Here are key highlights from July 2025 detailing global news and regulatory updates.
US & Canada
- California data protection authority adopts a new cybersecurity audit rule requiring businesses that pose significant privacy or security risks to conduct annual audits using independent professionals, thereby defining what constitutes “reasonable” cybersecurity under state law.
- California university study reveals widespread non-compliance among registered data brokers with the California Consumer Privacy Act, with 40% of brokers failing to respond to data access requests and many imposing inconsistent, burdensome procedures.
- Minnesota’s Consumer Data Privacy Act took effect on July 31, giving residents stronger control over how their personal data is collected, used, and sold, and granting individuals rights to challenge automated profiling decisions.
- Ontario enacts Bill 194 to strengthen public sector cybersecurity and privacy by requiring institutions to assess risks, report harmful breaches to the Information and Privacy Commissioner, notify affected individuals, and comply with new oversight powers.
- US White House unveils a sweeping AI Action Plan focused on accelerating innovation, removing regulatory barriers, and asserting national leadership in artificial intelligence, while discouraging state-level regulation.
- US White House announces a national health data tracking system that enables patients to opt in and securely share medical records across apps and health networks, integrating data from Big Tech and major providers to deliver personalized wellness insights—while also sparking privacy concerns.
- US Department of Health and Human Services’ Office for Civil Rights reaches a settlement with a provider of psychological and psychiatric services after finding that the provider impermissibly disclosed electronic protected health information (ePHI) online.
- US District Judge rules that the dismissal of the Federal Trade Commissioner was illegal, asserting that the action violated the statutory protections of agency independence.
EMEA
- France’s data protection authority publishes the final version of its guide on transfer impact assessments (TIAs), providing direction on how the analysis for TIAs can be conducted (in French).
- EU data protection authorities welcome targeted modifications to the GDPR that simplify record-keeping obligations for enterprises with fewer than 750 employees and preserve core data protection principles while reducing administrative burdens.
- EU European Commission holds firm on implementing the Artificial Intelligence Act despite calls from member states and industry leaders for delays, reaffirming its August compliance deadline for general-purpose AI systems.
- EU European Commission publishes the final version of its General-Purpose AI Code of Practice, inviting AI model providers to voluntarily adopt safety, transparency, and copyright standards that align with the EU AI Act.
- EU European Commission initiates a process to adopt new adequacy decisions with the UK, affirming that the UK’s legal framework continues to offer data protection safeguards that are essentially equivalent to those of the EU.
- UAE enacts amendments to key legislation to enhance data subject rights and clarify international data sharing standards, effective July 15, 2025.
Gain confidence to use and share sensitive data
Find out how our advisory services can help you safely leverage data derived from information about people. Watch this 15-minute webinar.
APAC
- China proposes the creation of a new global AI cooperation organization to promote inclusive development, positioning itself as a leader in shaping international norms for artificial intelligence.
- Singapore’s data protection authority launches a suite of new tools—including the Global AI Assurance Sandbox, a Privacy Enhancing Technologies (PETs) adoption guide, and a new data protection standard—to help businesses deploy AI responsibly and build public trust in a secure digital ecosystem.
LATAM
- Mexico enacts a sweeping public security law and links it to the creation of a national information database that centralizes sensitive data from individuals and companies, raising privacy concerns.
Global
- BRICs push for UN-led governance of artificial intelligence at the Rio Summit, seeking to establish a multilateral framework that promotes equitable global oversight.
- Global network conducts an international joint testing exercise focused on agentic AI systems, aiming to build shared evaluation methods and foster global collaboration on AI safety.