top of page
Search

Global Privacy Watchdog Compliance Digest: April 2025 Edition

Enjoy!
Enjoy!

Welcome! The "Global Privacy Watchdog Compliance Digest" is a monthly compliance digest for data privacy and protection professionals interested in global data privacy and protection issues and topics. It compiles paramount data privacy and protection legal and regulatory changes, enforcement actions, and consultations from credible, jurisdiction-specific sources. All entries are fact-checked, cited, and aligned with current laws and regulations.


🇹🇼 China

Personal Information Protection Law (PIPL)


CAC Q&A on Cross-Border Data Transfers: On April 9, 2025, China's Cyberspace Administration released a Q&A that clarified cross-border data transfer rules, including security assessments, standard contracts, and certification mechanisms, to guide foreign businesses on data exports and compliance (china-briefing.com).


Draft Regulation on Certification: China published draft regulations on certification for cross-border data transfers, outlining eligibility criteria, requirements, and procedures for personal information protection certification, offering a tangible compliance route for data controllers (privacymatters.dlapiper.com).


🇪🇺 European Union

General Data Protection Regulation (EU GDPR)


EDPB Annual Report: The European Data Protection Board (EDPB) released its 2024 annual report, outlining key priorities and actions to strengthen and modernize data protection across Europe, including consistently enforcing the GDPR and addressing emerging challenges (edpb.europa.eu).


Proposed EU GDPR Reforms: The European Commission proposes simplifying GDPR compliance, particularly for small and medium-sized enterprises (SMEs), aiming to reduce administrative burdens while maintaining robust data protection standards (politico.eu).


EU AI and EU GDPR


EU AI & EU GDPR Monthly Update: Dentons published its April 2025 update, covering new AI regulations, opinions, court decisions, and implementation use cases across the EU. The update highlights the intersection of artificial intelligence and data protection laws (dentons.com).


🇸🇦 Saudi Arabia

Personal Data Protection Law (PDPL)


Draft Controls for Data Protection: On April 27, 2025, SDAIA released draft controls governing commercial, professional, and non-profit activities related to personal data protection, seeking public feedback to shape the future of data protection in the Kingdom (bytebacklaw.com).


Public Consultation on Implementing Regulations: On April 23, 2025, the Saudi Data and AI Authority (SDAIA) opened a public consultation on proposed amendments to the PDPL's Implementing Regulations, focusing on controller obligations and definitions. The consultation period is open until May 14, 2025 (bytebacklaw.com).


Draft Global AI Hub Law


  • Consultation Open: Saudi Arabia’s Communications, Space and Technology Commission (CST) opened a public consultation on a draft "Global AI Hub Law" to create sovereign AI/data infrastructure.


  • Three AI Hub Models: The draft law proposes that private, extended, and virtual AI hubs be governed by the laws and regulations of guest countries and designated foreign governments via digital embassies and data centers.


  • Key Feature: The law enables foreign entities to host data in Saudi Arabia under their national legal regimes, with potential diplomatic-like privileges.



🇬🇧 United Kingdom

Cyber Security and Resilience Bill


Policy Statement Released: On April 1, 2025, the UK government published a policy statement outlining the proposed Cyber Security and Resilience Bill, which aims to strengthen the UK's cyber defenses and secure critical infrastructure. The bill will expand the regulatory framework, enhance incident reporting, and empower regulators to improve oversight (gov.UK).


🇺🇸 United States

California Privacy Protection Agency (CPPA)


Collaboration with UK ICO: On April 29, 2025, the CPPA and the UK's Information Commissioner's Office (ICO) signed a Declaration of Cooperation to enhance privacy protections through collaboration and information sharing (cppa.ca.gov).


First Enforcement Action: On March 12, 2025, the CPPA announced its inaugural enforcement action under the California Consumer Privacy Act (CCPA), settling with an automaker for $632,500 over alleged violations, including failure to honor consumer opt-out requests (klgates.com).


Public Comment on DROP Regulations: On April 25, 2025, the CPPA opened a public comment period for proposed regulations concerning the Delete Request and Opt-Out Platform (DROP), aiming to streamline consumer requests to delete personal information. The comment period is open until June 10, 2025 (cppa.ca.gov).


US Federal Developments


DOJ Rule on Cross-Border Data Transfers: Effective April 8, 2025, the U.S. Department of Justice restricted U.S. businesses from transferring specific bulk sensitive personal data to entities in countries of concern, including China, Russia, and Iran (lathropgpm.com).


Privacy Act Modernization Act of 2025: In response to concerns over government data collection practices, Democratic Senators introduced legislation to update the 1974 Privacy Act to enhance privacy protections and limit misuse of personal data by federal agencies (wired.com).


Thank you for reading the April 2025 Global Privacy Watchdog Compliance Digest edition. We welcome you to review our next issue in May, where we’ll continue tracking the evolving data privacy and data protection legal and regulatory landscape worldwide with verified, actionable insights.


-Chris Stevens





 
 
 
bottom of page