Introduction
January 28, 2026, marks Data Protection Day, established in 2006 by the Committee of Ministers of the Council of Europe to commemorate the opening for signature of the Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data, universally known as Convention 108 [1].
On January 28, 1981, the first legally binding international treaty on the protection of personal data was signed in Strasbourg. Forty-five years later, that document remains the foundation on which the entire European and global regulatory framework for data protection has been built.
Convention 108: the seed from which the right to data protection sprouted
Convention 108 was a visionary response to the challenges that technological progress posed to privacy protection as early as the 1970s. At a time when there was no Internet, social networks, big data, or artificial intelligence, its drafters foresaw that the Convention would need to be technologically neutral and capable of withstanding the test of time and digital evolution [2].
That Convention gave rise to the pillars of data processing that still form the backbone of the GDPR today: lawfulness, fairness, purpose, proportionality, accuracy, security, and the rights of the data subject. The Convention also inspired Directive 95/46/EC and, subsequently, Regulation (EU) 2016/679.
In 2018, the Convention was modernized through the amending Protocol that gave rise to Convention 108+, an instrument that incorporates responses to the challenges of the digital age: biometric data, algorithmic transparency, breach notification, and enhanced accountability. However, as Beatriz de Anchorena, Chair of the Committee of Convention 108 and Head of the Argentine Data Protection Authority, pointed out:
*“On the anniversary of Convention 108, I would like to call on all Parties to reaffirm their commitment to Convention 108+, as its ratification will open the door to other countries wishing to join, transforming this legally binding instrument into a universal common ground for privacy and data protection.”* [3]
Convention 108+ has not yet entered into force: a sufficient number of ratifications are needed. This delay is in itself a worrying sign of the difficulty of maintaining momentum on data protection at the global level.
Data Protection Day 2026: “Reset or refine?”
This year, the Council of Europe and the European Data Protection Supervisor (EDPS) jointly organized a conference with an emblematic title: **“Reset or refine?”** [4]. The event, held at the European Commission’s Charlemagne building in Brussels, addresses the tensions between modernization and the protection of fundamental principles.
As Wojciech Wiewiórowski, European Data Protection Supervisor, pointed out:
*“In an evolving geopolitical landscape, the role of data protection extends far beyond the realm of privacy and often becomes a safeguard for democracy itself. At the EDPS, we will continue to support and promote a culture of data protection, in Europe and beyond.”* [5]
The conference program touches on crucial issues: the very definition of personal data in light of the recent ruling by the Court of Justice in the EDPS v SRB case (C-413/23 P); the future of Convention 108+ as a global standard; the reform of the GDPR in the context of the Digital Omnibus Package; and the evolution of online tracking techniques.
The central question is straightforward: how can Europe modernize its regulatory framework without compromising fundamental principles? How can “regulatory simplification” coexist with solid guarantees for individuals?
EDPB coordinated action on transparency
In this context, the European Data Protection Board has announced that the theme of coordinated enforcement action for 2026 will be transparency: the information obligations set out in Articles 12-14 of the GDPR [6]. National supervisory authorities will examine how organizations inform data subjects about the use of their personal data.
This choice is not accidental. Transparency is a prerequisite for the informed exercise of all other rights: without knowing who processes our data, for what purposes, and with what safeguards, we cannot exercise any effective control over our digital sphere.
The revision of the GDPR: the Digital Omnibus Package
Data Protection Day 2026 comes at a particularly sensitive time. On November 19, 2025, the European Commission published the Digital Omnibus Package, a reform proposal that includes significant changes to the GDPR, the ePrivacy Directive, the AI Act, and other digital regulations [7].
The Commission presented the initiative as a “simplification” effort aimed at reducing the administrative burden on businesses, particularly SMEs and small mid-caps. However, the proposed changes go far beyond procedural simplification and touch on fundamental elements of the Regulation.
Among the most significant changes [8]:
- Redefinition of the concept of “personal data” (Art. 4 GDPR): the proposal introduces a “subjective” approach whereby data would not be considered personal if the entity holding it does not have reasonably usable means to identify the data subject. That could exclude pseudonymized data from the scope of the GDPR for certain controllers.
- New legal basis for AI: the processing of personal data for the development and operation of AI systems and models is explicitly recognized as a legitimate interest of the controller.
- Changes to data breach notification (Art. 33 GDPR): raising the threshold for notification to supervisory authorities (only when the breach involves a high risk), extending the deadline from 72 to 96 hours, and introducing a single point of entry for notifications.
- Limitations on the right of access (Art. 15 GDPR): expansion of the circumstances in which controllers may refuse or charge costs for access requests deemed “abusive” or “excessive.”
Reactions were immediate and polarized. The EDPB and EDPS issued a Joint Opinion on January 21, 2026, supporting the overall goal of simplification but calling for stronger safeguards for fundamental rights [9]. In particular, they expressed concern about the postponement of the application of essential requirements for high-risk AI systems and the proposal to remove the obligation for suppliers to register AI systems classified as “non-high-risk.”
The position of noyb (European Center for Digital Rights), the organization founded by Max Schrems, is much harsher. In a detailed analysis of over 70 pages, the proposed changes are called “the biggest attack on Europeans’ digital rights in recent years” [10]. According to noyb, the changes to the GDPR would create conflicts with the EU Charter of Fundamental Rights, lead to inconsistencies with the case law of the Court of Justice, and significantly lower protections for data subjects. The EDPB and the EDPS have also stated that “the proposed amendment to the definition of personal data in the GDPR would go beyond the case law of the Court of Justice of the European Union” [11].
A coalition of 127 civil society organizations has sent an open letter to the Commission, arguing that the Digital Omnibus brings “deregulation, not simplification” [12].
The debate is open. The Digital Omnibus will follow the ordinary legislative procedure in the European Parliament and the Council, with the possibility of substantial changes. Final adoption is expected in mid-2026, but could be accelerated if Parliament decides to apply the urgent procedure.
A necessary reflection: the silent decline of the culture of data protection
As I observe the celebrations of this Data Protection Day, I cannot help but reflect on the daily experience of those who deal with these issues professionally.
There is a noticeable decline in privacy and personal data protection. Not a regulatory decline, mind you: Europe has the most advanced legal framework in the world. The decline is cultural, social, and behavioral.
The data speaks for itself: the data breach crisis
According to the IBM Cost of a Data Breach Report 2025, published in July 2025 [13]:
- The global average cost of a data breach fell to $4.44 million (the first decline in five years), but in the United States it reached a record $10.22 million.
- 16% of breaches involved attackers using artificial intelligence tools, mainly for phishing (37%) and deepfakes (35%).
- 20% of breaches were caused by shadow AI — unauthorized AI tools used by employees without IT oversight — with an additional average cost of $670,000 per incident.
- 97% of organizations that experienced an AI-related security incident did not have adequate access controls for AI systems.
- 63% of breached organizations do not have an AI governance policy or are still developing one.
These figures reveal a disturbing paradox: while AI adoption is accelerating, security and governance are lagging dramatically behind. The IBM report explicitly refers to an “AI oversight gap” — a gap between technology adoption and oversight that cybercriminals are already exploiting [14].
The gap between stated awareness and actual behavior
Eurobarometer data reveal a complex picture of European citizens’ awareness. According to surveys [15]:
- 67% of Europeans have heard of the GDPR, but only 36% actually know what it is.
- 73% know at least one of their rights guaranteed by the GDPR, but only 31% know them all.
- Only 13% of data subjects read privacy policies in full.
- 57% of citizens are aware of the existence of a national data protection authority, but the percentage varies greatly between countries (from 82% in the Netherlands to 16% in Spain).
An academic study based on Eurobarometer 91.2 identified four types of “digital citizenship”: offline citizens (22%), social netizens (32%), web citizens (17%), and data citizens (29%). Significantly, young “digital natives” are evenly divided between social netizens — characterized by low privacy awareness despite heavy social media use — and data citizens — fully aware of their rights [16].
Technological innovations as risk amplifiers
Technological innovations — generative artificial intelligence, pervasive biometric recognition, the Internet of Things, neurotechnologies — amplify the erosion of awareness. Each new technology promises benefits in exchange for data, and the promise is almost always accepted without critical reflection.
The IBM 2025 report is eloquent: 13% of organizations have already suffered breaches affecting their AI models or applications, while 8% do not even know if they have been compromised in this way [17]. AI has become a high-value target for cybercriminals, who are aware of the gap between adoption and security.
Bad habits that undermine protection
Bad habits become ingrained: reused passwords, permissions granted without reading, apps installed without verification, sensitive data shared carelessly on social networks. Convenience systematically prevails over caution.
The phenomenon of shadow AI is the most recent and worrying example: employees using ChatGPT, Copilot, and other generative AI tools to process company documents, contracts, and customer data—without any authorization or supervision. According to the IBM report, shadow AI-related breaches exposed more personally identifiable information (65%) and intellectual property (40%) than the global average [18].
Superficiality in public debate
Superficiality dominates public debate: privacy is often dismissed as an obstacle to innovation, bureaucratic formalism, or a pretext for sanctions. The Digital Omnibus Package is the most recent manifestation of this: under the rhetoric of “simplification” and “competitiveness,” proposed changes could significantly weaken protections.
It is forgotten that data protection is a fundamental right recognized by Article 8 of the Charter of Fundamental Rights of the European Union, which is essential to protecting the freedom, autonomy, and dignity of the individual.
Staying vigilant: an imperative, not an option
Faced with this scenario, **staying vigilant is not an option; it is an imperative.**
For professionals in the sector, this means not giving in to the temptation of mere formal compliance, but promoting a substantive culture of data protection. For supervisory authorities, it means rigorous and consistent enforcement of the rules, capable of producing real deterrence — and the GDPR sanctions that exceeded €6.7 billion in 2024 show that this path is viable [19].
For legislators, it means resisting the siren call of “simplification” when it masks a lowering of protections. The Digital Omnibus Package will serve as the test case: the European Parliament and the Council will have to assess whether the proposed changes constitute genuine procedural simplifications or substantial reductions in rights.
For citizens, it means reclaiming the awareness that their data is not a commodity, but an extension of their identity. The gap between the 73% who know at least one right and the 31% who know them all must be bridged through education, information, and accessible tools.
Conclusions
Forty-five years after the signing of Convention 108, Data Protection Day 2026 invites us to reflect beyond the ritual celebration. The question “Reset or refine?” posed by the organizers of the Brussels conference captures the crossroads we find ourselves at.
The answer cannot be a reset that erases the achievements of decades of regulatory development. It must be a refinement that strengthens, adapts, and makes existing safeguards more effective, without sacrificing them on the altar of misguided simplification.
Above all, it must be a cultural awakening: the rediscovery of the intrinsic value of data protection as the foundation of a society that respects human dignity. Because rules alone are not enough. There needs to be widespread awareness that privacy is not a luxury of the past, but a necessity for the future.
The protection of personal data, as the EDPS has pointed out, is now a safeguard for democracy itself. In an age of algorithmically amplified disinformation, political profiling, and manipulation of consent, defending privacy means defending the conditions that make a free society possible.
[1] Council of Europe, Data Protection Day - 28 January, https://www.coe.int/en/web/data-protection/data-protection-day
[2] Council of Europe, Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data (ETS No. 108), Strasbourg, 28 January 1981, https://rm.coe.int/1680078b37
[3] Statement of Beatriz de Anchorena, Chair of the Committee of Convention 108, Data Protection Day 2026, https://data-protection-day.eu/
[4] European Data Protection Supervisor, Data Protection Day 2026: Reset or refine?, https://www.edps.europa.eu/data-protection/our-work/publications/events/2026-01-28-data-protection-day_en
[5] Wojciech Wiewiórowski, European Data Protection Supervisor, Statement for Data Protection Day 2026, https://data-protection-day.eu/
[6] European Data Protection Board, Coordinated Enforcement Framework: EDPB selects topic for 2026, 14 October 2025, https://www.edpb.europa.eu/news/news/2025/coordinated-enforcement-framework-edpb-selects-topic-2026_en
[7] European Commission, Digital Package, 19 November 2025, https://digital-strategy.ec.europa.eu/en/faqs/digital-package
[8] White & Case LLP, GDPR under revision: Key takeaways from the Digital Omnibus Regulation proposal, 2 December 2025, https://www.whitecase.com/insight-alert/gdpr-under-revision-key-takeaways-from-digital-omnibus-regulation-proposal
[9] EDPB-EDPS, Joint Opinion 1/2026 on the Proposal for a Regulation as regards the simplification of the implementation of harmonised rules on artificial intelligence (Digital Omnibus on AI), 21 January 2026, https://www.edpb.europa.eu/our-work-tools/our-documents/edpbedps-joint-opinion/edpb-edps-joint-opinion-12026-proposal_en
[10] noyb - European Center for Digital Rights, Digital Omnibus: EU Commission wants to wreck core GDPR principles, 19 November 2025, https://noyb.eu/en/digital-omnibus-eu-commission-wants-wreck-core-gdpr-principles
[11] Business Daily Network, European Commission faces scrutiny over digital omnibus package amid transparency concerns, 16 December 2025, https://businessdailynetwork.com/stories/677170982-european-commission-faces-scrutiny-over-digital-omnibus-package-amid-transparency-concerns
[12] noyb, Open letter: Digital omnibus brings deregulation, not simplification, 11 November 2025, https://noyb.eu/en/open-letter-digital-omnibus-brings-deregulation-not-simplification
[13] IBM Security, Cost of a Data Breach Report 2025, July 2025, https://www.ibm.com/reports/data-breach
[14] IBM, 2025 Cost of a Data Breach Report: Navigating the AI rush without sidelining security, 19 November 2025, https://www.ibm.com/think/x-force/2025-cost-of-a-data-breach-navigating-ai
[15] European Commission, Data Protection Regulation one year on: 73% of Europeans have heard of at least one of their rights, Press Release IP-19-2956, 13 June 2019, https://europa.eu/rapid/press-release_IP-19-2956_en.htm
[16] Rughinis, R., Rughinis, C., Vulpe, S.N., Rosner, D., From social netizens to data citizens: Variations of GDPR awareness in 28 European countries, Computer Law & Security Review, Volume 42, Article 105585, September 2021, https://www.sciencedirect.com/science/article/abs/pii/S0267364921000583
[17] Help Net Security, Average global data breach cost now $4.44 million, 4 August 2025, https://www.helpnetsecurity.com/2025/08/04/ibm-cost-data-breach-report-2025/
[18] CyberScoop, Research shows data breach costs have reached an all-time high, 30 July 2025, https://cyberscoop.com/ibm-cost-data-breach-2025/
[19] DataStackHub, Data Privacy Statistics For 2025–2026, October 2025, https://www.datastackhub.com/insights/data-privacy-statistics/
