Gen AI drives surge in data complaints
Generative AI is driving a surge in data protection complaints across Europe.
The Data Protection Commission (DPC) saw contacts rise by 45% in 2025 compared to 2024, with a further increase to 60% above 2024 levels in the first months of 2026.
The trend is replicated across European data protection authorities and attributed in large part to the use of large language models by complainants to formulate and draft complaints.
Paul McDonagh-Forde, the DPC's Brussels-based attaché, was speaking at the Irish Centre for European Law's (ICEL) Privacy and Data Protection Conference, Ten Years of GDPR: Reflections, Insights and Lessons (15 May), held in Chartered Accountants House, Dublin.
A panel discussion, ‘Relevant and Recent GDPR Developments’, was chaired by ICEL President, Mr Justice Anthony M Collins (Judge of the Court of Appeal and former Advocate General of the Court of Justice of the European Union).
In her presentation on recent decisions of the Court of Justice and General Court, Catherine Donnelly SC noted that in EDPS v Single Resolution Board (C-413/23), the Court held that personal opinions constitute personal data without any need to examine their content, purpose or effect, as they are necessarily closely linked to the individual.
Pseudonymised
Pseudonymised data remains personal data where it can be re-attributed using separately held information, with identifiability assessed by reference to all means reasonably likely to be used, including available technology and the costs of identification.
She noted consequences from X v Russmedia Digital (C-492/23) include obligations to identify advertisements containing sensitive data before publication, verify the identity of the advertiser, and prevent publication absent explicit consent or an article 9(2) exception. Article 32 requires controllers to block copies of non-compliant content.
In Mousse v CNIL (C-394/23), the Court held that article 6(1)(b) requires processing to be objectively indispensable for performance of the contract, with no less intrusive alternative available.
Processing of gender identity for personalised commercial communications met neither the article 6(1)(b) nor the article 6(1)(f) threshold, with personalisation capable of being limited to name alone.
Donnelly reported that in Brillen Rottler (C-526/24), the Court held that the article 12(5) exception must be interpreted strictly and relied upon only exceptionally.
A single request may be excessive, but only where formal compliance masks an abusive intention to engineer an advantage; a pattern of requests followed by compensation claims across multiple controllers may evidence that intention.
Deleted data
On other data subject rights, in WS v Commission (T‑144/25), the Court confirmed that the GDPR confers no right to restoration of lawfully deleted data.
In Deldits (C-247/23), accuracy under article 16 is assessed by reference to the purpose of collection; where that purpose is identification, gender identity at the time of registration must be used, and rectification cannot be made conditional on surgical treatment.
She added that the case was interesting because it was one of few, “where the court found that the rule actually infringed the essence of the right, so there wasn't a need for a proportionality assessment”.
In Bindl v Commission (T-354/22), the embedding of a Sign-In with Facebook hyperlink on a commission website was held to constitute a third country transfer of the applicant's IP address without compliance with the applicable conditions, with the resulting uncertainty constituting actual and certain non-material damage.
One of the findings on remedies, from IP v Quirin Privatbank AG (C-655/23) was that article 82 GDPR is exclusively compensatory, the attitude or motivation of the controller is irrelevant to the amount or form of compensation, and a prohibitory injunction cannot substitute for damages.
Davinia Brennan, partner at Matheson LLP, outlined three key elements, “which are converging, in my view, to reshape how organisations are approaching data governance.”
- Speed of AI tech leading to increased EU DP regulatory activity,
- ‘Reopening of the GDPR,’ considering AI Act via Digital Omnibus package,
- Expanding digital EU rulebook ‘creating compliance challenges’.
Davinia Brennan outlined the substantive proposals contained in the Digital Omnibus, including an updated definition of personal data, additional legal bases for processing special category data, simplified breach reporting, and a harmonised DPIA template.
Role structures
She mapped the parallel role structures under the GDPR and the AI Act - controllers and processors under the GDPR; providers, deployers, importers and distributors under the AI Act — and noted that maximum fines under the AI Act, at 7% of global turnover or €35 million, exceed those available under the GDPR.
She also noted the Omnibus proposal to permit refusal of abusive access requests as one of the more practical simplification measures.
Paul McDonagh-Forde noted that the EDPB and EDPS Joint Opinion 2/2026 supports the objectives of simplification but criticises the absence of fundamental rights and proportionality assessments.
He added however that this objection was “a bit more nuanced” than headlines might suggest.
Simplifying enforcement
“All the European DPAs also recently produced something called the Helsinki Declaration,” he added, which commits to simplifying the enforcement of the GDPR, particularly for SMEs.
He flagged the European Data Protection Board (EDPB) and the European Data Protection Supervisor (EDPS) view that the proposed changes to the definition of personal data go beyond existing case law and narrow the protection afforded by the right to data protection.
He also referred to reports that while Data Processing Agreements have welcomed the single-entry point proposal, not all member states have given it a positive reception, “so it remains to be seen what happens there.”
Referencing the increase in DP complaints, he observed that AI is not just a subject of regulation but is actively reshaping the regulatory environment itself.
He flagged the proposed extension of the legal basis for processing special category data for bias detection and mitigation across all AI systems and identified European digital sovereignty and age-gating on social media as likely themes in Brussels.
Event moderator, David Fennelly SC, concluded that “we now face applying and understanding the GDPR in a much more complex, broader environment, both legally and politically.”