Data Privacy Frontline Report

March 2026

Here are key highlights from March 2026 detailing global news and regulatory updates.

 

US & Canada
  • California's data protection authority orders automotive company to pay a $375K fine and change its practices after concluding that aspects of its opt-out process improperly hindered consumers’ ability to exercise their rights under the California Consumer Privacy Act.
  • California's governor signs a first-of-its-kind executive order directing the state to strengthen AI procurement standards and expand responsible use of artificial intelligence, requiring companies seeking state contracts to demonstrate strong privacy, security, and civil-rights safeguards while using AI.
  • Oklahoma enacts a comprehensive consumer data privacy law, establishing business-friendly requirements and consumer rights around the collection and use of personal data, with the law set to take effect on January 1, 2027.
  • Ontario's data protection authority gains global recognition for its updated de-identification guidelines, receiving an award from the Future of Privacy Forum.
  • US District Judge denies company request to block California’s AI data disclosure law, ruling that the company failed to show the law would force it to reveal trade secrets.
EMEA
  • EU European Parliament adopts its position on a simplification (“omnibus”) proposal amending the Artificial Intelligence Act, endorsing a delay in the application of certain high-risk AI rules to allow guidance and standards to be finalized and formally opening negotiations with the Council on the law’s final form.
  • EU Court of Justice of the European Union (CJEU) rules that even a first data subject access request under the GDPR may be refused as abusive where the controller can demonstrate that the request was made not to exercise data protection rights but to artificially create grounds for claiming compensation.
  • EU-Australia Free Trade agreement promotes the free movement of data between the EU and Australia by curbing unnecessary data-localization measures while safeguarding the EU’s strong personal data and privacy protections (also in APAC).
  • EU European Data Protection Board (EDPB) launches its 2026 enforcement framework, focusing on how controllers comply with GDPR transparency and information obligations.
  • EU EDPB report examines cross-border GDPR enforcement decisions on the use of legitimate interest as a legal basis, showing how supervisory authorities and the EDPB have applied Article 6(1)(f) across diverse cases while identifying recurring challenges in determining what constitutes a legitimate interest.
  • EU EDPB and European Data Protection Supervisor (EDPS) support harmonizing the rules for clinical trials under the proposed European Biotech Act to improve legal clarity and competitiveness across the EU, while urging the introduction of specific safeguards to ensure a high level of protection for sensitive health and genetic data processed in this context.
  • EU EDPS sets out how it will act as a market surveillance authority and notified body under the AI Act, outlining its new supervisory tasks, strategic vision, and priority actions.
  • France’s data protection authority partners with the French national health authority on a draft guide aimed at helping healthcare professionals deploy artificial intelligence in healthcare settings (article in French).
  • South Africa’s data protection authority issues final regulations under the Protection of Personal Information Act (POPIA), clarifying how designated organizations may lawfully process health information and removing several requirements proposed in earlier drafts.
APAC
  • Australia-EU Free Trade agreement promotes the free movement of data between Australia and the EU by curbing unnecessary data-localization measures while safeguarding the EU’s strong personal data and privacy protections (also in EMEA).
  • Singapore’s health ministry updates AI guidelines to provide clearer, practical direction on the safe, responsible, and patient-centered development, deployment, and use of AI in healthcare.
  • South Korean data protection authority oversees a major overhaul of the Personal Information Protection Act (PIPA), introducing fines of up to 10% of company turnover and explicitly linking data protection violations to personal accountability at the CEO level.
  • South Korean data protection authority updates its pseudonymized data processing guidelines to introduce a more flexible, risk‑based framework that reduces procedural burdens and enables broader, ongoing use of pseudonymized data for artificial intelligence development. 

LATAM
  • Brazil implements a sweeping new legal framework to protect children online by imposing strict obligations on digital platforms.

 
GLOBAL
  • OECD issues a report clarifying the distinction between AI agents and agentic AI by analyzing how these terms are used across the literature and mapping their key features and differences to the OECD definition of an AI system.