
Privacy Regulation Roundup: Top Stories of January 2025

Contributors

Anas Baig

Product Marketing Manager at Securiti

Aswah Javed

Associate Data Privacy Analyst at Securiti

Syed Tatheer Kazmi

Associate Data Privacy Analyst, Securiti

CIPP/Europe

Syeda Eimaan Gardezi

Associate Data Privacy Analyst at Securiti

Securiti publishes a monthly Privacy Regulation Roundup summarizing the most significant global privacy regulatory developments, announcements, and changes. Each item ends with a link to related resources for that regulatory activity.

North and South America Jurisdiction

1. US Department of Justice Publishes Provisions Aimed At Preventing Undue Access To Americans’ Sensitive Data

Date: December 27, 2024
Summary: The US Department of Justice (DoJ) has published the Final Rule implementing Provisions About Preventing Access to US Sensitive Personal Data and Government-Related Data by Countries of Concern or Covered Persons (the Final Rule).

This comes after the Notice of Proposed Rule Making (NPRM) publication in October 2024.

The Final Rule implements Executive Order 14117 by establishing generally applicable rules for specific categories of data transactions that pose an unacceptable risk to US national security. The EO highlights the vulnerability of Americans' sensitive data, and the Final Rule addresses the elevated risk created by countries of concern using that data to train AI capabilities that are increasingly able to affect US national security.

The Final Rule identifies the countries of concern and covered persons to whom it applies. It then designates classes of prohibited, restricted, and exempt transactions and sets bulk thresholds for certain categories of sensitive personal data, including human genomic data, biometric identifiers, precise geolocation data, personal health data, personal financial data, and certain covered personal identifiers.

Lastly, the Final Rule prescribes processes for obtaining licenses that authorize otherwise prohibited or restricted transactions, protocols for designating covered persons, a mechanism for advisory opinions, and recordkeeping, reporting, and other due diligence obligations for covered transactions.

The Final Rule enters into effect 90 days from its publication in the Federal Register. Read More.

2. Several New Data Regulations Come Into Effect In The US

Date: January 1, 2025
Summary: The following regulations came into effect:

  • Iowa Consumer Data Protection Act (ICDPA);
  • Nebraska Data Privacy Act (NEDPA);
  • Delaware Personal Data Privacy Act (DPDPA);
  • New Hampshire Consumer Expectation of Privacy (NHPA);
  • New York Senate Bill 7676B for an Act to amend the general obligations law, in relation to contracts for the creation and use of digital replicas;
  • Personal Information Protection Act 2016 (PIPA) of Bermuda;
  • Virginia SB 361 amending Consumer Data Protection Act;
  • Virginia HB 707 amending Consumer Data Protection Act;
  • California's Protecting Youth From Social Media Addiction Act.

3. CFPB Recognizes FDX As The New Standard-Setting Body Under The Personal Financial Data Rights Rule

Date: January 8, 2025
Summary: The Consumer Financial Protection Bureau (CFPB) has recognized the Financial Data Exchange, Inc. (FDX) as the first standard-setting body under the Personal Financial Data Rights rule.

Under the rule, financial providers must allow consumers to freely transfer their personal financial data to another provider. The CFPB has also established a formal application process to become a recognized industry-standard-setting body, with FDX set to be the standard-setting body for the next five years. Read More.

4. New Jersey Becomes Latest US State With Data Privacy Law

Date: January 15, 2025
Summary: The New Jersey Data Privacy Act (NJDPA) became effective on January 15, 2025. Like the comprehensive privacy laws of eighteen other US jurisdictions, it establishes several obligations for data controllers operating in New Jersey. Key provisions and obligations include:

  • Definitions of key terms and a set of consumer rights, such as the rights to access, rectify, and opt out of targeted advertising;
  • Recognition of a universal opt-out mechanism, which controllers must honor from July 15, 2025;
  • Appropriate mechanisms for obtaining user consent before processing sensitive data;
  • Data security measures that adequately address the risks to users' data;
  • A 30-day cure period allowing organizations found in non-compliance to remedy violations before regulatory action.

The New Jersey Attorney General's Office holds the enforcement powers under this act. Read More.

5. FTC Finalizes New Amendments To COPPA Rules

Date: January 16, 2025
Summary: The Federal Trade Commission (FTC) has finalized amendments to the Children's Online Privacy Protection Act (COPPA) Rule. Separate verifiable parental consent is now required before children's data is disclosed to third parties for targeted advertising, and personal data may be retained only for as long as necessary for the purpose for which it was collected. COPPA Safe Harbor programs must disclose their membership lists and report to the FTC.

The definition of personal information is expanded to include biometric identifiers and government-issued identifiers, while proposed changes regarding push notifications and educational technology used in schools were not adopted.

The amended COPPA Rule becomes effective 60 days after publication in the Federal Register, and covered entities will have one year from that date to comply. Read More.

6. New Executive Order Mandates Development Of New AI Plan Facilitating US Leadership In The Field

Date: January 23, 2025
Summary: The White House has issued an Executive Order to promote US leadership in AI. The order mandates the development of an AI action plan within 180 days to sustain and enhance US global leadership in AI in support of human flourishing, economic competitiveness, and national security.

The order assigns this work to the Assistant to the President for Science and Technology, the Special Advisor for AI and Crypto, and the Assistant to the President for National Security Affairs. It also directs a review of policies issued under the previous administration's EO 14110, which has been revoked, and revisions to the related OMB Memoranda to align them with the new AI policy. Read More.

EMEA Jurisdiction

7. CJEU Provides Clarity On What Constitutes "Excessive" Data Subject Access Requests

Date: January 9, 2025
Summary: The Court of Justice of the European Union (CJEU) has clarified when a data subject's requests can be treated as "excessive" under the GDPR. The case involved an Austrian citizen who lodged 77 complaints with the Austrian Data Protection Authority (DPA) over roughly 20 months, alongside numerous requests to various controllers, including 46 erasure requests and 29 access requests.

Per the CJEU's ruling, the term "request" in Article 57(4) of the GDPR also covers complaints lodged with a supervisory authority. For such requests to be "excessive", the supervisory authority must demonstrate an abusive intent on the part of the individual; the number of requests alone is not sufficient. Under this reading, a single broad request could be excessive if it reveals abusive intent, while many narrower, well-founded requests might not be.

Where requests are excessive, the ruling allows the supervisory authority to charge a reasonable fee or refuse to act on them, provided the chosen response is necessary and proportionate. Read More.

8. Collection Of Gendered Titles Violates Principles Of GDPR, CJEU Rules

Date: January 9, 2025
Summary: The CJEU has ruled on the French railway company SNCF's requirement that passengers select a civil title, "Monsieur" or "Madame", when purchasing tickets. Per the ruling, this practice is incompatible with the GDPR's principles of data minimization and necessity, as the data is not indispensable for performing the transport contract. SNCF's justifications, namely assigning gender-specific sleeping accommodation on night trains and assisting passengers with disabilities, were deemed insufficient, not least because customers were not informed of those purposes, in breach of the GDPR's transparency obligations.

The judgment reiterates that all personal data processing must be "adequate, relevant, and limited to what is necessary." It also notes that processing cannot be justified by a legitimate interest where it carries an inherent risk to individuals' fundamental rights, such as discrimination on grounds of gender identity. Read More.

9. EU General Court Rules Against European Commission In Bindl v Commission

Date: January 8, 2025
Summary: In Case T-354/22, Bindl v Commission, the EU General Court found that the European Commission had unlawfully transferred personal data to a third party in the US, Meta Platforms, without appropriate safeguards, in breach of Regulation (EU) 2018/1725 (the data protection regulation applicable to EU institutions).

The applicant visited a Commission website to register for events in 2021 and 2022. He observed that the website connected to third-party providers, such as AWS and Microsoft, and transmitted personal data, including his IP address and browser details, to their servers in the US.

He then sent several emails to the Commission raising concerns about these transfers and requesting details. The Commission replied that AWS EMEA processed and stored his data in Luxembourg and, given the similarity of his two requests, informed him that his query had already been answered.

The applicant brought an action before the General Court seeking annulment of the unauthorized data transfers, a declaration that the Commission had failed to respond to his information request, compensation for non-material damage resulting from the infringement of his rights, and an order for costs. The Court found the transfer to Meta Platforms, which occurred when he used the "Sign in with Facebook" option, to be unlawful and ordered the Commission to pay him EUR 400 in non-material damages; the remaining claims were dismissed. Read More.

10. French CNIL Publishes Recommendations On Creation Of Privacy-Friendly Mobile Apps

Date: January 14, 2025
Summary: The Commission Nationale de l'Informatique et des Libertés (CNIL) has published the final version of its recommendations to help professionals design privacy-friendly mobile apps. The recommendations focus on the privacy risks specific to mobile apps, such as access to real-time location and health information.

Key Objectives of these guidelines include:

  • Defining the roles of app publishers, app developers, SDK providers, OS providers, and app store providers;
  • Specifying the division of responsibilities between these stakeholders in the mobile ecosystem and clarifying their obligations, to provide legal certainty;
  • Providing practical advice on how to manage such collaborations;
  • Improving the information given to users about how their data is used;
  • Ensuring that user consent for non-essential processing, such as targeted advertising, is freely given and as easy to withdraw as it is to give.

The CNIL will launch an investigation campaign targeting mobile apps in early spring 2025 to verify compliance with the applicable rules. Until then, it will continue to handle complaints, conduct investigations where necessary, and adopt corrective measures to protect mobile app users' privacy. Read More.

11. DORA Becomes Applicable To EU Financial Entities

Date: January 17, 2025
Summary: The Digital Operational Resilience Act (DORA) became applicable to EU financial entities on January 17, 2025, after being in force since January 16, 2023.

DORA strengthens the ICT risk management of financial institutions such as banks, insurance companies, and investment firms, so that the European financial sector can withstand and recover from severe operational disruptions. The regulation, which applies to 20 types of financial entities as well as their ICT third-party service providers, is a significant step towards harmonizing operational resilience rules across the financial sector. Read More.

Asia Jurisdiction

12. New Clauses In Vietnam's Law On Telecommunications Come Into Effect

Date: January 1, 2025
Summary: Clauses 3 and 4 of Article 72 of Vietnam's Law No. 24/2023/QH15 on Telecommunications took effect on January 1, 2025; the remainder of the law has been in effect since July 1, 2024. Key provisions of the law include:

  • Enterprises must register or notify the types of services they provide and disclose service quality information;
  • Foreign providers of basic telecommunication services must comply with principles respecting Vietnam's sovereignty and security and with its international commitments;
  • Enterprises offering data center and cloud computing services must:
    • Register their services and comply with laws on data protection and network security;
    • Not access or use user data without the user's consent;
    • Prevent unauthorized access to user data and comply with lawful requests from competent state authorities;
    • Declare the data center's conformity with applicable technical standards before commencing operation.

The law provides stricter oversight of telecommunications, internet services, and data handling practices. Read More.

13. New Chinese Regulations On Network Data Security Management Come Into Force

Date: January 1, 2025
Summary: The Network Data Security Management Regulations came into force in China on January 1, 2025, having been formally approved on August 30, 2024, and published on September 30, 2024. The regulations apply to:

  • Network data processing activities and their security management within China;
  • Processing outside China of the personal information of individuals located in China;
  • Data processing outside China that harms China's national security, public interests, or the lawful rights and interests of Chinese citizens and organizations.

Obligations for data processors include:

  • Strengthen data security through measures such as encryption, backups, access control, and security authentication;
  • Prevent data tampering, destruction, disclosure, and unauthorized access or use;
  • Provide personal information handling rules in a centralized, easily accessible format that include:
    • The identity and contact details of the data processor;
    • The purpose, method, and type of processing and, particularly for sensitive personal information, its necessity;
    • The retention period and how data is handled once that period expires;
    • Data subject rights, including access, correction, deletion, restriction, and withdrawal of consent. Read More.

14. Indian Ministry of Electronics and Information Technology Publishes Draft DPDPA Rules 2025

Date: January 3, 2025

Summary: India's Ministry of Electronics and Information Technology (MeitY) published the draft Digital Personal Data Protection Rules, 2025 (the draft DPDPA Rules) on January 3, 2025. Public comments on the draft are open until February 18, 2025. Key provisions of the draft include:

  • Registration conditions and obligations for consent managers, including record-keeping and preventing data breaches;
  • Consent managers must ensure that data principals give informed consent to processing, safeguard the data they handle, and avoid conflicts of interest with data fiduciaries.

Obligations for data fiduciaries include:

  • Provide clear notices to data principals about consent and data processing;
  • Implement reasonable safeguards (e.g., encryption) to prevent breaches;
  • Notify data principals and the Data Protection Board of India of breaches promptly;
  • Delete data when no longer needed;
  • Obtain verifiable parental consent for processing children's data;
  • Make Data Protection Officer (DPO) contact details publicly available.

Specific obligations for significant data fiduciaries include:

  • Conduct annual data audits and Data Protection Impact Assessments (DPIAs);
  • Verify that their algorithmic software does not pose a risk to data principals' rights. Read More.
