{"id":11446,"date":"2026-01-07T10:47:06","date_gmt":"2026-01-07T09:47:06","guid":{"rendered":"https:\/\/techgdpr.com\/?p=11446"},"modified":"2026-01-19T18:08:34","modified_gmt":"2026-01-19T17:08:34","slug":"data-protection-digest-03012026-improvements-are-being-made-to-gdpr-enforcement-us-consumer-privacy-and-emerging-shadow-ai","status":"publish","type":"post","link":"https:\/\/techgdpr.com\/blog\/data-protection-digest-03012026-improvements-are-being-made-to-gdpr-enforcement-us-consumer-privacy-and-emerging-shadow-ai\/","title":{"rendered":"Data protection digest 3 Jan 2026: Improvements are being made to GDPR enforcement, US consumer privacy, and emerging “Shadow AI” concerns"},"content":{"rendered":"\n

GDPR enforcement simplified<\/strong><\/h4>\n\n\n\n

A new regulation came into force on 1 January, supplementing the GDPR. It speeds up the work of data protection authorities in enforcement cases that involve multiple countries in the EU\/EEA<\/a>. The regulation provides, among other things, for time limits, stages of investigation, the exchange of information between authorities, and the rights of the parties concerned. In future, data protection authorities will have to issue a resolution proposal on a cross-border case as a rule within 12-15 months. In the most complex cases, the deadline can be extended by 12 months. The regulation will apply from April 2027. <\/p>\n\n\n\n

Stay up to date! Sign up to receive our fortnightly digest via email.<\/mark><\/a><\/h4>\n\n\n\n

UK Adequacy decision<\/strong><\/h4>\n\n\n\n

The European Commission adopted two new adequacy decisions<\/a> for the UK \u2013 one under the GDPR and the other under the Law Enforcement Directive, until 27\u00a0December 2031.\u00a0 In accordance with the new decisions, transfers of personal data from the EU to the UK can continue to take place without any specific framework. Following Brexit, the Commission adopted two adequacy decisions vis-\u00e0-vis the UK in 2021. Sunset clauses had been introduced in each of the decisions. The decisions expired in mid 2025, but have been extended until the end of the year. The EDPS has since issued an opinion<\/a> on these decisions.<\/p>\n\n\n\n

More legal updates<\/h4>\n\n\n\n
\"\"<\/figure>
\n

<\/p>\n\n\n\n

US consumer privacy updates: <\/strong>In Kentucky, as well as Indiana, Rhode Island and several other states, GDPR-enhanced legislation related to consumer data privacy took effect on January 1. In Kentucky<\/strong>, in particular, the new legislation establishes the rights to confirm whether data is being processed, to correct any inaccuracies, to delete personal data provided by the consumer<\/a>, to obtain a copy of the consumer\u2019s data, and to opt out of targeted advertising, the sale of data, or profiling of the consumer along with requirements for entities that control and process their data.<\/p>\n<\/div><\/div>\n\n\n\n

Similarly, in January, new regulations became effective in California<\/strong> regarding a risk-assessment framework for certain high-risk data processing activities<\/a>, as well as transparency and notice requirements, disclosure of sensitive personal information, data breach<\/a> reporting, consumer rights requests, and data collection and deletion by data brokers<\/a>. <\/p>\n\n\n\n

AI use by banks<\/strong><\/h4>\n\n\n\n

The Hungarian data protection regulator issued a report on the processing of personal data by AI systems used by banks in Hungary (available in English). Some good practices<\/a> indicated by the report include:<\/p>\n\n\n\n