Newsletter

Key global data privacy developments you might have missed (but Rulefinder Data Privacy hasn't) - March 2025

Author: aosphere

31 March 2025


Area: Data privacy


Malaysia - JPDP publishes DPO and Breach Notification Guidelines

On 31 July 2024, the PDPA Amendment Act introduced (among other things): (i) a mandatory requirement for organisations to appoint one or more Data Protection Officers (DPOs) and (ii) a mandatory requirement for controllers to notify the Department of Personal Data Protection (JPDP) and affected individuals in the event of a personal data breach. These requirements will come into force on 1 June 2025 and the JPDP has now published detailed guidelines on both issues.

The DPO guidelines cover the appointment, roles, and responsibilities of a DPO and obligations for organisations to ensure the effective implementation of the DPO role. The breach notification guidelines cover the definition of a personal data breach, the threshold for notification, information to be included, timelines and methods for notification, and various other requirements and considerations.

The guidelines are available here (in Malay)

Switzerland - new critical infrastructure requirements

From 1 April 2025, operators of critical infrastructure will be required to report cyberattacks to the National Cyber Security Centre (NCSC) within 24 hours of discovery. The obligation is the result of an amendment to the Information Security Act (ISA) which was made in September 2023. Only an initial notification needs to be made within 24 hours. Once this is submitted, operators will have 14 days to complete and submit a more comprehensive report. Failure to notify a cyberattack within this timeframe could result in the operator incurring a fine.
 
The relevant reporting forms will be made available on the NCSC's "Cyber Security Hub", although organisations that have not yet registered on the platform can also submit a form via the NCSC website. In addition, the "Cybersecurity Ordinance" will come into effect on 1 April. The Ordinance contains the implementing provisions for the reporting obligations and importantly also covers exemptions to the obligations.

The press release is available here

Turkey - New incident response obligations under Cyber Security Law 

On 19 March 2025, a new Cyber Security Law was published in the Official Gazette in Turkey, the aim of which is to enhance cyber security protection in Turkey. The Cyber Security Law applies to all organisations operating in "cyberspace", which has a broad definition that effectively encompasses all activities using digital technology. Under the Cyber Security Law, organisations are required to notify the Cybersecurity Presidency without delay of vulnerabilities and cyber incidents detected. Organisations are also responsible for taking measures to ensure cyber security, for the purposes of protecting national security and public order, and cyber security companies will require approval and certification.

Although the Cyber Security Law has been passed, secondary legislation is required to fully implement it (which is expected to be enacted within a year). The Cybersecurity Presidency is also not yet operational, so it is not yet possible to notify incidents and vulnerabilities.

The Cyber Security Law is available here (in Turkish)

Norway - Datatilsynet publishes FAQs on EU-US data transfers 

On 26 February 2025, the Norwegian data protection authority, Datatilsynet, published FAQs on the rules for transfers of personal data to the US following recent developments under the new Trump administration. The FAQs explore the current adequacy regime under the EU-US Data Privacy Framework, how it could be impacted by recent changes in the US, and what businesses should be thinking about. They also touch on the use of US cloud services in the EU and flag that such services may also be adversely affected if the Data Privacy Framework is invalidated. Datatilsynet recommend that businesses have an “exit strategy” in case personal data can no longer be transferred in the same way it has been to date.

The FAQs are available here (in Norwegian)

Israel - New guidance on the use of Privacy-Enhancing Technologies

On 23 February 2025, the Israeli Privacy Protection Authority published a guide to the use of Privacy-Enhancing Technologies (PETs). The guide has been published in light of the new challenges and risks that have emerged as a result of advances in technology. The guide provides an overview of common PETs and includes specific examples and recommendations for implementing PETs as part of wider privacy compliance. The guide covers the different stages of the information lifecycle, including preparation, use and control of information. It does not require a technical background and is aimed at DPOs and IT/IS product and project managers. 

The guide is available here (in Hebrew)

China - Security Measures for Facial Recognition Technology issued

The Cyberspace Administration of China (CAC) and the Ministry of Public Security have issued Security Measures for the Application of Facial Recognition Technology, which will come into effect on 1 June 2025. The Measures set out basic requirements for the use of facial recognition technology, including that organisations comply with laws and regulations, uphold morality and ethics, not endanger national security or damage public interests, and not infringe on the rights and interests of individuals. There are specific provisions on processing of personal information, including in relation to purpose limitation, necessary safeguards, reliance on consent, restrictions on transfer to third parties, conduct of impact assessments, and storage limitation. The Measures also include specific requirements on safety, as well as supervisory and management responsibilities.

The press release is available here (in Chinese)

Sanctions. We're keeping count.

79. That's the number of regulatory sanctions around the world that Rulefinder Data Privacy has already tracked in 2025. It amounts to over 31,940,000 US dollars in penalties and numerous other reprimands and corrective actions.
Not seen our Enforcement Tracker yet? Ask us for a demo. 

United States - California - Regulator publishes first Annual Report

On 26 February 2025, the California Privacy Protection Agency (CPPA) published its first ever Annual Report. The 2024 Annual Report is largely backward-looking and sets out analysis of action taken and complaints received by the CPPA throughout 2024, with 3,797 consumer complaints being processed in that time. The CPPA also used the 2024 Annual Report to reinforce its enforcement priorities, which are: the review of privacy notices and privacy policies; the implementation of consumer requests; the right to delete; the selling or sharing of personal information without proper notice or an opt-out mechanism; dark patterns / deceptive design; and violations that affect vulnerable communities and groups.

The Annual Report is available here

 

Switzerland - New guidelines on cookies 

The Swiss Federal Data Protection and Information Commissioner (FDPIC) has issued guidelines on data processing when using cookies and similar technologies. The guidelines provide an overview of the Swiss legal framework and include helpful details on how the FDPIC interprets key requirements.

Among other things, the guidelines explain the circumstances in which the use of cookies and similar technologies can lead to the potential identification of individuals. The guidelines also cover transparency obligations, circumstances where placement of non-essential cookies is permitted, and situations where consent must always be obtained (as well as requirements for obtaining consent). There is also a risk matrix that divides various types of cookies into different risk buckets and sets out what kind of consent (e.g. mandatory opt-out or compulsory opt-in) is required - if any.

The guidelines are available here

CNIL updates its document containing key decisions and opinions

The French data protection authority, the CNIL, has published an updated version of its "Data Protection Tables" (the Tables). This is a very detailed document that summarises what the CNIL considers the most important decisions and opinions that show the CNIL's approach to key data protection themes. Importantly, the Tables include (redacted) decisions and responses (e.g. to complex legal consultations) otherwise not made public. The Tables were first published in 2023 and have now been updated for 2024. The decisions and responses are organised by theme and include sections on general GDPR principles (such as lawful bases and data retention) and data subject rights. Accompanying the Tables, the CNIL has published the "Computer and Freedom Notebooks" which contain the key 2024 doctrine points. They are essentially an extract of the Tables and focus on last year only. 

United States - Oregon - Enforcement Report published

The Oregon Department of Justice has published its first Enforcement Report, titled “The Oregon Consumer Privacy Act (2024), The First Six Months”. The report sets out information on consumer complaints received (and early enforcement actions taken) under the Oregon Consumer Privacy Act (OCPA), which took effect on 1 July 2024. While enforcement actions have begun, it is important to note that there is currently a cure period in place for violations of the OCPA, which expires on 1 January 2026. This means that, if the Department of Justice believes that violations can be fixed, then the relevant entity is given 30 days to remedy (or cure) the violation. There is no private right of action in Oregon, and so enforcement falls solely to the Privacy Unit within the Attorney General's office.

The Enforcement Report is available here  

Want to find out more?

Rulefinder Data Privacy subscribers hear about these and other privacy law developments as soon as we cover them.

Request a free trial