Securiti’s Privacy Regulation Roundup summarizes the latest significant global privacy regulatory developments, announcements, and changes. These developments will be added to our website monthly. You can find a link to related resources at the bottom for each relevant regulatory activity.
Editorial Note
Privacy Regulations Tighten Across Jurisdictions
May brought a wave of assertive regulatory moves, with U.S. states expanding consent requirements and Europe doubling down on enforcement under GDPR and the Digital Services Act. Asia-Pacific jurisdictions introduced stricter cross-border transfer rules and biometric protections. This signals a global push to translate high-level privacy principles into concrete legal obligations and to close long-standing gaps in enforcement.
North & South America Jurisdiction
1. New Oklahoma Bill That Amends Security Breach Notification Act Sent To Governor
May 28, 2025 Oklahoma, United States
Oklahoma’s Senate Bill 626 amending the Security Breach Notification Act became law on May 28, 2025, without the governor’s signature and will take effect on January 1, 2026. The new law expands the definition of personal information to include biometric data and unique electronic identifiers, introduces a mandatory 60-day breach notification timeline to affected individuals and, where applicable, the Attorney General, and exempts small-scale breaches affecting fewer than 500 residents (or fewer than 1,000 for credit bureaus) from certain requirements. It also authorizes the Attorney General to impose civil penalties of up to $150,000 per breach, based on the organization’s efforts to prevent the breach and the scale of the incident.
Organizations must ensure their breach response processes are aligned with these updated obligations ahead of the effective date.
2. New Colorado Bill Adds Major Data Minimization Amendment to the Colorado Privacy Act
May 23, 2025 Colorado, United States
Colorado’s Governor has signed Senate Bill 276 into law, introducing a significant amendment to the Colorado Privacy Act (CPA). While the bill broadly addresses immigration and civil rights, it notably expands the CPA by defining “precise geolocation data” as sensitive information.
Under the amendment, businesses must now obtain opt-in consent not only to process but also to sell sensitive data, including precise geolocation information. This update marks a key shift in how location data is regulated, reinforcing the state’s broader commitment to privacy protections.
Organizations operating in Colorado should closely review their data practices to ensure compliance with these new requirements.
3. Nebraska Enacts Parental Rights in Social Media Act
May 20, 2025 Nebraska, United States
Nebraska’s Governor has signed Legislative Bill 383 into law, enacting the Parental Rights in Social Media Act. The law requires social media platforms to obtain verifiable parental consent before allowing minors to create accounts. It further mandates age verification mechanisms and provides parents with supervisory controls over minor accounts. The Act also renames the existing Child Pornography Prevention Act and expands its scope to prohibit conduct involving AI-generated pornography. The law takes effect on January 1, 2026.
This law places new compliance obligations on social media companies operating in Nebraska, particularly around consent management and content moderation. Businesses must implement robust parental consent flows, age verification tools, and parental access features before the effective date to remain compliant.
4. CFPB Withdraws Proposed Rule on Data Broker Practices
May 15, 2025 United States
The Consumer Financial Protection Bureau (CFPB) has withdrawn its Notice of Proposed Rulemaking (NPRM), “Protecting Americans from Harmful Data Broker Practices (Regulation V),” originally issued on December 3, 2024. The proposal aimed to impose opt-in consent requirements on data brokers before they sell or share sensitive personal information such as financial data, Social Security numbers, and health history, and to broaden certain Fair Credit Reporting Act (FCRA) definitions.
The CFPB stated that formal rulemaking is not necessary to address the issues raised in the NPRM. The decision faced immediate pushback: on May 16, 2025, Senator Ruben Gallego sent a letter urging the CFPB to reconsider, citing the growing risks associated with unchecked data broker practices.
5. Colorado Bill Criminalizing Non-Consensual Disclosure of Intimate Digital Images Sent to Governor
Colorado Senate Bill 288 has been signed by the Speaker of the House and the President of the Senate, moving it to the Governor’s desk for final approval. The bill seeks to combat the non-consensual disclosure of intimate digital images by criminalizing such conduct and providing affected individuals with a civil cause of action.
It provides clear definitions and liability exceptions, and assigns enforcement authority to the Colorado Attorney General. The law is scheduled to take effect 90 days after the legislature adjourns, unless a referendum petition delays it to November 2026.
To comply with the new legal standards and mitigate liability, digital platforms and content-hosting services will be required to strengthen moderation tools and implement effective user reporting mechanisms.
6. HB 514 Targeting Nonconsensual and AI-Generated Explicit Content Passed into Law
May 13, 2025 Montana, United States
Montana’s House Bill 514 has been signed by Governor Gianforte. The bill significantly expands the state’s criminal code by prohibiting not only the distribution but also the possession of, and threats to disclose, both real and digitally fabricated sexually explicit images without consent.
HB 514 reflects a growing national trend to address harms posed by deepfake abuse and nonconsensual intimate imagery (NCII). Businesses operating in Montana, especially platforms hosting user-generated content, should review their content moderation and reporting mechanisms in anticipation of stricter enforcement.
7. Texas Secures Largest-Ever State Privacy Settlement in Google Case
May 9, 2025 Texas, United States
Attorney General Ken Paxton has announced a record-setting $1.375 billion settlement with Google, resolving a lawsuit over alleged unlawful tracking of Texans' geolocation, incognito searches, and biometric data. This is the largest privacy-related settlement ever obtained by a single U.S. state, significantly surpassing a prior $391 million multistate settlement.
The case, originally filed in 2022, accused Google of secretly collecting sensitive personal data and violating user trust. The agreement highlights Texas’s aggressive stance on privacy enforcement, following a previous $1.4 billion settlement with Meta over facial recognition practices.
This case reinforces the growing trend of states taking bold, independent action to enforce data privacy. It signals heightened scrutiny of Big Tech’s data practices and sets a powerful precedent for financial penalties tied to biometric, location, and search data violations. Organizations must reassess their data governance and ensure transparency to avoid similar liability.
8. Bill Amending Montana Consumer Data Privacy Act Signed By Governor
May 8, 2025 Montana, United States
Montana has enacted SB 297, significantly amending the Montana Consumer Data Privacy Act (MCDPA), with changes taking effect October 1, 2025. The amendment introduces a Connecticut- and Colorado-style duty of care for minors, requiring controllers to avoid heightened risks of harm when offering online services to users under 18. It also adds new requirements for design, consent, and risk assessments without mandating age verification.
The bill lowers applicability thresholds (25,000 consumers or 15,000 if profiting from data sales), narrows exemptions for nonprofits and financial institutions, and prohibits disclosure of certain sensitive identifiers under the access right. It also expands privacy notice requirements and removes the cure period for enforcement, giving more power to Montana’s Attorney General.
This update signals growing U.S. momentum around youth data safeguards and brings more small-to-mid-sized businesses under privacy regulation, raising the bar for ethical, transparent data use.
9. State Privacy Enforcers Target Noncompliance in Texas and California
May 6, 2025 Texas, California, United States
Texas Attorney General Ken Paxton has issued a 30-day compliance notice to TP-Link, Alibaba, CapCut, and other Chinese-affiliated companies under the Texas Data Privacy and Security Act (TDPSA). This move follows the AG’s prior investigation and subsequent ban of CCP-linked AI service DeepSeek on state-owned devices.
Meanwhile, the California Privacy Protection Agency (CPPA) imposed a $345,178 fine on retailer Todd Snyder for CCPA violations. The company failed to process opt-out requests for 40 days, over-collected personal data via its privacy portal, and improperly required identity verification to honor opt-outs.
These actions signal growing enforcement from U.S. state privacy regulators and highlight the importance of maintaining accurate consent mechanisms, minimizing data collection, and monitoring vendor configurations. Companies operating in Texas and California should assess compliance readiness to avoid similar penalties.
10. Virginia Bill Limiting Minors’ Use Of Social Media Signed into Law
May 2, 2025 Virginia, United States
Virginia has amended its Consumer Data Protection Act to introduce rules governing minors' use of social media. The new provisions, effective January 1, 2026, require platforms to use “commercially reasonable” methods, such as neutral age gates, to determine whether users are under 16. By default, a minor’s usage is capped at one hour per app per day, a limit parents may adjust; beyond that, the law does not mandate special parental access or controls.
Age verification data must be used solely for that purpose, with limited exceptions. Importantly, platforms cannot charge more or limit services for minor accounts.
Unlike laws struck down in Arkansas and California, Virginia’s version avoids requiring parental consent for account creation, potentially giving it a stronger legal footing.
11. Cybersecurity Regulations of NYDFS Provisions Related To Small Businesses Come Into Effect
May 1, 2025 New York, United States
The New York Department of Financial Services’ updated cybersecurity regulation takes effect today, introducing new obligations for small businesses, Class A companies, and covered entities. Small firms must implement stronger access controls and password policies, while larger entities must conduct regular system scans and deploy advanced threat detection tools.
Exemptions apply to entities not handling nonpublic information and captive insurers. Compliance deadlines vary based on company classification.
These provisions heighten cybersecurity expectations across the financial sector, reinforcing DFS's leading role in setting national standards.
12. Montana Expands Genetic Privacy Law to Include Neural Data
May 1, 2025 Montana, United States
Montana’s governor has signed SB 163, amending the Genetic Information Privacy Act with changes effective from October 1, 2025. The revised law will now cover “neurotechnology data,” defined as information capable of recording, interpreting, or altering nervous system responses to external stimuli. It also exempts de-identified neural data used for research, provided it cannot be reasonably linked back to individuals.
Additional updates include exceptions to the right of access where clinical trial data is collected under valid consent that meets specific format and content requirements. These changes highlight growing regulatory attention to brain-interfacing technologies and signal a need for companies using such data, especially in wearables or emotion-driven advertising, to revisit their notice and consent practices.
13. Belgium DPA Launches New Digital Platform for Data Breach Notifications with Grace Period
May 23, 2025 Belgium
Belgium's Data Protection Authority has announced the launch of a new platform through which organizations will file data breach notifications and manage the related procedures. It will be available for data breach notifications and DPO-related cases from June 2, 2025. The existing e-forms for notifying the DPA of a data breach are no longer available after May 23, 2025.
Because of the resulting system blackout from May 23, 2025, to June 2, 2025, the DPA has granted a grace period for breach notifications: organizations have until June 9, 2025, to report any breach discovered between May 21, 2025, and June 6, 2025.
14. Danish Data Protection Agency & Digital Agency Issue Joint Cookie Guidance
May 16, 2025 Denmark
The Danish Data Protection Agency and the Danish Digital Agency have jointly issued guidance to help organizations using cookies and similar technologies comply with the Cookie Executive Order and GDPR. The aim is to support a consistent understanding of the rules and promote the implementation of compliant consent mechanisms.
The guidance highlights the need to identify all tracking technologies, ensure consent is voluntary, informed, specific, and revocable, and restrict data collection to what is necessary. It also stresses preventing unauthorized third-party use, maintaining proper documentation, and seeking regulatory support when needed.
Organizations in Denmark are expected to align their consent practices with this guidance to ensure transparency and compliance.
15. UK ICO Fines Sole Trader £50,000 for 194,000 Unlawful Marketing Calls
May 15, 2025 United Kingdom
The UK Information Commissioner’s Office (ICO) has fined Darian Bishop, trading as ECO4U, £50,000 for making over 194,000 unsolicited marketing calls to individuals on the Telephone Preference Service (TPS) register. The calls, promoting boiler and solar panel grants, were described by recipients as deceptive and threatening, with some falsely implying government affiliation.
Despite prior enforcement action in 2015, Bishop continued the unlawful activity, claiming consent had been obtained through Facebook forms, an assertion refuted by complainants. The ICO found he failed to take reasonable steps to ensure legal compliance, issuing both a fine and an enforcement notice. This case underscores the ICO’s commitment to holding even small-scale violators accountable and serves as a warning to all businesses engaging in direct marketing.
16. EU Commission Finds TikTok’s Ad Repository Likely in Breach of Digital Services Act
May 14, 2025
The European Commission has issued preliminary findings that TikTok’s ad repository fails to meet the Digital Services Act (DSA) transparency requirements. The repository allegedly omits key details such as ad content, targeting criteria, and sponsor information, and lacks proper search functionality, limiting public oversight.
TikTok may face fines of up to 6% of global annual turnover and enhanced supervision if non-compliance is confirmed. The case is part of broader DSA proceedings into TikTok’s algorithmic risks, youth protection, and election integrity. The company can now respond before a final decision is made.
This demonstrates the EU's serious enforcement of the DSA's transparency rules. Digital platforms, especially those with large user bases, must ensure their ad repositories are fully transparent and publicly searchable to avoid significant penalties.
17. Belgian Market Court Upholds €250K GDPR Fine Against IAB Europe
May 14, 2025 Belgium
The Belgian Market Court has annulled decision 21/2022 by the Belgian DPA against IAB Europe on procedural grounds but upheld the €250,000 fine and key findings. The Court confirmed that IAB Europe acts as joint controller for user preferences processed via its Transparency and Consent Framework (TCF), and that the TC String qualifies as personal data under the GDPR. However, the Court rejected the DPA’s claim that IAB also acts as a controller for processing within the OpenRTB protocol.
This judgment follows the CJEU’s 2024 ruling in case C-604/22 and reinforces the view that sectoral frameworks like the TCF carry joint controllership responsibilities. The case highlights growing regulatory scrutiny over consent frameworks and Real-Time Bidding practices.
18. ICO Publishes Draft Guidance On Encryption Under UK GDPR for Public Consultation
May 13, 2025 United Kingdom
The UK Information Commissioner’s Office (ICO) has published a draft update to its encryption guidance under the UK GDPR, now open for public consultation. The guidance emphasizes that encryption is a key security measure but not a means of anonymization: encrypted data still qualifies as personal data if the organization (or anyone else) holds the means to decrypt it.
The draft also offers practical examples across technologies such as IoT devices, body-worn cameras, drones, and CCTV systems. The ICO reinforces that organizations must apply the full set of GDPR obligations to encrypted personal data, treating encryption as a safeguard, not a loophole.
19. EU Unveils Draft Guidelines to Protect Minors Online Under the Digital Services Act
May 12, 2025
The European Commission has released draft guidelines to help platforms (excluding micro and small enterprises) better protect minors online, in line with the Digital Services Act. Measures include age assurance, private-by-default child accounts, safer recommender systems, and stronger controls to prevent cyberbullying.
The guidance takes a risk-based, privacy-by-design approach and is open for public feedback until 10 June 2025. Final publication is expected by summer. In parallel, the EU is developing a privacy-preserving age verification app as an interim tool until the EU Digital Identity Wallet launches in 2026.
20. Italy’s Garante Fines Acea Energia and ARSAC for Major GDPR Breaches
May 8, 2025 Italy
Italy’s data protection authority (Garante) has issued two major GDPR enforcement decisions. On May 7, 2025, Acea Energia and five partner firms were fined a total of €3.85 million for unlawful telemarketing, including calls without consent, use of illegally sourced contact lists, and failure to implement security and compliance controls. The companies must now notify affected individuals and stop using the unlawfully acquired data.
A day later, on May 8, Garante fined public agency ARSAC €50,000 after finding unlawful data processing linked to remote work policies. Violations included lack of legal basis, inadequate transparency, and failure to conduct a DPIA despite requiring employees to share geolocation data. These actions reaffirm Garante’s active stance on enforcing GDPR in both the private and public sectors.
21. EDPB and EDPS Respond to Draft Proposal on GDPR Record-Keeping Simplification
May 8, 2025
The European Data Protection Board (EDPB) and European Data Protection Supervisor (EDPS) have issued a joint response to the Commission’s draft proposal to simplify GDPR record-keeping obligations under Article 30. The proposal would extend the current exemption for organizations with fewer than 250 employees to include entities with up to 500 employees, such as small mid-cap companies and certain non-profits.
The EDPB and EDPS expressed preliminary support for the initiative but stressed that key safeguards must remain, particularly the obligation to maintain records for processing that is likely to pose a high risk to individuals' rights and freedoms. They also highlighted the importance of maintaining a risk-based approach and called on the Commission to provide analysis on how many organizations would benefit and what the impact on data protection would be.
The supervisory authorities noted that a formal consultation will follow once the legislative proposal is published, allowing for more detailed feedback.
22. Swiss Regulator Clarifies: Existing Data Protection Act Applies to AI-Driven Data Processing
May 8, 2025 Switzerland
The Swiss Federal Data Protection and Information Commissioner (FDPIC) has clarified that the revised Federal Act on Data Protection (FADP), effective since September 2023, already governs AI-supported data processing. As Switzerland moves toward ratifying the Council of Europe’s Convention on AI and Human Rights, the FDPIC emphasized that existing legal obligations remain fully in force.
Manufacturers, providers, and users of AI must ensure transparency in the purpose, functionality, and data sources of their systems. Individuals have rights to object to automated decisions and to know if they're interacting with an AI. High-risk AI uses such as facial recognition or deepfake applications must undergo a data protection impact assessment and, in some cases, may be outright prohibited. The regulator warns that data protection law prohibits any use of AI that undermines digital self-determination.
23. Data (Use & Access) Bill Passes Third Reading In House Of Commons
May 7, 2025 United Kingdom
The UK’s Data (Use and Access) Bill passed its third reading in the House of Commons on May 7, 2025, and now returns to the House of Lords for consideration of recent amendments. The bill introduces notable provisions, including a list of recognized legitimate interests for data processing, such as national security and crime prevention, and clarifies the conditions under which data can be reused for new purposes.
It also imposes timelines and clearer standards for responding to subject access requests, introduces human oversight for automated decision-making with significant individual impact, and aligns international data transfer rules with UK security standards.
Organizations should closely monitor this legislative development to ensure forward-looking compliance strategies.
24. EU Cracks Down on Member States for Digital Regulation Failures
May 7, 2025
The European Commission has taken enforcement action against 19 Member States including Germany, France, and Poland for failing to transpose the NIS2 Directive by the October 2024 deadline. These states now have two months to comply or risk referral to the EU Court of Justice.
Separately, the Commission has referred five countries, Czechia, Spain, Cyprus, Poland, and Portugal, to the Court of Justice for failing to meet EU Digital Services Act (DSA) obligations such as appointing Digital Services Coordinators and setting penalties.
The actions reflect the Commission’s intent to ensure consistent enforcement of digital rules across the EU.
25. Kenya High Court Blocks Worldcoin’s Biometric Data Processing for DPA Violations
May 5, 2025 Kenya
Kenya’s High Court has ruled that Worldcoin-linked entities violated the Data Protection Act by collecting and transferring biometric data without a valid Data Protection Impact Assessment (DPIA), lawful consent, or registration as data controllers or processors.
The judgment, issued in Katiba Institute & Others v Tools for Humanity Corporation & Others, bars these entities from processing biometric data in Kenya and mandates deletion of all previously collected data within seven days.
Data processing may only resume upon full compliance with the DPA, setting a precedent for stricter biometric data governance in Kenya.
26. EDPB Adopts Key Opinions on Adequacy Decisions
May 5, 2025
The European Data Protection Board (EDPB) has adopted two key opinions on adequacy decisions. For the first time, the EDPB assessed an international organization, issuing a positive opinion on the European Commission’s draft adequacy decision for the European Patent Organisation (EPO). The EDPB concluded that the EPO’s data protection framework aligns well with EU standards, setting a precedent for international bodies.
In parallel, the EDPB adopted an opinion supporting a six-month extension of the UK’s adequacy decisions under the GDPR and the Law Enforcement Directive, now valid until December 27, 2025. This extension allows more time to assess the UK’s evolving legal landscape while ensuring uninterrupted data flows from the EEA in the interim.
These decisions reaffirm the EDPB’s role in maintaining robust safeguards for international data transfers.
27. Irish DPC Fines TikTok €530 Million over Unlawful Data Transfers to China
May 2, 2025 Ireland
The Irish Data Protection Commission has imposed a €530 million fine on TikTok for violating the GDPR by unlawfully transferring EEA user data to China and failing to provide sufficient transparency in its 2021 privacy policy. The DPC found breaches of Article 46(1), citing inadequate safeguards in China, and Article 13(1)(f) for failing to clearly disclose such transfers.
Although TikTok updated its privacy policy in December 2022 to mention international data access, the regulator ruled that protections remained insufficient during the infringement period (July 2020–December 2022). TikTok has six months to rectify its practices or risk a suspension of its data transfers to China. Additional enforcement could follow after recent revelations of EEA data stored on Chinese servers.
The case reinforces the requirement for organizations to ensure adequate safeguards for third-country transfers and maintain clear, detailed, and truthful privacy disclosures, especially when dealing with jurisdictions lacking an EU adequacy decision.
28. China Issues New Rules on Online Identity Authentication
May 19, 2025 China
The Cyberspace Administration of China (CAC) has issued new “Measures for the Administration of National Network Identity Authentication Public Services.” Set to take effect on July 15, 2025, the measures govern online identity authentication for individuals. Under the measures, platforms must collect only the data necessary, with users’ explicit consent, ensure robust data security, and store all such data within China. Non-compliance can lead to severe penalties, including potential criminal liability, underscoring China's continued push for greater user control over personal data.
29. OAIC Updates Guide To Health Privacy On Genetic Information Disclosures in Australia
May 12, 2025 Australia
The OAIC has updated its Guide to Health Privacy to clarify when healthcare providers may disclose genetic information to a patient's family members without the patient's consent. Such disclosure is allowed only where the information was collected in the course of providing a health service and is needed to lessen or prevent a serious threat to the life, health, or safety of a genetic relative. By underscoring that such disclosures are rare exceptions, the OAIC demands strong justification and focuses on direct genetic risks within families.
This highlights the ongoing challenge of adapting privacy regulations to the unique implications of genetic data in healthcare.
30. Temu Fined ₩1.37 Billion for Privacy Violations by South Korea’s PIPC
May 12, 2025 South Korea
South Korea’s Personal Information Protection Commission (PIPC) has imposed a ₩1.369 billion fine and a ₩17.6 million penalty on Temu for multiple breaches of the Personal Information Protection Act (PIPA).
The e-commerce platform was found to have transferred user data overseas without proper disclosure, failed to appoint a domestic agent despite a large Korean user base, and maintained a burdensome account deletion process. It also illegally collected resident registration numbers and facial videos from Korean sellers during onboarding. While Temu has taken some remedial actions, such as updating its privacy policy and deleting unlawfully collected data, the PIPC issued additional orders to improve oversight and uphold user rights.
The enforcement highlights South Korea’s tightening grip on foreign tech companies operating in its jurisdiction, particularly around cross-border data practices and transparency obligations.
31. New Zealand Introduces Deepfake Exploitation Bill to Combat Digital Harm
May 12, 2025 New Zealand
New Zealand has introduced the Deepfake Digital Harm & Exploitation Bill to criminalize the creation and distribution of non-consensual, digitally fabricated intimate imagery.
By amending the Crimes Act 1961 and the Harmful Digital Communications Act 2015, the bill strengthens protections against AI-driven image manipulation. For data protection, it signals a broader mandate to safeguard personal digital assets, especially visual data, against malicious use. Once passed, the bill will take effect the day after receiving Royal assent.
32. EU and Japan Deepen Digital Cooperation at Third Digital Partnership Council
May 12, 2025
At the third EU–Japan Digital Partnership Council meeting in Tokyo, both sides reaffirmed their commitment to closer collaboration on strategic technologies and digital governance. Co-chaired by EU Executive Vice-President Henna Virkkunen and senior Japanese ministers, the meeting marked progress on joint workstreams including AI, 5G/6G, semiconductors, quantum computing, and high-performance computing.
New areas of cooperation were announced, covering digital identities, trust services, cybersecurity, data governance, online platforms, and critical infrastructure like submarine cables and Arctic connectivity. In light of growing geopolitical tensions, both sides emphasized the importance of strengthening this partnership to promote digital resilience, innovation, and shared values.
This signals a strategic alignment between the two economies to deepen trusted data flows beyond the private sector, potentially setting a precedent for global data governance frameworks that emphasize cross-border collaboration in public-interest domains.
33. South Korea’s PIPC Launches Investigations Into Ufirst Insurance Marketing & Hana Financial Find
May 8, 2025
The Personal Information Protection Commission (PIPC) has launched investigations into Ufirst Insurance Marketing and Hana Financial Find. These investigations come after a reported breach, and they focus on potential personal information protection law violations due to inadequate data security measures. This highlights PIPC’s growing emphasis on enforcing data security obligations, especially in sectors handling large volumes of sensitive personal information. It also serves as a reminder that failure to implement appropriate safeguards can trigger regulatory scrutiny and potential penalties.
34. EU and Singapore Sign Landmark Digital Trade Agreement
May 7, 2025
The EU and Singapore signed a landmark Digital Trade Agreement (DTA), marking a major milestone in deepening their digital and economic ties. The agreement, signed by EU Commissioner Maroš Šefčovič and Singapore Minister Grace Fu, reflects both parties’ commitment to open, fair, and rules-based digital economies.
It facilitates trusted cross-border data flows, strengthens online consumer protection, and prohibits unjustified data localization measures. It also covers privacy, electronic contracts, digital authentication, and regulatory cooperation, setting high standards for digital trade rules. By embedding principles of openness, transparency, and data protection, the DTA reinforces both parties' commitment to a fair and competitive digital economy; it will now undergo ratification processes in both jurisdictions.
35. UK & India Conclude Free Trade Agreement With Digital Trade Provisions
May 6, 2025
The UK and India wrapped up negotiations on a free trade agreement with provisions on digital trade. The deal will allow cross-border data flows with safeguards to enhance online consumer protection. Additionally, it aims to reduce spam by requiring user consent and clearly identifying unsolicited messages.
The agreement reflects both countries’ shared goal of fostering a secure, open digital economy alongside deeper trade ties.
36. Vietnam’s New Personal Data Protection Law Moves Toward National Assembly Approval
May 5, 2025 Vietnam
Vietnam’s Draft Law on Personal Data Protection, introduced in September 2024, has been reviewed by the Standing Committee and is now pending final approval by the National Assembly. The draft law mandates explicit, voluntary consent for data processing, prohibits coercive consent practices, and establishes new supervisory entities for data protection enforcement.
It also introduces defined rules for cross-border data transfers and outlines strict penalties for non-compliance. The legislation marks a significant step toward a comprehensive national framework for data privacy, signaling increased regulatory expectations for organizations processing personal data in Vietnam.
37. Pacific Alliance–Singapore Free Trade Agreement Enters into Force
May 3, 2025
The Pacific Alliance–Singapore Free Trade Agreement (PASFTA) took effect on May 3, 2025, for Singapore, Chile, and Peru. It represents a pragmatic approach to digital trade, balancing economic integration with the sovereign right to regulate data flows in the public interest. PASFTA focuses on cross-border data flows: it requires parties to allow data transfers for business purposes while permitting certain restrictions to safeguard legitimate public policy objectives. In this way it ensures that digital trade liberalization does not come at the expense of privacy, security, or other key policy concerns.
38. Malaysian DPDP Releases Guidelines On Cross-Border Data Transfers
May 2, 2025 Malaysia
The Malaysian Department of Personal Data Protection (PDP) has released its guidelines on cross-border data transfers. These guidelines outline various requirements related to data controllers, including a valid legal basis, secure transfer methods, and record-keeping. They also recommend regular Transfer Impact Assessments (TIAs) and the use of Standard Contractual Clauses and Binding Corporate Rules for compliance.
By recommending TIAs and formal transfer mechanisms like SCCs and BCRs, the guidelines reflect a shift toward a more risk-based and accountability-driven approach to cross-border data governance. For organizations operating across borders, this introduces new expectations around diligence, documentation, and the assessment of foreign legal regimes, potentially raising the compliance bar and increasing the importance of robust internal data transfer policies.
WHAT'S NEXT:
Key Privacy Developments to Watch For
Kenya's ODPC Seeks Input on Key Data Protection Guidance: The Office of the Data Protection Commission (ODPC) has published draft sector-specific guidance notes to support Data Protection Act compliance, covering areas like children's and biometric data. Stakeholders are invited to submit feedback by May 30, 2025.
New Jersey rulemaking in progress: The Division on Consumer Affairs is accepting public comments on proposed data privacy rules until August 1, 2025. These rules aim to clarify key provisions of the New Jersey Data Privacy Act, including requirements for privacy notices, consent, and data disclosures.
IPP 3A in New Zealand goes into effect: The Information Privacy Principle (IPP) 3A under New Zealand's Privacy Amendment Bill will take effect on June 1, 2025, aligning personal data handling with EU adequacy requirements.
Provisions of Privacy and Other Legislation Amendment 2024 to commence: Certain provisions of the Australian Government’s Privacy and Other Legislation Amendment 2024 are to commence either on a date to be proclaimed or by 10 June 2025, whichever comes first.
Malaysia PDPA takes full effect: The final phase of the Malaysian Personal Data Protection (Amendment) Act 2024 takes effect on June 1, 2025, requiring DPO appointments and breach notifications, and enabling data portability rights.
Expected approval for Vietnam Draft Law on Personal Data Protection: The Draft Law on Personal Data Protection, introduced in September 2024, is pending National Assembly approval; watch for its formal enactment soon.
Growing focus on protecting minors’ data: Expect movement on bills like South Carolina (SB 68), Louisiana (HB 570), Connecticut (SB 6857), Texas (SB 2881), and the Kids Online Safety Act, all aimed at regulating minors’ access to online services through age verification and parental consent requirements.
Stronger genetic and biometric information protections: Louisiana (HB125) and the Traveler Privacy Protection Bill at the federal level are progressing to regulate the use of facial recognition in airports and restrict the collection of genetic data by foreign entities.
New Jersey’s insurance related bill: Keep an eye on Bill A5017 which proposes an exemption for personal data used in fraud prevention during insurance underwriting and claims. Insurers should closely monitor its status.
CCPA’s board supports bills to strengthen privacy protections for California residents: The CCPA’s board supports the ongoing California bills AB 1355, SB 361, and SB 44, which expand location privacy, data portability, and protections for neural data under the CPRA.
Introduction of privacy acts by US Senators at federal level: Look out for the DOGE BROS Act, and the Reproductive Data Privacy and Protection Act, both of which signal federal interest in expanding data privacy protections, especially around government-held and health-related data.
Comprehensive Consumer Data Protection Bills Progressing: Comprehensive privacy initiatives are moving forward in Massachusetts (SB 2516), Connecticut (SB 1356), and Maine (HP 710), signaling a broader state-level push for stronger privacy rights.
Oregon’s bill awaits governor’s approval: HB 3875 amends the Oregon Consumer Privacy Act to bring motor vehicle manufacturers and their affiliates within the scope of the law, irrespective of whether the company meets the law’s applicability thresholds. The law is to take effect 91 days after the current legislative session ends.
Public comment period for draft regulations in California: The California Privacy Protection Agency opened a public comment period from May 9 to June 2, 2025, on proposed changes to CCPA regulations.
Children's privacy code development in Canada: The Privacy Commissioner has launched an exploratory consultation on a Children’s Privacy Code under PIPEDA; watch for further drafts and stakeholder feedback phases in the coming months.