Data Privacy Frontline Report
January 2026
Here are key highlights from January 2026 detailing global news and regulatory updates.
US & Canada
- Canada’s data protection authority investigates company, finding ongoing failures to fully erase personal data from returned devices and underscoring the need for organizations to rigorously wipe information and train staff accordingly.
- California’s governor announces strong participation in the state’s new Delete Request and Opt-out Platform (DROP) privacy tool, which demonstrates Californians’ readiness to take control of their personal data.
- US Department of Justice creates an AI Litigation Task Force to challenge state-level AI regulations deemed unconstitutional or overly burdensome, aiming to ensure a uniform federal framework that supports innovation.
- US research center warns in a new report that unregulated digital technologies and weak privacy laws are fueling a health data privacy crisis that harms equity and trust in care.
- US company agrees to a class action settlement of up to $47.5 million to resolve claims that it violated data privacy laws by using third‑party tracking technologies exposing members’ sensitive information.
EMEA
- European supervisory authorities issue roughly EUR 1.2 billion in GDPR fines in 2025 while also recording a sharp 22% rise in personal data breach notifications, signaling sustained enforcement intensity and a more volatile threat environment across Europe.
- EU and Brazil finalize a mutual adequacy agreement recognizing each other’s data protection frameworks as equivalent, enabling free and secure cross‑border data flows and strengthening digital trade between the two regions (also in LATAM).
- EU's European Commission proposes a new cybersecurity package that would revise the Cybersecurity Act, aiming to secure information and communication technology supply chains, simplify certification, and support compliance.
- EU data protection authorities warn that while they support efforts in the Digital Omnibus Bill to simplify AI Act implementation, administrative streamlining must not come at the expense of protecting fundamental rights.
- EU pseudonymization case is withdrawn at the request of the parties, leaving earlier clarifications by the EU’s top court on pseudonymized data as the operative guidance going forward.
- Israel's privacy protection authority releases a comprehensive guide on implementing privacy‑enhancing technologies in AI systems (in Hebrew).
- Italian data protection authority member resigns amid a corruption and embezzlement investigation, stating that his decision, though personally painful, was necessary to preserve the institution’s credibility (in Italian).
- Qatar Financial Centre, Dubai International Financial Centre, and Abu Dhabi Global Market mutually recognize each other’s data protection frameworks, enabling streamlined cross‑border personal data transfers and strengthening regional regulatory cooperation across the Gulf’s financial centers.
- Türkiye’s data protection authority finalizes data breach notification requirements and clarifies that data controllers must notify the data protection authority without delay and within a maximum of 72 hours after becoming aware of a personal data breach (in Turkish).
- UK's data protection authority issues updated guidance on international transfers that introduces a clear three‑step process to help organizations determine when a restricted transfer is taking place and clarifies roles, responsibilities, and compliance expectations under the UK GDPR.
APAC
- India's government considers shortening Big Tech’s compliance timeline under the Digital Personal Data Protection Act from 18 to 12 months by fast‑tracking obligations for “significant data fiduciaries.”
- New Zealand online patient portal is under government‑ordered review after a major cyberattack exposes highly sensitive medical data for over 100,000 patients, prompting urgent investigations and efforts to contain the breach.
- Singapore government board and data protection authority issue a privacy-enhancing technology adoption guide to help senior decision‑makers use PETs to safely enable AI/ML development.
- South Korea enacts a comprehensive AI regulatory framework, the AI Basic Act, introducing requirements such as human oversight of high‑impact systems and clear labelling of AI‑generated content.
LATAM
- Brazil and EU finalize a mutual adequacy agreement recognizing each other’s data protection frameworks as equivalent, enabling free and secure cross‑border data flows and strengthening digital trade between the two regions (also in EMEA).