EU institutions have launched new initiatives, including AI regulatory sandboxes and transparency codes for generative AI, signalling a shift from principles to practice amid ongoing debates over copyright, competition, and cross-border data flows.
The European regulatory landscape for artificial intelligence and data protection entered January with a flurry of concrete steps and consultation papers that signal how EU institutions expect to translate the AI Act and existing privacy rules into operational practices across industry and public bodies, according to a monthly roundup published by Dentons.
The European Commission has published a draft Implementing Regulation setting out detailed rules for AI regulatory sandboxes, controlled environments intended to allow the development, training, validation and testing of innovative AI systems under regulatory supervision. The draft is open for public consultation and requires Member States to establish at least one sandbox by 2 August 2026, a timetable intended to promote harmonised implementation of the AI Act across the EU, according to Dentons and the Commission’s consultation notice.
Commission work on transparency for generative AI also advanced in December with the publication of the first draft of a Code of Practice on marking and labelling AI-generated content. The draft sets out two complementary strands: measures for providers of generative models on marking and detection of AI-manipulated content, and guidance for deployers on labelling deepfakes and AI-manipulated text. The Commission has opened feedback windows for the draft and is pursuing an inclusive drafting process involving independent experts and thematic working groups, with the final Code expected in mid-2026; the Code is intended as a voluntary tool to help stakeholders meet Article 50 transparency obligations under the AI Act.
On data protection, the update notes several developments that aim to reduce legal uncertainty for cross-border data flows and enforcement. The European Commission renewed adequacy arrangements with the United Kingdom, preserving continuity for businesses and public authorities that rely on EU–UK transfers. Separately, a new EU Regulation introducing harmonised procedural rules for cross-border GDPR enforcement was published in the Official Journal and will become directly applicable in all Member States from 2 April 2027, a step designed to streamline cooperation among supervisory authorities.
The Court of Justice of the European Union delivered a significant ruling on responsibility for online advertising. In Russmedia the CJEU found that an online marketplace operator and a user advertiser who places an advert on the marketplace must be treated as joint controllers; the court also imposed a duty of diligence on marketplace operators to scrutinise advertisement content prior to publication, up to and including the refusal to publish where unlawful processing of sensitive data is identified, according to Dentons’ summary of the judgment.
European supervisory bodies have weighed in with guidance and critiques. The European Data Protection Board published recommendations, open for public consultation, on the legal basis for mandatory user accounts on e-shops, favouring “guest mode” options for purchases and warning that compulsory account creation will likely be lawful only in limited circumstances such as subscription services. The EDPB and the European Data Protection Supervisor have also started a joint examination of proposed changes in the Digital Omnibus initiative; while both welcome regulatory attention to digital markets they have cautioned that any modification of the definition of personal data could pose risks to the right to data protection and have signalled a forthcoming Joint Opinion.
Questions about the interaction of EU data protection rules with external legal frameworks also reached national courts. The Brussels Market Court referred preliminary questions to the CJEU on the compatibility of the US tax agreement FATCA with the GDPR, a referral that promises to clarify how international tax data-exchange obligations align with EU data-protection standards.
Intellectual property and AI policy continued to be areas of intense debate. A German appeals court confirmed that the use of a photographer’s work in the LAION image-text dataset fell within the text and data mining exception, and explicitly held that the scientific research exception is not excluded merely because datasets may later be used by commercial AI providers. At EU parliamentary level, the European Parliament JURI Committee published an economics study exploring options from exceptions and opt-outs to statutory licensing; the study concluded that a carefully designed statutory licensing regime could balance access to training data with incentives for rightsholders. The Alan Turing Institute released a report stressing “creative grey zones” in copyright law as AI systems and hybrid workflows emerge, and debates in other jurisdictions, most notably a proposal in India for a statutory licensing regime that would require remuneration but not refusal rights for rightsholders, underscore the global search for compromise between access and compensation.
Market scrutiny of dominant digital platforms has followed policy developments. The European Commission has opened an investigation into whether Google’s use of online content for AI purposes involves anticompetitive conduct, specifically examining the use of web publishers’ content in generative AI outputs and whether material uploaded to YouTube has been used to train Google’s models without appropriate market safeguards.
Taken together, these initiatives show regulators moving from principle to practice: establishing test beds for innovation, drafting practical transparency tools for generative AI, tightening cross-border enforcement mechanics under the GDPR and probing both the competitive and copyright dimensions of large-scale data use. The next six months, including finalisation of the Code of Practice and the consultations on sandboxes, will be pivotal for how these frameworks are implemented in industry and public administration.
##Reference Map:
- [1] (Dentons) – Paragraph 1, Paragraph 2, Paragraph 3, Paragraph 4, Paragraph 5, Paragraph 6, Paragraph 7, Paragraph 8, Paragraph 9
- [3] (European Commission consultation) – Paragraph 2
- [2] (European Commission draft Code) – Paragraph 3
- [4] (European Commission Code development page) – Paragraph 3
- [5] (European Commission announcement) – Paragraph 3
- [6] (European Commission participation notice) – Paragraph 3
Source: Noah Wire Services
Noah Fact Check Pro
The draft above was created using the information available at the time the story first
emerged. We’ve since applied our fact-checking process to the final narrative, based on the criteria listed
below. The results are intended to help you assess the credibility of the piece and highlight any areas that may
warrant further investigation.
Freshness check
Score:
8
Notes:
The narrative is a monthly update from Dentons, dated January 5, 2026, covering developments up to December 2025. Similar updates have been published monthly, with the most recent prior edition dated November 27, 2025. ([dentons.com](https://www.dentons.com/en/insights/newsletters/2025/november/27/eu-ai-and-gdpr-key-trends-and-insights/ai-and-gdpr-monthly-update-november-2025/ai-and-gdpr-monthly-update?utm_source=openai)) The content appears to be original and not recycled from other sources. The inclusion of recent developments, such as the European Commission’s draft Implementing Regulation on AI regulatory sandboxes and the first draft of the Code of Practice on transparency of AI-generated content, indicates a high level of freshness. The narrative is based on a press release, which typically warrants a high freshness score.
Quotes check
Score:
9
Notes:
The narrative includes direct quotes from the European Commission’s consultation notice and the Commission’s announcement. These quotes are unique to this report and do not appear in earlier material, suggesting original content. No identical quotes were found in earlier publications, indicating the quotes are exclusive to this update.
Source reliability
Score:
10
Notes:
The narrative originates from Dentons, a reputable international law firm. The information is corroborated by official European Commission sources, enhancing the reliability of the content.
Plausability check
Score:
9
Notes:
The claims made in the narrative align with recent developments in EU AI and data protection regulations. The European Commission’s draft Implementing Regulation on AI regulatory sandboxes and the first draft of the Code of Practice on transparency of AI-generated content are consistent with official announcements. The tone and language are consistent with official EU communications, and the narrative lacks excessive or off-topic detail.
Overall assessment
Verdict (FAIL, OPEN, PASS): PASS
Confidence (LOW, MEDIUM, HIGH): HIGH
Summary:
The narrative is a timely and original monthly update from Dentons, providing accurate and reliable information on recent developments in EU AI and data protection regulations. The content is corroborated by official European Commission sources, and the quotes are unique to this report, indicating a high level of originality. The plausibility of the claims is supported by recent official announcements, and the tone is consistent with official EU communications.
Supercharge Your Content Strategy
Feel free to test this content on your social media sites to see whether it works for your community.
