Turning Compliance into Trust: The New Privacy Advantage
August signaled a turning point: regulators are no longer content with drafting frameworks, they expect proof of compliance in practice. Enforcement is sharpening, with tighter rules on consent, security, and accountability. But this is not only a challenge, it is also an opening. Organisations that treat these changes as a chance to embed privacy and resilience by design can build lasting trust with customers, reduce long-term risk, and differentiate themselves in competitive markets.
The message is clear: the era of “policy on paper” is closing, and demonstrable compliance is becoming the norm. Those who move early will not just avoid penalties, but lead in shaping a more trusted digital ecosystem.
North & South America Jurisdiction
1. Federal Trade Commission Raises Do Not Call Registry Fees
August 27, 2025 United States
The Federal Trade Commission has increased the fees telemarketers must pay to access the National Do Not Call (DNC) Registry. Starting in FY 2026, the cost to download a single area code will rise to $82 (up from $80), while nationwide access will cost up to $22,626 (up from $22,038). Charities, political organizations, and other exempt entities remain eligible for free access, and the first five area codes continue to be free of charge.
This means that telemarketers face slightly higher compliance costs, reinforcing the importance of keeping annual DNC access current to avoid penalties.
2. NIST Updates Security and Privacy Control Catalog (SP 800-53)
August 27, 2025 United States
The National Institute of Standards and Technology (NIST) has issued a revised version of Special Publication (SP) 800-53, Security and Privacy Control Catalog, in line with Executive Order 14306 on strengthening national cybersecurity. The update expands requirements around software resiliency, developer testing, secure deployment and management of updates, as well as integrity and validation measures.
Organizations are encouraged to engage cross-functional teams to align their software development and update practices with the revised controls and ensure stronger protection across systems.
3. Privacy Commissioner Affirms Right to De-list Search Results
August 27, 2025 Canada
The Privacy Commissioner of Canada has ruled that individuals may, in limited cases, request the de-listing of information from search results when its continued display poses serious harm that outweighs the public interest. The decision stemmed from a complaint against Google involving outdated news reports of a dismissed criminal charge that remained searchable by name, causing alleged assault, job loss, and stigma.
The Commissioner found Google in breach of PIPEDA for refusing to remove the links and ordered de-listing from name-based searches. While the articles remain online at their original sources, they should no longer appear in Google results. The Office is considering further steps to secure compliance.
4. FTC Warns Tech Companies on Foreign-Driven Censorship and Encryption Weakening
August 21, 2025 United States
The Federal Trade Commission (FTC) has issued letters to major tech companies warning against adopting censorship or weakening encryption in response to foreign government demands. Citing examples such as the EU’s Digital Services Act, the UK’s Online Safety Act, and the UK’s Investigatory Powers Act, the FTC stressed that applying foreign rules to American users could violate Section 5 of the FTC Act, which prohibits unfair or deceptive practices.
The FTC under Chairman Trump and Vice Chair Vance emphasized that companies must honor their commitments to American consumers by safeguarding privacy, ensuring strong encryption, and avoiding censorship practices that serve foreign interests. Firms were invited to meet with the Commission by August 28 to discuss compliance with U.S. obligations.
5. HHS OCR Settles HIPAA Ransomware Case with BST & Co. CPAs
August 18, 2025 United States
The U.S. Department of Health and Human Services (HHS) Office for Civil Rights (OCR) has announced a $175,000 settlement with BST & Co. CPAs, LLP, a New York accounting and consulting firm, over potential violations of the HIPAA Security Rule. The case stemmed from a 2019 ransomware incident that compromised the protected health information (PHI) of a covered entity client. OCR’s investigation found that BST had failed to conduct a thorough risk analysis as required under HIPAA.
As part of the settlement, BST agreed to a two-year corrective action plan, including completing a full risk analysis, developing a risk management plan, updating HIPAA policies and procedures, and providing annual workforce training. This marks OCR’s 15th ransomware enforcement action and highlights its continued focus on risk analysis compliance.
The HHS Office for Civil Rights (OCR) has released new and updated guidance on the HIPAA Privacy Rule. A new FAQ clarifies that covered entities may disclose PHI for treatment purposes within value-based care arrangements, such as accountable care organizations, without patient authorization. An updated FAQ also confirms that individuals’ right of access extends to a broad set of records, now explicitly including consent forms for treatment.
The guidance follows broader federal efforts to improve interoperability and patient access to data, aligning with recent CMS initiatives and industry commitments to support seamless information sharing.
7. Privacy Commissioner Issues Guidance on Biometrics
August 11, 2025 Canada
The Privacy Commissioner of Canada has released new guidance for public and private sector organizations on the responsible use of biometric technologies, including facial recognition and fingerprint scanning. The guidance stresses that collection and use of biometric information must be tied to an appropriate purpose, with careful assessment of privacy risks, proportionality, consent, transparency, and safeguards for accuracy and security.
Revisions made after stakeholder consultation clarified definitions, aligned the guidance more closely with legal requirements, refined consent standards, and added emphasis on lawful authority and risk assessment. The Commissioner underscored the need to integrate privacy protections at the outset of biometric initiatives to balance innovation with individual rights.
8. Argentine Access to Public Information Agency Issues Resolutions on Data Protection and Access to Information
August 8, 2025 Argentina
The Argentine Access to Public Information Agency (AAIP) has issued two resolutions to bolster privacy and transparency in the public sector. Resolution 145/2025 launches a three-year program requiring agencies to adopt privacy policies, appoint data protection officers, register databases, and train staff. Resolution 148/2025 introduces a mandatory request tracking system for all entities under the Access to Public Information Act, effective September 1, 2025.
Both measures advance the AAIP’s 2022-2026 Strategic Plan and reinforce its role as the authority for personal data protection and access to information.
9. CPPA Brings First Judicial Subpoena Enforcement Against Fortune 500 Company
August 6, 2025 California
The California Privacy Protection Agency (CPPA) has taken the unprecedented step of filing a judicial action to enforce an investigative subpoena against Tractor Supply Company (NASDAQ: TSCO), a Fortune 500 retailer. The CPPA alleges the company failed to cooperate with questions under oath regarding compliance with the California Consumer Privacy Act (CCPA), including whether it honored consumers’ right to opt out of the sale and sharing of personal data.
This marks the CPPA’s first-ever judicial subpoena enforcement and its first public acknowledgment of an ongoing investigation. The fact that a Fortune 500 company is at the center of the case underscores the agency’s willingness to take on large, well-resourced businesses. The action sends a strong message: non-cooperation will not be tolerated, and even the biggest players are not immune from aggressive enforcement under California’s privacy regime.
10. Brazilian Government Launches New National Cybersecurity Strategy (E-Ciber)
August 4, 2025 Brazil
Brazil has issued Decree No. 12,573/2025 launching a new National Cybersecurity Strategy (E-Ciber), replacing its 2020 framework. The plan sets out 40 actions to strengthen governance, update legislation, and create a national body to oversee cybersecurity, with emphasis on essential services and critical infrastructure. It also supports SMEs with flexible compliance plans, insurance mechanisms, and a certification seal, while promoting awareness, public–private cooperation, and Brazil’s role in international forums.
The strategy positions Brazil as a regional leader in cybersecurity and raises the bar for businesses to adopt higher security and compliance standards.
11. NIST Updates Digital Identity Guidelines (SP 800-63 Rev. 4)
August 1, 2025 United States
NIST has issued Revision 4 of Special Publication 800-63, Digital Identity Guidelines, its first update since 2017. The revision strengthens requirements around risk management, fraud prevention, identity proofing, and password controls, while positioning identity management as a cross-functional business process.
For organizations, the update signals the need to adopt a more integrated, risk-based approach to digital identity in order to meet heightened security standards.
12. ICO Initiates Consultation on Draft Guidance for Distributed Ledger Technologies
August 28, 2025 United Kingdom
The UK Information Commissioner’s Office (ICO) has opened a consultation on draft guidance for Distributed Ledger Technologies (DLT). Running from 28 August to 7 November 2025, the consultation seeks stakeholder feedback to refine the guidance and clarify how data protection rules apply to blockchain and similar systems.
The survey, hosted on Citizen Space, takes about 15 minutes to complete and invites views on organisational impact, the draft text itself, and general comments. Responses may be subject to disclosure under the Freedom of Information Act and UK GDPR.
13. UK ICO Opens Consultations on DUAA 2025 Guidance
August 21, 2025 United Kingdom
Following the entry into force of the Data (Use and Access) Act 2025 (DUAA), the ICO has launched consultations on draft guidance for two key amendments: a new ‘recognised legitimate interest’ lawful basis and the new requirement for organisations to establish data protection complaints processes.
The new lawful basis allows personal information to be used for certain pre-approved public interest purposes, such as crime prevention, safeguarding, and emergencies, while the complaints process must be in place by June 2026. The consultations aim to provide clarity and practical examples to help organisations apply the amendments confidently. The consultation on recognised legitimate interest closes October 30, 2025, and the consultation on complaint processes closes October 19, 2025.
14. First Phase of Data (Use and Access) Act 2025 Now in Effect
August 20, 2025 United Kingdom
The UK has commenced the first phase of the Data (Use and Access) Act 2025 (DUAA) through the Commencement No. 1 Regulations 2025. Effective August 20, the regulation establishes a legal framework for data access, giving customers and authorized individuals the right to request their data.
It also sets new duties for the Information Commissioner, including annual reporting and performance analysis, and begins provisions on the Information Commission, copyright, and AI system reporting. This marks the first step in a four-stage rollout of the DUAA.
15. Austrian Court Confirms Data Protection Authority’s Decision Deeming “Pay or Consent” Models Unlawful
August 18, 2025 Austria
The Austrian Federal Administrative Court (BVwG) has upheld the Data Protection Authority’s ruling against DerStandard’s “Pay or Consent” model, which required users to either purchase a subscription or accept online tracking. The court found that such consent cannot be considered “freely given” and criticized the absence of granular options for users to selectively consent to specific purposes.
The case is expected to proceed to the EU Court of Justice (CJEU), potentially setting an EU-wide precedent on the lawfulness of “Pay or Consent” models. Organisations using similar approaches should urgently review their consent practices to ensure users are offered a genuine, non-monetary alternative, such as an equally accessible “Reject All” option.
16. Algeria Amends 2018 Privacy Act with Stronger Compliance Obligations
August 1, 2025 Algeria
Algeria has enacted Law No. 11-25, amending its 2018 data protection framework to better align with international standards. Key updates include new definitions for biometric data, profiling, pseudonymization, and data breach; mandatory requirements such as DPO appointments, detailed processing records, and DPIAs for high-risk activities; and a five-day breach reporting deadline to the data protection authority (ANPDP).
The law also introduces a framework for international data transfers based on adequacy decisions, while expanding ANPDP’s oversight powers through audits and controls. These changes mark a major step in modernizing Algeria’s privacy regime and strengthening its convergence with global data protection norms.
17. UK ICO Publishes New Guidance on Secure Disclosure of Documents
August 1, 2025 United Kingdom
The ICO has published new guidance to help organizations prevent accidental disclosure of personal data when releasing documents, such as in FOI or Subject Access Request responses. The resource, replacing earlier 2023 advice, includes checklists and how-to videos on spotting hidden data (metadata, hidden rows, filters), using redaction tools, and safer file formats.
The ICO warned that serious breaches, including those at the Police Service of Northern Ireland and the Ministry of Defence, show the need for stronger processes. The guidance provides organisations with clearer steps to reduce compliance risks.
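As an added illustration of the hidden-data checks the ICO guidance describes (example code written for this page, not the ICO's own tooling), the following script builds a constructed minimal .xlsx containing author metadata, a hidden sheet, a hidden row and an active filter, then scans the file's XML parts for each of them before release. All names and sample values are constructed.

```python
"""Pre-release check for hidden content in an OOXML spreadsheet (constructed example)."""
import io
import zipfile
import xml.etree.ElementTree as ET

NS_CORE = "http://schemas.openxmlformats.org/package/2006/metadata/core-properties"
NS_DC = "http://purl.org/dc/elements/1.1/"
NS_SS = "http://schemas.openxmlformats.org/spreadsheetml/2006/main"


def build_sample_workbook() -> bytes:
    """Constructed minimal .xlsx (a zip of XML parts) seeded with the problems the
    guidance lists: author metadata, a hidden sheet, a hidden row and a filter."""
    core = (f'<cp:coreProperties xmlns:cp="{NS_CORE}" xmlns:dc="{NS_DC}">'
            '<dc:creator>a.analyst</dc:creator>'
            '<cp:lastModifiedBy>hr-casework</cp:lastModifiedBy></cp:coreProperties>')
    workbook = (f'<workbook xmlns="{NS_SS}"><sheets>'
                '<sheet name="Response" sheetId="1"/>'
                '<sheet name="Raw" sheetId="2" state="hidden"/></sheets></workbook>')
    sheet1 = (f'<worksheet xmlns="{NS_SS}"><sheetData>'
              '<row r="1"><c r="A1" t="inlineStr"><is><t>Case ref</t></is></c></row>'
              '<row r="2" hidden="1"><c r="A2" t="inlineStr"><is><t>Complainant: J. Doe</t></is></c></row>'
              '</sheetData><autoFilter ref="A1:A2"/></worksheet>')
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("docProps/core.xml", core)
        zf.writestr("xl/workbook.xml", workbook)
        zf.writestr("xl/worksheets/sheet1.xml", sheet1)
        zf.writestr("xl/worksheets/sheet2.xml", f'<worksheet xmlns="{NS_SS}"><sheetData/></worksheet>')
    return buf.getvalue()


def inspect_workbook(data: bytes) -> dict:
    """Return findings per category; an empty list means that check is clean."""
    findings = {"metadata": [], "hidden_sheets": [], "hidden_rows": [], "filters": []}
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        names = zf.namelist()
        if "docProps/core.xml" in names:  # document properties travel with the file
            root = ET.fromstring(zf.read("docProps/core.xml"))
            for tag in (f"{{{NS_DC}}}creator", f"{{{NS_CORE}}}lastModifiedBy"):
                el = root.find(tag)
                if el is not None and el.text:
                    findings["metadata"].append(f"{tag.split('}')[1]}={el.text}")
        if "xl/workbook.xml" in names:  # sheets hidden from the tab bar still ship
            root = ET.fromstring(zf.read("xl/workbook.xml"))
            for sh in root.iter(f"{{{NS_SS}}}sheet"):
                if sh.get("state") in ("hidden", "veryHidden"):
                    findings["hidden_sheets"].append(sh.get("name"))
        for name in names:  # hidden rows and filters are recorded inside each sheet part
            if not name.startswith("xl/worksheets/"):
                continue
            root = ET.fromstring(zf.read(name))
            for row in root.iter(f"{{{NS_SS}}}row"):
                if row.get("hidden") in ("1", "true"):
                    findings["hidden_rows"].append(f"{name}:row {row.get('r')}")
            if root.find(f"{{{NS_SS}}}autoFilter") is not None:
                findings["filters"].append(name)
    return findings


def is_safe_to_release(findings: dict) -> bool:
    """A file is only cleared when every category came back empty."""
    return not any(findings.values())


if __name__ == "__main__":
    result = inspect_workbook(build_sample_workbook())
    for category, items in result.items():
        print(category, items)
    print("safe to release:", is_safe_to_release(result))
```

The same zip-and-XML approach extends to .docx parts (tracked changes, comments, `docProps/core.xml`), and a clean report is still no substitute for exporting a flattened format such as PDF after redaction.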
18. Malaysia Proposes Major Updates to Data Protection Regulations
August 27, 2025 Malaysia
Malaysia’s Personal Data Protection Department (PDP) has launched a consultation on proposed updates to the 2013 regulations. Key takeaways are:
the introduction of provisions for processing personal data without consent in specific, permitted circumstances;
new requirements for data controllers to verify consent from parents, guardians, or responsible individuals when a data subject is a minor;
a mandate for data controllers to enter into written contracts with third-party data processors; and
a requirement for security policies to include mandatory procedures for managing data breaches.
The public consultation closes on 8 September 2025. The proposals reflect a shift toward stricter compliance and greater accountability, bringing Malaysia’s framework closer to international standards and raising legal and financial risks for businesses that fall short.
19. Cambodia Releases New Data Protection Draft Law
August 12, 2025 Cambodia
Cambodia’s Ministry of Post and Telecommunications has published a draft Personal Data Protection Law (PDPL) for public consultation. The law would apply to organisations inside and outside Cambodia offering goods or services to Cambodian residents and establishes six legal bases for processing, data subject rights, DPIA obligations, breach notification duties, and privacy-by-default requirements.
It also introduces a two-year transition period and penalties of up to 600 million Cambodian Riel. The draft PDPL represents a major step in strengthening digital rights and trust in Cambodia’s growing online ecosystem.
20. Australian Information Commissioner Sues Optus Over Alleged Privacy Act Violations
August 8, 2025 Australia
The Australian Information Commissioner (AIC) has filed suit against Optus for alleged violations of the Privacy Act 1988 following a breach affecting 9.5 million customers. The AIC claims 9.5 million separate violations, with potential penalties of up to A$2.2 million per breach. Compromised data included passport numbers and home addresses, intensifying calls from Prime Minister Anthony Albanese for stronger privacy laws.
The case adds to mounting pressure on Optus, which has already faced a CEO resignation after the 2023 outage and is now subject to separate proceedings by Australia’s media regulator. The lawsuit highlights Australia’s shift toward tougher corporate accountability in data protection.
21. MIIT Cracks Down on Apps for User Rights Violations
August 4, 2025 China
China’s Ministry of Industry and Information Technology (MIIT) has issued enforcement notices to dozens of apps and SDKs for violating user rights under the Personal Information Protection Law (PIPL). Inspections identified 57 apps and SDKs in one review and 23 apps in another, citing illegal data collection, excessive permissions, and inadequate disclosure.
Offending apps have been ordered to make corrections or face legal action, reflecting China’s continued tightening of privacy enforcement and accountability for app operators.
22. Thailand’s PDPC Announces Five Enforcement Actions Under PDPA 2019
August 1, 2025 Thailand
Thailand’s Personal Data Protection Committee (PDPC) has announced five enforcement actions against government agencies, hospitals, and private companies for violations of the Personal Data Protection Act 2019 (PDPA 2019). Fines ranged from THB 16,940 to THB 7 million, with breaches including weak security controls, failure to conduct risk assessments, and not appointing Data Protection Officers.
The PDPC stressed that organizations must maintain strong security standards, carry out regular risk assessments, and ensure continuous monitoring to safeguard personal data.
WHAT'S NEXT: Key Privacy Developments to Watch For
China’s Draft Telecom Standards: The MIIT’s 23 proposed telecom standards covering processor security, V2X platforms, and protections for minors, remain open for comment until September 5, 2025.
China’s Draft Standard on Data Erasure: The CAC has proposed new rules for consumer electronics with data storage, requiring overwrite and command clearing functions, one-click erasure, and verification of data deletion. Public consultation closes September 13, 2025.
Sri Lanka’s PDPA Revisions: Cabinet-approved amendments to the Personal Data Protection Act will enter into force on September 18, 2025, strengthening coordination with the DPA and boosting enforcement capacity.
New Jersey Data Privacy Proposed Rules: The deadline for comments on proposed rules under the state’s new data privacy law has been extended to September 2, 2025, giving stakeholders more time to weigh in.
California Advancing New Privacy Bills: AB 322 on geolocation notices, AB 1043 on age verification for minors, and SB 354 on insurance data protections.
Brazil Online Child Protection Bill (PL 2628/2022): The Chamber of Deputies has fast-tracked and approved the bill, which introduces stricter safeguards for minors online. Further movement in the Senate is expected.
Brazil Digital Era Child Protection Statute: Recently introduced in the Chamber of Deputies, this bill could add new privacy obligations for services aimed at children.
Greece Telecom Security Rules: ADAE’s Decision No. 304/2025 now requires telcos to adopt security policies, train staff, encrypt passwords, and report breaches, with enforcement already underway and two-year recordkeeping.