Data Privacy Frontline Report

October 2025

Here are key highlights from November 2025 detailing global news and regulatory updates.

 

US & Canada

  • California’s privacy protection agency releases a guide for complying with changes to the California Consumer Privacy Act (CCPA) that come into effect on January 1, 2026, highlighting seven things that business should prepare for.

  • US appeals court rules that publishing breached data on the dark web can itself constitute harm, lowering the burden of proof for data breach lawsuits and increasing companies’ legal exposure.

  • US senator introduces the Health Information Privacy Reform Act (HIPRA) to extend HIPAA-like protections to health data held by non-HIPAA entities and to update certain HIPAA provisions.

  • US White House executive order that was leaked proposes federal action to challenge state AI laws, aiming to reduce regulatory barriers and promote innovation.

  • US company agrees to pay $1.3 million to settle class action litigation over a November 2023 cyberattack that exposed data of as many as 151,000 individuals.

  • US Commerce Secretary urges the EU to roll back its Digital Services Act and Digital Markets Act rules targeting U.S. tech firms, offering major investment incentives while warning of potential trade retaliation if regulations remain unchanged. (also in EMEA)


EMEA
  • EU European Commission unveils proposals to simplify digital regulations through targeted amendments to the GDPR and AI Act, aiming to reduce compliance burdens, clarify rules for AI-related data processing, and boost EU competitiveness while maintaining strong privacy and security standards.
  • EU European Council adopts new rules to streamline cooperation among national data protection authorities, seeking to speed up cross-border GDPR complaint handling and make enforcement more efficient.
  • EU European Data Protection Board (EDPB) issues a positive opinion on the European Commission’s draft adequacy decision for Brazil, confirming that Brazil’s data protection framework offers safeguards essentially equivalent to EU standards. (also in LATAM)
  • EU data protection authority provides guidance for risk management of AI systems, striving to deliver actionable insights and practical guidance for identifying and reducing common technical risks.
  • EU urged by US Commerce Secretary to roll back its Digital Services Act and Digital Markets Act rules targeting U.S. tech firms, offering major investment incentives while warning of potential trade retaliation if regulations remain unchanged. (also in US & Canada)
  • Nigerian data protection authority co-authors a white paper urging early-stage innovators to embed privacy-by-design in digital public infrastructure and AI.
Gain confidence to use and share sensitive data
Find out how our advisory services can help you safely leverage data derived from information about people. Watch this 15-minute webinar.
Watch On-Demand Now
APAC
  • Australian government establishes the Australian Artificial Intelligence Safety Institute (AISI) to monitor and test emerging AI capabilities and identify risks and harms.
  • India’s Digital Personal Data Protection Act (DPDPA) regulations are published, completing the implementation of the country’s new data protection regime after a two-year drafting process.
  • New Zealand’s privacy commissioner claims change is needed to the country’s Privacy Act 2020, including stronger penalties for breaches, a right to erasure, and safeguards for automated decision-making.
LATAM

  • Brazil’s data protection framework is deemed essentially equivalent to EU standards, as confirmed by the European Data Protection Board’s (EDPB) positive opinion on the European Commission’s draft adequacy decision. (also in EMEA)

  • Paraguay approves a comprehensive personal data protection law, with implementation set for 2027 after a two-year transition period. (article in Spanish)

Global

  • International AI Safety Report releases a second update, providing policymakers with the latest insights on technical safeguards and risk management for general-purpose AI.