EDPB 119th Plenary (May 2026): What EU Developers and DPOs Need to Watch
The European Data Protection Board holds plenary sessions roughly monthly. These sessions are where EU data protection law gets made in practice—not through legislation, but through binding opinions, guidelines, and Art. 65 dispute-resolution decisions that every supervisory authority in the EU must follow. The 119th Plenary on May 11, 2026 arrives at a particularly dense regulatory moment: the EU AI Act GPAI provisions are three months from their August 2026 deadline, international transfer litigation is accelerating, and the WhatsApp Meta enforcement saga is heading toward another round of escalation.
This post explains what EU developers and DPOs should watch for and how plenary outcomes will affect your data stack.
Why EDPB Plenary Decisions Matter More Than Most Developers Realise
Many developers track GDPR compliance through supervisory authority (SA) decisions from their local DPA—the BayLfD, the CNIL, the ICO (pre-Brexit UK equivalent). What they miss is that the EDPB operates above national DPAs in cross-border cases and can issue binding decisions under Art. 65 GDPR that override national SA positions.
When the EDPB adopts an Opinion or Guideline in plenary, three things follow:
- National DPAs align enforcement. An EDPB Opinion on, say, AI-generated profiling triggers coordinated enforcement across all 30 EEA member states within 6–18 months.
- DPAs cite EDPB positions in company audits. If your ROPA or DPIA doesn't reflect current EDPB guidance, you have a gap—even if local case law is silent.
- Court challenges are weakened. Companies that argue against enforcement can no longer claim regulatory ambiguity after an EDPB Opinion is published.
For developers: an EDPB guideline on automated decision-making, AI profiling, or international transfers is not abstract policy. It becomes an audit checklist item within 12 months.
Key Workstreams Likely on the Agenda
1. AI Act–GDPR Intersection Guidance
The EU AI Act designates the EDPB as a key cooperative body for high-risk AI systems involving personal data processing. Art. 40 EU AI Act creates a bridge between AI conformity assessments and GDPR DPIAs. The EDPB has been developing a joint guidance framework since late 2025 to clarify:
- When a DPIA under GDPR Art. 35 is triggered by AI system deployment
- How "high-risk AI system" (Annex III) maps to "high risk to rights and freedoms" under Art. 35(1) GDPR
- What counts as adequate "human oversight" for Art. 22 GDPR automated-decision-making exemptions when an AI system is involved
Developer implication: If you deploy any Annex III AI system—hiring tools, credit scoring, education evaluation, biometric categorisation—you may need both an AI Act conformity assessment and a GDPR DPIA. The EDPB May plenary guidance will define exactly how these two instruments interact. Monitor the published text carefully; it will directly affect what your legal team must file before August 2026.
2. WhatsApp Business API: Meta Enforcement Escalation
The EDPB's Art. 65 dispute-resolution process for Meta Ireland has been running since 2022. Previous rounds resulted in the landmark €1.2 billion Meta fine (May 2023) and ongoing enforcement around WhatsApp's data-for-service model. What is expected to resurface in 2026:
- WhatsApp Business API data retention terms. Business accounts process customer message data under joint-controllership arrangements with Meta. The EDPB has questioned whether Meta's 90-day default retention for business-initiated messages satisfies Art. 5(1)(e) storage limitation.
- Cross-context data use. Whether Meta can combine WhatsApp Business API interaction data with Meta Ads targeting is unresolved under the Schrems II transfer framework, particularly given CLOUD Act exposure of Meta's Irish processors to US government orders.
Developer implication: If your SaaS uses WhatsApp Business API for customer notifications (order confirmations, support flows), you are a joint controller under Meta's terms. An EDPB decision tightening those terms creates immediate compliance obligations for you—revised DPAs, updated Art. 13 disclosures, possibly shortened retention periods you must enforce at the application layer.
3. International Transfer Tools: Post-DPF Stress Testing
The EU-US Data Privacy Framework (DPF) has been in force since July 2023, but legal challenges are progressing. The EDPB has been quietly updating its Recommendations 01/2020 on supplementary measures for international transfers in light of:
- The Schrems III petition filed at the CJEU (referral expected late 2026)
- FISA 702 reauthorisation (April 2024) with new provisions that EDPB legal staff consider incompatible with GDPR adequacy
- Cloud Act orders served on EU subsidiaries of US hyperscalers (Microsoft, Google, Amazon) since 2023—several of which have been publicly disclosed in German and Dutch court filings
The May plenary may advance a new EDPB Opinion on whether DPF transfers to companies subject to the Cloud Act remain valid for sensitive data categories (health data, financial data, biometric data).
Developer implication: If your DPA checklist says "DPF covers us," verify whether the DPF organisation you transfer to (OpenAI, AWS, Google Cloud, Azure) processes any special category data for your customers. An EDPB Opinion narrowing DPF validity for special categories would require you to fall back to Standard Contractual Clauses—and conduct a Transfer Impact Assessment that accounts for Cloud Act exposure. Document this now, before the opinion drops.
4. Consent Management Platforms: Dark Patterns Enforcement
The EDPB published its Guidelines on Dark Patterns in social media (03/2022) and has since extended enforcement scrutiny to CMPs (Consent Management Platforms) used across web and mobile apps. The pending item for May 2026 relates to:
- Reject-all button placement. CMPs that bury "Reject all" behind two clicks while surfacing "Accept all" in one click are now consistently found to violate Art. 4(11) (freely given consent) and Art. 7(3) (ease of withdrawal).
- TCF 2.2 compliance review. The IAB Europe Transparency and Consent Framework received a conditional green light from the Belgian DPA in 2024. The EDPB is expected to review whether TCF 2.2 as currently deployed meets GDPR consent requirements at scale.
Developer implication: If you use any CMP (OneTrust, Cookiebot, Axeptio, etc.), check that your implementation exposes Reject All at the same depth as Accept All. CMPs that pass a vendor audit do not automatically pass your audit—the implementation matters. An EDPB opinion on CMPs in May 2026 will be used by DPAs to justify enforcement actions from Q3 2026 onward.
5. Binding Corporate Rules: Streamlined Authorisation Procedure
The EDPB has been working on a revised BCR (Binding Corporate Rules) authorisation procedure to reduce the 18–24 month approval timeline to under 12 months. For most mid-sized SaaS companies, BCRs remain impractical due to cost and complexity. But if BCR timelines shorten significantly:
- Larger EU SaaS companies may find BCRs viable for intra-group transfers to non-EU entities
- SaaS vendors offering multi-region EU data residency may use BCRs to simplify their customer DPA frameworks
Developer implication: Low near-term impact for most developers. Watch for BCR changes if your company has non-EU entities processing EU customer data intra-group.
The Three Documents to Download the Moment They Are Published
When the EDPB publishes plenary outcomes (typically 1–3 weeks after the session), three document types directly affect developers:
| Document | What it Changes | Action Required |
|---|---|---|
| Opinion on AI Act–GDPR Interaction | DPIA triggers for high-risk AI | Review your Annex III exposure; update DPIA templates |
| Updated Recommendations on International Transfers | DPF validity for sensitive data | Re-evaluate DPF + Cloud Act TIAs for special category processors |
| Guidelines on CMP Dark Patterns (update) | Consent UI requirements | Audit CMP implementation; enforce Reject All depth parity |
Subscribe to the EDPB newsletter at edpb.europa.eu or monitor their press releases section. New guidelines go through a public consultation period—typically 6 weeks—before finalisation. Use that window to review gaps against your current ROPA, DPIA inventory, and DPA agreements.
How EDPB Decisions Interact with the EU AI Act August 2026 Deadline
The August 2026 deadline is the inflection point for GPAI model providers (Art. 51–56) and deployers of high-risk AI systems (Art. 26). The intersection with GDPR creates a dual-compliance burden:
- Art. 26(5) EU AI Act requires deployers to conduct a "fundamental rights impact assessment" that partially overlaps with a GDPR Art. 35 DPIA
- Art. 22 GDPR automated decision-making safeguards apply to any AI output that "significantly affects" an individual—the EDPB's guidance in May will define what "significantly affects" means in the context of AI-generated decisions
For SaaS developers: if you integrate AI models for any customer-facing decision (pricing, eligibility, content recommendation), the EDPB May guidance on Art. 22 scope is directly applicable. A narrow EDPB interpretation (Art. 22 only applies to fully automated, no-human-in-loop decisions) reduces your compliance burden. A broad interpretation (Art. 22 applies to AI-assisted decisions where humans rubber-stamp outputs) creates significant operational requirements.
The honest answer: no one knows which interpretation the EDPB will adopt. Build your systems to support both. That means logging AI decision inputs and outputs, maintaining a human review path, and documenting the technical basis for any automated output that affects a customer's access, pricing, or service terms.
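One way to implement the logging described above, as an added example that is not from the original post: each decision record carries inputs, outputs and the review path, is tagged under both Art. 22 readings, and is hash-chained so later edits are detectable at audit time. The `Decision` fields, the 10-second rubber-stamp threshold and the hash chain are assumptions of this example, not EDPB requirements.

```python
import hashlib
import json
from dataclasses import dataclass, asdict

# Assumption, not an EDPB or legal threshold: a review shorter than this that
# leaves the model output unchanged is flagged as a possible rubber stamp.
RUBBER_STAMP_SECONDS = 10.0
GENESIS = "0" * 64

@dataclass
class Decision:
    subject_id: str
    effect: str                 # "access", "pricing", "service_terms", "none"
    model_version: str
    inputs: dict
    model_output: str
    final_output: str
    reviewer: str = ""          # empty means no human saw the decision
    review_seconds: float = 0.0

def art22_scope(d: Decision) -> tuple:
    """Return (narrow, broad): in scope under each reading described above."""
    if d.effect == "none":
        return (False, False)
    automated = d.reviewer == ""
    rubber_stamp = (not automated and d.final_output == d.model_output
                    and d.review_seconds < RUBBER_STAMP_SECONDS)
    return (automated, automated or rubber_stamp)

def append(log: list, d: Decision) -> dict:
    """Append a hash-chained entry so later edits to the log are detectable."""
    narrow, broad = art22_scope(d)
    body = json.dumps({**asdict(d), "art22_narrow": narrow,
                       "art22_broad": broad}, sort_keys=True)
    prev = log[-1]["hash"] if log else GENESIS
    entry = {"prev": prev, "body": body,
             "hash": hashlib.sha256((prev + body).encode()).hexdigest()}
    log.append(entry)
    return entry

def verify(log: list) -> bool:
    """Recompute the chain; False if any entry was altered or the links break."""
    prev = GENESIS
    for e in log:
        digest = hashlib.sha256((prev + e["body"]).encode()).hexdigest()
        if e["prev"] != prev or e["hash"] != digest:
            return False
        prev = e["hash"]
    return True
```

Truncating the tail of the log is not detected by the chain alone; anchoring the latest hash somewhere the application cannot rewrite covers that case.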
What "EU-Native" Infrastructure Changes About EDPB Compliance
The EDPB plenary on international transfers highlights a structural risk that EU developers often underestimate: even if your code and your customers are in Europe, your cloud provider's ownership may make your data subject to US jurisdiction.
The Cloud Act exposure map:
- AWS: Amazon.com Inc. (US parent) — EU-based data subject to 18 USC §2713 orders
- Azure: Microsoft Corporation (US parent) — same exposure
- Google Cloud: Alphabet Inc. (US parent) — same exposure
- Koyeb: French company, but uses Equinix data centres under US Equinix ownership
- Railway: US entity — full US jurisdiction
The sota.io difference: sota.io runs on EU-owned infrastructure without US parent company exposure. When the EDPB narrows DPF validity for sensitive data or special categories, you are not caught in the crossfire. Your Cloud Act TIA is empty—there is nothing to assess—because there is no US legal entity that can receive a Cloud Act order for your data.
For DPOs completing GDPR Art. 30 ROPAs: infrastructure processor entries that point to sota.io require no Art. 46 transfer documentation. No SCCs, no DPF, no TIA. That is a material reduction in your compliance paper trail and audit exposure.
Action Checklist: Before and After May 11
Before May 11 (now):
- Identify all AI systems you deploy that fall under Annex III EU AI Act
- Document whether those systems trigger GDPR Art. 35 DPIA independently of the AI Act
- Audit your CMP implementation: does Reject All require the same number of clicks as Accept All?
- List all processors subject to Cloud Act (US-parented cloud providers handling personal data)
- For each Cloud Act-exposed processor: do you have a Transfer Impact Assessment on file?
After May 11 (watch EDPB publications):
- Download EDPB Opinion on AI Act–GDPR interaction → compare against your Annex III inventory
- Download updated international transfer recommendations → re-evaluate DPF validity for special categories
- If CMP guidelines are updated → re-audit consent UI against new requirements
- Update ROPA entries for any processor whose transfer mechanism changes
- Notify DPO and legal team within 30 days of guideline finalisation
Summary
The EDPB May 2026 plenary matters for developers building on cloud infrastructure or deploying AI. The expected outputs—AI Act–GDPR interaction guidance, international transfer stress testing, and CMP enforcement updates—will translate into audit checklist items within 12 months. EU-native infrastructure removes the international transfer compliance surface entirely. Everything else still requires a legal response to what the EDPB publishes on and after May 11.
The EDPB publishes plenary decisions at edpb.europa.eu. Consult qualified legal counsel for advice specific to your organisation's data processing activities.