Key Global Data Privacy Developments You Might Have Missed (But Rulefinder Data Privacy Hasn’t)
Want to stay ahead of regulatory change? Rulefinder Data Privacy helps you track, interpret, and act on global developments - so your organisation can stay compliant with confidence. Here’s a roundup of key themes we’ve covered over the past month.
More reform, more uncertainty
Privacy regulation continues to evolve at pace
Stage 3 of the UK’s Data (Use and Access) Act 2025 is now in force, introducing further operational and compliance changes
The New Jersey Data Privacy Act has been amended, adding exemptions and extending existing ones – with practical implications for scope assessments
The European Data Protection Board has issued its opinion on the Digital Omnibus, raising some concerns while remaining broadly aligned with regulatory simplification
What this means for you: With so much noise around developments such as these, organisations should focus on concrete legal and regulatory developments, rather than being swayed by news articles or opinion pieces.
Sensitive data under scrutiny
Privacy authorities continue to sharpen their focus on sensitive data and related processing activities.
Canada – Neural data added to sensitive information: The Office of the Privacy Commissioner of Canada has updated its Interpretation Bulletin on Sensitive Information to include neural data
Singapore – Stricter enforcement on NRIC numbers: From 1 January 2027, the Personal Data Protection Commission will intensify enforcement against misuse of national ID card numbers for authentication. See the supporting guidance
India – New obligations for synthetic data: The Information Technology (Intermediary Guidelines and Digital Media Ethics Code) Amendment Rules (2026) came into force on 20 February 2026, setting out clear obligations for processing synthetic (i.e. AI-generated) information. See MeitY’s FAQs on the rules
Implications: Sensitive and emerging data types, including neural data, ID numbers, and AI-generated information, are under increasing scrutiny. Organisations should proactively update policies, assess risks, and strengthen controls.
Cross-border data: Positive moves
We have seen some steps to facilitate cross-border transfers, providing greater clarity in certain jurisdictions / regions.
EU–Brazil: On 27 January 2026, the European Commission and Brazil adopted mutual adequacy decisions, enabling organisations to freely exchange data between the two jurisdictions without additional requirements or formal data transfer mechanisms
Argentina–US: On 5 February 2026, Argentina and the US signed an “Agreement on Reciprocal Trade and Investment”, including recognition of the US as adequate for cross-border data transfers
China: The Cyberspace Administration of China has published a Q&A (in Chinese) clarifying cross-border transfer rules without introducing new obligations
Implications: Track adequacy decisions, review data flows, and monitor changing guidance; update cross-border transfer policies and contracts; and ensure teams understand thresholds and regional rules.
Children’s data: Continued focus
Children’s data, age verification and online safety have become key priorities for many regulators.
South Carolina, US: Age-Appropriate Design Code Act signed into law
International: multiple regulators are focusing on children’s data in 2026, through enforcement strategies, guidance and joint regulatory statements, alongside new laws and rules
UK: updated guidance on children’s higher protection matters
Implications: With children’s data and age assurance (e.g. verification) rising up regulatory and legislative agendas, organisations should immediately review compliance and implement safeguards where necessary.
Regulatory agendas: Looking forward
Regulators worldwide are reviewing the past year’s activity and setting priorities for 2026, offering valuable insight for organisations planning compliance strategies.
Czech Republic: 2026 inspection plan announced, with a focus on public sector DPOs and gambling, among others
Netherlands: 2026-28 strategic priorities set out, covering: AI, mass surveillance (such as CCTV and facial recognition) and digital resilience for essential services
Connecticut, US: 2026 priority enforcement topics announced, including privacy notices; opt-out rights / deceptive patterns; universal opt-out preference signals; genetic data; consumer health data; chatbots; and children’s privacy
Implications: Align privacy programmes with regulator priorities; strengthen DPO and compliance roles; and monitor areas like AI, mass surveillance, and children’s data.
Stay ahead of regulatory change with Rulefinder Data Privacy
We’ll help you track, interpret and act on global developments – with confidence. Learn more and request your free trial today.