Data Privacy Frontline Report

Here are key highlights from February 2026 detailing global news and regulatory updates.

US & Canada

• California’s attorney general announces a record USD 2.75 million settlement and corrective measures against a media company over failures to properly implement opt‑out requirements across certain streaming services.
• Canada is poised to revisit federal privacy reform in 2026, with the government expected to reintroduce comprehensive legislation after earlier efforts stalled, amid growing emphasis on data sovereignty.
• Connecticut’s attorney general releases a memorandum explaining how existing state laws—including civil rights, privacy, consumer protection, and antitrust statutes—apply to the development and use of artificial intelligence to protect residents from harm.
• US Federal Trade Commission (FTC) issues a warning letter reminding data brokers that the Protecting Americans’ Data from Foreign Adversaries Act prohibits transferring sensitive U.S. personal data to foreign adversary countries, and that violations may be treated as unfair or deceptive practices subject to civil penalties.
• US and Argentina agree to a framework on reciprocal trade and investment that includes Argentina’s recognition of the United States as an adequate jurisdiction for cross-border data transfers (also in LATAM).
• US National Institute of Standards and Technology (NIST) launches the AI Agent Standards Initiative to promote industry‑led standards and protocols enabling autonomous AI agents to operate securely, with interoperability, and with public trust.
• US president’s administration directs U.S. diplomats to actively oppose foreign data sovereignty and localization initiatives, arguing that such regulations could disrupt global data flows and hinder artificial intelligence and cloud services.  

EMEA

• EU member states circulate a leaked Digital Omnibus compromise proposal that would drop the European Commission’s planned revision to the GDPR definition of “personal data,” effectively preserving the existing definition amid concerns about legal uncertainty and treatment of pseudonymized data.
• EU‑Singapore Digital Trade Agreement (DTA) enters into force, creating the EU’s first standalone digital trade framework to enable cross‑border digital transactions, protect personal data and consumers, and ban unjustified data localization (also in APAC).
• EU European Commission confirms it will again delay publishing guidance on which AI systems qualify as high risk under the EU AI Act, missing a revised deadline as it continues integrating stakeholder feedback.
• Ireland publishes the General Scheme of the Regulation of Artificial Intelligence Bill 2026 to implement and enforce the EU AI Act nationally and create a new central AI Office of Ireland.
• Luxembourg’s data protection authority announces that it now has the legal power under recently implemented EU representative actions rules to bring class actions against organizations that violate the GDPR (article in French).
• Saudi Arabia’s data protection authority intensifies enforcement of the Personal Data Protection Law by issuing dozens of decisions against noncompliant organizations, marking the first substantive wave of adjudications since the law became enforceable.
• Spain’s data protection authority publishes guidance on the use of agentic AI, outlining data protection compliance considerations, risks, and safeguards to help organizations ensure lawful and use of autonomous AI systems when processing personal data (article in Spanish).
• UK court of appeal rules that a controller’s GDPR security obligations apply based on whether data is personal from the controller’s perspective, even if the data would be anonymous in the hands of an attacker who unlawfully accessed it.