Securiti has started a Privacy Regulation Roundup summarizing the latest significant global privacy regulatory developments, announcements, and changes. These developments will be added to our website monthly. You can find a link to related resources at the bottom for each relevant regulatory activity.
North and South America Jurisdiction
1. Hawaii Releases Seven Guidelines On Various Data Protection Issues
Date: February 18, 2025
Summary: The Hawaii State Data Office has released seven sets of guidelines on data protection issues relevant to state agencies, including using GenAI technology. The guidelines cover the following topics:
- Data Quality Guidelines: Proactively monitor, manage, and improve data quality, including increased accuracy, completeness, consistency, timeliness, uniqueness, and validity.
- Data Privacy Guidelines: Ensure personally identifiable information is identified and protected during data collection, processing, storage, usage, and sharing processes.
- Data Catalog Guidelines: Instruct agencies on how to identify and inventory all existing assets with a summary of each data set, who owns each set, and how the set can be used.
- Data Classification Guidelines: Instruct agencies on classifying data based on sensitivity for proper protection, including data access control.
- Data Retention Guidelines: Define how long agencies must store data sets to ensure compliance and to prevent data loss by ensuring data backups.
- Open Data Guidelines: Handle publicly accessible data to ensure that it is consistently shared and updated, outlining how to identify open data according to applicable policies.
- GenAI Assistant Technologies Usage Guidelines: Advise agencies on safe and responsible use of AI technologies, including dos and don'ts, best practices, and key features of specific GenAI tools. Read More.
2. Judge Rejects EPIC's Request To Stop DOGE's Access To US Treasury & OPM Personal Data
Date: February 24, 2025
Summary: EPIC's request for a temporary injunction to stop the Department of Government Efficiency (DOGE) from accessing personal data from the U.S. Treasury and OPM has been rejected by a federal court in Virginia.
Per the complaint, DOGE has forced an unlawful disclosure of vast amounts of government workers' and average Americans' data to unauthorized personnel, violating the Privacy Act, the Internal Revenue Code, and Fifth Amendment rights. The judge, Rossie Alston of the Eastern District of Virginia, ruled that EPIC and the government worker were not entitled to an injunction, because the plaintiffs were unable to demonstrate irreparable harm. Read More.
EMEA Jurisdiction
3. European Banking Authority’s New Guidelines Narrow The Scope Of ICT & Security Risk Management After DORA Comes Into Effect
Date: February 11, 2025
Summary: The European Banking Authority has narrowed the scope of its Guidelines on ICT and security risk management owing to the harmonized ICT risk management requirements under the Digital Operational Resilience Act (DORA), effective from 17 January 2025. The amendments simplify the framework and provide legal clarity. The revised Guidelines now apply only to entities covered by DORA, including credit institutions, payment institutions, account information service providers, and certain exempted institutions. Additionally, the Guidelines now focus solely on relationship management requirements for payment service users. Read More.
4. Eurosystem Updates Its TIBER-EU Framework
Date: February 12, 2025
Summary: The Eurosystem has updated the European framework for threat intelligence-based ethical red-teaming (TIBER-EU). Per the latest additions, the framework now aligns with the Digital Operational Resilience Act (DORA) regulatory technical standards on threat-led penetration testing (TLPT) and provides comprehensive guidance for authorities, entities, threat intelligence providers, and red-team testers on conducting controlled cyberattacks to enhance cyber resilience. Additionally, it outlines a standardized approach for performing DORA TLPT in a qualitative, controlled, and safe manner across the EU. The updated framework includes steps for conducting threat intelligence-based red-team testing by designated financial entities compliant with DORA. Read More.
5. European Commission Adopts Regulatory Technical Standards For Penetration Testing Under DORA
Date: February 16, 2025
Summary: The European Commission adopted the Regulatory Technical Standard (RTS) for Threat-Led Penetration Testing (TLPT) under the Digital Operational Resilience Act (DORA) on February 13, 2025. This regulation supplements the existing rules by setting clear criteria for identifying financial entities required to conduct threat-led penetration testing (TLPT).
The regulation specifies the following:
- Sets out the criteria for identifying financial entities required to perform threat-led penetration testing (TLPT);
- Establishes the requirements regarding the testing scope, methodology, and results of TLPT, including the testing process;
- Lays down the requirements and standards governing the use of internal testers;
- Contains the rules on supervisory cooperation and mutual recognition of TLPT.
The regulation will take effect 20 days after it is published in the Official Journal of the European Union. Read More.
6. European Commission Publishes Regulation Implementing Technical Standards For Reporting Major ICT Incidents Under DORA
Date: February 20, 2025
Summary: On February 20, 2025, the European Commission published Regulation (EU) 2025/302, which lays down implementing technical standards under the Digital Operational Resilience Act for reporting major ICT-related incidents and notifying significant cyber threats by financial entities. The regulation becomes effective on March 12, 2025, and contains the templates and procedures financial entities must use for such reports and notifications. Read More.
7. European Commission Publishes Regulation Clarifying Content & Incident Notification Deadlines For Reporting Major ICT Incidents Under DORA
Date: February 20, 2025
Summary: On February 20, 2025, the European Commission published Regulation (EU) 2025/301, regulatory technical standards supplementing the Digital Operational Resilience Act on the content of, and deadlines for, reports of major ICT-related incidents and voluntary notifications of significant cyber threats. The regulation becomes effective on March 12, 2025. It specifies the required content and deadlines for incident notifications and reports, and also requires financial entities to use secure channels, reclassify incidents when needed, and disclose outsourcing arrangements. Read More.
Asia Jurisdiction
8. China's CAC Approves Personal Information Protection Compliance Audit Management Measures
Date: February 12, 2025
Summary: The Personal Information Protection Compliance Audit Management Measures have been reviewed and approved by the Cyberspace Administration of China (CAC) and will come into effect on May 1, 2025. Under these measures, personal information handlers are required to conduct regular compliance audits; organizations handling the personal information of more than 10 million individuals must conduct such audits at least every two years. In cases of significant risk or large-scale data breaches, audits may be performed by specialized organizations.
Handlers must cooperate with the audit, correct any identified deficiencies, and report to the authorities. Large internet platforms will be subject to enhanced oversight, and violations will be subject to relevant punitive actions per the PIPL and Network Data Security Management Regulations. Read More.
9. India’s TRAI Amends Regulations Against Unsolicited Commercial Messages
Date: February 12, 2025
Summary: TRAI has amended the Telecom Commercial Communications Customer Preference (TCCCP) Regulations to enhance safeguards against unsolicited commercial communication (UCC).
Some of the updates in the amendment include:
- Simplified spam reporting and faster action by access providers.
- Standardized number series for telemarketing identification.
- Easier opt-out options for consumers.
- Escalating financial penalties for violations.
The amendments come into effect 30 days after their publication, with some provisions becoming applicable within 6 days. Read More.
10. Malaysia Enacts the Communications and Multimedia (Amendment) Act 2025
Date: February 12, 2025
Summary: The Communications and Multimedia (Amendment) Act 2025 revises major provisions of the Communications and Multimedia Act 1998 and took effect on February 11, 2025. The amendments include the following:
- Clarifies the definition of "communications data" and defines "prohibited content";
- Increases penalties, with fines of up to MYR 1 million and imprisonment of up to 5 years for violations;
- Bans unsolicited commercial electronic messages.
11. Saudi Arabia Introduces Risk Assessment Guidelines for Transferring Personal Data outside the Kingdom
Date: February 24, 2025
Summary: Saudi Arabia’s SDAIA issued the Risk Assessment Guideline for Transferring Personal Data Outside the Kingdom. The guideline establishes a structured approach for assessing risks related to cross-border personal data transfers. It includes:
- Four-Phase Risk Assessment: Entities must follow a phased process: preparation, assessing negative impacts, evaluating transfer risks, and analyzing implications for Saudi Arabia’s vital interests.
- Preparation Phase: Determines if a risk assessment is required based on factors such as processing sensitive data, large-scale operations, or continuous monitoring.
- Negative Impacts & Risk Analysis: Identifies vulnerabilities, potential threats, probability of occurrence, and severity of impact, requiring controls to mitigate risks.
- Risk Assessment for Data Transfers: Organizations must analyze the nature of the transfer, verify recipient compliance with PDPL, and evaluate mitigation measures.
- Implications for National Interests: Assesses risks to Saudi Arabia’s vital interests, requiring alternative methods or enhanced safeguards for high-risk scenarios. Read more.
12. Malaysia's Personal Data Protection Department announces Data Protection Officer Appointment Guidelines and Data Breach Notification Guidelines
Date: February 25, 2025
Summary: The Data Protection Officer Appointment Guidelines and Data Breach Notification Guidelines are set to take effect on June 1, 2025. The guidelines outline requirements for appointing Data Protection Officers (DPOs) and handling data breaches. Key provisions include:
Breach Guidelines:
- Notification to the Commissioner: Required if the breach causes significant harm or affects more than 1,000 individuals.
- Notification Timeframe: Must be reported within 72 hours; delays require an explanation.
- Affected Data Subjects: Must be reported within 7 days after initial notification to the Commissioner.
- Record-Keeping: A breach register must be maintained for 2 years.
DPO Guidelines:
- Appointment Requirement: DPOs must be appointed if processing exceeds 20,000 data subjects (or 10,000 for sensitive or financial data), or if regular monitoring of data subjects is involved.
- Qualification Requirements: DPOs must be knowledgeable in data protection laws and security, and based in Malaysia or easily reachable.
- Responsibilities: DPOs must ensure compliance, conduct impact assessments, and serve as the point of contact for both the Commissioner and data subjects.
- DPO Notification: Must notify the Commissioner within 21 days of appointment. Read more.