innovation and effective enforcement, and is further intervention inevitable?
• To what extent will the proposed introduction of automated, machine-readable browser signals and “one-click refusal” mechanisms genuinely resolve consent fatigue, or do they risk oversimplifying complex data processing that individuals should genuinely understand? 
• How will the DFA’s provisions on manipulative interfaces, targeting restrictions and unfair personalisation reshape business models?
• How can advertisers pivot toward first-party data and contextual targeting while maintaining competitiveness? Will audience-measurement exemptions and clarified lawful bases under the Omnibus offer meaningful operational flexibility?
• Are current reforms sufficiently future-proofed to address algorithmic decision-making, AI-powered targeting, and the next generation of behavioural personalisation techniques?

The digital economy has fundamentally altered the regulatory landscape, forcing a convergence of two regimes that once operated in silos: Competition Law and Data Protection. The implementation of the DMA, together with the ongoing application of the GDPR, has transformed Europe’s regulatory ecosystem, forcing regulators, gatekeepers, and business users alike to confront how these frameworks intersect, complement, and challenge one another. As the European Commission and European Data Protection Board have issued joint guidance on the interplay between the DMA and GDPR clarifying how gatekeepers should navigate DMA obligations (such as real-time data portability, data access for business users, and interoperability) while remaining fully compliant with GDPR principles on consent, minimisation, anonymisation, and purpose limitation, critical questions have emerged: Can privacy enforcement unlock competition by reducing data-driven market power? Or will the compliance burden disproportionately advantage large incumbents? Do interoperability and data-sharing obligations risk conflicting with GDPR provisions? What does this regulatory convergence mean for innovation, AI development, and the competitiveness of the EU’s digital sector?

In an increasingly connected world, the smooth and secure flow of personal data across borders is the lifeblood of the global digital economy. However, as geopolitical shifts influence policy and countries adopt unique national approaches to data protection and digital sovereignty strategies, international organizations are left to navigate a maze of divergent regulatory frameworks. Policymakers, regulators, and industry actors worldwide are increasingly focusing on interoperability and on practical ways for data protection frameworks to work together without lowering standards. 

This session will explore how to strengthen high-level data protection while enabling the secure and seamless transfer of personal information worldwide. Speakers will examine progress to date, including progress toward adequacy decisions, mutual recognition and shared standards, and discuss the further steps needed to reduce complexity for organisations, enhance legal certainty, and deliver stronger protections for individuals, regardless of where their data travels. 

Possible questions:

• How can regulators balance the imperative for high protection standards with the reality of differing national approaches? What role should international agreements play in creating a unified framework rather than adding further complexity? 
• As geopolitical tensions increasingly influence data governance and sovereignty ambitions, how can stakeholders maintain trust while ensuring data moves securely across borders?
• What role do international agreements and multilateral frameworks, such as the Global CBPR Forum, OECD initiatives, ASEAN mechanisms or Convention 108+, play in shaping a more unified global approach to data protection? What mechanisms are most effective in building trust between regulators, businesses, and consumers in cross-border data transfers?
• How do we move from the theoretical concept of “Data Free Flow with Trust” to practical implementation? 
• What are the limits and opportunities of mutual recognition, adequacy, and shared principles? As adequacy decisions expand, what lessons can be learned from recent EU recognitions of South Korea and Brazil?
• With organisations facing an expanding array of transfer tools and requirements, what new approaches can help reduce uncertainty and complexity while maintaining robust safeguards? How can companies future-proof their international data transfer strategies amid shifting global regulatory landscapes and geopolitical uncertainties?

As governments accelerate the digitisation of public services, they face a critical dual imperative: leveraging innovation to enhance service delivery while strictly safeguarding citizen privacy. Public agencies are the custodians of society’s most sensitive assets, from healthcare records to national security data, while navigating an increasingly complex landscape of cyber threats, legacy systems, data silos and growing public expectations for transparency and trust. How can Public Authorities harness the power of digital innovation while maintaining the trust that underpins democratic governance?

This session will examine the complex intersection of data sovereignty, cybersecurity, and privacy rights in the public sector. The discussion will address how modern regulatory frameworks, including the EU Digital Identity Wallet and evolving data protection standards, are shaping the landscape of digital public services. Participants will explore the opportunities and risks associated with cloud computing, AI deployment, and data retention practices in government contexts. The session will also explore how innovation, modern governance, and privacy-by-design principles can enable governments to manage, share, and protect data responsibly and effectively. It will address the persistent structural challenges facing the public sector, from data silos to outdated infrastructure and high-velocity data streams, and discuss what is needed to build secure, future-ready public services that enhance public trust.

Possible questions:

• What specific challenges arise when enforcing EU data protection rules in the public sector, and how can oversight authorities strengthen compliance? Does the current framework provide sufficient “teeth” to ensure public-sector accountability and enforcement?
• How are cloud solutions deployed in government without compromising compliance, accountability, or national security?
• How can governments break down data silos to improve efficiency while avoiding new vulnerabilities or single points of failure? What governance models best support secure and ethical data sharing across agencies without creating new risks or dependencies?
• How can privacy-by-design be made a technical reality in legacy-heavy public-sector environments? What strategies and tools can help governments modernise legacy systems while ensuring continuity, security, and resilience for essential public services?
• How will the EU Digital Identity Wallet reshape interactions between citizens and public administrations? What safeguards, consent mechanisms, and transparency measures must accompany its rollout?

The rapid ascent of generative and agentic AI has intensified long-standing questions around data collection, training practices, transparency, and the rights of individuals whose personal data fuels these technologies. Indeed, from training data to automated decision-making outputs, personal data can be implicated at every stage of the AI lifecycle, and ensuring coordinated, complementary rules between AI and data protection regimes is therefore essential to providing legal certainty, preserving cross-border data flows, and enabling responsible AI deployment.

This session will explore how privacy-by-design, data minimisation, PETs, and emerging governance frameworks can enable responsible, trustworthy high-impact AI innovation without compromising data protection. Speakers will also examine how the GDPR, the EU AI Act, and international regulatory initiatives interact, discuss the evolving role of Data Protection Authorities in AI oversight, and examine emerging operational models for assessing risks associated with large language models and agentic AI. This session offers a roadmap for building trust-based, compliant AI ecosystems that protect privacy, support digital sovereignty, unlock data value, and deliver social and economic benefits for the greater good.

Possible questions:

• What is the practical interplay between the EU AI Act and GDPR, and how should businesses prepare for dual compliance while navigating complementary yet distinct requirements? To what extent do the proposed measures included in the Digital Omnibus package address this? How can the proposed reliance on “Legitimate Interests” for AI model training function in practice, particularly regarding opt-out mechanisms and safeguards?
• Do current privacy principles and toolkits adequately address the risks of generative and agentic AI, including data scraping, autonomous decision-making, and rights to rectification or deletion when LLMs hallucinate personal data?
• How can organisations embed privacy-by-design across the entire AI lifecycle and shift toward converged data-risk governance that unifies legal, IT, security, and business functions?
• How can Privacy-Enhancing Technologies reconcile AI’s demand for large, diverse training datasets with GDPR requirements for minimisation, purpose limitation, and user rights? What are the practical challenges, limitations, and trade-offs of deploying PETs at scale?
• How can PETs and trusted data intermediaries support secure data sharing, data spaces, and digital sovereignty while empowering individuals to manage access to their personal data? What steps are needed to establish international PET standards, strengthen interoperability, and accelerate regulatory incentives—such as guidance, sandboxes, or safe harbours—to support responsible AI innovation and protect individuals’ rights?