Logan Kelly

AI Agent Context Window and GDPR: How Tool Call Data Creates a Data Minimization Violation — and How to Fix It

On March 19, 2026, 25 EU data protection authorities started checking AI systems. Most agents fail at the tool call, not the output. Here's the fix.

On March 19, 2026, the European Data Protection Board launched its Coordinated Enforcement Action for 2026. Twenty-five data protection authorities across the EU began simultaneously contacting organizations to assess compliance with GDPR transparency obligations — Articles 12, 13, and 14 — covering any system that processes personal data, including AI agents. Most companies using AI agents cannot demonstrate that compliance when asked. The failure isn't in the output layer. It's in what happens 400 milliseconds earlier, when the agent calls a tool.

The Context Window Is a GDPR Processing Record

Under GDPR, every piece of personal data that enters a system counts as processing. That's not a contested interpretation — it's Article 4(2): "any operation or set of operations which is performed on personal data ... whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation."

An AI agent's context window is its working memory. It accumulates everything the agent needs to complete a task: the user's instruction, outputs from tool calls, retrieved documents, intermediate reasoning. When a CRM tool call returns a customer record — name, email, purchase history, account tier, support ticket history, sometimes a date of birth — that entire record enters the context window. All of it is now being "processed" under GDPR.

The data minimization principle, Article 5(1)(c), requires that personal data be "adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed." When an agent calls your CRM and the response returns 47 fields about a customer, and the agent only needed 3 of them to complete the task, processing all 47 fields into the context window may constitute a data minimization violation at the tool call layer — before the LLM has done anything with them, and before any user-facing output has been generated.

This is not how most teams think about agent privacy. They think about outputs.

Under GDPR Article 83(5), violations of the data minimization principle in Article 5 are subject to fines of up to €20 million or 4% of global annual turnover, whichever is higher. That exposure isn't triggered by what the agent says. It's triggered by what enters the context window before the agent says anything.

The Scrubbing Approach Is Architecturally Too Late

The dominant approach to PII in AI systems is redaction and scrubbing: intercept the LLM's output before it reaches the user, strip PII, and log what was removed. Platforms like LangSmith, Helicone, and Arize Phoenix offer variations of this — observability layers that capture what the model produced and can flag or redact PII in response text.

This is useful for preventing PII from appearing in user-facing outputs. It does nothing for the data minimization problem, because by the time the output scrubber runs, the context window has already processed the full customer record. The scrubber catches PII at the exit door. GDPR's data minimization requirement applies at the entrance.

Practitioners building agentic systems have noted the architectural irony: using an LLM to redact PII from agent outputs means the PII was already given to the LLM to reason over. The same logic applies at the tool call level. A proxy that strips PII from what the model returns to the user doesn't address the fact that the CRM returned a full customer record into the context window in the first place.

The correct enforcement point is the data interface — what tool calls are allowed to return, before they write to the context window.

Why Tool Call Responses Are the Primary PII Vector

In a non-agentic system, a developer writes a query and specifies which fields to return. The data minimization decision is made explicitly, at query time, by a human. In an agentic system, the agent decides which tool to call and sends a natural-language or structured request; the tool returns whatever its API response structure is.

Most enterprise APIs — CRMs, HR systems, ERP platforms, customer support tools — are not designed for agentic consumption. They're designed for human-facing applications that display data in forms and tables. A CRM contact record API might return 50+ fields because a customer profile page needs all of them. When an agent calls that same API to answer "what was this customer's last order?" it gets all 50 fields, writes them to the context window, and uses 2 of them.

The agent isn't doing anything wrong. The tool call is functioning as designed. The problem is that the data interface was not designed for the minimization requirements of agentic processing. No one scoped it. No one enforced it. And now 25 EU regulators are asking your organization to document it.

What the EDPB's 2026 Enforcement Action Is Actually Looking For

The EDPB's 2026 Coordinated Enforcement Framework covers GDPR Articles 12, 13, and 14 — transparency and information obligations. DPAs across Europe are contacting organizations across multiple sectors to assess: what personal data systems process, what legal basis applies to that processing, and how data subjects can exercise their rights. AI tools are among the systems being scrutinized.

For agentic systems, the compliance gap typically lands at three failure points.

Scoping failure: The agent processes more personal data than necessary for the task because tool call responses return full records and no control layer limits the scope before they enter the context window.

Documentation failure: There's no session-level record of what data was present in the context window during a given agent run — making it impossible to respond to a data subject access request (DSAR) that asks "what did your AI know about me and when?"

Legal basis failure: The agent processes personal data from multiple sources (the user's input, a CRM, a support ticket system) but the data processing agreement and privacy notice cover only one source. The tool call data enters the context window without a documented legal basis for that specific processing.

All three failures are architectural. A better privacy policy doesn't fix them. An output scrubber doesn't fix them. They require enforcement at the data interface level, before data enters the context window.
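The three failures above can be addressed at a single chokepoint between the tool and the agent's context. The following is an added example (it is not Waxell's code or anyone's product): a hypothetical scope registry keyed by tool and task purpose projects each tool response onto its authorized fields before anything is appended to the context, and writes a per-session record of which fields were admitted and dropped under which legal basis. The tool name, purpose label, field names and CRM response are all constructed for illustration.

```python
"""Added example: enforce field scoping at the tool-call boundary and record
what entered the context window, per agent session (hypothetical design)."""
from dataclasses import dataclass, field
from datetime import datetime, timezone

# Hypothetical scope registry: one entry per (tool, task purpose). Fields not
# listed never reach the context window; the legal basis is fixed per purpose.
SCOPES = {
    ("crm.get_contact", "last_order_lookup"): {
        "fields": {"customer_id", "last_order_id", "last_order_date"},
        "legal_basis": "Art. 6(1)(b) contract",   # example value
    },
}

class ScopeViolation(Exception):
    """A tool response arrived for a purpose with no registered scope."""

@dataclass
class Session:
    session_id: str
    context: list = field(default_factory=list)   # what the LLM actually sees
    records: list = field(default_factory=list)   # audit trail for DSARs

    def admit_tool_result(self, tool: str, purpose: str, raw: dict) -> dict:
        """Project a raw tool response onto its authorised fields before it is
        appended to the context, and log field names (not values) for audit."""
        scope = SCOPES.get((tool, purpose))
        if scope is None:   # unscoped purpose: nothing enters the context
            raise ScopeViolation(f"no scope for {tool} under {purpose!r}")
        minimized = {k: v for k, v in raw.items() if k in scope["fields"]}
        self.records.append({
            "ts": datetime.now(timezone.utc).isoformat(),
            "session": self.session_id, "tool": tool, "purpose": purpose,
            "legal_basis": scope["legal_basis"],
            "fields_admitted": sorted(minimized),
            "fields_dropped": sorted(set(raw) - set(minimized)),
        })
        self.context.append({"tool": tool, "result": minimized})
        return minimized

# Constructed CRM response: the full record a human-facing API would return.
CRM_RESPONSE = {"customer_id": "C-1001", "full_name": "Alice Example",
                "email": "alice@example.com", "date_of_birth": "1980-01-01",
                "account_tier": "gold", "last_order_id": "O-7781",
                "last_order_date": "2026-03-02", "support_tickets": ["T-1"]}

def demo() -> tuple:
    """Run one scoped tool call; return (what the LLM saw, the audit record)."""
    s = Session("sess-demo")
    seen = s.admit_tool_result("crm.get_contact", "last_order_lookup", CRM_RESPONSE)
    return seen, s.records[0]
```

The audit record carries field names and the legal basis rather than the values themselves, so answering "what did your AI know about me and when?" does not require retaining a second copy of the personal data.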

How Waxell Handles This

The Signal and Domain layer addresses the context window minimization problem at the data interface. Instead of an agent calling a full CRM contact API and receiving 50 fields, the Signal/Domain layer mediates: it defines a scoped interface that returns only the fields authorized for a given agent's task context. The data minimization decision is made once, at the interface definition level, and enforced for every agent call — without requiring per-request scrubbing logic and without rebuilds when data interfaces change.

Waxell Runtime's policy engine enforces 50+ policy categories across the pre/mid/post execution arc, including data handling policies that operate before tool call responses are appended to the context window. Minimization enforcement runs before processing occurs, not after.

For organizations facing EDPB enforcement inquiries, Waxell's execution records provide the session-level audit trail that regulators are examining: what data entered the context window, from which tool call, at what time, under which policy configuration.

Waxell Connect governs the agents your organization didn't build — vendor agents, third-party integrations, and MCP-native agents that connect to your data sources with no SDK and no code changes required. For enterprises running Salesforce Einstein, Microsoft Copilot, or other third-party AI tools alongside internal agents, Connect applies the same data interface controls without requiring modification of the vendor's code. The agents you didn't build carry the same GDPR obligations as the ones you did. Connect is how you enforce them.

FAQ

What does GDPR's data minimization principle mean for AI agents specifically? GDPR Article 5(1)(c) requires that personal data be "limited to what is necessary" for the processing purpose. For AI agents, this applies to tool call responses: if an agent retrieves a customer record from a CRM and the record contains 50 fields, but only 3 are needed to complete the task, processing all 50 fields into the context window may violate data minimization. The principle applies to what enters the context window, not just what the agent outputs to the user.

Does output PII redaction satisfy GDPR data minimization? No. Output redaction prevents PII from appearing in user-facing responses, but it doesn't address data minimization, which governs what data is processed in the first place. When full customer records enter the context window, they have already been processed under GDPR's definition — regardless of whether they appear in the final output.

What is the EDPB's 2026 Coordinated Enforcement Action examining? The 2026 CEF, launched March 19, 2026 with 25 participating EU data protection authorities, is examining compliance with GDPR Articles 12, 13, and 14 — transparency and information obligations. For AI systems, this means demonstrating what personal data is processed, on what legal basis, and how data subjects can exercise their rights. Session-level documentation of agent context window contents is directly relevant.

What's the difference between a PII scrubber and data interface enforcement? A PII scrubber intercepts data at the output layer — stripping PII from what the model returns to the user. Data interface enforcement operates at the input layer — controlling what tool call responses are allowed to return before they enter the context window. The first approach addresses output exposure. The second addresses processing minimization under GDPR Article 5(1)(c).

Can third-party or vendor AI agents create GDPR data minimization exposure? Yes. Organizations are responsible for how personal data is processed by AI systems they deploy, including vendor-supplied systems. If a third-party agent calls your CRM API and returns full records into its context window, your organization may be the data controller for that processing — regardless of which vendor built the agent. Waxell Connect governs these agents without requiring you to modify the vendor's code.

What is the status of the Colorado AI Act's PII-related requirements? The original Colorado AI Act (SB 24-205) was stayed by a federal court on April 27, 2026, in X. AI LLC v. Weiser (D. Colo. 1:26-cv-01515). It was subsequently repealed and replaced by SB 26-189, the Colorado Artificial Intelligence Act (also called the ADMT Act), which Governor Polis signed on May 14, 2026. The ADMT Act has an effective date of January 1, 2027. Legal requirements under Colorado law are in flux, but the compliance rationale — documenting what AI systems process and demonstrating enforceable data controls — aligns with EDPB priorities regardless of state law status.

Sources

  1. European Data Protection Board. "CEF 2026: EDPB launches coordinated enforcement action on transparency and information obligations under the GDPR." March 19, 2026. https://www.edpb.europa.eu/news/news/2026/cef-2026-edpb-launches-coordinated-enforcement-action-transparency-and-information_en

  2. European Data Protection Board. GDPR Article 4(2) definition of "processing"; Article 5(1)(c) data minimization; Article 83(5) fine schedule. https://www.edpb.europa.eu/

  3. Colorado General Assembly. SB 24-205 "Consumer Protections for Artificial Intelligence" (original act, stayed April 27, 2026); SB 26-189 "Colorado Artificial Intelligence Act / ADMT Act" (replacement, signed May 14, 2026, effective January 1, 2027). https://leg.colorado.gov/bills/sb24-205; https://leg.colorado.gov/bills/sb26-189

  4. Clark Hill PLC. "Colorado's AI law delayed until June 2026: What the latest setback means for businesses." Background on the federal stay in X. AI LLC v. Weiser (D. Colo. 1:26-cv-01515), filed April 9, 2026; stay granted April 27, 2026. https://www.clarkhill.com/news-events/news/colorados-ai-law-delayed-until-june-2026-what-the-latest-setback-means-for-businesses/

  5. Hacker News. "Show HN: Mighty – let AI agents use private data safely." https://news.ycombinator.com/item?id=44377516 — practitioner discussion of architectural barriers to safe PII handling with AI agents.

  6. Hacker News. "Show HN: A local-first, reversible PII scrubber for AI workflows." https://news.ycombinator.com/item?id=46377070 — practitioner discussion of proxy-based PII scrubbing and its limitations.

Waxell

Waxell provides observability and governance for AI agents in production. Bring your own framework.

© 2026 Waxell. All rights reserved.

Patent Pending.