top of page
Search

Global Privacy Watchdog Compliance Digest: June 2025 Edition

Updated: Jun 26


🌍Introduction

Your trusted monthly briefing on the frontlines of global artificial intelligence (AI) governance, data privacy, and data protection. Each edition delivers rigorously verified, globally sourced updates that keep AI governance, compliance professionals, data privacy, and data protection practitioners ahead of fast-moving legal, regulatory, and enforcement developments.


In this June 2025 issue: The “Topic of the Month” examines the expanding role of smart city infrastructure and predictive sensors in urban data ecosystems, revealing how real-time monitoring poses new privacy and surveillance risks. The use of these technologies raises challenges around consent, re-identification, and governance gaps. We also provide a comprehensive global roundup of new AI governance, regulatory trends, cross-border enforcement activities, data privacy, and data protection laws and regulations.


🌍 Topic of the Month: Privacy in Predictive Infrastructure – Smart City Sensor Data and Public Trust

🧭 The Governance Dilemma

Public infrastructure frequently operates in a regulatory gray zone when it comes to data governance. Private-sector systems are typically held to strict standards under laws and regulations, such as the European Union’s General Data Protection Regulation (EU GDPR) or Singapore’s Personal Data Protection Act. Cities often face a regulatory void in terms of data protection when implementing digital infrastructure. They are not always subject to the same obligations as national governments or private entities (Organization for Economic Cooperation and Development, 2023; Tonsager & Ponder, 2023; Wernick & Artyushina, 2023b).


Sensor networks in smart cities are often installed without conducting data protection impact assessments (DPIAs), privacy impact assessments (PIAs), or similar privacy risk assessments (Vandercruysse et al., 2020). There is also no engaging in meaningful public consultation (Christofi, 2023; European Data Protection Board, 2021). These systems collect behavioral, biometric, and environmental data. When aggregated or correlated with auxiliary sources, they can enable invasive forms of profiling without public awareness or accountability (Fabregue & Bogoni, 2023; Happer, 2025).


A primary concern lies in public-private partnership models, where municipal governments outsource smart infrastructure to technology vendors. These arrangements often lack enforceable clauses around data ownership, use, storage, or monetization. They often leave residents subject to commercial data processing with minimal redress (Pavel, 2022).

This opacity erodes civic trust and blocks the exercise of legally protected rights, including access, correction, erasure, or objection to processing. In many cities, there is no precise mechanism for individuals to discover what infrastructure is collecting their data. They do not know who controls it or how long it will be retained (Nougreres, 2022; United Nations Human Rights Office of the High Commissioner, 2022a).


To address these governance gaps, legal scholars and policy institutions recommend a set of concrete measures tailored to smart city deployments: sensor-specific DPIAs, public registers of sensor infrastructure, and privacy-by-design requirements in procurement contracts. While not yet universally mandated, these tools are gaining traction as best practices that can elevate municipal data systems to the accountability standards expected of digital platforms (Christofi, 2023; Organization for Economic Cooperation and Development, 2023).


🔍 Sensor-Based Profiling and Re-Identification

At first glance, many smart city systems appear privacy-neutral. However, even “anonymized” sensor datasets, from traffic or pollution monitors, can be re-identified when linked to auxiliary sources (e.g., mobile phone signals, utility logs) (Clarence, 2020; Mah, 2022). This risk has been documented in smart city privacy reviews (Happer, 2025). Re-identification of smart city sensor data can exacerbate existing inequities, disproportionately impacting individuals and communities that are less able to contest pervasive surveillance (Pavel, 2022; United Nations Human Rights Office of the High Commissioner, 2022b).


This enables latent profiling, which is a form of silent surveillance. It reconstructs behavioral patterns, including routines, frequented locations, and inferred demographics. These risks are increasingly recognized in the context of public space data collection by organizations like the Organization for Economic Cooperation and Development and the United Nations.

Moreover, anonymization is no longer sufficient (Ji et al., 2024). Anonymized sensor data is increasingly vulnerable to re-identification. Studies have shown that machine learning (ML) models can extract identifying features from video feeds, environmental sensors, and Internet of Things (IoT) metadata. It can occur even when personally identifiable information has been removed (Ji et al., 2024).


Moreover, anonymization alone is increasingly ineffective. Advanced AI techniques have proven capable of re-identifying individuals from datasets previously considered anonymous. Examples include call logs and sensor recordings, which have enabled the retrieval of identities with accuracy in some cases (Ji et al., 2024). Without robust re-identification risk assessments, strict retention limits, and usage controls, public infrastructure is sliding toward unregulated surveillance.

To counteract this, urban stakeholders must:

  1. Conduct re-identification risk assessments before data release.

  2. Enforce strict data retention and alignment with intended purposes.

  3. Audit vendor access and algorithmic logging.

  4. Engage impacted communities in decisions about public data exfiltration.


Without such guardrails, surveillance risks can become normalized and invisible when powered by re-identification. They can erode civic trust and undermine ethical urban development.


⚠ Core Privacy and Ethical Risks 

Smart cities promise real-time efficiency, but they also introduce a new layer of ethical complexity. One that intersects infrastructure, surveillance, and digital rights. Below are three critical risk categories that define the data governance challenge in urban environments:

  1. Consent and Transparency

a.    In urban public spaces, meaningful notice or consent is rare. Sensors operate silently, tracking movement, behavior, and environmental changes, with no signage, disclosure, or recourse for residents. Unlike online platforms where users encounter consent banners or opt-out options, the physical world offers no such transparency. This creates "false neutrality": an assumption that presence equals consent. This invisibility undermines individual agency and erodes democratic trust.

b.    Academic studies confirm this opacity:

i. In Norval & Singh’s 2024 paper, the authors highlight a key transparency

A challenge in IoT environments. “As our physical environments become

ever‑more connected, instrumented, and automated, it can be increasingly

difficult for users to understand what is happening within them and why" (p.

7583).

               ii. A 2025 U.S. Government Accountability Office report on smart-city technology emphasized the need to provide individuals with information about the benefits and risks associated with using innovative technologies. (United States Government Accountability Office, 2025). It also highlights the fact that individuals are often unaware of the potential risks associated with the misuse of their data (United States Government Accountability Office, 2025).


Without clear disclosure, individuals cannot participate meaningfully in debates over data collection limitations and data minimization. Public spaces become invisible surveillance zones, thereby reducing civic voice and accountability.


Accountability Gaps

Smart city data governance is frequently fragmented. Municipal departments, public utilities, private vendors, and third-party processors all touch data systems. However, no single entity holds end-to-end responsibility. This fragmentation allows misuse through mechanism drift, unauthorized sharing, or algorithmic bias to slip through policy cracks.

Procurement contracts in smart city initiatives often fail to meet the expected level of data diligence.


A 2023 paper by the SPECTRE project (Vandercruysse et al., 2020) found that many public–private agreements do not clearly define roles or responsibility for data governance. They also do not grant audit rights, enforceable privacy standards, or breach notification protocols. These governance voids mean residents lack formal recourse when civic data deployments harm privacy or security.


The Organization for Economic Cooperation and Development’s “Smart City Data Governance” report (2023) highlights the systemic nature of this issue. It notes that urban data flows often exceed the capacity of municipal data management. Limited resources, insufficient regulatory provisions, and absent oversight frameworks leave smart city systems vulnerable to misuse and public distrust. They require robust contractual mandates, operational clarity, or regulatory oversight. Otherwise, these communities face a governance vacuum that erodes trust and limits their options for redress.


Security Vulnerabilities

Urban infrastructure is increasingly proliferated with IoT technologies of every type. However, many of these devices lack basic security protocols, such as encryption, patch management, or robust access controls (Moore, 2020; TrustArc, n.d.). This insecurity leaves smart-city systems exposed to cyberattacks, personal data breaches, and service disruptions.


These threats are not theoretical. Cybercriminals have already leveraged hijacked municipal devices to launch ransomware against critical services, including water systems and power grids, alongside widespread sensor manipulation, data theft, and distributed denial-of-service campaigns (Chauhan, 2024; Institute for Defense and Business, n.d.; Rambus, n.d.). For instance, poorly secured smart meters and environmental sensors were identified as entry points in municipal cyberattacks. These security gaps highlight that insecure IoT devices compromise both individual privacy and urban resilience.


These core risks will not resolve themselves. They create security vulnerabilities because of the lack of deliberate legal regulation, secure technical design, and continuous institutional oversight. These issues will only worsen over time as smart city technologies become more ubiquitous in everyday life.


🌐 Emerging Urban Data Frameworks 

While smart city data systems pose growing risks, a global wave of initiatives from 2022 to 2025 demonstrates that governments worldwide are actively embedding privacy, transparency, and equity into urban data governance. These actions are not theoretical; they are real-world models reshaping public-tech norms.


Long Beach, California – Digital Rights Platform (2024): In early 2024, Long Beach launched a Digital Rights Platform, detailing smart city systems in a public-facing portal. The initiative includes real-time deployment maps, transparent explanations of data use, and community feedback mechanisms. It is one of the first U.S. cities to operationalize large-scale civic data transparency (Kurtzman, 2025). One standout example is the following case study developed from Long Beach’s 2024 initiative, which illustrates what civic transparency looks like in action.

  1. Overview: In 2024, the City of Long Beach launched one of the first U.S. municipal platforms dedicated to smart city data transparency.

  2. Core Features:

    1. Interactive map of sensor deployments

    2. Plain-language data use descriptions

    3. Community feedback integration

    4. Advisory council for digital equity and privacy

  3. Why It Matters: Long Beach’s initiative turns smart city data governance into a public-facing system. It operationalizes transparency, enables resident input, and sets a replicable precedent for U.S. cities pursuing privacy-by-design in civic infrastructure.

  4. Link: https://longbeach.gov/smartcity/


OECD “Smart City Data Governance” Report (2023): This study series report outlines seven pillars for robust municipal data systems, highlighting ongoing efforts in cities such as Aizuwakamatsu, Japan; Curitiba, Brazil; and Vienna, Austria. It recommends clear data roles, public registries, and interoperable infrastructures, pushing local governments to align civic technology with human-centric and rights-based design practices (Lee, 2025; Organization for Economic Cooperation and Development, 2023).


UN-Habitat “World Smart Cities Outlook”: Published by UN-Habitat (2024), this report promotes implementing citywide civic consultations, open data governance frameworks, and ethical sensors labelling. It features pilot projects in Santiago and Nairobi, where residents co-design sensor placements and retention protocols. It shows that shared civic infrastructure can respect local norms and rights (UN-Habitat, 2024).


The Long Beach portal, the Organization for Economic Cooperation and Development guidance, and UN-Habitat's participatory pilots demonstrate that smart cities can deliver efficiency and inclusivity without sacrificing transparency or privacy. Far from tradeoffs, these initiatives offer proven frameworks for cities seeking to embed governance by design in public technology.


⚠Table 1 highlights how leading cities and frameworks are operationalizing principles of transparency, accountability, and civic participation in smart city deployments. While each model varies in scope, all represent emerging approaches to embedding digital rights into public infrastructure through policy, design, and community oversight.


Table 1: Governance Features Matrix

City/Framework

Public Sensor Registry

Real-Time Data Use Disclosure

Citizen Feedback Mechanism

Governance-by-Design Tools

Vienna (OECD case)

✔ Yes

❌ No

✔ Yes

✔ Yes

Long Beach, CA

✔ Yes

✔ Yes

✔ Yes

✔ Yes

Nairobi (UN-Habitat)

✔ Yes

✔ Yes

✔ Yes

✔ Co-design protocols

Santiago (UN-Habitat)

✔ Yes

✔ Yes

✔ Yes

✔ Consent-informed zoning

Note. Table 1 reflects forward-looking analysis based on current regulatory guidance, institutional reports, and municipal pilot initiatives. Source materials include the OECD’s Smart City Data Governance report (2023), the EDPB–EDPS Joint Opinion on the AI Act (2021), the UN-Habitat World Smart Cities Outlook (2024), and city-level frameworks implemented in Helsinki, Long Beach, and Singapore between 2023 and 2025. While grounded in credible documentation, the projections are interpretive and do not represent binding legal obligations as of June 2025.


🧭 Legal and Regulatory Outlook

 Smart city governance is shifting rapidly. As predictive infrastructure and sensor networks become embedded in public space, regulators are moving from voluntary guidance to enforceable rules. Cities are now expected to demonstrate not only innovation. They must also demonstrate rights-based accountability in how they collect, share, and govern civic data.

✅ DPIAs Are Becoming a Municipal Baseline: The EDPB–EDPS Joint Opinion on the EU AI Act confirms that high-risk AI systems in public space must undergo DPIAs under the EU GDPR’s Article 35 (European Data Protection Board, 2021). This applies whether cities or private vendors operate the technology, especially when opt-out or transparency mechanisms are absent.


✅ OECD Sets Global Governance Expectations: The Organization for Economic Cooperation and Development’s Smart City Data Governance Report (2023) outlines seven pillars of municipal accountability, including sensor registries, open data use disclosures, and civic oversight. These are increasingly treated as the foundation for future-ready smart city lawmaking.

✅ UN-Habitat Calls for Rights-Centered Urban Policy: The UN-Habitat World Smart Cities Outlook (2024) advocates for cities to integrate pre-deployment privacy and human rights assessments into all urban technology projects. It advocates for it, especially where data collection could reinforce social inequities. It promotes inclusive sensor placement strategies and co-governance with civil society.


🔍 Examples of Evolving Practice (2023–2025)

As regulatory frameworks mature, several cities have moved beyond pilot programs to implement operational models that integrate privacy, transparency, and community oversight into smart infrastructure. These initiatives demonstrate how forward-thinking municipalities are aligning with rights-based governance. They are often able to anticipate national mandates or supranational guidance. The following examples reflect practical, scalable steps toward embedding accountability in urban data ecosystems:

1.    Helsinki has developed a Smart Data Permit model to align sensor use with EU GDPR standards (Wernick et al., 2023a).

2.    Long Beach, California, launched a digital rights platform that maps public tech, offers plain-language data notices, and includes a resident advisory council.

3.    Singapore’s 2024 Model AI Governance Framework requires risk classification and governance controls in all municipal AI deployments.


📈 What to Expect Through 2027

⚠ Table 2 reflects forward-looking analysis based on current policy trends, expert recommendations, and municipal pilot programs. These developments are projected. They are not codified or universally mandated as of June 2025.


Table 2: Anticipated Policy Trends in Urban Data Governance (2025–2027)

Regulatory Focus Area

Projected Trend (2025–2027)

DPIAs for municipal AI/sensors

From encouraged → mandated in EU, UK, SG

Sensor registries

Pilots are evolving into legal requirements.

Procurement privacy clauses

Standardized across national grant programs

Resident oversight mechanisms

Enshrined in municipal digital charters

Note. Table 2 is based on publicly available documentation and pilot program reports from municipal governments and international policy bodies. Feature classifications reflect operational practices and published initiatives in Vienna (via OECD, 2023), Long Beach (City of Long Beach Smart City Program, 2024), Nairobi and Santiago (UN-Habitat World Smart Cities Outlook, 2024). Entries indicate the presence of formal policies or tools such as sensor registries, real-time transparency mechanisms, community feedback integration, and privacy-by-design features as implemented between 2022 and 2025. The table is descriptive, not evaluative, and does not imply legal compliance or certification.


🔚 Summary

The regulatory direction is clear: DPIAs, public engagement, and legal transparency are fast becoming prerequisites for smart city legitimacy. Cities that fail to operationalize these protections risk more than reputational harm. They risk noncompliance and public resistance in an increasingly rights-aware era.


đŸ§© Implications for Stakeholders

The regulatory momentum around smart cities makes one thing clear: no stakeholder can afford to be passive, whether public or private, technical, or administrative. Every actor involved in deploying urban technology shares responsibility for its outcomes. Legal compliance, public trust, and ethical resilience depend on more than checklists. They demand active, cross-sectoral participation. Below are key actions each group must consider as part of a responsible and forward-looking smart city strategy:

1.    Citizens & Civil Society: Apply scrutiny to proposed infrastructure projects. Demand participatory DPIAs, PIAs, or other privacy risk assessments that involve local communities and include redressable design changes.

2.    City Authorities: Publish full DPIA. PIA, or similar privacy risk assessment results, sensor maps, opt-out pathways, and grievance procedures prior to launch. Stakeholders should not wait until after they have received public backlash for inaction.

3.    Urban Planners: Integrate sensor-system DPIAs, PIAs, or other privacy risk assessments into all stages from procurement and deployment to post-implementation review. Ensure privacy risk assessments consider social equity, re-identification risk, and human oversight.


❓ Questions for Reflection 

As smart cities embed data collection into the very fabric of urban life, the stakes for ethics and governance grow higher. These systems are not simply passive tools; they shape power, influence behavior, and redefine what privacy means in public space. For leaders, policymakers, and technologists, this moment calls for a more in-depth examination. This inquiry should examine not only what smart cities can do, but also what they should do. The following questions are designed to prompt critical reflection and inform action.


📌 Questions That Demand Action

  1. Who truly governs the data generated by urban infrastructure, and are those governance structures visible, accountable, and just?

  2. Can privacy rights survive in environments where individuals are unable to opt out of surveillance without opting out of society?

  3. Are existing vendor contracts and procurement frameworks strong enough to enforce ethical data use on a scale?

  4. What liability frameworks exist, or need to exist, when public-private AI systems cause harm or erode civil liberties?

  5. Will future generations inherit civic systems built for empowerment, or for quiet control?


🚹 Why It Matters 

For those responsible for compliance, governance, or public trust, smart cities pose a critical challenge. These environments generate massive data flows, which are often captured passively, without the knowledge or meaningful consent of the people involved. This is not a theoretical concern. Governments and organizations are already making decisions that could normalize silent surveillance or strengthen systems rooted in transparency and accountability. The opportunity to embed enforceable rights, auditability, and ethical design is becoming increasingly limited. Those who act now will determine whether smart cities empower citizens or quietly erode their freedoms.


🌍 References 

  1. Chauhan, G. (2024, December 27). What are the security implications of IoT devices in smart cities. HyperSecure. https://www.hypersecure.in/community/question/what-are-the-security-implications-of-iot-devices-in-smart-cities/

  2. Christofi, A. (2023). Privacy Impact Assessments for Smart Urban Systems: Limitations and Proposals. Technology in Society, 75, 102334. https://doi.org/10.1016/j.techsoc.2023.102334

  3. Clarence, J. (2020, May 25). Anonymous no more? Make it a crime to re-identify personal data. Australian Strategic Policy Institute: The Strategist. https://www.aspistrategist.org.au/anonymous-no-more-make-it-a-crime-to-re-identify-personal-data/

  4. DECODE Consortium. (2022). DECODE: Giving people ownership of their data. European Union’s Horizon 2020 Programme. https://decodeproject.eu/

  5. European Data Protection Board. (2023, January 2023). 2022 coordinated enforcement action: Use of cloud-based services by the public sector. https://www.edpb.europa.eu/system/files/2023-01/edpb_20230118_cef_cloud-basedservices_publicsector_en.pdf

  6. European Data Protection Board. (2021, June 18). EDPB-EDPS Joint Opinion 5/2021 on the proposal for a Regulation of the European Parliament and the Council lay down harmonized rules on artificial intelligence (Artificial Intelligence Act). https://www.edpb.europa.eu/our-work-tools/our-documents/edpbedps-joint-opinion/edpb-edps-joint-opinion-52021-proposal_en

  7. Fabregue, B.F.G., & Bogoni, A. (2023, February 10). Privacy and security concerns in the smart city. MDPI. https://doi.org/10.3390/smartcities6010027

  8. Happer, C. (2025, May). Privacy risks and data governance in smart cities: Balancing innovation with citizen rights. ResearchGate. https://www.researchgate.net/publication/391428649_PRIVACY_RISKS_AND_DATA_GOVERNANCE_IN_SMART_CITIES_BALANCING_INNOVATION_WITH_CITIZEN_RIGHTS

  9. Institute for Defense & Business. (n.d.). What are the cybersecurity risks for smart cities. https://www.idb.org/what-are-the-cybersecurity-risks-for-smart-cities/

  10. Ji, X., Zhu, W., & Xu. W. (2024). Sensor-based IoT data privacy protection. Nature Reviews Electrical Engineering, 1, 427-428. https://www.nature.com/articles/s44287-024-00073-2

  11. Kurtzman, R. (2025, April 4). City of Long Beach publishes technology planning and partnerships 2024 annual report. City of Long Beach. https://www.longbeach.gov/press-releases/city-of-long-beach-publishes-technology-planning-and-partnerships-2024-annual-report/

  12. Lee, S. (2025, April 18). A practical guide to smart city public policy. Number Analytics. https://www.numberanalytics.com/blog/practical-smart-city-public-policy-guide.

  13. Mah, P. (2022, January 31). AI can identify people even in anonymized datasets. CDO Trends. https://www.cdotrends.com/story/16165/ai-can-identify-people-even-anonymized-datasets

  14. Moore, M.T. (2020). Smart cities: An inspection of cybersecurity vulnerabilities and prevention. University of Virginia Department of Engineering and Society. https://libraetd.lib.virginia.edu/downloads/jm214p637?filename=3_Moore_Matt_STS_Research_Paper.pdf

  15. Norval, C., & Singh, J. (2024, January 19). A room with an overview: Towards meaningful transparency for the consumer internet of things. arXiv. https://doi.org/10.1109/JIOT.2023.3318369

  16. Nougreres, A.B. (2022, January 13). Privacy and personal data protection in Ibero-America: A step towards globalization. United Nations General Assembly. https://docs.un.org/en/A/HRC/49/55

  17. Organization for Economic Cooperation and Development. (2023). Smart city data governance: Challenges and the way forward. OECD Urban Studies. https://doi.org/10.1787/e57ce301-en

  18. Pavel, V. (2022, November 17). Rethinking data and rebalancing digital power. Ada Lovelace Institute. https://www.adalovelaceinstitute.org/report/rethinking-data/

  19. Rambus. (n.d.) Smart cities: Threats and countermeasures. https://www.rambus.com/iot/smart-cities/

  20. Taylor, L. (2023). Smart cities and the risk of infrastructure bypass. AI & Society, 38(4), 823–835. https://doi.org/10.1007/s00146-022-01439-x

  21. Tonsager, L., & Ponder, J. (2023, March). Privacy frameworks for smart cities. University of Michigan MCity and Covington. https://mcity.umich.edu/wp-content/uploads/2023/03/Privacy-Frameworks-for-Smart-Cities_White-Paper_2023.pdf

  22. TrustArc. (n.d.). Protecting personal data in smart cities: The role of privacy tech. https://trustarc.com/resource/protecting-personal-data-in-smart-cities/

  23. UN-Habitat. (2024). World Smart Cities Outlook 2024. https://unhabitat.org/world-smart-cities-outlook-2024

  24. United Nations Human Rights Office of the High Commissioner. (2022a, October 2022). Privacy and data protection: Increasingly precious assets in digital era says UN expert. https://www.ohchr.org/en/press-releases/2022/10/privacy-and-data-protection-increasingly-precious-asset-digital-era-says-un

  25. United Nations Human Rights Office of the High Commissioner. (2022b, August 4). A/HRC/51/17: The right to privacy in the digital age. https://www.ohchr.org/en/documents/thematic-reports/ahrc5117-right-privacy-digital-age

  26. United States Government Accountability Office. (2025, April). Technology assessment: Smart cities – Technologies and policy options to enhance services and transparency. https://www.gao.gov/assets/gao-25-107019.pdf.

  27. Vandercruysse, L., Christofi, A., Kanevskaia, O., & Wauters, E. (2020). Public procurement of smart city services – Matching competition and data protection. A report in the framework of the SPECTRE research project. SPECTRE Consortium. https://spectreproject.be/

  28. Wernick, A., Banzuzi, E., & Morelius-Wulff, A. (2023a, March 31). Do European smart city developers dream of GDPR-free countries? The pull of global megaprojects in the face of EU smart city compliance and localization costs. Internet Policy Review. https://doi.org/10.14763/2023.1.1698

  29. Wernick, A., & Artyushina, A. (2023b, March 31). Future-proofing the city: A human rights-based approach to governing algorithmic, biometric, and smart city technologies. Internet Policy Review. https://doi.org/10.14763/2023.1.1695


🌍 Country and Jurisdiction Highlights

🌍 Africa

Kenya: Kenya Parliament Passes Proposed 2025 Finance Law

Summary: Kenya’s parliament struck down a proposal granting tax authorities full access to taxpayer records, reaffirming constitutional privacy protections. The decision underscores the judiciary's pivotal role in striking a balance between state surveillance and individual data rights. For data protection professionals, this is a precedent-setting victory for legislative oversight in financial privacy.

🧭 Why It Matters: This decision reinforces the primacy of individual privacy rights even in tax compliance contexts and signals a trend toward stronger judicial oversight of intrusive data access policies.


Regional: AI Readiness Key to Africa’s Future, Say Experts at African Development Bank Side Event

Summary: During a high-profile side event at the AfDB’s 2025 Annual Meetings in

Abidjan, Bank leaders and Google AI Research convened around the theme, “The

AI Revolution: How Will AI Support the Delivery of the African Development

Bank’s 2024‑2033 Strategy?” Panelists emphasized that youth empowerment,

data infrastructure, localized datasets, and digital sovereignty are essential for AI

to drive sustainable development and inclusive growth across the continent.

🧭 Why It Matters: This event reflects a regional consensus that AI is a

developmental imperative—not a luxury—and highlights the need to embed data

governance, infrastructure investment, and culturally aligned ethical norms into

national AI strategies.


Nigeria: NDPC Issues GAID – Key Compliance Insights

Summary: On June 3, 2025, Nigeria’s Data Protection Commission released the GAID under the NDPA 2023, which operationalizes the law with practical guidance on registration thresholds, Compliance Audit Reports (CARs), Data Protection Officer credentialing, audit/DPI schedules, and cross-border transfer mechanisms. The directive also supersedes the earlier NDPR and applies extraterritorially to entities that process Nigerian data, establishing new compliance timelines.

🧭 Why It Matters: GAID transitions Nigeria from a conceptual to an enforceable data protection regime, introducing mandatory accountability structures and widening jurisdictional scope, which significantly heightens compliance expectations for both local and foreign data handlers.


Rwanda: Rwanda Charts a Course for Government Data Sharing

Summary: Rwanda’s phased plan (2025–2029) prioritizes governance frameworks ahead of full-scale public-sector data interoperability. This approach minimizes risk while building trust in national digital transformation. Privacy officers should treat it as a model for implementing data sharing that does not compromise privacy.

🧭 Why It Matters: This strategic rollout model offers valuable lessons on how to scale civic tech and data governance responsibly across developing jurisdictions.


South Africa: South Africa Mandates e-Portal Breach Reporting Under POPIA

Summary: Mandatory breach reporting via a centralized portal strengthens regulatory responsiveness and incident transparency. The move aligns South Africa with international norms while placing additional responsibility on processors. Security and legal teams must review internal breach detection protocols for compliance.

🧭 Why It Matters: By automating breach reporting, South Africa is enhancing regulatory efficiency and improving public accountability in data security incidents.


🌏 Asia-Pacific

Australia: Privacy Gets Teeth – Australia’s New Statutory Tort and How It Might Look in Practice

Summary: Effective 10 June 2025, Australia’s Privacy and Other Legislation Amendment Act 2024 (Cth) introduced a statutory tort granting individuals the right to sue for serious invasions of privacy, including intrusive surveillance or misuse of information. The framework establishes five elements—privacy invasion, reasonable expectation, intentional or reckless conduct, seriousness of harm, and public interest balancing—without requiring proof of economic damage.

🧭 Why It Matters: For the first time, Australians can seek damages directly for privacy harms, significantly raising corporate exposure and necessitating immediate policy adaptations around data handling, monitoring, and legal risk mitigation.


China:

How Some of China’s Top AI Thinkers Built Their Own AI Safety Institute

Summary: A cohort of China’s leading AI researchers, many previously aligned with government projects, launched an independent AI Safety and Development Institute. Its mission was to study “frontier model risks” like hallucinations, misalignment, and emergent behavior. The institute is legally registered as a non-governmental entity and aims to advise policymakers while drawing inspiration from OpenAI, the UK's AI Safety Institute, and the alignment community.

🧭 Why It Matters: This marks a rare instance of civil society involvement in China’s AI ecosystem, expanding the space for technical safety dialogue beyond state-led frameworks. It could potentially shape both domestic policy and China’s alignment with international governance norms.


Promoting AI Security – Privacy Commissioner Publishes “Hong Kong Letter”

Summary: On 9 June 2025, the PCPD published a “Hong Kong Letter” emphasizing the importance for employers to adopt internal policies governing generative AI, supported by its March 2025 Checklist on Guidelines for the Use of Generative AI by Employees. Topics covered include input and output data handling, device access, user accountability, incident reporting, and organizational governance structures to reduce data privacy risks.🧭 Why It Matters: With fewer than 30% of organizations having Gen AI policies, this guidance fills a critical compliance gap by setting clear expectations that align with the Personal Data (Privacy) Ordinance, helping employers manage AI-driven risks proactively.


India:

Google Opens Asia-Pacific (APEC) First Safety Center in Hyderabad; To tackle AI Fraud, Cybercrime; CM Revanth Reddy Hails Telangana’s Tech Rise

Summary: The new center will address cybercrime and AI safety challenges across the region. It symbolizes the alignment between the public and private sectors in tech governance. Organizations should explore collaborative threat-sharing and governance initiatives to enhance their security posture.

🧭 Why It Matters: This move reflects how large tech actors can reinforce national cybersecurity infrastructure and privacy norms through regional hubs.


India Publishes Consent Management Rules Under DPDP Act        

Summary: India’s MeitY released a Business Requirements Document outlining technical and functional specifications for Consent Management Systems under the DPDP Act. Although non-binding, it details essential components of the consent lifecycle. These essential components include dashboards, notifications, user controls, and grievance redress features used to guide future compliance.

🧭 Why It Matters: This early guidance provides practical clarity on GDPR-like consent tools and readies businesses for the upcoming enforcement of India’s data protection regime. 


Regional:

APAC: Emerging Silent AI Risks in Asia-Pacific

Summary: Kennedy's Law outlines how insurers and banks across the APAC

region are encountering hidden (“silent”) AI risks in underwriting, business

interruption, compliance, and reputational realms under legacy insurance

policies not designed for AI-related exposures. As AI integration in financial

services accelerate, organizations must reassess their governance frameworks

to explicitly manage algorithmic risk, data privacy, and regulatory compliance.

🧭 Why It Matters: This signals that AI adoption in financial sectors brings

unanticipated liability and data protection challenges. Executives must

proactively update policies and risk management tools to capture AI-driven

exposures per applicable local and international regulations.


🌏 European Union

Data Protection: Council and European Parliament Reach Deal to Make Cross-Border [EU] GDPR Enforcement Work Better for Citizens

Summary: The Council and European Parliament reached a provisional agreement to streamline the enforcement of cross-border GDPR complaints. It standardizes admissibility rules and creates fast-track procedures to resolve cross-border privacy violations more efficiently.

🧭 Why It Matters: This long-awaited procedural reform reduces bottlenecks and improves citizen access to remedies across EU jurisdictions—an overdue upgrade to GDPR enforcement.


European Commission Hints at Delaying the AI Act

Summary: The European Commission is considering postponing the August 2, 2025, deadlines for general‑purpose AI (GPAI) rules, delaying the Code of Practice and necessary technical standards due to stakeholder pressure and industry concerns.

🧭 Why It Matters: A potential “stop‑the‑clock” on GPAI provisions introduces regulatory uncertainty but may be needed to align technical readiness with policy rollout, balancing innovation risks with implementation feasibility.


European Data Protection Board (EDPB) Publishes Final Version of Guidelines on Data Transfers to Third Country Authorities and SPE Training Material on AI and Data Protection

Summary: The EDPB adopted final guidelines clarifying how controllers should handle third-country access requests under GDPR Article 48, emphasizing court-approved channels and rejecting unilateral foreign access. The board also released AI-focused compliance training tools to support regulators and industry.

🧭 Why It Matters: This guidance strengthens cross-border transfer protections and adds much-needed operational tools for managing AI governance under the EU GDPR.


EU Launches EU-Based, Privacy-Focused DNS Resolution Service

Summary: The EU has officially launched DNS4EU, a privacy-first DNS resolution service that supports DNS-over-HTTPS/TLS, specialized filtering, regional threat intelligence, and full GDPR compliance. Developed by an ENISA-backed consortium led by Czech firm Whalebone, it offers public, government, and telecom-grade options to enhance European digital sovereignty.

🧭 Why It Matters: DNS4EU offers a trusted EU-based alternative to non-EU services (e.g., Google, Cloudflare), ensuring GDPR compliance, reducing data leakage risks, and underpinning pan-European cyber resilience by keeping DNS queries within the EU's jurisdiction.


EU Commission Consultation on High-Risk AI Systems: Key Points for Life Sciences and Health Care

Summary: The European Commission opened a targeted stakeholder consultation to refine the classification and regulation of high‑risk AI systems under the [EU] AI Act, focusing on life sciences and healthcare applications. It invites input on risk management, data governance, transparency, human oversight, and alignment with existing regulations governing medical devices.

🧭 Why It Matters: The outcome will define essential compliance standards across the health and life sciences sectors. It is vital for organizations using AI in regulated industries to prepare for imminent enforcement and harmonized EU-level obligations.


🌎 Eurasia

Kazakhstan’s New AI Law Charts Ambitious Course Inspired by EU

Summary: Kazakhstan’s draft AI law prohibits the use of fully autonomous systems without human oversight and introduces a risk-based classification scheme like the EU AI Act. It outlines strict bans on manipulative AI, proposes sanctions for large-scale violations, and plans to establish a centralized AI platform.

🧭 Why It Matters: Kazakhstan is emerging as a regulatory leader in Central Asia by adopting internationally aligned, human-centric AI norms, which shape future cross-border data governance. It also sets the tone for regional convergence with EU standards.


Russia: The 16-Kilobyte Curtain: How Russia’s New Data-Capping Censorship is Throttling Cloudflare

Summary: Roskomnadzor dramatically intensified its censorship regime in April 2025 by threatening to block VPN providers and critical services, such as Cloudflare, that facilitate circumvention of its restrictions. The agency also references heavy fines and the blocking of authorities under Russia's Personal Data Law, which is now actively enforced.

🧭 Why It Matters: With enhanced blocking and fining powers, Roskomnadzor's tightened oversight creates operational risks for infrastructure providers and international services, warranting reassessment of Russian-connected data flows, localization, and platform strategies.


TĂŒrkiye: TĂŒrkiye’s Cross-Border Data Transfer Regulation

Summary: TĂŒrkiye now mandates SCCs in Turkish with no room for modification. Consent is no longer valid for international data transfers. This demands immediate compliance program adjustments.

🧭 Why It Matters: These rigid requirements redefine how multinationals manage lawful data transfers into and out of TĂŒrkiye, raising the stakes for compliance missteps.


🌍 Middle East

Gulf Cooperation Council:

GCC: AI Companies Should be Wary of Gulf Spending Spree

Summary: The framework introduces four risk tiers for evaluating cross-border transfers. It highlights national security and geopolitical filters. Legal teams must embed these into compliance reviews.

🧭 Why It Matters: The guidelines bring formal clarity and national interest considerations into Saudi Arabia’s maturing data governance framework.


UAE:

Data Privacy Laws in the UAE [2025]: Everything You Need to Know

Summary: A comprehensive guide explains the UAE PDPL requirements, including consent, transparency, data subject rights, breach notification, and cross-border transfer rules. It highlights enforcement penalties and DPO obligations.🧭

Why It Matters: This serves as the first major UAE deep dive in June. It is essential reading for global entities to align with new federal data safeguards and governance standards.


How to Foster AI Implementation and Adoption (UAE)

Summary: The UAE has established national AI sandboxes and policy incubators, released its first Arabic language model (Falcon LLM), and approved an AI ethics curriculum for schools. These steps strike a balance between innovation and citizen trust, as well as cultural context.

🧭 Why It Matters: The UAE’s approach to incremental, values-centered AI adoption offers a replicable model for ethical and culturally aligned innovation across the MENA region.


Rockwell Study: Middle East Manufacturers Lead in Generative AI Adoption

Summary: Rockwell Automation reports that 98% of manufacturers in the UAE and KSA are currently using or planning to use AI/ML tools for quality, cybersecurity, or energy optimization. The region leads globally in practical, ROI-driven AI applications over the next 12 months.

🧭 Why It Matters: Highlights how industrial sectors are implementing generative AI at scale and underscores associated privacy, security, and governance implications for sensitive operational data.


What Comes Next After Trump’s AI Deals in the Gulf

Summary: This article examines the geopolitical, governance, and data sovereignty implications of AI infrastructure deals between former U.S. President Donald Trump and Gulf states such as the UAE and Saudi Arabia. It highlights concerns about surveillance capabilities, legal asymmetries, and the long-term effects of hosting U.S.-controlled AI systems on Gulf soil. The analysis raises concerns about the insufficient contractual safeguards for data access, model transparency, and enforceable rights.

🧭 Why It Matters: These high-profile deals set precedent for public-private AI partnerships in fragile legal contexts, raising urgent questions about long-term data control, accountability, and cross-border governance in one of the world’s most rapidly advancing AI regions.


🌍 North America

Canada

Privacy Commissioner of Canada Hosts Successful Meetings of G7 Data Protection and Privacy Authorities Roundtable

Summary: Canada’s Privacy Commissioner convened the annual G7 Data Protection & Privacy Authorities Roundtable in Ottawa, bringing regulators from all seven nations together to align on AI governance, cross-border privacy concerns, and enforcement cooperation. Discussions included joint approaches to regulating algorithmic risk, facilitating trustworthy AI, and harmonizing Data Free Flow with Trust (DFFT) principles for global interoperability.

🧭 Why It Matters: As a hub for G7 collaboration, Canada is leading international coordination on emerging AI and data governance issues. This signals Canada’s heightened regulatory alignment and elevated expectations for cross-border privacy standards.


Quebec Law 25: What Canada’s New Privacy Law Requires

Summary: This comprehensive guide outlines the final phase of Quebec's Law 25 implementation, including enhanced consent mechanisms, mandatory Privacy Impact Assessments (PIAs), data minimization, breach notification obligations, and a private right of action for individuals. It also notes that the law applies extraterritorially, affecting any organization that handles the personal data of Quebec residents, regardless of their location.

🧭 Why It Matters: Law 25 raises the bar for privacy protections in Canada while aligning it with global standards (like the EU GDPR, etc.). It requires businesses nationwide to implement robust governance frameworks to manage consent, data subject rights, and accountability for breaches.


What Is New with Artificial Intelligence Regulation in Canada and Abroad?

Summary: This article reviews current AI governance trends across Canada, the U.S., and EU, highlighting Canada’s evolving federal and provincial guidance in the absence of binding national AI legislation. It explores risks of fragmentation and emphasizes the need for coordinated oversight mechanisms to address the use of high-impact systems.

🧭 Why It Matters: Without enforceable federal AI laws, Canadian organizations must navigate compliance through voluntary codes and sector-specific rules, requiring adaptive, risk-based governance aligned with international benchmarks.


Mexico:

Mexico Implements New Federal Data Protection Framework

Source           

Summary: Mexico’s newly enacted federal data protection law replaced the 2010 regime on March 21, 2025. The overhaul abolishes INAI, consolidates authority under the Ministry of Anti-Corruption and Good Governance, codifies ARCO-style data subject rights and stricter handling for sensitive data, mandates encryption and audits, and creates specialized courts for data disputes.

🧭 Why It Matters: This represents a major structural and institutional shift. It requires doubling down on centralized oversight, expanding individual rights, and substantially increasing compliance obligations and fines (up to MXN 48.5 million) for data-handling organizations in Mexico.

 

🌍 United Kingdom

Data (Use and Access) Act 2025

Summary: The [UK] Data (Use and Access) Bill received Royal Assent on 19 June 2025, officially becoming the Data (Use and Access) Act 2025. This landmark legislation modernizes UK data protection by introducing recognized legitimate interests, overhauling rules for automated decision-making, easing cookie consent requirements, and establishing frameworks for “smarter data” sharing and digital identity. It also enhances ICO powers, with increased enforcement capabilities and new investigatory authorities.

🧭 Why It Matters: The Act marks a shift toward innovation-friendly privacy laws, striking a balance between individual rights and business utility. It requires organizations to revise internal data governance, update consent and cookie policies, and reassess compliance across digital services.


DNA Testing Firm 23andMe Fined £2.3 million by UK Regulator for 2023 Data Hack

Summary: The ICO fined 23andMe ÂŁ2.3 million after a massive credential-stuffing attack exposed sensitive genetic data of over 150,000 UK users. The firm has since strengthened its authentication protocols and committed to not commercializing genetic data in the event of future ownership changes.

🧭 Why It Matters: This is the first significant UK enforcement action in the fast-growing genetics sector, signaling expanded regulatory scrutiny into ultra-sensitive personal data.


New Guidance to Help Smart Product Manufacturers Get Data Protection Right

Summary: The ICO published its first guidance for IoT manufacturers, emphasizing the importance of privacy-by-design principles across smart speakers, fridges, fertility trackers, and other devices. It urges transparency, data minimization, and robust deletion processes, warning of enforcement action for non-compliance.

🧭 Why It Matters: As consumer IoT proliferation accelerates, this set of guidelines marks a proactive regulatory push to embed data protection in everyday connected devices.


PM Unveils AI Breakthrough to Slash Planning Delays and Help Build 1.5 Million Homes: 9 June 2025

Summary: A new AI-driven tool utilizing Google's Gemini model will accelerate planning permission processes, enabling the review of hundreds of documents in seconds. It aims to reduce administrative bureaucracy and support the government’s housing targets.

🧭 Why It Matters: The integration of AI in public administrative systems highlights the need for transparency, data governance, and fairness in automated decision-making processes.


UK’s First Permanent Recognition Cameras Installed in London

Summary: The Metropolitan Police is deploying the UK’s first permanent facial recognition cameras on Croydon high streets, with data deleted for non-matches and compliance with ethical standards promised. However, privacy advocates warn that the potential normalization of surveillance could occur without strong oversight.

🧭 Why It Matters: As facial recognition becomes part of everyday public life, accountability frameworks must evolve to balance security utility with civil-liberties protections.


UK Organisations Stand to Benefit from New Data Protection Laws

Summary: On 24 June 2025, the ICO released detailed guidance to help UK businesses prepare for compliance with the DUAA, covering lawful basis reforms, automated decision-making rules, and enhanced PECR enforcement. The document includes transition checklists and sector-specific examples.

🧭 Why It Matters: The guidance provides practical clarity for organizations navigating the complex changes introduced by DUAA and supports smoother implementation across sectors.

United States:

Amazon, Google, Microsoft, and Meta Come Together to Fight the US State Government’s AI Restrictions

Summary: Amazon, Google, Microsoft, and Meta are lobbying Congress for a decade-long federal moratorium on AI regulations imposed by individual states, calling for a unified national framework to prevent a fragmented regulatory landscape. The proposal has sparked debate within the tech industry and the Republican Party, highlighting tensions around innovation, consumer protection, and federalism.

🧭 Why It Matters: If enacted, this could hinder state-led AI privacy initiatives and diminish local oversight, underscoring the importance of advocacy at both state and federal levels to strike a balance between safety and innovation.


The Proposed AI Moratorium Will Harm People with Disabilities. Here is How.

Summary: The article warns that a blanket federal moratorium on state AI laws may inadvertently limit AI innovations designed to assist people with disabilities, such as speech recognition, accessibility tools, and personalized learning systems. It argues that state-level experimentation drives innovation and leads to more inclusive AI solutions tailored to the needs of individuals with disabilities.

🧭 Why It Matters: This perspective highlights an important equity dimension. Overly restrictive nationwide policies could hinder advancements in assistive technologies, underscoring the need for nuanced regulatory approaches that both foster innovation and safeguard rights.

 

🌍 Reader Participation – We Want to Hear from You!

Your feedback helps us remain the leading digest for global data privacy and AI law professionals. Share your feedback and topic suggestions for the July 2025 edition: https://www.wix-tech.co/

 

🌍 Editorial Note – June 2025 Closing Reflections

Kenya is blocking fiscal surveillance. The EU is redefining AI transparency. Canada is advancing child privacy dialogues. Gulf states are racing toward AI sovereignty. The message is clear: data governance is no longer about compliance; it is a geopolitical imperative. The tension between acceleration and regulation has never been sharper.


Today, jurisdictions assert control through frameworks, enforcement, legal, and regulatory enforcement. Consequently, organizations must move beyond mere compliance with checkboxes toward anticipatory ethics, interoperable design, and structural accountability.

If “data is the new oil,” then privacy is now the operating system of global trust.

The AI governance, data privacy, and data protection landscapes are no longer defined by what is to come; it is determined by what is already here.


— Chris Stevens


“Privacy is the claim of individuals... to determine for themselves when, how, and to what extent information about them is communicated to others.”— Alan F. Westin, Privacy and Freedom, 1967

 

 
 
 

Comments

bottom of page