Key Global Data Privacy Developments You Might Have Missed (But Rulefinder Data Privacy Hasn’t)
United States - State privacy law round-up
The start of the year has been marked by some major developments for US state privacy laws.
On 1 January 2026, new US state privacy laws came into effect in Indiana, Kentucky, and Rhode Island. The laws are generally similar to other state privacy laws currently in force and their applicability thresholds are set out below.
| Law | Applicability | Exemptions | Notes |
|---|---|---|---|
| Indiana Consumer Data Protection Act (ICDPA) | The ICDPA will apply if an organisation: | Broad exemptions, including for information processed in the employment context and for non-profits. | In December 2025, the Indiana Attorney General published a Consumer Data Protection Bill of Rights. The Bill of Rights is a detailed, practical summary of rights granted to Indiana residents under the ICDPA, which may also be helpful to organisations preparing for the new law. |
| Kentucky Consumer Data Protection Act (KCDPA) | The KCDPA will apply if an organisation: | Broad exemptions, including for information processed in the employment context. | In March 2025, the KCDPA was amended to broaden the categories of data which are exempt from its provisions, particularly in relation to protected health information. |
| Rhode Island Data Transparency and Privacy Protection Act (DTPPA) | The DTPPA will apply if an organisation: | Broad exemptions, including for information processed in the employment context and for non-profits. | |
Also this month, amendments to the Oregon Consumer Privacy Act have come into effect, including in relation to geolocation data, children’s data, and opt-outs, as well as an end to the 30-day cure period.
Finally, large parts of the California Consumer Privacy Act regulations came into effect on 1 January 2026, including obligations relating to risk assessments, requests to opt out, know, and correct data, withdrawal of consent, privacy policies, and sensitivity of youth data. See high-level guidance from CalPrivacy on these obligations.
Vietnam - New Personal Data Protection Law and supporting Decree come into force
The new Personal Data Protection Law (New PDP Law) has come into force in Vietnam with effect from 1 January 2026. The New PDP Law replaces Decree 13 which previously regulated the handling of personal data in Vietnam. Key supporting legislation, Decree No. 356/2025/ND-CP guiding the New PDP Law (New PDP Decree), was approved by the Vietnamese Government on 31 December 2025 and also took effect on 1 January 2026.
Key changes include:
a requirement to appoint a data protection officer
new requirements relating to consent, including how consent can be obtained, keeping records of consent, and consent being provided separately for each processing purpose
a broader definition of Sensitive Data, together with new measures to protect it
new timeframes to respond to individual requests
a requirement to conduct a DPIA where an organisation uses platforms located outside Vietnam to process Personal Data collected in Vietnam
a requirement to notify an affected individual of a data breach where it involves a breach of location data or biometric data
specific terms to include in a data transfer agreement
Certain existing obligations, for example in relation to privacy notices and records of processing activities, are not expressly stated under the New PDP Law, although our local counsel in Vietnam recommend that organisations continue to follow their current processes in these areas.
South Korea - AI Act takes effect
The "Framework Act on the Development of Artificial Intelligence and Establishment of Foundation for Reliability" (the AI Act), which was passed by South Korea's National Assembly on 26 December 2024, came into force on 22 January 2026.
The AI Act sets a foundation for the development of AI systems in South Korea, and broadly has the following three main objectives:
to launch new bodies including a National AI Committee and an AI Safety Research Institute who will be tasked with developing and promoting policies, and an AI Policy Centre which will be responsible for carrying out the tasks necessary to implement such policies
to support initiatives to promote AI development such as to encourage research and development, promote academia by securing experts and support infrastructure such as AI data centres
to develop safe and reliable basic regulations in relation to High-Risk AI Systems, to minimise any potentially detrimental effects on society
South Korea's Ministry of Science and ICT (MSIT) issued a press release highlighting the significance of the AI Act (in Korean), and South Korea's data protection authority (the PIPC) has emphasised that supporting South Korea’s AI transformation is a key priority for 2026.
Egypt - Executive PDPL Regulations published
The government of Egypt has published the long-awaited Executive Regulations accompanying the Egyptian Personal Data Protection Law (the PDPL). The PDPL was originally passed in 2020 but could not come fully into effect until the passage of the Executive Regulations, which take the PDPL from being a principles-based set of rules to a clear and detailed legal framework. There is a grace period for compliance until 31 October 2026 and, given delays in publication of the Executive Regulations in the Official Gazette, our local counsel in Egypt expect the regulator to show flexibility on the deadline and to focus initially on larger-scale handlers of personal data.
Controllers and Processors are obliged to obtain a general ongoing license or a permit from the PDPC for processing personal data, with a specific license or permit also required for: the processing of sensitive personal data; cross-border data transfers; video surveillance; and electronic direct marketing. International transfers must be limited to countries identified in the initial authorisation, protected with appropriate security measures, documented in detailed records, and based on data subject consent. Our local counsel has confirmed that the publication of a so-called whitelist for adequate jurisdictions is pending, and further guidance from the regulator is anticipated. There are also new obligations to appoint a data protection officer and, in the case of foreign entities, a local representative.
Sweden - Cybersecurity Act comes into force
On 15 January 2026, the Cybersecurity Act came into force in Sweden, which implements the NIS2 Directive. Practical information about the Act is available on the Swedish civil defence and resilience agency (MSB) website. The Act applies to a broad range of organisations across the 18 sectors set out in the Annexures to the NIS2 Directive, with certain sectors in Annex I considered to be of high criticality (which includes, for example, banking, financial market infrastructure, health, and digital infrastructure).
In general, the Act applies to organisations that are at least medium-sized, although some organisations are covered regardless of size (for example, providers of public electronic communications networks, or where the organisation is the sole provider of an essential service for critical societal or economic activities). It is important to note that the Act applies to the entire operations of an entity, rather than just the part of the entity that falls within the regulated activity. There is a distinction between “essential” and “important” entities, with essential entities including larger-sized organisations that are considered high criticality (as well as certain other specified entities). Key obligations include registration with the MSB, appointment of a representative, implementation of security measures, and incident reporting.
China - Requirement to complete audits on children's personal information
On 29 December 2025, the Cyberspace Administration of China (CAC) issued a notice that requires organisations to submit audit reports on the protection of children’s personal information for the previous year by the end of January each year. This means that organisations need to submit their reports for 2025 by 31 January 2026.
The requirement stems from the Regulations on the Protection of Minors Online and the Measures on the Administration of Personal Information Protection Compliance Audits, and the CAC’s notice clarifies the procedure. Audits may be conducted either internally or by an appropriate professional institution and must cover the organisation’s compliance with laws and regulations in handling minors’ personal information. Compliance reports must be submitted to the municipal cyberspace administration department where the organisation is based.
Read the notice (in Chinese)
United Kingdom - Updated Guidance on International Transfers published
The UK data protection authority (the ICO) has published updated guidance on international transfers as part of its commitment to provide regulatory clarity with a view to increasing innovation in the UK. As part of the update, the guidance now features: a summary of international transfer essentials for fast understanding; a new FAQs section; a three-step test to help organisations assess whether certain activity amounts to a restricted transfer; references to new case law to reflect recent judgments and their impact on organisations in scope; and specific requirements for controllers and processors, including due diligence expectations.
The updated guidance is part of a bigger project of the ICO in relation to international transfers. It also plans to update other sections of the existing guidance, including on Transfer Risk Assessments, the International Data Transfer Agreement, and cloud services. Finally, it intends to publish an interactive tool to assist organisations in determining whether they are making a restricted transfer and issue more examples and case studies.
Saudi Arabia - General Rules for Secondary Use of Data published
The Rules were published by the Saudi Data & AI Authority (SDAIA). They apply primarily to data sharing between public institutions, although they also provide clarity on the secondary use of personal data in the context of data sharing between government and private entities for the purposes of the public interest and fostering research, development, and innovation. The document may therefore be relevant for any commercial organisation that works, or has dealings, with the Saudi state.
In the Rules, "Secondary Use of Data" is defined as "The utilisation of data for purposes other than those for which it was initially collected, including its processing in activities pertaining to research, development, or innovation, and the operations and activities conducted by government entities in pursuit of public interest objectives". The Rules set out the motivations behind their publication (primarily to provide clarity and incentivise data sharing) and list six Principles of Secondary Use. Organisations must ensure: (i) rules are complied with; (ii) responsible use; (iii) data quality; (iv) ethical use; (v) data security; and (vi) that public interest prevails. The Rules then set out controls including ensuring that the data sharing purpose is legitimate and the principle of data minimisation is complied with. Licenses are required where private entities request data sharing from government entities.
See the complementary Data Sharing Policy issued by the SDAIA
Spain - AEPD revamps its FAQs to help SMEs and privacy professionals
The Spanish data protection authority, the AEPD, has revamped its frequently asked questions (FAQs) in order to better support data controllers, particularly SMEs, and privacy professionals. The new-look FAQs improve the presentation of the topics covered, thereby making them more accessible, provide practical content, and include new categories focusing on: basic data protection concepts; data controllers’ obligations, particularly in relation to SMEs, including helpful tools (e.g. in relation to records of processing activities (ROPAs)); and template clauses and forms, such as in relation to the provision of privacy information, CCTV signage and ROPAs.
The initiative forms part of the AEPD's Strategic Plan 2025-2030 and the FAQs address the topics raised by more than 200 queries from data controllers and members of the public.
Read the AEPD’s press release
Australia - Guidance on managing cybersecurity risks of AI
On 14 January 2026, the Australian Signals Directorate (ASD) and Australian Cyber Security Centre (ACSC) published guidance on managing cybersecurity risks of artificial intelligence. The guidance aims to explain the key cybersecurity risks of small businesses adopting cloud-based AI technologies and how to mitigate them, for example in relation to: (i) data leaks, (ii) privacy breaches, (iii) reliability of AI outputs, and (iv) supply chain vulnerabilities.
The guidance makes a number of recommendations for organisations to manage the key risks, such as: (i) documenting internal AI usage policies, (ii) providing appropriate staff training on the responsible and safe use of AI, (iii) removing or anonymising personal details before uploading data to an AI application, (iv) conducting due diligence on third-party providers and the supply chain, and (v) ongoing monitoring of outputs and human oversight, especially in decision-making processes for high-stakes operations. In addition, the guidance provides a practical example of secure deployment of AI chatbots and a checklist for organisations to work through and use to verify data ownership, evaluate AI vendor security compliance frameworks such as ISO 27001, and establish incident response mechanisms for AI-related cybersecurity events.
Read the latest ASD press release
How Rulefinder Data Privacy can help
Our subscribers hear about these and other privacy law developments as soon as we cover them.