The GDPR has been in force since 2018, but it continues to evolve. Court rulings, new guidelines, tightened controls — 2025 and 2026 bring important changes for everyone working with email data. Here's what you need to know.
The Meta Ruling: What It Means for Email
In May 2025, the European Court of Justice (ECJ) issued a landmark ruling: data protection supervisory authorities can take action not only against companies that process data, but also against those that provide the technical infrastructure.
- Hosting providers are liable when customers violate GDPR
- Email services must monitor their customers more closely
- "We didn't know" is no longer an excuse
The New BSI Technical Guidelines Update
The German Federal Office for Information Security (BSI) updated its technical guidelines for email security in 2025:
BSI TR-03108 (Secure Email Transport):
- New updates emphasize stricter transport security baselines, including modern TLS standards
- MTA-STS must be implemented
- DANE for all new domains
BSI TR-03182 (Email Authentication):
- DMARC policy must be set to "reject"
- DKIM keys must be at least 2048 bits
- SPF entries must be regularly checked
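One way to check a domain's published DNS records against the TR-03108 and TR-03182 points listed above, as an added example that is neither part of the original article nor code from the BSI: the script parses DMARC, DKIM, SPF and MTA-STS TXT records, decodes the DKIM public key with a minimal DER reader to measure the RSA modulus, and reports each point that is not met. The record values and the demo key are constructed for the example; the TLS and DANE points need a live connection or TLSA lookup and are out of scope for a TXT-only check.

```python
import base64
def _tlv(buf, pos=0):
    """Read one DER tag/length/value at pos; return (tag, value, next_pos)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long-form length: low bits give the byte count
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length
def rsa_modulus_bits(der):
    """Bit length of the RSA modulus in a DER SubjectPublicKeyInfo (the DKIM p= tag)."""
    _, spki, _ = _tlv(der)
    _, _, after_alg = _tlv(spki)          # skip AlgorithmIdentifier
    _, bitstr, _ = _tlv(spki, after_alg)  # BIT STRING, first byte = unused-bit count
    _, rsapub, _ = _tlv(bitstr[1:])       # RSAPublicKey SEQUENCE { n, e }
    _, modulus, _ = _tlv(rsapub)
    return int.from_bytes(modulus, "big").bit_length()
def _der(tag, body):  # DER-encode one TLV with short- or long-form length
    if len(body) < 128:
        return bytes([tag, len(body)]) + body
    lb = len(body).to_bytes((len(body).bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + body
def make_dkim_p(bits):
    """Constructed demo p= value whose modulus has exactly `bits` bits (not a real key)."""
    enc = lambda v: _der(0x02, v.to_bytes((v.bit_length() + 8) // 8, "big"))
    rsapub = _der(0x30, enc((1 << (bits - 1)) | 1) + enc(65537))
    alg = _der(0x30, _der(0x06, bytes.fromhex("2a864886f70d010101")) + _der(0x05, b""))
    return base64.b64encode(_der(0x30, alg + _der(0x03, b"\x00" + rsapub))).decode()
def _tags(txt):  # split a 'k=v; k=v' record (DMARC, DKIM, MTA-STS) into a dict
    return dict(p.strip().split("=", 1) for p in txt.split(";") if "=" in p)
def audit(records):
    """Return the points from the lists above that the given TXT records miss."""
    findings = []
    dmarc = _tags(records.get("_dmarc", ""))
    if dmarc.get("v") != "DMARC1" or dmarc.get("p") != "reject":
        findings.append("DMARC policy is not p=reject")
    dkim = _tags(records.get("dkim", ""))
    if dkim.get("k", "rsa") == "rsa" and (  # the 2048-bit rule concerns RSA keys
            "p" not in dkim or rsa_modulus_bits(base64.b64decode(dkim["p"])) < 2048):
        findings.append("DKIM RSA key shorter than 2048 bits")
    spf = records.get("spf", "").split()
    if not spf or spf[0] != "v=spf1" or not spf[-1].endswith("all"):
        findings.append("SPF record missing or lacks a terminal 'all' mechanism")
    if _tags(records.get("_mta-sts", "")).get("v") != "STSv1":
        findings.append("MTA-STS TXT record missing")
    return findings
SAMPLE = {  # constructed zone data, not a real domain; a live audit would resolve TXT records
    "_dmarc": "v=DMARC1; p=quarantine; rua=mailto:dmarc@example.com",
    "dkim": "v=DKIM1; k=rsa; p=" + make_dkim_p(1024),
    "spf": "v=spf1 mx -all", "_mta-sts": "v=STSv1; id=20250101"}
```

Running `audit(SAMPLE)` flags the quarantine policy and the 1024-bit key; swapping in `p=reject` and `make_dkim_p(2048)` returns an empty list.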
The ePrivacy Regulation: Status 2025/2026
The ePrivacy Regulation, originally supposed to come into force alongside GDPR, is still not in effect. But there's movement:
- The EU Council established its position in autumn 2025
- The European Parliament is expected to vote in spring 2026
- Entry into force could occur by end of 2026
Current drafts increase pressure on providers to implement stronger encryption and anti-eavesdropping safeguards.
GDPR Fines: The Numbers Are Rising
2024 and 2025 brought new record fines:
- Meta: 1.2 billion euros (data transfer to USA)
- Amazon: 746 million euros (advertising tracking)
- Clearview AI: 30 million euros (facial recognition)
Smaller companies were also punished more severely. The average GDPR fine in 2025 was 75,000 euros — significantly more than in previous years.
The "Right to be Forgotten" for Emails
An unresolved problem: How does the "right to be forgotten" work with emails? When someone requests deletion of their data, companies must remove all copies. But what about emails that have already been delivered to other recipients?
Conclusion
The GDPR isn't a static law. It lives, it grows, it's refined through rulings and guidelines. 2025 and 2026 bring important decisions for email data protection.
Your email privacy isn't a luxury. It's a right. And legislation is slowly catching up to what technology has long enabled.