Are you tired of generic newsletters that skim over your real challenges? Dastra offers you Dastra Insights, a legal and regulatory watch specially designed for DPOs, in-house counsel, and Privacy and AI professionals.
🎯 Targeted, useful monitoring grounded in the day-to-day reality of data protection and AI.
Here is our selection for April 2026:
AI Act Omnibus: stalled negotiations & uncertainty over the timeline
Date: 28 April 2026
Source: Reuters link
The trilogue on 28 April 2026 on the AI Act Omnibus package, introduced by the Commission in November 2025 to simplify certain aspects of the implementation of the AI Regulation, ended in failure.
The institutions appeared to be converging on several points, notably a postponement to 2 December 2027 for high-risk systems under Annex III and to 2 August 2028 for AI embedded in already regulated products.
However, the disagreement concerned a structural point: the place of AI systems embedded in products covered by existing sector-specific legislation, such as medical devices, machinery, toys, or connected vehicles.
The issue is whether these systems should remain fully within the scope of the AI Regulation or be governed primarily by sectoral rules.
In the absence of an agreement, the currently applicable timeline remains in force, meaning that the 2 August 2026 deadline for certain obligations on high-risk systems remains, at this stage, the legal reference point.
Even if discussions are to continue (new negotiations around 13 May), companies cannot assume that a postponement will be adopted in time. Some obligations outside the Omnibus, notably the transparency requirements for certain generative AI systems under Article 50, remain immediate compliance priorities.
The EDPB adopts a Data Protection Impact Assessment (DPIA) template
Date: 14 April 2026
Source: Official link
The EDPB has adopted a Data Protection Impact Assessment (DPIA) template to help organizations structure and document their assessments more consistently across the EU.
The Board specifies that a DPIA is required where processing is likely to result in a high risk to rights and freedoms, and that the template was designed to guide controllers step by step.
The template comes with an explanatory document intended to make it easier to use and to address possible issues of interpretation.
Use of the template is not mandatory, but the EDPB highlights its practical value: predefined fields, better completeness, reduced risk of error, and time savings.
The text is open for public consultation until 9 June 2026; after this phase, national authorities will need to take the necessary steps to adopt it either as a single standard or as a “meta-model” aligning national templates.
EDPB consultation on guidelines on scientific research
Date: 16 April 2026
Source: Official link
The EDPB has launched a public consultation on its Guidelines 1/2026 concerning the processing of personal data for scientific research purposes.
The consultation page clearly identifies the topics covered: health, controller and processor roles, legal basis, consent, and data subject rights.
The timeline is also important: the consultation is open from 16 April to 25 June 2026. For lawyers and DPOs, this text deserves particular attention because it is likely to influence how legal basis, information notices, and safeguards are assessed in research projects, especially in health and AI-related uses.
EDPB Annual Report 2025
Date: 9 April 2026
Source: Official link
The EDPB has published its 2025 Annual Report, which does not in itself create new obligations but provides a clear indication of the Board’s institutional and doctrinal priorities.
The report highlights the Helsinki Statement on Enhanced Clarity, Support, and Engagement, aimed at making GDPR compliance clearer and more workable.
It also emphasizes the growing importance of inter-regulatory cooperation, notably with the Commission, on the relationship between the GDPR and other digital-law instruments such as the DMA, the DSA, and the preparatory work on the AI Act.
European Commission and EDPB: joint work on competition and data protection
Date: 28 April 2026
Source: Official link
The Commission services and the EDPB have announced the launch of joint work aimed at producing guidance on the interaction between EU competition law and data protection law.
The press release states that this work will focus on targeted situations in which data law is relevant to the competition analysis, and vice versa.
The stated objective is to ensure a coherent approach across the two bodies of law, while providing greater clarity for economic operators and enforcement authorities.
This initiative follows on from the work carried out on the DMA/GDPR interface. It is an important signal for major platforms, digital ecosystems, and more broadly all cases where data plays both an economic and regulatory role.
Recommendation on age verification at EU level
Date: 29 April 2026
Source: Official link
The Commission has adopted a recommendation aimed at promoting the deployment in the EU of age verification solutions based on anonymous proof-of-age technologies, with an explicit focus on privacy and data protection.
It recommends that Member States use the European blueprint, prepare implementation plans, and cooperate with DSA coordinators, the Commission, researchers, and civil society. The text provides that EU citizens should have access to robust, privacy-preserving solutions by 31 December 2026.
The Commission also announces a European age-verification scheme, a list of solutions compliant with security and privacy standards, and a list of trusted providers for age-proof attestations.
Notably, the solution must allow a user to prove that they are above a certain age without revealing their exact age or identity to the platform.
Targeted consultation on the energy consumption and emissions of AI models and systems
Date: 7 April 2026
Source: Official link
The Commission has launched a targeted consultation as part of a study on measuring and promoting energy-efficient, low-emission AI in the EU.
Responses are intended to help develop a measurement framework for the AI Act’s energy objectives, and could also inform the design of a possible AI energy/emissions label.
The text is aimed in particular at companies that develop or deploy GPAI models or other AI systems, as well as their component and service providers. It recalls a concrete regulatory point: providers of GPAI models must document known or estimated energy consumption in their technical documentation under Annex XI of the AI Act.
Stakeholders could express interest until 10 May 2026, then respond to a questionnaire until 15 May 2026; the final summary will be published on the basis of aggregated data.
CNIL priority inspections for 2026
Date: 3 April 2026
Source: Official link
The CNIL has announced its priority inspection themes for 2026: recruitment, the French electoral register (REU), and sports federations.
The most directly relevant topic for data/AI monitoring is recruitment. The CNIL explains that these inspections, three years after publication of its dedicated guide, will check recruiters’ GDPR compliance on issues such as automated decision-making systems, candidate information, and retention periods.
The inspections will focus primarily on large companies and recruitment agencies.
CNIL final recommendations on tracking pixels in emails
Date: 14 April 2026
Source: Official link
The CNIL has published the final version of its recommendations on tracking pixels in emails, in response to the growing use of this technique to measure message opens, personalize communications, track readership, or measure deliverability.
It recalls that these pixels qualify as trackers under Article 82 of the French Data Protection Act, and clarifies in which cases their use requires consent and in which cases an exemption may apply.
The text provides an important clarification: an exemption is recognized for the individual measurement of deliverability when it is linked to a service requested by the recipient, subject to strict safeguards; data must be limited to what is strictly necessary and used only for that purpose.
The CNIL also clarifies which emails may be considered linked to a requested service, including certain transactional emails and those for which the recipient has already consented.
Finally, it adopts a phased approach for legacy contact databases: for addresses collected before the recommendation was published, actors have three months to clearly inform recipients about the use of pixels and to allow them to object easily.
ICO final guidance on Storage & Access Technologies
Date: 29 April 2026
Source: Official link
The ICO has published its final guidance on Storage and Access Technologies (SATs), that is, on how the PECR and, where applicable, the UK GDPR, apply to cookies, tracking pixels, device fingerprinting, and similar technologies.
The regulator says the text was updated after two consultations and in light of changes introduced by the Data (Use and Access) Act.
It highlights the addition of new examples and practical clarifications aimed at making compliance easier. The announcement also includes an enforcement message: according to the ICO, 99% of the UK’s top 1,000 websites now meet its cookie-banner compliance requirements following its targeted action with the sector.
