
Hello Friends,

As organizations grow and operate across multiple regions, personal data often moves across borders through global tools, partners, and cloud services. Managing these cross-border transfers has become essential as regulators tighten rules on where data can travel and how it must be protected. Under emerging frameworks like the DPDPA and long-standing laws such as the GDPR, companies are expected to maintain clarity on their international data flows and ensure that appropriate safeguards are in place.

Reviewing existing transfers, updating contractual protections, and assessing third-party risks can help organizations stay compliant and strengthen trust with their customers. Taking early steps in this direction can reduce operational risks and support smoother global operations.

Enjoy reading!

 

Privacy Enforcement

UK: ICO fines LastPass £1.23M for data security failures following data breach

The UK Information Commissioner’s Office fined LastPass £1.23 million after finding serious security shortcomings that led to a data breach affecting over 1.6 million UK users. The ICO concluded that LastPass failed to implement appropriate technical and organisational measures to protect personal data. The case highlights the importance of strong security controls, risk assessments and timely safeguards for password management and authentication services.


Spain: AEPD fines The Red Kiwi €30,000 for WhatsApp data breach exposing clients' health-related data.

Spain’s data protection authority, the AEPD, fined The Red Kiwi €30,000 after a data breach involving the disclosure of health-related personal data via WhatsApp. The authority found that the organisation failed to ensure appropriate security when processing sensitive information. The decision reinforces GDPR obligations to protect special category data and to carefully assess the risks of using messaging platforms for business communications.


UK: ICO fines Capita plc and Capita Pension Solutions a combined £14M following data breach.

The UK ICO imposed a £14 million fine on Capita plc and Capita Pension Solutions following a cyber incident that exposed personal data of approximately 6.6 million individuals. The regulator found inadequate security measures and weaknesses in systems used to protect sensitive information. The enforcement action underscores the need for large service providers to maintain robust cybersecurity practices, especially when handling high volumes of personal and pension-related data.


Data Breach

Coupang data breach — 33M+ customers affected.

Coupang, South Korea’s largest e-commerce platform, suffered a massive data breach affecting more than 33 million customers. Exposed information reportedly includes names, contact details and delivery data. The breach triggered significant public backlash and regulatory scrutiny, leading to the CEO’s resignation. Authorities are now investigating compliance failures, and Coupang has pledged to strengthen cybersecurity measures and improve safeguards to prevent future incidents.


Q3 2025: Over 23 million Individuals Impacted by Reported Breaches.

According to the Identity Theft Resource Centre, more than 23 million people were affected by publicly reported data breaches in the third quarter of 2025. The report highlights an increase in both the volume and sophistication of cyberattacks across sectors, including healthcare, retail and financial services. The trend demonstrates that organizations continue to struggle with securing large-scale data environments, prompting renewed calls for stronger breach prevention, monitoring and incident response practices.


Privacy in Spotlight

Personal data as a dual-use technology: Privacy professionals face new export controls

U.S. privacy professionals increasingly face national security rules treating personal data as a dual-use technology. New laws like the TikTok ban, PADFA and the DOJ Bulk Data Rule restrict access to Americans’ sensitive data by foreign adversaries and broaden enforcement powers. CFIUS actions and export control policies now regularly consider data risks. Organizations must strengthen data mapping, coordinate with cybersecurity teams, monitor evolving definitions and build national security expertise into privacy programs.


New developments in global adequacy capabilities.

Global data flows are essential for modern business, but rising privacy concerns have led many countries to restrict transfers to jurisdictions that lack “adequate” data protection. Many nations now model their laws after the GDPR and issue adequacy decisions or whitelists to enable smoother cross-border transfers. Criteria often include strong privacy laws, independent regulators and rights protections. Approaches vary widely, but growing international alignment and interoperability aim to simplify transfers, improve trust and support global data exchange.


Regulations

Gambia: National Assembly passes Personal Data Protection and Privacy Bill, 2025

The National Assembly of Gambia has passed the Personal Data Protection and Privacy Bill, 2025, marking a major step in establishing a formal data protection framework in the country. Once signed into law, it will introduce comprehensive privacy rules governing the collection, storage and use of personal data. The legislation aims to strengthen individual privacy rights, set clear compliance obligations for organisations and enhance trust in digital services across Gambia.


European Commission proposes significant reforms to GDPR, AI Act.

The European Commission released its Digital Omnibus and Digital Omnibus on AI proposals to simplify EU digital regulation and support innovation. The packages introduce targeted GDPR amendments, clarify legitimate interests for AI uses, streamline cookie choices, create a single breach-reporting portal and adjust AI Act timelines, especially for SMEs. They also expand data access and refine Data Act rules. Reactions are sharply divided, and the proposals now move into trilogue negotiations for further debate.
