On 6 May 2025, the California Privacy Protection Agency (CPPA) announced an enforcement action requiring clothing designer Todd Snyder, Inc. to pay a fine of USD 345,178 and adopt new practices to resolve violations of the California Consumer Privacy Act (CCPA). The CPPA alleged that the retailer violated the CCPA by: (i) imposing excessive hurdles for consumer requests to opt out of third-party tracking technologies; (ii) failing to honor these requests because of misconfigurations; and (iii) failing to monitor its consent management platform.
In April, the Information Regulator published amendments to the Protection of Personal Information Act (POPIA) Regulations, significantly enhancing privacy protections for South Africans. These changes simplify the processes for objecting to data processing, requesting corrections or deletions, and obtaining consent for direct marketing. They also introduce new responsibilities for information officers and allow for administrative fines to be paid in installments.
On 19 March 2025, Hong Kong’s Legislative Council enacted the Protection of Critical Infrastructures (Computer Systems) Bill, which was gazetted as the Protection of Critical Infrastructures (Computer Systems) Ordinance (Cap. 653) on 28 March 2025. The Ordinance, which is set to take effect on 1 January 2026, aims to enhance cybersecurity standards for providers of essential services in eight sectors deemed crucial to the normal functioning of society, namely energy, information technology, banking and financial services, air transport, land transport, maritime transport, healthcare services, and telecommunications and broadcasting services, as well as critical societal or economic activities (such as those managing major sports and performance venues, as well as research and development parks) in Hong Kong.
Directive (EU) 2022/2555 on measures for a high common level of cybersecurity across the Union (“NIS2 Directive”) entered into force on 16 January 2023. It had to be transposed into national law by 17 October 2024. Only a small number of member states (among them Hungary, Belgium and Croatia) have transposed the provisions of the NIS2 Directive into national law so far, and it is likely that a significant number of member states will need some time.
In December 2024, privacy concerns were raised after the new Bizfile portal of the Accounting, Corporate and Regulatory Authority of Singapore displayed names and full National Registration Identity Card (NRIC) numbers for free in its search results.
The Personal Data Protection Commission has since clarified the appropriate use and misuse of NRIC numbers.
On 17 December 2024, the Bipartisan House Task Force on Artificial Intelligence released a report on “guiding principles, forward-looking recommendations, and policy proposals to ensure America continues to lead the world in responsible AI innovation.” The report focuses on 15 key areas, including intellectual property, data privacy, healthcare and federal preemption of state law. These principles, recommendations and policy proposals are meant to be a tool rather than the final word on AI. As such, it is anticipated that future AI legislators will use the report to craft AI policy.
Various agencies led by the Department of Trade and Industry (DTI) have signed Joint Administrative Order No. 24-03, Series of 2024, containing the Implementing Rules and Regulations (IRR) of Republic Act No. 11967, or The Internet Transactions Act of 2023 (ITA).
The ITA is intended to regulate e-commerce, protect consumer rights and data privacy, and uphold intellectual property rights.
The IRR clarifies the scope and coverage of the ITA, the enforcement powers of the DTI vis-à-vis other agencies, and the applicable procedure for imposition of fines.
On 27 June 2024, the Personal Information Protection Commission (PPC), Japan’s data protection authority, released the “Interim Report on Considerations for the Triennial Review of the Act on Protection of Personal Information” (“Interim Report”). The Interim Report summarizes discussions within the PPC on issues surrounding the Act on Protection of Personal Information (APPI) from November 2023 to June 2024. The Interim Report is in accordance with amendments made to the APPI in 2020 requiring the PPC to review the provisions of the APPI every three years.
On October 23, 2015, the Portuguese Data Protection Authority issued a statement on transfers of personal data to the US which invalidated the European Commission decision 2000/520/EC (Safe Harbor Decision),