Here are key highlights from May 2025 detailing global news and regulatory updates.
US & Canada
- US House of Representatives narrowly passes a bill banning US states for 10 years from enacting and enforcing AI regulations, with the bill now advancing to the Senate.
- US Consumer Financial Protection Bureau (CFPB) rescinds a proposed rule aimed at preventing data brokers from selling or misusing the sensitive personal data of consumers.
- US Federal Trade Commission (FTC) finalizes order with webhoster over failing to implement data security protections that led to data breaches.
- US Office for Civil Rights (OCR) announces settlement with Florida healthcare provider, resolving an investigation into a complaint concerning impermissible access to electronic protected health information (ePHI).
EMEA
- Denmark’s data protection authority updates the remaining parts of its guidance on handling personal data breaches (in Danish).
- EU and Singapore sign the landmark Digital Trade Agreement to enhance consumer protection and facilitate trusted cross-border data flows (also in APAC).
- EU European Commission introduces a proposal to simplify the GDPR, seeking to ease compliance for businesses—particularly small and mid-sized enterprises—by extending certain exemptions and clarifying record-keeping requirements.
- EU European Commission seeks views on the use of data to develop AI, the simplification of data rules, and international data flows, with consultation open until July 18, 2025.
- EU European Data Protection Board (EDPB) issues an opinion recognizing the need for an extension to the UK’s data protection adequacy decisions under the GDPR and the Law Enforcement Directive (LED) until December 27, 2025.
- EU commissioner seeks to introduce a digital fairness act to clarify the rules for the use of AI solutions in business and consumer contexts.
- Finland’s data protection authority publishes guidelines for addressing data protection in the development and use of AI systems (in Finnish).
- Kenya’s data protection authority publishes guidelines to help entities to comply with the Data Protection Act, 2019.
- Nigerian and Somalian data protection authorities sign a memorandum of understanding to establish a framework for collaboration on data protection between the two nations.
Gain confidence to use and share sensitive data
Find out how our advisory services can help you safely leverage data derived from information about people. Watch this 15-minute webinar.
APAC
- China bolsters AI governance measures, launching a three-month campaign in May to regulate AI technology abuse.
- Japan enacts bill to promote development of AI while seeking to mitigate its risks.
- Singapore and EU sign the landmark Digital Trade Agreement to enhance consumer protection and facilitate trusted cross-border data flows (also in EMEA).
- Singapore Conference on AI publishes consensus on global AI safety research priorities.
LATAM
- Argentina introduces bill to amend data protection law, aiming to align with international standards and define key terms.
Global
- Global agencies—including agencies from the US, Australia, New Zealand, and the UK—produce joint report on best practices for the secure use of data when training and operating AI systems.
- Global Cross-Border Privacy Rules (CBPR) Forum launches international data protection and privacy certifications, providing a means for organizations to foster trust in cross-border data flows.
- ISO/IEC release new AI impact assessment standard (42005), with a focus on understanding how AI systems may affect individuals, groups, or society as a whole.