Newsletter

Greater security measures urged in South Korea and France - this month's data protection highlights

Author: aosphere

30 May 2025


Area: Data privacy

Key global data privacy developments you might have missed (but Rulefinder Data Privacy hasn't).

United States - Montana - Privacy law amendments enacted

On 8 May 2025, the Governor of Montana signed into law SB 297 (an act generally revising privacy laws). The key changes to the Montana Consumer Data Protection Act (MCDPA) brought about by this amendment include: a lowering of its applicability threshold; new privacy notice requirements; privacy protections for children; the removal of the right to cure; and changes to the exemptions for non-profits and for data covered by the Gramm-Leach-Bliley Act.

Following the amendments, the MCDPA applies where a person conducts business in Montana (or produces products or services targeted at Montana residents), and: handles the personal data of at least 25,000 consumers (reduced from 50,000); or handles the personal data of at least 15,000 consumers (previously 25,000) and derives more than 25% of revenue from personal data sales (no change).

The Bill is available here

Australia - AI model clauses

The Australian Government has released AI model contractual clauses, which have been designed to manage emerging risks, issues and ethical challenges in the procurement and deployment of AI systems (including software or services with integrated AI). Whilst the AI model clauses have been developed specifically to assist public sector procurement, they may also prove helpful for private sector organisations looking to mitigate risks and promote transparency and accountability in the purchasing and deployment of AI systems.

The AI model clauses are intended to assist the purchasing of: (i) services where the seller may be using AI systems in the provision of the services (for example, if a consultant uses AI in the preparation of presentations and reports); and (ii) bespoke AI systems (for example, chatbots for websites or AI tools to assist decision making). The clauses also cover other use cases, such as the development of automated decision-making tools, procuring or using off-the-shelf AI systems, and procuring a product with embedded or integrated AI capabilities.

The clauses are available here

Data Privacy: Stay ahead of the curve

As AI accelerates, so do the compliance challenges. In this recent article, we explore the growing intersection between AI and data privacy, covering key compliance risks, from DPIAs to automated decision-making, and what they mean for AI governance.

Our new AI Regulation & Governance module keeps you up to speed with:

  • Global AI laws, guidance, regulators, and enforcement updates
  • Key governance requirements – from transparency to AI safety
  • Practical use cases – from chatbots to recruitment tools

Exclusively available to Rulefinder Data Privacy subscribers. Get in touch for a demo or more details.

Denmark - cookie guidance issued

On 15 May 2025, the Danish data protection authority (Datatilsynet) and the Danish Agency for Digital Government issued a joint guide on compliant use of cookies and similar technologies. The rules on the use of cookies, as set out in the e-Privacy Directive, are implemented in Denmark in the Danish Executive Order on Cookies. The Executive Order applies alongside the Danish Data Protection Act, and as such, organisations using cookies or similar technologies that process personal data will need to ensure compliance with both laws. The cookie guide is written for organisations that offer websites and/or apps and reviews the requirements of the applicable legislation, as well as providing practical advice and examples on how to comply. The guide also sets out risk factors and potential barriers to compliance of which organisations should be aware.

The guide is available here (in Danish)

Malaysia - JPDP publishes Cross Border Data Transfer Guidelines

With effect from 1 April 2025, the PDPA Amendment Act removed the requirement for destination jurisdictions to be formally approved by the Malaysian Government and allowed organisations to transfer personal data to jurisdictions in the circumstances outlined in section 129 of the PDPA (including where the destination jurisdiction has any law in force which is substantially similar to the PDPA, or where the individual consents to the transfer).

Following public consultation, to help organisations understand and comply with the rules on cross-border data transfers, Malaysia's Department of Personal Data Protection (the JPDP) has now published detailed Cross Border Data Transfer Guidelines. This includes guidance on conducting transfer impact assessments (when assessing similarity of laws to the PDPA), the scope of various exceptions, and the requirement to take reasonable precautions and conduct due diligence. The guidance also covers the responsibilities of data controllers when transferring personal data, how to deal with data processors, and record keeping requirements.

The guidelines are available here (scroll down for the English version)

Kenya - ODPC consults on data protection guidance documents

The Kenyan Office of the Data Protection Commissioner (ODPC) has published a consultation on a series of eight draft guidance documents to assist organisations in their efforts to comply with the requirements of the Data Protection Act 2019. The eight draft guidance documents cover: children's data, historical and statistical data, biometric data, audio-visual recordings and photography, public sector processing, journalism, processing by micro, small, and medium enterprises, and processing for research purposes. The ODPC has also provided a template document for comments and invited responses by 30 May 2025.

The consultation is available here

Sanctions. We're keeping count.

174. That's the number of regulatory sanctions around the world that Rulefinder Data Privacy has already tracked in 2025. It amounts to over 2,208,470,000 US dollars in penalties and numerous other reprimands and corrective actions.
Not seen our Enforcement Tracker yet? Ask us for a demo. 

Canada - launch of consultation on a children's privacy code

The Office of the Privacy Commissioner of Canada (OPC) has launched an exploratory consultation to develop a children’s privacy code, the purpose of which is to enhance the protection of young people’s personal information in the digital world. This approach builds on the OPC’s past work relating to children’s privacy, such as the G7 Data Protection and Privacy Authorities’ Statement on AI and Children, and past resolutions jointly released with Canada’s provincial and territorial counterparts on the best interests of young people and deceptive design patterns.

The consultation will explore creating clear, practical guidelines for companies that handle children’s personal information, to help them ensure that their products and services are designed with the highest standards of privacy and data protection in mind, and that they provide children with tools that will empower them to exercise their privacy rights. Feedback is to be submitted by email to cpvp-opcconsultation1@priv.gc.ca by 5 August 2025.

The consultation is available here

South Korea - PIPC urges additional security measures

The South Korean data protection authority (the PIPC) has issued a statement urging organisations to implement specific additional safety measures. The request is primarily targeted at organisations that engage in large-scale processing. The PIPC has made the statement in light of a large cyber-attack affecting a telecom provider, which resulted in the theft of its customer information in the second half of April 2025. More specifically, threat actors were able to steal customers' "Universal Subscriber Identity Module" (USIM) data, i.e. the data stored on USIM cards (a type of SIM card for 3G services). Millions of customers are said to be affected. The PIPC asks organisations to secure USIM data, to the extent they process it, by: (i) ensuring employees who handle personal information subscribe to the USIM protection service or replace their USIM; and (ii) using additional authentication methods other than mobile phones when authenticating users.

The PIPC’s statement is available here (in Korean)

Finland - guides on development and use of AI systems

The Finnish data protection authority, the Ombudsman, has published non-exhaustive guidelines on how to take data protection requirements into account when developing or deploying an AI system. The Ombudsman notes that the development of an AI system often meets the high-risk criteria, meaning a data protection impact assessment must be carried out. Risks should be assessed before personal data is processed, and appropriate controls put in place (including, for example, in relation to security). Organisations must establish a lawful basis for processing when developing or using an AI system, as well as when training an AI system. The Ombudsman emphasises the importance of complying with core data protection principles (e.g. transparency, data minimisation, and purpose limitation), and the AI system must be designed in a manner that allows data subjects to exercise their rights.

The guidelines are available here (in Finnish)

France - CNIL recommends extra security measures for large databases 

The French data protection authority (the CNIL) has issued a recommendation which suggests that organisations with personal data contained in large databases should implement enhanced security measures. The CNIL's statement follows a recent increase in opportunistic cyber-attacks on large databases such as customer databases and CRM systems. 

The CNIL starts by referring to its existing Security Guide (in French), which contains the basic security measures expected of all organisations processing data. It then lists a number of specific measures for "large databases", which it loosely defines as "databases containing the data of several million persons". These include: (i) securing external access with multi-factor authentication; (ii) logging, analysing, and setting limits on the data flows that pass through the information system; (iii) conducting training and awareness; and (iv) supervising data security with subcontractors/processors.

The recommendations are available here (in French)

Australia - Notifiable data breaches report published

The Office of the Australian Information Commissioner (OAIC) has released a report on notifiable data breaches from 1 July to 31 December 2024 (the Report), which highlights areas of potential risk for organisations to consider. The period saw 595 data breaches reported to the OAIC, which continues the upward trend of notifications. Malicious or criminal attacks remained the leading source of data breaches, accounting for 404 notifications (69%), with human error (e.g. an e-mail sent to the wrong recipient) accounting for 170 notifications (29%). Cyber security incidents were the source of 247 (61%) of all malicious or criminal attacks. The top three cyber-attack methods were: (1) phishing; (2) ransomware; and (3) compromised or stolen credentials (method unknown). The top sectors from which reports originated were: (i) health service providers (20%), (ii) Australian Government (17%), (iii) financial organisations (9%) and (iv) retail (6%).

It is worth noting that the Attorney-General’s Department is in the process of conducting a comprehensive review of the Privacy Act 1988, which includes proposals that would strengthen the Notifiable Data Breaches scheme, including changes to the reporting timeframes (i.e. setting a 72-hour timeframe to notify the OAIC of eligible data breaches).

The Report is available here

Want to find out more?

Rulefinder Data Privacy subscribers hear about these and other privacy law developments as soon as we cover them.

Request a free trial