Data Privacy Frontline Report

Here are key highlights from June 2026 detailing global news and regulatory updates.

US & Canada

• Canada launches its “AI for All” strategy to boost AI adoption and economic growth—targeting higher uptake, job creation, and stronger domestic infrastructure—while reinforcing digital sovereignty and addressing governance, privacy, and AI‑related risks.

• Canadian government introduces Bill C‑36 to modernize private‑sector privacy law by recognizing privacy as a fundamental right, strengthening consent and deletion rights, and shifting enforcement to a new regulator with significant penalty powers.

• Louisiana enacts the Louisiana Data Privacy Act, establishing a comprehensive consumer privacy framework—effective in 2027—that mirrors common US state models while imposing obligations on businesses through CCPA‑style thresholds and broad exemptions.

• US Department of Health and Human Services (HHS) announces a settlement with a group health plan following a ransomware attack investigation, resolving potential HIPAA violations related to inadequate risk analysis and security controls through a financial penalty and corrective action plan.

• US Commerce Department orders the Census Bureau to stop using differential privacy techniques that add statistical noise to protect, a move experts warn could reduce data detail or availability.

• Vermont becomes the 23rd U.S. state to enact a comprehensive consumer privacy law with the Data Privacy and Online Surveillance Act, introducing a Connecticut‑style framework with some differences in applicability thresholds and opt‑out requirements, and with enforcement set to take effect in 2028.

EMEA

• EU and Brazil sign a Digital Partnership to deepen cooperation on data governance, AI, and digital infrastructure, to be implemented through regular high-level exchanges and technical workstreams. (also in LATAM)

• EU European Commission publishes a voluntary Code of Practice to guide providers and deployers in marking and labelling AI‑generated content ahead of the AI Act’s transparency obligations.

• EU European Parliament approves amendments to the AI Act to simplify compliance and delay certain obligations while maintaining its risk‑based framework, including changes to reduce overlaps, support SMEs, and adjust timelines for high‑risk AI requirements and transparency measures. 

• EU European Commissioner and the European Data Protection Board (EDPB) adopt a common data breach notification template to help organizations and regulators standardize, streamline, and harmonize GDPR breach reporting processes across the EU.

• EU European Data Protection Supervisor (EDPS) warns that “shadow AI”—the unauthorized use of AI tools by employees without organizational approval or oversight—creates hidden data breach risks by bypassing safeguards and placing personal data into unmonitored systems.

• Italy's data protection authority fines airline €180,000 for unfair handling of passengers’ health data, citing inadequate transparency and excessive retention periods despite finding the underlying data processing itself was lawful.

• Nigeria's data protection authority and Meta launch a two‑year campaign to promote data privacy awareness, strengthen regulatory capacity, and enhance protections for data subjects, as part of a court‑approved settlement following investigations into Meta’s data processing practices.

• Romanian hospitals disconnect from the internet and revert to pen‑and‑paper operations after a major ransomware attack spreads through a widely used healthcare system, disrupting care but helping stop the hackers’ advance.