Data Protection and AI expectations for 2026

On 19 December 2025, the European Commission formally renewed its Adequacy Decisions (made in the wake of Brexit, in 2021) in respect of the UK’s data protection laws.

 

The renewal of these Decisions means, in real terms, that controllers and processors of personal data can continue to send such data between the European Economic Area (EEA) and the United Kingdom for at least another 6 years (subject to another mid-term review in 2029) without additional measures – like lengthy contract provisions – being required.

 

Whilst this was not unexpected, it is nevertheless welcome news as it avoids what would have been a huge shake-up to how businesses in Northern Ireland currently trade and do business.

 

However, looking ahead, there are other changes on the horizon to which users of personal data in the UK do need to pay attention, and which will likely require some action to be taken in 2026; not least due to the ongoing roll-out of the UK’s Data (Use and Access) Act 2025 and the continued importance of compliance with and respect for data protection rules and principles when using, developing and incorporating artificial intelligence.

 

We anticipate the following data protection and AI developments for 2026 will have the greatest impact on businesses in Northern Ireland:

  • further expansion of the use of AI (requiring Data Protection Impact Assessments, Legitimate Interest Assessments and updating of transparency information) set against heightened personal awareness (and, potentially, wariness) of individuals in respect of use of their personal data in AI;
  • the impact of the continued roll-out of the EU AI Act, given its extra-territorial reach (meaning it applies to organisations outside the EU where that organisation’s AI system is placed on the EU market, put into service in the EU, or its outputs are used in the EU, even if the organisation is not based in the EU);
  • new legislative requirement for a data protection complaints policy;
  • relaxation of some rules around use of website cookies;
  • (potentially) easier transfer of personal data to third countries; and
  • greater sophistication of security risks (like phishing emails and deepfakes), reinforcing the need for effective staff training and awareness.

 

There is also the potential for substantial changes to be made to EU data protection law as a result of the EU’s “Digital Omnibus” Bill. However, what that Bill says now and what it will say after it traverses the legislative process and becomes binding could be materially different, and is not likely to be known in 2026; so businesses will have to maintain just a watching brief for now.

 

As ever, businesses will have opportunities to harness evolving technologies, and it is those who do so in a lawful way who will be well placed to realise the short-term and long-term benefits. If you would like to discuss how we can assist with those opportunities, please contact Paul Eastwood, Partner in Tughans’ Contracts & Technology team.

 

While great care has been taken in the preparation of the content of this article, it does not purport to be a comprehensive statement of the relevant law and full professional advice should be taken before any action is taken in reliance on any item covered.