Contributed by: Maria Moloney PhD Adjunct Research Fellow Performance Engineering Lab Department of Computer Science University College Dublin

The CEDPO Conference last October opened with a clear focus on the future of data protection in the age of Digital Transformation.

After a warm welcome from CEDPO Managing Director Paul Jordan, the floor was handed over to our very own Jared Browne for a captivating keynote address. Jared explored the current challenges presented by the pervasive rise of easy-to-develop AI. He teased out the difficult balance between the need to utilise personal data to power new and ever-evolving AI models and the serious ethical risks and potential for harm that can result from its misuse. Jared successfully blended a technical and ethical discussion with wit, humour, and even a surprising anecdote involving cocaine that made for an intensely engaging and thought-provoking 30-minute session.

Following the keynote, Paul Jordan moderated the first panel discussion. The central topic was the proposed changes to the GDPR under the EU Commission’s Digital Omnibus initiative, launched in September 2025. A lively and often conflicting debate ensued, both among the panelists and with the audience. The main point of contention was the proposed elimination of the obligation to maintain a Registry of Processing Activities (RoPA) for companies with 750 or fewer employees. It was particularly insightful to hear the Commission’s rationale and the strong reactions from the audience regarding this potential loosening of compliance requirements.

The day continued with two highly technical, yet engaging, panel discussions. The second panel focused on recent European Court of Justice (ECJ) rulings. They provided an expert dissection of the complex issue of pseudonymised data transfers, specifically clarifying the relative nature of personal data following the pivotal EDPS v Single Resolution Board ruling (Case C-413/23 P, 4 Sept 2025). Their evident expertise and rapport made this a conference highlight.

The third panel shifted focus to the benefits and legal effects of certification under the GDPR. Experts from key European projects offered deep insights into where certification adds value, how organisations can prepare for assessment, and the future of harmonized, EU-wide trust mechanisms.

The first day of the conference ended with a fireside chat between Paul Jordan and Ernst Wilhelm, the Data Protection Officer (DPO) at GFT Technologies SE. The discussion centred around whether DPOs should assume responsibility for AI compliance or collaborate with other organisational experts. This chat really brought home the fact that the DPO role is undeniably evolving, though its final shape remains unclear.

The Second day of the conference was opened with a talk given by Matteo Colombo that explored Europe’s digital transformation, segueing nicely to the first panel discussion moderated by Jared Browne. This panel discussed how DPOs should interpret AI in their job roles. More specifically, it looked at the overlap of the GDPR with the EU AI Act. The panel addressed the EDPB’s Helsinki Statement, which aims to improve GDPR compliance clarity for smaller organizations and enhance enforcement consistency across sectors. The panel concluded with a frank discussion on the regulatory “alphabet soup” and the contradictory messages European companies feel they are receiving from the EU Commission.

The second panel of the day was equally engaging and relevant as it examined and dissected the interplay between the GDPR and the Digital Markets Act (DMA). The panel initiated a discussion on the forthcoming joint EU Commission guidelines clarifying the interaction between the GDPR and the DMA. These original guidelines aim to provide legal certainty for “gatekeepers” by clarifying the DMA interaction with the GDPR. A key focus was on the lawful basis of consent, particularly how the gatekeepers’ “nudging” tactics often invalidate customer consent.

After lunch, the highlight of the conference was a talk given by our very own Commissioner Michael McGrath. He spoke about the Digital Fairness Act and the need to fill certain gaps in legislation around consumers safety, especially child safety. He discussed Dark Patterns employed by a large percentage of companies across the EU and the idea of unfair personalisation. He distinguished between acceptable personalisation which is often needed and desired by consumers to make their lives easier and unfair personalisation that exploits the vulnerabilities of consumers. For instance, offering gambling content to known gambling addicts causes harm to that individual. This is not enhancing the lives of consumers but rather damaging them. The commissioner’s talk was considered and thought provoking and set the stage for the final afternoon discussions of the conference.

The following panel was very closely linked to Commissioner McGrath’s talk on the Digital Fairness Act (DFA). This very interesting and relevant discussion outlined the existing gaps in current EU law and more specifically consumer protection law around Dark Patterns and Unfair Personalisation. While the DFA’s final form (soft or hard law) remains uncertain, the panel explored solutions to these challenges.

The conference concluded with an analytically rich panel discussing the Data Act and the GDPR. The discussion offered invaluable insights into the Data Act’s nuances. Key takeaways included the Data Act’s clarification of data ownership throughout the data lifecycle, and the critical point that its data-sharing obligations do not supersede the GDPR’s requirement for a lawful basis for sharing personal data. This has proven to be a common point of confusion for companies.

Conclusions

The 2025 CEDPO Conference highlighted Europe’s ongoing work around how best to transition to this new digital age. What was once its strength, ensuring ethical and trustworthy regulation of technologies, may now be threatening innovation. This environment of dense legislation challenges all stakeholders. The future must now be about innovation paired with accountability. Most importantly, however, as evidenced in the conference, the collaborative and transparent spirit among European colleagues shaping this transformation remains strong and highly motivating.