New responsibilities increase DPA workloads

The EU Member States are currently busy organising national supervision of the EU AI Act. National level approaches vary considerably, and several authorities will work in tandem to enforce compliance. In Ireland, the data protection regulator, the DPC, has been designated both as the market surveillance authority and the fundamental rights agency.

The PL&B Conference in Ireland last month gave an interesting insight into the work of the DPC and its supervision. The Supervision team operates independently from other units in the DPC such as those involved in handling complaints or conducting inquiries. It engages with companies prior to them launching new products and allows them to mitigate harms to individuals. Ultimately, the DPC’s message is that innovation and data protection are not mutually exclusive.

Children’s privacy is very much on the agenda worldwide – read about risks and benefits of GenAI to children’s privacy, and about a new international standard for age assurance systems. The EU has now reached a political agreement on the AI Omnibus, giving organisations until 2 December 2027 to adapt to the rules on high-risk AI systems. On 19 May, the European Commission published its long-awaited Draft Guidelines on the classification of high-risk AI systems for stakeholder consultation.

The Digital Omnibus and its impact on the GDPR and the AI Act was one of the themes at the CPDP conference which I attended in Brussels last month. The calls for “simplification” are not the same as deregulation, but everyone agrees the underlying reason is not just competitiveness but pressure from across the Atlantic.

This is a discussion we wish to continue at our 39th International Conference in July with stakeholders from industry, academia and regulators. I hope to meet you there. 

Laura Linkomies
Editor, Privacy Laws & Business

June 2026