Securiti’s Privacy Regulation Roundup summarizes the latest significant global privacy regulatory developments, announcements, and changes. These developments will be added to our website monthly. You can find a link to related resources at the bottom for each relevant regulatory activity.
North and South America Jurisdiction
1. Newfoundland’s IPC Publishes Guidance On Video Surveillance
Date: March 4, 2025
Summary: Newfoundland’s Information and Privacy Commissioner has published guidance on video surveillance. It is meant to assist public bodies and custodians in determining when such surveillance is necessary and justifiable, to ensure compliance with the Access to Information and Protection of Privacy Act, 2015 (ATIPPA, 2015) and the Personal Health Information Act (PHIA). Any authorized surveillance must comply with the relevant privacy laws when collecting personal information.
- Personal information under *ATIPPA, 2015* and *PHIA* includes identifiable images or voices in recordings;
- Privacy is a fundamental right that must be balanced with surveillance needs;
- Organizations must protect recorded data from unauthorized access, collection, and disclosure;
- Audio recording is significantly more invasive than video and should be avoided unless necessary.
Determining the Need for Video Surveillance
Before implementing or modifying a surveillance system, organizations must assess privacy risks and compliance by considering the Oakes Test:
- Necessity – Is there a real and ongoing problem that cannot be addressed by less invasive means?
- Effectiveness – Will surveillance effectively address the problem?
- Proportionality – Does the need justify the privacy intrusion?
- Least Intrusive Option – Is there a less privacy-invasive alternative?
Post-Decision Steps
1. Privacy Impact Assessment (PIA):
- Conducting a PIA before implementation is strongly recommended to identify and mitigate privacy risks;
- PIAs help ensure compliance with ATIPPA, 2015, and PHIA;
- Factors to consider include recording scope, storage security, public notifications, and access policies.
2. Policies and Procedures:
Organizations should establish clear policies, including:
- Purpose and scope of surveillance;
- Restrictions on usage (e.g., footage collected for security should not be used for HR matters);
- Access controls and safeguards to protect personal information;
- Handling of access requests (e.g., blurring individuals in footage);
- Complaint and retention policies.
3. Video Surveillance System Design
To minimize privacy impacts:
- Install cameras only in necessary locations, avoiding private areas (e.g., bathrooms);
- Limit recording times to when necessary rather than continuous monitoring;
- Avoid audio recording unless absolutely required;
- Implement tools to anonymize recorded data when needed.
4. Notification and Signage
Organizations must notify individuals of:
- The legal authority for surveillance;
- The purpose of data collection;
- Contact details for inquiries;
- Notification should include signage, website postings, and optional social media updates.
5. Review & Evaluation
- Conduct periodic audits to assess ongoing necessity and compliance;
- Adjust or remove unnecessary cameras and address emerging privacy concerns. Read More.
2. Bermuda's Privacy Commissioner Publishes Financial Services Guidance Notes
Date: March 7, 2025
Summary: The Bermuda Office of the Privacy Commissioner (PrivCom) has published the Financial Services Guidance Notes – Final Report. The report is meant to aid financial service providers in their Personal Information Protection Act 2016 (PIPA) compliance efforts.
The report comes after a March 2024 consultation with the industry to address compliance challenges, regulatory overlaps, and the need for guidance under PIPA, and compliance with other financial regulations in Bermuda. Additionally, it contains specific information on the interaction between PIPA and financial regulations, application to complex corporate structures, and data transfers to overseas third parties. The report also contains compliance expectations, FAQs, and case studies, noting how further clarification is needed on cross-jurisdictional corporate structures, privacy officer appointments, and the intersection with financial reporting obligations to ensure better compliance by subject organizations. Read More.
3. Governor Signs Bill Amending Kentucky’s Consumer Data Protection Act
Date: March 15, 2025
Summary: Kentucky Governor Andy Beshear signed HB 473 into law. This bill, which will take effect on January 1, 2026, amends Kentucky’s Consumer Data Protection Act to exempt health care providers from its application, as other US states have done. Read More.
4. Quebec’s CAI Releases Guidance On Personal Data Processing During Recruitment
Date: March 17, 2025
Summary: The Quebec Commission on Access to Information (CAI) has released its guidance on processing personal data during recruitment. In it, the Commission reiterates the need to protect candidates’ personal information and makes it the legal responsibility of the employer, even when using third parties.
Furthermore, it advises data minimization so that only the most necessary information is collected, advises against collecting sensitive information at all, recommends regular privacy impact assessments, requires informing all candidates about any AI and psychometric tools being used, and advises against having AI make hiring decisions. References may be verified only after a conditional offer has been made and with the candidate’s consent, and any additional data may be collected only once a formal job offer is made. Any unnecessary personal data that has been collected must be destroyed. Read More.
5. New Law Repealing Previous Federal Law On The Protection of Personal Data Held By Private Parties Comes Into Effect In Mexico
Date: March 20, 2025
Summary: Mexico’s new Federal Law on the Protection of Personal Data Held by Private Parties was published in the Official Gazette of the Federation. The new law became effective on March 21, 2025, repealing the 2010 Federal Law on the Protection of Personal Data Held by Private Parties.
The new law amends the definitions of databases, public access sources, data controller, processing, and personal data, while reaffirming the obligation of data controllers to establish controls or mechanisms to ensure the confidentiality of personal data by those involved in processing. Such obligations continue to apply even after the relationship between the data controller and those individuals ends. Furthermore, this law eliminates the possibility of processing personal data for purposes other than the one stated in the privacy policy, with new consent required for any such additional purpose. The law mandates the creation of a National Registry of Data Controllers, requiring all individuals and legal entities in the private sector that process personal data to register.
Lastly, the law allows data subjects to object to any form of data processing when (i) the processing is automated, (ii) without human intervention, (iii) it causes undesired effects on the data subject, and (iv) the purpose of the processing is to evaluate, analyze, or predict behavior, reliability, professional performance, among other aspects. Read More.
6. Governor Signs Bill Amending The Virginia Consumer Protection Act
Date: March 24, 2025
Summary: Virginia’s Governor, Glenn Youngkin, signed Senate Bill 754 into law on March 24, 2025. The law, which takes effect on July 1, 2025, amends the Virginia Consumer Protection Act to require opt-in consent to obtain, disclose, sell, or disseminate reproductive or sexual health information, even if such information is necessary to deliver a product or service requested by the consumer.
The Virginia Consumer Protection Act is different from the Virginia Consumer Data Protection Act (VCDPA). However, this law adopts the VCDPA’s consent standard, which requires a clear, affirmative, specific, informed, and unambiguous opt-in.
Any person who suffers a loss due to a violation of the Act is entitled to actual damages (willful violations lead to treble damages) and reasonable attorneys' fees and court costs. Additionally, the Attorney General of Virginia may sue to enjoin violations and recover relevant civil penalties in cases of willful violations. Read More.
7. Canada’s OPC Releases Organizational Breach Risk Assessment Tool
Date: March 26, 2025
Summary: The Office of the Privacy Commissioner of Canada (OPC) has announced its release of an organizational breach risk assessment tool on March 26, 2025. This tool assists federal institutions and companies in assessing the risk of significant harm in the event of a breach while guiding users through a series of questions meant to determine whether the affected individuals ought to be informed. Read More.
8. Utah Legislature Passes App Store Accountability Act & HB 418
Date: March 26, 2025
Summary: The Utah legislature passed several laws on March 26, 2025. These include the following:
SB 142 - App Store Accountability Act: This requires app store providers to verify users’ ages and obtain parental consent for any minors under 18 before allowing them to create accounts, download apps, or make purchases. Furthermore, providers must use appropriate encryption for data protection, and no contracts are enforceable without parental consent. Developers are subject to similar age verification and parental consent requirements and are not allowed to share minors’ age data. Both providers and developers are subject to civil action for violations. The Act takes effect on May 6, 2026.
HB 418: The Act gives users the right to confirm, access, delete, and correct their personal data, to obtain it in a portable format, and to opt out of targeted advertising and the sale of their personal data, including their social graphs, across digital platforms. It also amends the Utah Consumer Privacy Act to give users the right to correct inaccuracies. Furthermore, social media companies must implement data interoperability interfaces, and the Act establishes requirements for data sharing between social media services. The law also provides for civil penalties and includes a severability provision. The Act will become effective in July 2026. Read More on SB 142 | Read More on HB 418
EMEA Jurisdiction
9. European Health Data Space Regulation Published In Official Journal Of The EU
Date: March 5, 2025
Summary: The European Health Data Space Regulation (EHDS) was published in the Official Journal of the EU on March 5, 2025, and will be enforceable from March 26, 2027. Under this regulation, organizations must ensure compliance with the European electronic health record exchange format while users are empowered with data subject rights, including access, rectification, and portability of their electronic health data. Fines are introduced for infringements of the Act, with penalties reaching up to €20 million or 4% of an undertaking's total worldwide annual turnover. Accompanying the official Act are FAQs, which cover the EHDS's objectives, scope, data subject rights, and its interaction with other EU legislation, such as the GDPR, Data Act, and AI Act. Read More.
10. European Supervisory Authorities Issue Opinion On European Commission's Rejection Of Subcontracting RTS Under DORA
Date: March 7, 2025
Summary: The European Supervisory Authorities (ESAs) issued an Opinion regarding the European Commission's rejection of the draft DORA Subcontracting RTS on March 7, 2025. Per the Opinion, they stated they would not be proposing any amendments to the Commission's suggested changes. The European Commission had already informed the Chair of the Joint Committee of the ESAs about its rejection of the draft Subcontracting Regulatory Technical Standards (RTS) on January 1, 2025.
The draft Subcontracting RTS outlines specific requirements for subcontracting ICT services that support a financial entity's critical functions, with Article 5 proposing various subcontracting conditions to be included in contracts between financial entities and ICT service providers.
However, the European Commission has rejected the draft, arguing the provisions in Article 5 concerning the monitoring of the subcontracting chain exceeded the ESAs' mandate under Article 30(5) of DORA, as they introduced requirements not directly related to subcontracting conditions. In their rejection letter, the Commission specified that Article 5 and the related recital 5 would need to be removed for the RTS to be adopted. Read More.
11. CJEU Issues Clarification In Case On Gender Identity Data In Public Records
Date: March 13, 2025
Summary: The CJEU ruling in C-247/23 Deldits clarifies that national authorities must correct inaccurate gender identity data in public records under Article 16 of the GDPR without requiring proof of gender reassignment surgery. The case arose after a transgender refugee in Hungary had a request for rectification denied for lack of such surgery. Per the ruling, such a requirement violates fundamental rights under the Charter of Fundamental Rights (Articles 3 & 7) and contradicts the GDPR’s accuracy principle. However, reasonable evidence, such as medical certificates, may be requested, provided no excessive conditions are imposed. Read More.
12. European Commission Proposes A Six-Month Extension To UK Adequacy Decision
Date: March 18, 2025
Summary: On March 18, 2025, the European Commission proposed a six-month extension to the adequacy decisions that allow for the free flow of personal data between the EU and the UK. If approved, the extension will push the expiration date to December 27, 2025.
The extension would prolong the validity of the 2021 adequacy decisions that recognize the UK’s data protection standards equivalent to those in the EU, thus enabling seamless data transfers under the GDPR and the Law Enforcement Directive. Without these decisions, EU businesses would face numerous compliance issues when transferring personal data to the UK.
The current adequacy decisions were set to expire on June 27, 2025. The Commission is currently assessing the UK’s data protection standards owing to the legislative updates underway. The extension would provide the necessary time for the Commission to complete its assessment. Read More.
13. Two New European Commission Decisions Require Apple to Take Interoperability Measures For Its Devices & Apps
Date: March 19, 2025
Summary: The European Commission has adopted two decisions under the Digital Markets Act (DMA).
Per these decisions, Apple is obligated to implement specific measures to comply with interoperability requirements to facilitate smoother interaction between iOS and third-party connected devices.
Per the first decision, Apple must enhance nine iOS connectivity features for devices like its smartwatches and headphones in a way that:
- Enhances access to iPhone features for third-party devices;
- Offers faster data transfers via Wi-Fi and NFC;
- Simplifies device set-up and pairing.
Per the second decision, Apple must improve its interoperability request process for developers requesting access to iPhone and iPad features, with key improvements including:
- Better access to technical documentation on features not yet available to third parties;
- Timely communication and updates;
- Predictable review timelines.
The decisions came after an extensive engagement with Apple and public consultation feedback that reiterated the Commission’s commitment to a competitive digital market. Read More.
14. Belgian DPA Reiterates Importance Of Clear & Transparent Communications In Latest Decision
Date: March 24, 2025
Summary: The Belgian Data Protection Authority (DPA) has reiterated the importance of clear and transparent communication under the GDPR in its recent decision (51/2025). The DPA has ruled that making data subjects responsible for monitoring privacy policy updates constitutes a violation of Article 12(1).
Article 12(1) requires data controllers to provide information on personal data collection and data subject rights to data subjects in a "concise, transparent, intelligible, and easily accessible form, using clear and plain language." Making it the data subjects’ responsibility to regularly check for changes is a failure to meet those requirements. Read More.
15. European Health Data Space Regulation Published & Enters Into Force
Date: March 26, 2025
Summary: The European Health Data Space Regulation (EHDS) was officially published in the Official Journal of the European Union on March 5, 2025, and entered into force on March 26, 2025. The implementation and application of its provisions will begin on March 26, 2027.
The EHDS streamlines EU-wide health data exchange and access and improves individuals’ access to and control over their personal electronic health data, while also enabling certain data to be reused for research and innovation purposes for the benefit of European patients. Additionally, the EHDS outlines data subject rights, including the right to access, rectification, and portability of personal electronic health data, with certain restrictions for patient safety and ethical considerations, as well as compliance with a European electronic health record exchange format. Read More.
16. Apple Fined €150 Million By French Competition Authority Over App Tracking Transparency (ATT) Framework
Date: March 31, 2025
Summary: The Autorité de la concurrence (French Competition Authority) has issued a €150 million fine to Apple for its abuse of its dominant position through the implementation of its App Tracking Transparency (ATT) system.
The Authority has found that Apple’s implementation of ATT is neither necessary nor proportionate as it requires iPhone and iPad users to consent via a partially standardized pop-up to allow third-party apps to collect data (via the Identifier for Advertisers - IDFA) for targeted advertising. The Authority rests its decision upon the following factors:
- An artificially complex framework that specifically penalizes publishers of third-party applications: The ATT framework presents numerous consent pop-ups, excessively complicating the use of third-party applications within the iOS environment.
- Operating rules that undermine the neutrality of the framework: The ATT framework necessitates that users decline tracking on one occasion but confirm consent on two occasions for third-party applications. This practice diminishes the probability of consent, directly impacting the advertising revenue of app publishers and the effectiveness of advertising services by restricting the data available for personalized advertisements.
- Asymmetry of treatment between Apple and publishers: Apple's past and present practice of mandating double consent for third-party tracking while employing a single consent for its own personalized advertising provides Apple with an unfair competitive advantage in the advertising market. This has the potential to divert revenue and user data away from other publishers.
The Authority has not officially mandated structural changes to the ATT framework but it has put the onus on Apple to ensure its practices comply with the relevant competition laws. Read More.
17. Court of Justice of the European Union Issues Ruling On Case C-710/23
Date: March 31, 2025
Summary: The Court of Justice of the European Union (CJEU) has issued its ruling on Case C-710/23.
The case involved a request by L.H. to the Czech Ministry of Health for information regarding contracts for COVID-19 screening tests, including the identification of the signatories on behalf of the involved legal persons and the related certificates. The Ministry had partially granted the request but redacted the personal data (name, signature, contact details) of the natural persons representing the legal entities, citing GDPR requirements. The redactions were challenged under Czech national law, which requires data subjects to be informed and consulted before their personal data is disclosed in such official documents. The Supreme Administrative Court of the Czech Republic then referred two questions to the CJEU: first, whether the disclosure of a natural person’s data (name, signature, contact information) as a legal person’s representative constitutes processing of their ‘personal data’ under the GDPR; and second, whether national law can make the application of Article 6(1)(c) or (e) of the GDPR by a public authority conditional on informing the data subject before disclosing their data to a third party.
The CJEU has now ruled that the disclosures of the first name, surname, signature, and contact details of a natural person representing a legal person constitute the processing of personal data under points 1 and 2 of Article 4 of the GDPR. As for the second question, the Court determined that Article 6(1)(c) and (e) of the GDPR, read in conjunction with Article 86, do not preclude national law requiring a public authority to inform and consult the concerned natural person prior to disclosing their personal data in official documents, provided that such an obligation is not impossible to implement, does not demand disproportionate effort, and thus does not lead to a disproportionate restriction on public access to those documents. Read More.
Asia Jurisdiction
18. Brunei Darussalam Adopts Personal Data Protection Order 2025
Date: March 7, 2025
Summary: Brunei Darussalam has enacted the Personal Data Protection Order 2025 (Order), meant to ensure appropriate data privacy for individuals. Some of the key points of the Order are as follows:
- Organizations must obtain consent before collecting, storing, or processing personal data;
- Individuals have the right to access and correct their personal data;
- Organizations are responsible for maintaining data accuracy and ensuring data security;
- Data breaches must be reported to the relevant authority within three days;
- The Authority for Info-communications Technology Industry has enforcement powers, and penalties will be imposed for non-compliance.
Organizations will have a one-year grace period to comply with the legislation. Read More.
19. ACMA Fines Telstra AUD 626,000 For Breaching Spam Regulations
Date: March 7, 2025
Summary: The Australian Communications and Media Authority (ACMA) has issued Telstra a AUD 626,000 penalty for breaching spam regulations. Between October 2022 and June 2024, Telstra sent more than 10 million marketing texts without an option to unsubscribe and thousands more to customers without appropriate consent. Read More.
20. Hong Kong’s AAB Upholds PCPD’s Notice Against EC Healthcare On Data Protection Principle Violation
Date: March 13, 2025
Summary: The Administrative Appeals Board has upheld the PCPD’s enforcement notice against EC Healthcare for violating Data Protection Principle 3. EC Healthcare was accused of sharing client data of Primecare and New York Medical Group with other brands under EC Healthcare. The enforcement notice ruled that data use must align with the original collection purpose and rejected procedural objections, confirming the PCPD’s thorough investigation. Read More.
21. Malaysia’s Department of Personal Data Protection Initiates Public Consultation On Guidelines For DPIA, Data Protection by Design, & Automated Decision-Making & Profiling
Date: March 20, 2025
Summary: Malaysia’s Department of Personal Data Protection (PDP) has launched a public consultation on three draft guidelines to strengthen compliance with the Personal Data Protection Act 2010. The guidelines cover:
- Data Protection Impact Assessment (DPIA);
- Data Protection by Design; and
- Automated Decision-Making & Profiling.
They outline risk thresholds, privacy-by-design principles, and protections for AI-related processing, including biometric data and CCTV usage. Feedback can be submitted until May 19, 2025. Read More.
22. New Facial Recognition Measures Issued In China
Date: March 22, 2025
Summary: The Cyberspace Administration and Ministry of Public Security have issued new facial recognition security measures. Effective June 1, 2025, these new measures require compliance with privacy laws, consent, PIPIAs, and alternative verification options. Any public use must prioritize safety, include warning signs, implement encryption, and detect intrusions. Users will be able to file complaints against potential misuse. Read More.
23. Vietnam’s Prime Minister Releases List Of Important & Core Data
Date: March 25, 2025
Summary: The Prime Minister has released the list of important and core data following a public consultation. The Data Law, effective July 1, 2025, classifies important data into categories such as financial, biometric, and health data, while core data covers aspects such as ethnicity, religion, and geospatial data. Read More.