DPRules Summer Edition - Key Global Data Privacy Developments You Might Have Missed
Vietnam – National Assembly passes new Personal Data Protection Law
The Vietnamese National Assembly has passed the proposed new Personal Data Protection Law (New PDP Law) which will take effect on 1 January 2026. The New PDP Law has been drafted to ensure consistency with the Vietnamese legal system and compatibility with relevant international treaties to which Vietnam is a signatory.
Among other things, the New PDP Law (i) prohibits buying and selling personal data; (ii) creates new rules for data sharing; (iii) strictly regulates the mechanism for data subjects to exercise their rights; (iv) updates the rules on impact assessments for international transfers (with an initial assessment to be updated on any changes to processing operations); and (v) includes sanctions for breaching the PDP Law, which may be administrative or criminal in nature.
Algeria - amendments to data protection law published
In Algeria, Law No. 25-11 has been published, which updates the existing data protection law (Law No. 18-07). Amendments include: (i) new provisions for data protection officers; (ii) new requirements regarding data protection impact assessments, especially for high-risk processing; (iii) new international data transfer arrangements; (iv) a new distinction regarding the processing of criminal offence data; (v) new breach response requirements; (vi) an expansion of the powers of the national authority through the establishment of regional units responsible for monitoring and auditing compliance; and (vii) a new obligation for organisations to maintain processing records and logs.
The Algerian data protection authority, the ANPDP, has published guidance, including a sample data protection policy and a summary of the new requirements.
View the new law
(Note: the above links go to pages in Arabic - should they not work, please see the listing page on the ANPDP's website)
China - CAC announcement on reporting information about DPOs
The Cyberspace Administration of China (CAC) has issued an announcement setting out details on how and when to report information about the person in charge of personal information protection (i.e. the data protection officer) to the competent authority.
Organisations processing personal information of more than 1 million individuals are required to complete the formalities for reporting certain information about the data protection officer to the relevant internet information department. Where an organisation already processes personal information of 1 million individuals, the information report must be made by 29 August 2025. Where an organisation does not yet process the personal information of 1 million individuals, the report must be made within 30 days of reaching 1 million. Where there are substantial changes, the formalities for changing the information shall be completed within 30 working days from the date of the change. The information report is to be made online.
Israel - updates to data protection law in force
On 14 August 2025, Amendment 13 to the Protection of Privacy Law (PPL) came into force. Amongst other things, the Amendment updates and clarifies the PPL and provides effective enforcement tools to increase the protection of the basic right to privacy.
The Amendment expands the supervisory and enforcement powers of the Privacy Protection Authority (PPA) including further powers to issue administrative fines. It also introduces mandatory appointment of DPOs in certain circumstances, a new notification obligation when processing large volumes of highly sensitive data, a reduction in the obligation to register digital databases, and new powers for the courts to award statutory damages in civil actions. There are also amendments to substantive definitions in the PPL to bring them into line with other data privacy laws including the EU's GDPR.
Read the Amendment (in Hebrew)
United Kingdom - commencement dates of Data (Use and Access) Act obligations announced
Most parts of the Data (Use and Access) Act (DUAA) require secondary regulation before they come into force and the UK Government has divided this process into 4 stages. The key stage from a data protection perspective is Stage 3 and the parts of the DUAA covered in this Stage will likely come into force in December 2025. Stage 4 includes the changes to the UK DPA "Information Commissioner's Office" governance structures, which are expected to come into force in early 2026.
The "Commencement Regulations" in relation to Stage 1 have now been published and the Commencement Regulations for the other Stages will be published in due course. There are some relevant points to note in the Stage 1 provisions, including (i) a provision permitting organisations to process personal data on grounds of public interest where the basis of such processing is set out in relevant international law; (ii) codification of the rule that any searches in the context of DSARs only have to be "reasonable and proportionate; (iii) clarification of the fact that other laws do not generally prevail over data protection requirements in relation to data subject rights; (iv) an update to the definition of “direct marketing”; and (v) harmonisation of data breach notification obligations between PECR and UK GDPR.
Sanctions. We're keeping count.
763. That's the number of regulatory sanctions around the world that Rulefinder Data Privacy has already tracked in 2025. It amounts to over 2,280,030,000 US dollars in penalties and numerous other reprimands and corrective actions.
Not seen our Enforcement Tracker yet? Ask us for a demo.
DIFC - amendments to Data Protection Law
The Dubai International Financial Centre has announced updates to the Data Protection Law 2020 (DPL) through Law No. 1 of 2025 (the Amendment Law), which came into effect on 15 July 2025. The amendments are intended to provide additional rights and protections for data subjects and keep the DIFC in line with international standards. The changes are fairly limited in nature, but there are some important points for organisations to note.
The Amendment Law has made changes to the territorial scope of the DPL, with the extra-territorial application of the law now potentially flowing down to sub-processors, and a previous carve-out for “occasional” processing having been removed. The Amendment Law also introduces a private right of action for data subjects to apply to the court for compensation if they have suffered damage due to a contravention of the DPL or its Regulations. Finally, there have been increases in the maximum fines for certain violations.
Read the press release
Read the Amendment
United States - Minnesota - Data Privacy Act in effect
The Minnesota Consumer Data Privacy Act (MCDPA) came into effect on 31 July 2025. Breaches of the MCDPA are subject to civil penalties of up to $7,500 per violation, but there is a 30-day cure period for violations (until 31 January 2026). The Minnesota Attorney General has also launched a new website providing individuals with information on the MCDPA.
Similarly to other US state privacy laws, the MCDPA contains terms covering applicability, individual rights, privacy notices, data minimisation, data security and purpose limitation, sensitive data, data privacy and protection assessments, and universal op-out mechanisms.
Read the full text of the MCDPA (from page 155 onwards)
United States - California - CPPA unanimously adopts rulemaking package
On 24 July 2025, the California Privacy Protection Agency (CPPA) voted unanimously to adopt a rulemaking package covering: Automated Decision-making Technology Regulations; cybersecurity audits; risk assessments; insurance companies; and updates to the California Consumer Privacy Act. The California Office of Administrative Law has thirty working days to review and approve it (which is largely expected to be a procedural step).
Read the full modified text of the proposed regulations, as voted on by the CPPA Board
South Korea - PIPC publishes comprehensive data protection guideline
The South Korean data protection authority PIPC has published a new Guideline (Korean only). This "Integrated Guideline on Data Protection" provides further detail on the comprehensive data protection changes introduced in 2023 to the South Korean data protection act (PIPA).
For example, the 2023 amendments to the PIPA introduced new provisions in relation to lawful bases for processing and the newly published Guideline elaborates on this by providing more detail on the circumstances in which organisations can rely on the "fulfilment of a contract" ground. Other areas covered by the Guideline include circumstances in which consent cannot be obtained lawfully; clarifications around the purpose limitation rules; recommendations in relation to data deletion; and obligations (including required inspections) in the context of the relationship between organisations and service providers such as cloud hosting providers.
China - CAC issues updated guidelines on security assessment for data exports
On 27 June 2025, the Cyberspace Administration of China (CAC) issued an updated, third edition of its guidance on security assessment for data exports. The guidance aims to assist data exporters required to undertake the security assessment by simplifying the materials required and providing more detailed operational guidance. In particular, the update clarifies the rules applicable when a data exporter wishes to apply for an extension of the validity period of a security assessment.
Read the CAC press release
Security assessments are generally valid for three years, however, where a data exporter meets certain conditions, it can apply for an extension of the assessment by three years. The application must be made sixty days before the expiry of the security assessment.
Read the CAC's latest guidance on security assessments for data exports (in Chinese)
Want to find out more?
Rulefinder Data Privacy subscribers hear about these and other privacy law developments as soon as we cover them.
