Newsletter

India's DPDP Act and Rules Take Effect, European Commission Publishes Digital Omnibus...

Author: aosphere

04 December 2025

Area: Data privacy

Key global data privacy developments you might have missed (but Rulefinder Data Privacy hasn't).

India - DPDP Act and Rules take effect

India’s Ministry of Electronics and Information Technology (MeitY) has published documents related to the country’s new data protection law, the Digital Personal Data Protection Act 2023 (the DPDP Act). The documents establish long-awaited compliance timelines for the DPDP Act and officially set out the final version of the Digital Personal Data Protection Rules 2025 (the DPDP Rules).

However, it is important to note that the effective implementation of the DPDP Act and the DPDP Rules is phased over the next 18 months, with most fundamental obligations coming into force at the end of that transitional period, in May 2027. With that in mind, Trilegal - our local counsel in India - have published a detailed summary of key legal and practical compliance considerations entitled 'Preparing for the DPDPA - getting the next 18 months right'.

View the MeitY press release

EU Member States - European Commission publishes digital omnibus

On 19 November 2025, the European Commission published its digital omnibus with proposals to simplify EU rules on AI, cybersecurity, and data. The omnibus aims to follow an “innovation-friendly” approach while maintaining high standards of regulation.

In terms of GDPR reform, the Commission proposed a broad range of changes including on the definition of personal data, data subject rights, privacy notices, breach notification, DPIAs, cookies, and the use of artificial intelligence. In relation to the AI Act, as well as certain amendments to improve clarity and streamline processes, delays have been proposed to the applicability dates of key provisions, given the delayed availability of standards and common specifications, and the delayed establishment of national competent authorities. The omnibus also aims to reduce overlap and improve clarity of data laws by consolidating the Free Flow of Data Regulation, the Data Governance Act, and the Open Data Directive into the Data Act, creating a single legal instrument for Europe’s data economy.

While the proposals may have significant operational implications for businesses, they are only a first step, and do not yet have the force of law. The digital omnibus will now be submitted to the European Parliament and the Council for adoption. This creates some uncertainty for the AI Act, as to whether a delay to the timeline can be agreed before the current applicability date of 2 August 2026.

View the European Commission's press release

India - new AI governance guidelines

On 5 November 2025, the Indian Ministry of Electronics and Information Technology (MeitY) published the India AI Governance Guidelines, described by MeitY as a "comprehensive framework to ensure safe, inclusive, and responsible AI adoption across sectors." The Guidelines are set out across four separate sections, covering: (i) cross-sector guiding principles for organisations using AI; (ii) key public policy recommendations; (iii) an action plan for institutions to operationalise the key recommendations; and (iv) practical guidelines on transparent and accountable AI deployment.

The Guidelines also set out, in Annex 3 (p.51), an overview of current laws in India that are relevant to AI systems, which may be of assistance to organisations deploying AI solutions in India. This list includes sector-specific laws and guidance issued by institutions such as the Reserve Bank of India, the Securities and Exchange Board of India, and the Insurance Regulatory and Development Authority of India.

View the MeitY press release
View the Guidelines

EU Member States - CJEU decision relating to the 'soft opt-in'

On 13 November 2025, the Court of Justice of the European Union (CJEU) published its decision in Inteligo Media SA v ANSPDCP (C-654/23), in relation to the ‘soft opt-in’ under the ePrivacy Directive, where consent is not required for direct marketing of similar goods and services in the context of a sale, provided there is an opportunity to easily object free of charge.

The CJEU set out a broad view of direct marketing, which could include editorial content, particularly where the goal is to promote paid-for services or convert free trial users into subscribers. It also held that the exception can apply to indirect remuneration for freemium models (i.e. a commercial relationship does not always require monetary payment). It should be noted that the decision relates specifically to a free subscription and newsletter with the goal of promoting paid-for services, and it is not clear how far the CJEU’s decision would also apply to other types of freemium model (e.g. registrations on fully free platforms or free articles and white papers where there is no direct paid-for service).

View the CJEU decision

United States - California - Guidance on 2026 CCPA regulations

The California Privacy Protection Agency has published high-level guidance on the new California Consumer Privacy Act regulations (available in their final approved form here), which come into effect on 1 January 2026. Broken down into "7 things to know before the 2026 CCPA updates take effect", the guidance covers risk assessments, requests to opt out of selling/sharing, requests to know, requests to correct, maintaining corrected data, health data corrections, and sensitivity of youth data.

View the high-level guidance
View the full suite of documents and materials related to this round of rulemaking

Finland - updated online data breach notification form

The Finnish data protection authority, the Office of the Data Protection Ombudsman, has made changes to its online personal data breach notification form. Use of this form is the Ombudsman’s preferred method of breach notification. The link to the online form remains the same as before, and it will continue to be available via the Government ICT Centre Valtori’s secure form service.

The purpose of the changes is to streamline the processing of notifications. The following changes have been made: the structure has been modified, the wording of the questions has been clarified, and guidance text has been added to make it easier to submit a notification.

View the online form

China - Q&A published on cross-border transfer

On 31 October 2025, the Cyberspace Administration of China (CAC) released a Q&A on Cross-Border Security Management Policies, which includes ten practical points to assist organisations in complying with data export rules in China.

The Q&A provides clarification on exemptions, including where HR data is transferred in accordance with employment law and collective agreements (where the relevant agreements must comply with key data protection principles). The CAC confirms that where data is accessed locally by overseas members of staff, but is not transferred overseas, this does not constitute an export of data. There is also guidance on whether system changes require updated security assessments, continuous transfers of personal data, when new filings may be required if new transfer scenarios emerge, onward transfers, and certification.

View the Q&A (in Chinese)

International - enforcement sweep on the protection of children's privacy

Between 3 and 7 November 2025, the Global Privacy Enforcement Network (GPEN) ran a global sweep to examine how websites and mobile applications commonly used by children handle their personal data.

The sweep is a GPEN initiative whereby data privacy authorities work together for a week, once every year, to protect the privacy rights of individuals around the world and support cooperation in cross-border enforcement. The Office of the Privacy Commissioner of Canada, the United Kingdom Information Commissioner’s Office, and the Office of the Data Protection Authority of Guernsey are coordinating this year’s sweep, which focuses on the protection of children’s privacy.

The sweep will mark the 10-year anniversary of a similar children’s privacy sweep conducted in 2015, allowing authorities to compare results, understand how practices have evolved over the past decade and identify areas where further improvement is needed to protect children online. The results are expected to be released in early 2026.

View the GPEN press release
View more details about the GPEN

Germany - Federal Government Bill to implement NIS 2 passed by Bundestag

On 13 November 2025, the Bundestag passed the Federal Government Bill to implement NIS 2 on its third reading. The next stage is for the new law to be counter-signed and then promulgated in the Bundesgesetzblatt (the Federal Gazette). Supervision and oversight will be provided by the Federal Office for Information Security (BSI) and a federal administration-level Chief Information Security Officer (CISO BUND) will be established. A new reporting office is also due to be created between the BSI and the Federal Office for Civil Protection (BBK).

Affected organisations should assess their risk profile and compile a cybersecurity risk inventory, which will determine the extent to which security measures are required. Alongside general security measures, specific compliance measures could be needed, e.g., if the BSI issues sector-specific directions or if the Federal Ministry of the Interior prohibits certain supply-chain relationships under powers provided by the new legislation. There will be a three-stage process for incident reporting, whereby an initial report should be submitted upon discovery of an incident, with a detailed report to follow shortly thereafter and then a final report.

View the Bundestag overview of the new law with linked documents
View a Federal Government press release (both in German)

Denmark - Datatilsynet opinion on disclosures to evidence compliance with labour clauses

The Danish data protection authority, Datatilsynet, has published an advisory opinion on the legal basis for a supplier to disclose employee information to its contracting party to evidence compliance with the labour clauses in the contract. Labour clauses are widely used to ensure fair wages and working conditions for suppliers. Organisations often require the supplier to provide evidence of its compliance with labour clauses, typically in the form of employees' salary information, timesheets and employment contracts.

In its opinion, Datatilsynet considers that suppliers must generally find a legal basis for the disclosure in Article 6(1)(f) GDPR. Given the purpose of the labour clauses, this will generally constitute an overriding legitimate interest which would form the basis for the disclosure of the information in question, unless there are specific circumstances that prevent such disclosure.

View Datatilsynet’s opinion (in Danish)

919 Sanctions. We're keeping count.

That's the total number of regulatory sanctions around the world that Rulefinder Data Privacy has tracked so far in 2025.

It amounts to over US$3,545,290,000 in penalties and numerous other reprimands and corrective actions.
