EDPB adopts new measures on age assurance, AI oversight, and anti-doping rules

The European Data Protection Board (EDPB) has announced several new measures following its February 2025 plenary meeting in Brussels, focusing on child protection online, artificial intelligence (AI) enforcement, and athlete data privacy.

One of the key outcomes was a statement on age assurance, which sets out ten principles for how companies should process personal data when verifying someone’s age or age range. The goal is to make sure children are shielded from harmful content while ensuring that verification methods are minimally intrusive and respect privacy rights. EDPB Chair Anu Talus stressed that age assurance must protect children’s well-being without exposing their personal data unnecessarily. The Board is also working with the European Commission on age verification within the framework of the Digital Services Act.

The EDPB also announced it will expand its existing ChatGPT task force into a broader AI enforcement group. This new task force will coordinate data protection authorities’ (DPAs) actions on pressing AI-related issues. To handle urgent cases, the Board will also establish a quick response team. Talus underlined that the GDPR is designed to strike a balance between encouraging innovation and maintaining strong privacy protections, and the new structures will help regulators manage AI’s risks while supporting its benefits.

Finally, the Board issued recommendations on the 2027 World Anti-Doping Agency (WADA) Code, focusing on how athletes’ sensitive data, such as health information from biological samples, should be handled. The EDPB emphasised that national anti-doping organisations must follow standards equivalent to the GDPR, including having a clear legal basis for processing data, limiting use to specific purposes, and ensuring that athletes are properly informed about how their data is used and able to exercise their rights.