Dispatch from Brussels: Updates on EU Tech Policy

EU at the AI Impact Summit 2026 in India: From 16 to 20 February, Executive Vice-President for Tech Sovereignty, Security and Democracy, Henna Virkkunen, represented the EU at the AI Impact Summit 2026 in New Delhi. The EU endorsed the Leaders' Declaration, which recognises that "AI's promise is best realised only when its benefits are shared by humanity." During the summit, EVP Virkkunen launched several initiatives:

Simplification

EDPB and EDPS issue joint opinion opposing key GDPR changes in the Digital Omnibus: On 11 February, the EDPB and EDPS published a joint opinion expressing serious concerns about the Commission's proposed GDPR amendments under the Digital Omnibus. The authorities strongly opposed the proposed narrowing of the definition of personal data, arguing it goes far beyond simplification and is not in line with CJEU case law. They also challenged the new legitimate interest basis for AI training under a proposed Article 88c, noting it offers little practical clarification, and warned that restricting the right of access to "data protection purposes" only would conflict with established case law. The authorities were more supportive of raising the breach notification threshold to "high risk" incidents, extending reporting deadlines from 72 to 96 hours, and creating a single EEA-wide entry point for breach notifications. The opinion is not binding but is expected to carry weight as the Parliament and Council develop their positions as seen below.

Council deletes revised definition of personal data from GDPR omnibus: According to an article by Euractiv, a leaked Council compromise text, circulated by the Cypriot Presidency on 20 February, reveals that EU Member States have removed the Commission's proposed revision to the definition of "personal data" under the GDPR from the Digital Omnibus package. The Commission's original November 2025 proposal sought to narrow the definition by adding a new paragraph to Article 4(1), clarifying that information should not be considered personal data for an entity that cannot identify the individual using reasonably available means. The removal follows a joint opinion issued on 11 February by the EDPB and EDPS, which strongly opposed the change, arguing it went far beyond simplification and would significantly narrow the scope of EU data protection law. The authorities also rejected granting the Commission power to determine via implementing acts when pseudonymised data no longer qualifies as personal data. The Council's text removes this implementing act power and instead defers to the EDPB's ongoing work on pseudonymisation guidelines. This signals a clear preference among Member States for preserving the GDPR's existing definitions.

Online platforms

Two years of the Digital Services Act: On 17 February, the Commission marked the second anniversary of the DSA entering into force. The Commission highlighted that in just two years, online platforms have reversed almost 50 million decisions affecting users' content or accounts, helping users exercise their DSA rights online in the EU. It also used this two year anniversary to highlight developments in two big DSA application cases which you can read more about below.

Commission preliminarily finds TikTok's addictive design in breach of the DSA: On 6 February, the European Commission issued preliminary findings that TikTok has breached the Digital Services Act due to the "addictive design" of its platform. The Commission identified features such as infinite scroll, autoplay, push notifications, and a highly personalised recommender system as elements that reduce users' ability to disengage and may worsen risks for minors and vulnerable adults. According to the Commission, TikTok failed to adequately assess how these features could harm the physical and mental wellbeing of its users. The Commission indicated that TikTok will need to change the basic design of its service, including potentially disabling key addictive features, implementing effective screen-time breaks (including at night), and adapting its recommender system. This marks the first time the EU has treated platform "addictiveness" as a systemic risk under the DSA. TikTok has denied the findings, calling them "categorically false", and has the right to review the Commission's file and submit a written defence. If the Commission ultimately confirms non-compliance, TikTok could face fines of up to 6% of its global annual turnover.

Commission opens formal proceedings against Shein: On 17 February, the Commission opened formal proceedings against Shein under the Digital Services Act. The investigation focuses on three areas: the systems Shein has in place to limit the sale of illegal products in the EU (including content that could constitute child sexual abuse material, such as child-like sex dolls); the risks linked to the addictive design of the service, including giving consumers points or rewards for engagement; and the transparency of the recommender systems Shein uses to propose content and products to users. The Commission noted that Shein only explained its recommender system "in a very general manner." Ireland's Digital Services Coordinator, Coimisiún na Meán, will be associated with the investigation as Shein has its European headquarters in Ireland. The proceedings follow preliminary analyses of risk assessment reports and responses to three formal information requests sent between June 2024 and November 2025.

Commission launches Action Plan Against Cyberbullying: On 10 February, coinciding with Safer Internet Day, the European Commission adopted an EU Action Plan Against Cyberbullying, aimed at protecting the mental health of children and teens online. The plan is built around three pillars:

techUK International Policy and Trade Programme activities

techUK supports members with their international trade plans and aspirations. We help members to understand market opportunities, tackle market access barriers, and build partnerships in their target market. Visit the programme page here.