GDPR Weekly Dispatch: EDPB Plenary Sets Age Assurance and AI Enforcement Agenda
Feb 9, 2026
🚨 Headline Story: EDPB February Plenary — Age Assurance, AI Task Force, and WADA
At its February 2025 plenary, the European Data Protection Board (EDPB) took three decisions that will shape how age verification, AI, and anti-doping data are handled under the GDPR.
Age assurance. The Board adopted a statement on age assurance setting out ten principles for processing personal data when determining an individual’s age or age range. The aim is a consistent EU approach that protects minors while respecting data protection principles. EDPB Chair Anu Talus stressed that the method used to verify age must be “the least intrusive possible” and that children’s data must be protected. The EDPB is also cooperating with the Commission on age verification in the Digital Services Act (DSA) context.
AI enforcement. The EDPB extended the ChatGPT task force into a broader task force on AI enforcement and agreed to set up a quick response team so DPAs can coordinate on urgent, sensitive cases. Talus framed the GDPR as a framework that “promotes responsible innovation” and said the new structures will help balance high data protection standards with the benefits of AI.
WADA. The Board adopted recommendations on the 2027 World Anti-Doping Agency (WADA) World Anti-Doping Code, focusing on legal basis, purpose limitation, transparency, and the need for individuals to be fully informed and able to exercise their rights—especially where sensitive health data from biological samples are processed.
Why it matters: Age assurance is central to the DSA and child-safety debates; the new principles give industry and regulators a shared reference. The AI task force and quick response team signal that EU DPAs will treat AI as a priority and act in a coordinated way. WADA recommendations show the EDPB’s willingness to align global anti-doping rules with GDPR standards. Together, these moves reinforce that the Board is steering both policy (age, AI) and enforcement (coordination and speed) for the next two years.
Source: EDPB – EDPB adopts statement on age assurance, creates a task force on AI enforcement and gives recommendations to WADA (12 February 2025).
⚖️ Enforcement & Fines
LinkedIn Ireland fined €310 million by Irish DPC: The DPC found that LinkedIn unlawfully processed users’ personal data for behavioural analysis and targeted advertising. Consent was not freely given—wording and design (e.g. “Accept & Continue” vs “Manage Settings”) pressured users into accepting data use. The DPC also rejected reliance on legitimate interest and contractual necessity for this processing and found breaches of Articles 6(1)(a), (b), (f) and of transparency (Arts 13/14) and fairness. The decision includes a reprimand and an order to bring processing into compliance. Insight: This is one of the largest DPC fines and underlines that consent for ads must be genuinely optional and clearly presented; “dark patterns” and unequal prominence of choices will be treated as invalid consent.
Source: DPC – Irish Data Protection Commission fines LinkedIn Ireland €310 million.
Polish SA: three fines for breach notification failures (6 Feb 2025): The Polish supervisory authority imposed a €6,800 fine on a county hospital in Września for failing to notify a personal data breach to the SA (patient data disclosed to an unauthorized person; risk was incorrectly assessed as low). Two further fines: €928,498.06 for failure to inform data subjects of a breach, and €19,800 for another failure to notify. These cases show strict application of Articles 33 and 34 and that even a single identified recipient can trigger notification and communication duties.
Source: EDPB – Polish SA: administrative fine for failure to notify a personal data breach.
Spain (AEPD) – February 2025: Orange España €1.2 million (unlawful processing linked to fraudulent SIM duplicates); Caja Rural de Jaén €400,000 (inadequate security leading to unauthorized disclosure after a cyber attack); Línea Directa Aseguradora €300,000 (unlawful processing of customer data). Security and lawful basis remain core enforcement themes.
Source: Industry roundups (e.g. 2B Advice, Statista) and AEPD.
🏛️ Legal & Regulatory Updates
CEF 2025: Coordinated enforcement on the right to erasure (Art. 17): The EDPB has launched its 2025 Coordinated Enforcement Framework action on the right to erasure (“right to be forgotten”). 30 DPAs and the EDPS will take part, contacting controllers across sectors (new investigations or fact-finding) to see how erasure requests are handled and how conditions and exceptions are applied. Results will be aggregated for EU-wide follow-up. This follows the 2024 CEF on the right of access.
Source: EDPB – CEF 2025: Launch of coordinated enforcement on the right to erasure (5 March 2025).
EDPB plenary (above): Age assurance statement, AI enforcement task force, quick response team, and WADA recommendations form the main regulatory output of the week.
🌐 Industry & Tech News
NOYB complaint: WetterOnline and “disproportionate effort”: NOYB has filed a complaint with German data protection authorities against the WetterOnline app. The app shares users’ personal data (including very precise location) with many third parties for advertising; some of this data is sold via data brokers, while users have been denied access requests on the ground of “disproportionate effort.” NOYB and research (e.g. netzpolitik.org) highlight risks from Mobile Advertising IDs (MAID) and sensitive locations. Takeaway: Refusing access on the basis of disproportionate effort will be scrutinised; controllers must document and, where possible, simplify access processes.
Source: NOYB – WetterOnline sees “disproportionate effort” in complying with the GDPR.
Meta €390m (DPC): Widely cited in recent roundups: Meta fined €390 million by the Irish DPC for forcing users to accept targeted advertising (consent not freely given). Reinforces the same theme as the LinkedIn decision for ad-funded platforms.
Source: Burges Salmon – Meta fined €390m and DPC.
💡 Opinion & Analysis
Consent and ads: The LinkedIn and Meta decisions make it clear that consent for behavioural and targeted advertising must be optional, informed, and unambiguous. Controllers should avoid pre-ticked boxes, misleading wording, and designs that steer users toward “Accept.” Equal prominence for “Accept” and “Refuse” (or “Manage”) is increasingly the baseline.
Right to erasure in the spotlight: With CEF 2025 focused on Art. 17, now is the time to review erasure workflows: how requests are received, how identity is verified, how exceptions (e.g. legal obligation, litigation) are applied and documented, and how refusals are communicated. Proactive audits will put you ahead of potential DPA fact-finding.
Breach notification: The Polish cases are a reminder that Articles 33 and 34 apply even when a breach affects a small number of individuals. Assess likelihood and severity of risk to rights and freedoms; when in doubt, notify the SA within 72 hours and inform data subjects where there is high risk, and document the assessment.



