The new year will bring continued focus on the EU digital omnibus, GDPR reform in the U.K. and EU, AI governance, and cross-border data transfers, privacy lawyers predicted.
Cross-Border Data and Transfers
Cross-border data transfers are a flashpoint in global privacy law, particularly between the EU and U.S. Mechanisms like the EU-U.S. Data Privacy Framework and Standard Contractual Clauses face ongoing scrutiny by courts and regulators as global corporate operations must sync with divergent national regulatory environments. This legal uncertainty has pushed companies to adopt more rigorous transfer impact assessments and contractual safeguards. This page tracks regulatory developments, enforcement actions, and emerging requirements for international data flows.
Vietnam's new Law on Personal Data Protection (PDP Law), expected to take effect Jan. 1, is part of the country's "sweeping transformation of its data protection and governance framework," the Future of Privacy Forum (FPF) said in an issue brief Friday. It urged businesses to start preparing to comply.
The European Commission renewed its two decisions allowing personal data flows between the EU and the U.K., it said Friday. It found that Britain's data protection legal framework is essentially equivalent to the EU's.
Concerns about whether proposed changes to the GDPR in the European Commission's digital omnibus package could harm data flows between the EU and the U.K. are a "storm in a teacup" aimed at pressuring the EC's proposals, Shoosmiths privacy lawyer Alice Wallbank emailed us Monday.
Privacy professionals expected more states to enact comprehensive privacy laws this year, but none of the bills introduced this year crossed the finish line, they said Thursday on a TrustArc webinar. Instead, states passed narrowly tailored privacy legislation or amendments to existing laws. In addition, several court decisions and enforcement actions drilled deep into top privacy issues, the privacy pros said.
As lawsuits over tracking technologies increase rapidly, some courts have managed to narrow the scope of older statutes, countering the litigation wave, said panelists during an Interactive Advertising Bureau (IAB) webinar Wednesday. But other courts remain split on the reach of these laws, they added.
Shadow AI remains a significant challenge for businesses, said panelists during a Practising Law Institute webinar Monday. They discussed an IBM Cost of a Data Breach 2025 report that focused on the problem of employees using AI platforms that aren't sanctioned by the workplace.
India's detailed Digital Personal Data Protection Act (DPDPA) will potentially be a substantial compliance burden for companies, Kochlar & Company technology attorney Stephen Mathias said in a Hogan Lovells podcast Thursday.
A service for making AI-generated apps said it’s embracing privacy by design by integrating an AI-powered code scanner.
BigID added data mapping using agentic AI to its privacy compliance software, the vendor said Wednesday. The feature automates and visualizes personal data flows, it added. “BigID uses agentic AI to interpret Record of Processing Activities (RoPA) details and dynamically map data collection, use, transformation, and transfers -- surfacing risky or unintended flows to help mitigate the risk of compliance issues or audit failures.”