Key global data privacy developments you might have missed (but Rulefinder Data Privacy hasn't).
South Korea - EU now 'adequate' destination for international transfers
As of 16 September 2025, it is possible for companies and public institutions located in South Korea to transfer personal information (eg employee and customer information) to branches or other companies located in the European Union (EU) without additional requirements such as obtaining consent.
This is the result of the so-called "equivalence recognition" (often referred to as an "adequacy decision") issued by the Personal Information Protection Commission (PIPC) which has recognised that the level of personal information protection in the EU is practically the same as in South Korea.
As a result, together with the EU's adequacy finding for South Korea, which has allowed the free transfer of personal information from the EU to Korea since December 2021, this means that personal information can now flow freely in both directions between South Korea and the EU. The PIPC will keep its equivalence recognition under periodic review, with its first review due in 2028.
New Zealand - Privacy Amendment Act 2025 receives Royal Assent
On 23 September 2025, the New Zealand Privacy Amendment Act 2025 received Royal Assent. The main substantive change in the Act is the introduction of a requirement to take reasonable steps to provide privacy information to individuals when data is collected indirectly. Organisations are currently only required to provide such information where data is collected directly. This provision of the Act will come into force on 1 May 2026.
Other amendments include the ability of the Office of the Privacy Commissioner (OPC) to designate blocs of jurisdictions as adequate (rather than just individual jurisdictions) for the purpose of international data transfers, as well as technical amendments such as refinements to certain exemptions. The OPC is currently considering its Codes of Practice, which may be updated in line with the new Act.
China – Artificial Intelligence Security Governance Framework 2.0
During the 2025 National Cybersecurity Publicity Week, the Cybersecurity Administration of China released version 2.0 of the Artificial Intelligence Security Governance Framework. The updated framework is designed to build on the first edition by accounting for the latest developments in AI technology, updating risk tracking and classification, and providing a new list of technical measures to manage risk.
The new framework contains core principles for AI governance, namely: inclusivity, risk-oriented agile governance, combining technology with risk management, open cooperation and sharing, and using trusted applications to prevent loss of control. Risks are categorised into three broad buckets:
- Inherent risks (eg unreliable outputs)
- Security risks from applications (eg supply chain security)
- “Derived” risks, or what might be termed secondary risks (eg impacts on jobs and education)
Recommended countermeasures are set against each category of risk, and the framework contains an appendix on classifying risk, with five different tiers identified.
EU Member States – EDPB guidelines on GDPR and DSA
On 12 September 2025, the European Data Protection Board (EDPB) adopted draft guidelines on the interplay between the Digital Services Act (DSA) and the General Data Protection Regulation (GDPR). The DSA regulates online intermediaries and platforms such as content-sharing platforms, online marketplaces, social networks and app stores, aiming to prevent illegal or harmful online activities. Certain provisions within the DSA relate to the processing of personal data by intermediary service providers and, in so doing, make use of GDPR definitions and concepts.
The EDPB guidelines aim to support the consistent application of the DSA and the GDPR across areas such as: transparency of online advertising; the prohibition of profiling-based advertising using sensitive ("special category") data; and notice-and-action systems (to report illegal content).
The guidelines are subject to public consultation until 31 October 2025.
Brazil and the EU – work progressing on mutual adequacy
The European Commission has published a draft adequacy decision in relation to Brazil, recognising that Brazil provides an adequate level of personal data protection for the purposes of international data transfers. Once formally adopted, this adequacy decision will allow for the transfer of personal data from the European Union to Brazil without the need for additional safeguards, such as standard contractual clauses, binding corporate rules, or specific authorisations, significantly simplifying international data flows. The draft decision now goes to the European Data Protection Board to give its view.
In parallel, the Brazilian data protection authority (the ANPD) has initiated a process to adopt an equivalent decision to allow for Brazilian data to flow freely to the EU. This process is in its final stage of technical analysis and, after legal review, will be submitted to the ANPD’s Board of Directors for final deliberation.
United Kingdom – final guidance on encryption published
On 2 September 2025, the ICO published the final version of its guidance on encryption. The guidance is comprehensive and covers matters such as the definition of encryption and how encryption fits in with the wider UK data protection compliance framework. It specifically covers encryption in data storage and data transfer contexts. Each of these can require a different approach to encryption; for example, HTTPS is an encryption method specifically used to protect data in transfer.
The guidance provides practical recommendations for encryption implementation and has a number of encryption scenarios which will help organisations understand what may be required in certain specific circumstances. For instance, the scenarios cover: encrypted emails; encryption in the cloud; and encryption and the internet of things (IoT).
Poland - UODO publishes activities report for 2024
The Polish data protection authority, the UODO, has published a report on its activities in 2024. The report sets out the most important findings on the UODO's workload during the year, which included: examining complaints, carrying out inspections, issuing opinions on draft legal acts, receiving reports of data breaches, and taking action. The UODO had a busy year and received 8,065 complaints and 14,842 reports of personal data breaches (both higher than in 2023).
The report explores areas of future focus, such as the challenge in balancing the benefits that the digitalised world can bring, particularly with the advent of new technologies, with ensuring that individual rights are protected, including the right to privacy.
Singapore - PDPC FAQs on NRIC numbers
Singapore's data protection authority (the PDPC) has updated its FAQs on the use of National Registration Identification Card (NRIC) numbers. The updated FAQs follow the PDPC’s response to media and public queries on the use of NRIC numbers in December 2024 and a joint advisory from the PDPC and the Cyber Security Agency of Singapore against using NRIC numbers for authentication in June 2025.
The FAQs cover a wide range of issues and confirm the PDPC’s position in relation to the handling of NRIC numbers, including:
- That organisations should not generally collect, use or disclose an individual's NRIC number unless it is required under the law, an exception applies, or it is strictly necessary to achieve a high verification standard
- Circumstances where an organisation may not be deemed to have collected an NRIC number
- Confirmation that NRIC numbers should not generally be used for authentication
- Factors to determine whether authentication is necessary
Denmark - Increased visibility into personal data breaches
The Danish data protection authority, Datatilsynet, has expanded the statistical information it publishes on data breach notifications to now encompass "unintentional events" and breaches in the public sector. This is due to feedback asking for greater detail. Datatilsynet started publishing data breach statistics in 2023 on its dedicated webpage as part of the national strategy for cyber and information security.
"Unintentional events" covers, for example, sending information to the wrong recipient, lost post, or unintentional disclosure of information. Most of the data breach reports that Datatilsynet receives fall into this category. Datatilsynet hopes that the increased level of detail can help companies implement the right technical and organisational measures to prevent this type of personal data breach.
Oregon – AG publishes enforcement report
The Oregon Attorney General has published an enforcement report titled: The Oregon Consumer Privacy Act, The First Year. The Oregon Consumer Privacy Act (OCPA) came into effect in July 2024, and the report describes both the first year of enforcement and the Oregon Department of Justice’s compliance expectations. It is worth noting that the OCPA is currently in its cure period (until 1 January 2026), meaning that where a violation can be remedied by the relevant organisation, the Department of Justice must give a 30-day period to allow the violation to be cured.
As well as detailing the volume and type of complaints received, the report also helpfully outlines key upcoming events that will be effective from 1 January 2026, including (i) a prohibition on selling geolocation data and children’s data (and a ban on using children’s data for targeted advertising and profiling); and (ii) an obligation to comply with requests to opt out of the sale of personal data or the use of it for targeted advertising.
Sanctions. We're keeping count.
833: that's the total number of regulatory sanctions around the world that Rulefinder Data Privacy has tracked so far in 2025.
It amounts to over US$2,953,620,000 in penalties and numerous other reprimands and corrective actions.
