Hello Friends,
As organizations increasingly rely on cross-border data flows, conducting Transfer Impact Assessments (TIAs) has become a critical part of modern data protection programs. TIAs help organizations evaluate whether personal data transferred outside a jurisdiction remains protected against access, misuse, or conflicting legal requirements in destination countries.
With evolving regulatory expectations under frameworks such as the GDPR and emerging global data transfer regimes, organizations are expected to assess legal risks, implement appropriate safeguards, and document decision-making processes. A structured approach to TIAs enables organizations to reduce compliance risks, demonstrate accountability, and maintain trust while supporting global business operations.
Enjoy reading!
Privacy Enforcement
New York: Senate passes bill on additional protections for sensitive health information
The New York State Senate approved Senate Bill 1633A, amending the state’s Public Health Law to strengthen privacy protections for sensitive health information. The legislation requires health information networks, electronic health record (EHR) systems, and healthcare providers to give patients a right to restrict disclosures of their private health data. It expands definitions around sensitive health information and mandates clearer safeguards for how it’s shared outside healthcare entities, reflecting growing concerns around consumer control and data privacy in health ecosystems. The bill’s passage underlines heightened legislative focus on health data privacy rights at the state level. Read More
South Korea: MOIS announces Public AI Act passes National Assembly
South Korea’s legislative landscape saw a major shift with the passage of its Public AI Act, marking a significant step toward formal AI regulation in the country. The act establishes a regulatory framework for the development, deployment, and oversight of artificial intelligence systems, emphasizing trust, transparency, safety, and accountability. Key provisions define obligations for AI operators, including risk mitigation and transparency standards, particularly around high-impact AI applications. This law signals South Korea’s intent to balance rapid AI innovation with robust governance, setting expectations for ethical and privacy-aware AI practices across both public and private sectors. Read More
Taiwan PDPC Preparatory Office Announces Draft Regulations for Public Consultation
Taiwan’s Preparatory Office of the Personal Data Protection Commission (PDPC) issued a public notice announcing draft Regulations Governing Security Maintenance and Management of Personal Data Files, marking a key step toward strengthening personal data governance. The draft proposes baseline security requirements for data controllers and processors, clarifies obligations related to safeguarding personal information, and invites public and private sector feedback during a consultation period. This initiative reflects Taiwan’s efforts to build out detailed regulatory frameworks under its evolving PDPA regime and signals heightened expectations around data security and compliance standards ahead of the PDPC’s full establishment. Read More
Data Breach
Italy: Garante Fines Pioneer Hi-Bred €120,000 for Unlawful Employee Monitoring
Italy’s data protection authority, the Garante, fined Pioneer Hi-Bred Italia Sementi €120,000 for unlawfully monitoring staff communications and IT usage without a legal basis or proper transparency. The investigation found the company collected and processed employees’ personal data beyond what was necessary for legitimate operational purposes, breaching core GDPR principles including purpose limitation and transparency. The Garante’s action underscores European regulators’ growing scrutiny of workplace surveillance practices and highlights the need for employers to ensure any monitoring complies with strict data protection requirements and provides clear employee notice. Read More
UK: ICO Fines Two Firms £125,000 for Nuisance Marketing Breaches
The UK Information Commissioner’s Office (ICO) slapped a combined £125,000 fine on Allay Claims Ltd and ZMLUK Limited for sending unlawful marketing communications without valid consent. The enforcement stemmed from breaches of UK privacy and electronic communications rules, which require organizations to obtain explicit consent before sending direct marketing messages or contact attempts. The decision reinforces that privacy regulators continue targeting unsolicited communications and consent failures, even among smaller businesses, underlining the importance of strict adherence to consent and electronic marketing standards to protect individuals’ data and privacy preferences. Read More
Privacy in Spotlight
Finland: Traficom Publishes Guidance on AI Agent Cybersecurity
Finland’s Transport and Communications Agency Traficom published an article highlighting information security and cybersecurity risks related to AI assistants and similar automated systems. The guidance outlines potential vulnerabilities in how AI agents communicate, access networks, and process data, and it provides practical recommendations to manage those risks in organizational settings. Traficom stresses the importance of assessing and mitigating threats that can arise from AI-enabled tools — especially where they interact with sensitive information or critical systems. This publication signals regulators’ increasing focus on combining AI innovation with robust security and privacy safeguards. Read More
Finland: Supreme Administrative Court Upholds Insurers’ Processing of Health Data for Applications
Finland’s Supreme Administrative Court upheld a lower court decision confirming that insurance companies may process health data to assess applications before a contract is in place without breaching data protection law. The ruling clarified that such processing, when necessary and proportionate for claims handling, does not violate GDPR principles, and reinforced the compatibility between the Finnish Traffic Insurance Act and EU data protection standards. This decision offers important guidance on the lawful use of sensitive health information in insurance contexts. Read More
Regulations
UK: Cyber Security and Resilience Bill — Key Points for Organisations
The UK’s proposed Cyber Security and Resilience Bill represents a significant shift toward more stringent cyber risk management. This legislative proposal would create enhanced requirements for businesses and critical infrastructure operators to identify, mitigate, and respond to cyber threats. Key elements include mandatory incident reporting, stronger governance expectations, and extended oversight of supply chain and digital service providers. The Bill aims to improve organizational resilience by ensuring proactive cyber defenses, structured risk governance, and clear accountability lines. Privacy and data protection professionals should prepare for greater alignment between cyber security frameworks and regulatory expectations under this evolving regime. Read More
EU AI Office Publishes First Draft Code of Practice
The European Union’s new AI Office released its first Draft Code of Practice for Trustworthy Artificial Intelligence, signaling practical steps toward aligning AI deployments with data protection and privacy principles. The draft code outlines recommended practices for transparent, secure, and fair AI system design, with particular emphasis on risk assessment, data quality, privacy safeguards, and documentation throughout the AI lifecycle. It serves as a complementary governance tool to existing AI and data protection laws, offering organizations a framework to operationalize ethical AI principles and prepare for forthcoming regulatory requirements. Public consultation will inform the final version. Read More