This month, we highlight key developments in data protection, AI, and tech regulation, including updates on the European Commission GDPR and AI Act amendment proposal, a potential new GDPR adequacy decision, and important news for LinkedIn users regarding AI training.
Whether you are managing compliance or simply aiming to stay safer and better informed online, this newsletter is for you.
As always, our Data Protection Team is here to help. If you would like tailored advice or to discuss a specific issue, please contact us using the details at the end of this page.
European Commission’s Proposal for a regulation amending GDPR
On 19 November 2025, the European Commission (EU Commission) published a proposal for a regulation of the European Parliament and Council of amending a series of EU digital legislations (also known as “Digital Omnibus”), including the GDPR and the AI Act.
Key takeaway
The Commission has proposed a series of amendments. Below we outline the key changes from this Proposal.
Redefinition of “personal data” scope: the Proposal clarifies that data does not count as “personal” if that organisation cannot reasonably identify the individual. Even if another entity elsewhere could identify them, that doesn’t automatically make it personal data for the first organisation.
Eased information obligations: Organisations may no longer need to provide the usual GDPR transparency notices, where it can reasonably be assumed that individuals already have the necessary information. This is unless data are shared with new recipients, transferred abroad, used for profiling/automated decision-making, or involve high-risk processing.
Data breach reporting requirements: Only high-risk incidents would need to be notified to the competent supervisory authority, and the notification deadline would be extended from 72 to 96 hours. The Commission also proposed to introduce a single EU-level “entry point” for submitting data breach notifications.
Cookie & tracking rules: Cookie and device-tracking regulations (from the ePrivacy framework) would be directly covered by the GDPR. Proposed changes include simpler consent management (e.g. “one-click” consent/refusal obligation), and that controllers would not be allowed to request the same consent again for a period of six months following the user’s refusal.
Artificial Intelligence / data processing: The proposal would clarify how certain personal data (even including some special categories or pseudonymised data) may be processed for AI development or training under “legitimate interests”, provided safeguards are implemented.
Why is it important?
It is significant that the Commission has now issued this Proposal, given that the GDPR has not been subject to any substantial amendments to its core provisions since its entry into application in 2018.
The Commission’s stated objective is to simplify and clarify the GDPR framework, which may lead to a modest reduction in compliance burdens.
EDPB adopts its opinion on the EU Commission’s draft Brazil adequacy decisions
On 4 November 2025, the European Data Protection Board (EDPB) adopted its positive opinion on the European Commission’s draft decision on the adequate level of protection of personal data in Brazil.
Key takeaway
On 5 September 2025, the European Commission started the process towards the adoption of its draft decision on the adequate protection of personal data by Brazil and asked for the opinion of the EDPB.
In its opinion, the EDPB positively noted that the Brazil data protection framework establish requirements that are closely aligned with the GDPR and case law of the Court of Justice of EU. It also urged the Commission to closely monitor and clarify several issues, especially including:
- the accountability principle and the data protection impact assessment requirements;
- limitation on the information provided to data subjects or the supervisory authority in certain cases based on “commercial and industrial secrecy”;
- international personal data transfer rules in the absence of an adequacy decision or of appropriate safeguards;
- personal data processing for criminal law enforcement purposes.
Why is it important?
This development is important because Brazil is not yet recognized by the EU as providing an adequate level of data protection, and the Commission’s draft adequacy decision represents a major step toward that status.
If adopted, an adequacy decision would allow personal data to flow from the EU to Brazil without the need for additional transfer safeguards.
LinkedIn, by default, uses the personal data and content created by its users to train its AI system
From November 3, 2025, LinkedIn is using the personal data and content created by its users (with the exception of private messages) to train its artificial intelligence (AI) system. This change is set out in LinkedIn’s updated privacy policy.
Key takeaway
In accordance with Article 21 of the GDPR, users have the right to object to their data being used for AI training purpose. LinkedIn has provided such option in the user's account privacy settings.
This right to object can be exercised at any time.
Why is it important?
It is increasingly common for AI developers to train systems using personal data that is publicly accessible or scraped from online platforms. For major platforms such as LinkedIn and Meta, the volume of user-generated content makes integration into AI training particularly straightforward.
Users should therefore remain vigilant; ensure they understand the scope of such processing and exercise their right to object where appropriate.
Implementation of an AI Act Whistleblower tool
The European Commission has launched a whistleblower tool that lets people report suspected breaches of the AI Act.
Key takeaway
This tool, accessible from August 2026, gives the European Union (EU) a practical way to hear directly about potential non-compliance with the AI Act, especially issues that might affect fundamental rights or safety. Reports remain confidential, anonymous, and full protection against retaliation under the Whistleblower Directive is offered.
Anyone with knowledge, from employees, contractors to partners, can file a report anonymously and upload supporting documents. The system includes a secure inbox so the EU can follow up without revealing the whistleblower’s identity.
Why is it important?
For organisations working or using AI tools, this raises the bar on accountability. Internal practices that might not respect the AI Act requirements including those with links to data protection can now be reported externally and anonymously. It also signals that the EU is gearing up for active enforcement.
Contact
Need advice on Data Protection, AI, or Whistleblowing compliance?
Our Data Protection team is ready to help. Contact us to explore how we can assist you : Dara Kelly, Co-Lead Advisory Partner, or Pasquale Esposito, Data Protection Officer.