Cybersecurity & Data Privacy Communications

Global trends in data privacy regulation put preparedness in focus

In September, the Australian Government introduced the first tranche of its long-awaited amendments to The Privacy Act 1988.[1] In a speech introducing the legislation, Attorney-General Mark Dreyfus said, “We must be vigilant in ensuring that evolving technology does not erode our ability to protect information about who we are (and) what we believe is being misused”.[2]

This is the latest example of governments and regulators around the world hardening their stance on data privacy through new legislation, stronger rhetoric, and increased corporate obligations.

With the increased focus on data privacy popping up around the world, FTI Consulting’s global team of Cybersecurity and Data Privacy communications experts break down some notable trends across geographies, and share key considerations for organisations looking to best position themselves to navigate the future of data privacy.

European Union (EU)

The trailblazing General Data Protection Regulation (GDPR) is now well-established and remains the key data privacy standard, both in the EU and globally. The GDPR came into force in 2018 and applies to any organisation which collects or processes personal data related to individuals in the EU. Organisations found in breach of GDPR may be fined up to €20 million, or up to 4% of annual worldwide turnover, whichever is greater.[3]

The European Commission publishes a report every four years on the application of GDPR. The 2024 report found a significant uptick in enforcement by data protection authorities, noting the substantial fines imposed on big tech companies in what are described as “landmark cases”.[4] However, the report also noted enforcement issues, which the European Parliament voted to improve in April this year.[5]

This year, the new Digital Markets Act (DMA) and Digital Services Act (DSA) came into effect – they are focused on regulating big tech platforms and impose additional data-related obligations.[6] In particular, the DSA prohibits online platforms from using targeted advertisements based on special categories of data (such as sexual orientation, ethnicity or religious beliefs) and knowingly targeting advertising at minors.[7]

The EU AI Act, the world’s first comprehensive law on artificial intelligence, also aims to align with GDPR. All AI systems must adhere to GDPR principles and there are strict guidelines on the use of data in high-risk systems, such as those that use AI systems to evaluate people’s creditworthiness. AI systems must also be transparent with their users regarding how their personal data is being processed. Breaches of the AI Act could be costly for organisations, with possible fines nearly double those under GDPR.[8]

Australia

Australia experienced a spate of high-profile data breaches in 2022 and 2023, which put millions of Australians’ personal information at risk and brought data privacy practices into sharp focus. Since these events, which affected organisations across telecommunications, healthcare, financial services, and the legal sector, there has been a clear response from Australian government and regulators.

In 2024, the Office of the Australian Information Commissioner (OAIC) has continued its work to enforce fundamental privacy principles in the evolving technology landscape. This was seen recently in their filing of civil penalty proceedings in the Federal Court against Medibank, which underscored companies’ responsibility to protect citizens’ data to a high standard.[9] The OAIC alleged Medibank failed to take reasonable steps to protect customers’ personal information, and noted that fines could theoretically exceed AU$21.5 trillion.

In September 2024, the Australian Securities and Investments Commission (ASIC) revealed it is reviewing legal action against some unnamed directors who have failed to adequately prepare for or respond to cyberattacks. The chairman of the corporate regulator, Joe Longo, said, “ASIC will be looking for the right case where company directors and boards failed to take reasonable steps, or make reasonable investments proportionate to the risks that their business poses.”[10]

The Australian government is exploring a number of key issues relating to data privacy, including regulation of social media platforms, children’s privacy, biometrics and the use of AI. Most recently, it has introduced the Privacy and Other Legislation Amendment Bill 2024, designed to bring privacy regulation into the digital age.[11] The reforms include: a new statutory tort to address serious invasions of privacy; a Children’s Online Privacy Code; greater transparency of automated decisioning; streamlined information sharing in emergencies with appropriate data protection; and stronger enforcement powers for the Australian Information Commissioner. The Bill also introduces new criminal offences to outlaw doxxing, the malicious release of personal data online.

United States (U.S.)

At all levels, America’s government is evaluating new rules to help guide the public and private sectors, including through the Biden-Harris Administration’s 2023 National Cybersecurity Strategy.[12] The strategy puts the onus on large organisations that have the resources and capability to reduce broader cybersecurity risks for the general public and smaller businesses, and creates incentives to encourage longer-term investments in cybersecurity.

While there isn’t a nationwide data privacy framework at this stage, there are certain narrower, issue-specific acts gaining momentum and relevance. The Children’s Online Privacy Protection Act (COPPA) 2.0 passed the U.S. Senate in July 2024 and notably addresses the impact of technology and social media usage and institutes more significant protections for those under 17.[13] Additionally, the Health Insurance Portability and Accountability Act (HIPAA) established a standard to protect the privacy of medical records and other protected health information at the turn of the millennium.

Looking towards the future at the federal level, the bipartisan proposal for the American Privacy Rights Act (APRA) would establish a comprehensive data privacy and security framework if successful – though its passage remains unlikely.[14] It would establish a uniform approach to privacy across the country, providing individuals more control over the use of their personal information. The matter of overriding state law will continue to be a hotly debated issue among policymakers. Even if APRA does not prevail, new federal proposals introduced each year continue to refine the potential for bipartisan consensus and help establish the parameters for future success.

At the state level, the California Consumer Privacy Act (CCPA) significantly altered the United States data privacy landscape in 2020,[15] and since its institution, 18 additional states have followed suit, with Rhode Island most recently establishing the Data Transparency and Privacy Protection Act in June 2024.[16] CCPA provided individuals in California more knowledge about and control over their data, including being informed about what personal information is collected by organisations and how it may be used, as well as the right to delete the information that is collected about them – with exceptions – in addition to other important privacy-related rights.

United Kingdom (UK)

The UK’s data privacy framework is anchored by the Data Protection Act 2018 (DPA 2018)[17] and the UK General Data Protection Regulation (UK GDPR),[18] which are both designed to protect the personal data of individuals. While a proposed Data Protection and Digital Information (DPDI) Bill was written to update and streamline these regulations, it was not carried over to the new Parliament following the summer’s snap election, leaving the future of data protection reform uncertain.

The new Labour government has signaled a shift in focus towards enhancing cyber resilience of national critical infrastructure, with the Cyber Security and Resilience Bill set to align the UK’s cyber framework with the EU’s NIS2 Directive.[19] However, the UK remains committed to addressing the privacy implications of new technologies while promoting digital innovation.

Proposed AI regulation ensures that, in accordance with the UK’s established data protection laws, organisations respect individual rights and data protection principles when processing personal data in AI systems.[20] Meanwhile, the Online Safety Act includes reference to upholding data protection legislation, especially in relation to the processing and retention of user data.[21] Taken together, it is evident that while the UK is working to build out a national cybersecurity program, data privacy for individuals, especially in an age of ever-emerging technologies, remains a priority.

India

Data privacy has become a key area of focus for India due to rapid digitisation, which has made it an attractive target for cyberattacks. The country’s legislative framework is set to be transformed with the deployment of The Digital Personal Data Protection Act 2023 (DPDPA), which came six years after the Supreme Court ruled that privacy was indeed a fundamental right.

The DPDPA is the first cross-sectoral law on personal data protection in India, empowering and protecting the rights of Data Principals. Factors such as accountability, transparency, data minimization, fairness, accuracy, and lawful processing of personal data have been reflected in the DPDP Act. While the final rules are awaited, the legislation gives the central government some potentially arbitrary discretionary powers.

Since cybersecurity is a cross-cutting issue, India has a complex inter-ministerial and inter-departmental institutional framework for cybersecurity, with several ministries, departments and agencies performing key functions. Several other regulators / authorities including the Telecom Regulatory Authority of India, Central Drugs Standard Control Organization, Reserve Bank of India etc. either presently regulate or are seeking to regulate the data which may fall within their respective domains (such as subscriber data, payments data, and e-commerce user data). As Indian corporations grapple with rising cyber incidents, these regulations offer a structured approach to fortify defenses and protect critical data assets.

Latin America

Latin America faces a significant challenge as cyberattacks become more frequent and sophisticated, with countries like Mexico and Brazil being targeted by cybercriminals.[22] While the region lacks a harmonised data privacy regulation framework, some countries have implemented their own robust data protection laws.

Brazil introduced its General Data Protection Law (LGPD) in 2020,[23] which broadly aligns with the EU’s GDPR, offering a comprehensive approach to individual rights and international standards. Its alignment with the GDPR makes the LGPD rigorous in terms of international data transfer mechanisms and consent frameworks. This law applies to both the public and private sectors.

In contrast, Mexico has two separate laws: the Federal Law on the Protection of Personal Data Held by Private Parties (LFPDPPP) and the General Law on Data Protection for Public Entities (LGPDPPSO).[24] While this system provides sector-specific regulations, it can lead to inconsistencies in how data protection principles are applied between entities in both sectors. There is still work to be done but there is growing recognition of the need for collaborative action between national security agencies and the private sector.

Almost all countries in Latin America are working to enhance supply chain security, as they advocate for regulatory standards and rights protection, and engage with other stakeholders to improve best practices. For instance, Argentina recently reaffirmed its status as a country suitable for the free cross-border flow of personal data with the EU.[25] This decision, following a review process initiated in 2018, acknowledges Argentina’s efforts to align its data protection regulations with international standards.

Key lessons for business

As reliance on personal data grows, organisations must continue to innovate against this backdrop of enhanced privacy regulation, and changing consumer privacy expectations.

This is a profoundly complicated regulatory, reputational and operational data privacy risk environment. With data privacy regulations changing and evolving across the globe, organisations operating across these jurisdictions, and in jurisdictions likely to enact similar rules, must consider steps to strengthen their commitment to data privacy and create a culture of data privacy throughout their organisations. These are the top three basic elements organisations should understand:

  1. Businesses stand to face significant implications, including penalties, for failing to implement appropriate cybersecurity controls or take adequate steps to protect sensitive data.
  2. Managing data risk is a boardroom issue. Organisations should recognise cybersecurity and data protection as a strategic business issue that can impact entire industries and economies.
  3. To be best prepared, businesses must also consider their incident response protocols, including crisis management, crisis communication, and reputation management plans, should they be impacted by a data privacy issue.

[1] The Hon Mark Dreyfus KC MP, “Better protection of Australians’ privacy”, Australian Attorney General’s Department, 12 September 2024, <https://ministers.ag.gov.au/media-centre/better-protection-australians-privacy-12-09-2024>

[2] Laurel Henning, “Keeping it private”, Capital Brief, 12 September 2024, <https://www.capitalbrief.com/newsletter/keeping-it-private-0cafa960-b180-4fa4-898f-f0fe09e59602/#:~:text=And%20in%20a%20speech%20this,we%20believe%20is%20being%20misused%22.>

[3] “What is GDPR, the EU’s new data protection law?”, GDPR.EU, <https://gdpr.eu/what-is-gdpr/>

[4] “Report on the General Data Protection Regulation”, European Commission, 25 July 2024, <https://ec.europa.eu/info/law/better-regulation/have-your-say/initiatives/14054-Report-on-the-General-Data-Protection-Regulation_en>

[5] Julia Tar, “EU Parliament votes to strengthen GDPR enforcement”, Euractiv, 11 April 2024, <https://www.euractiv.com/section/data-privacy/news/eu-parliament-votes-to-strengthen-gdpr-enforcement/>

[6] “The Digital Services Act package”, European Commission, <https://digital-strategy.ec.europa.eu/en/policies/digital-services-act-package>

[7] Emma Roth, “The EU’s Digital Services Act goes into effect today: here’s what that means”, The Verge, 26 August 2023 <https://www.theverge.com/23845672/eu-digital-services-act-explained>

[8] “Article 99 : Penalties”, EU Artificial Intelligence Act, <https://artificialintelligenceact.eu/article/99/>

[9] “OAIC takes civil penalty action against Medibank”, Office of the Australian Information Commissioner, 5 June 2024, <https://www.oaic.gov.au/newsroom/oaic-takes-civil-penalty-action-against-medibank>

[10] Tess Bennett, “ASIC pursues board directors over cyber breaches”, Australian Financial Review, 17 September 2024, <https://www.afr.com/technology/asic-pursues-board-directors-over-cyber-breaches-20240911-p5k9t0>

[11] The Hon Mark Dreyfus KC MP, “Second reading speech – Privacy and Other Legislation Amendment Bill 2024”, Australian Attorney General’s Department, 12 September 2024, <https://ministers.ag.gov.au/media-centre/speeches/second-reading-speech-privacy-and-other-legislation-amendment-bill-2024-12-09-2024>

[12] Office of the National Cyber Director, “The National Cybersecurity Strategy”, The White House, March 2023, <https://www.whitehouse.gov/oncd/national-cybersecurity-strategy/#:~:text=%E2%80%9CCybersecurity%20is%20essential%20to%20the,%2C%20and%20our%20national%20defense.%E2%80%9D>

[13] “Children’s Online Privacy Protection Rule (“COPPA”)”, Federal Trade Commission, <https://www.ftc.gov/legal-library/browse/rules/childrens-online-privacy-protection-rule-coppa>

[14] “Committee Chairs Cantwell, McMorris Rodgers Unveil Historic Draft Comprehensive Data Privacy Legislation”, U.S. Senate Committee on Commerce, Science & Transportation, 7 April 2024, <https://www.commerce.senate.gov/2024/4/committee-chairs-cantwell-mcmorris-rodgers-unveil-historic-draft-comprehensive-data-privacy-legislation>

[15] “A. General information about the CCPA”, California Consumer Privacy Act (CCPA), 13 March 2024, <https://oag.ca.gov/privacy/ccpa#sectiona>

[16] “Rhode Island Senate Bill 2500”, LegiScan, 28 June 2024, <https://legiscan.com/RI/text/S2500/2024>

[17] “Data protection”, GOV.UK, <https://www.gov.uk/data-protection>

[18] “The UK GDPR”, Information Commissioner’s Office, <https://ico.org.uk/for-organisations/data-protection-and-the-eu/data-protection-and-the-eu-in-detail/the-uk-gdpr/>

[19] “Government announces new Bill to strengthen the UK’s cyber security and resilience”, techUK news and views, 19 July 2024, <https://www.techuk.org/resource/government-announces-new-bill-to-strengthen-the-uk-s-cyber-security-and-resilience.html>

[20] Department for Science, Innovation and Technology and Office for Artificial Intelligence, “AI regulation: a pro-innovation approach”, GOV.UK, 29 March 2023, <https://www.gov.uk/government/publications/ai-regulation-a-pro-innovation-approach>

[21] “Online Safety Act 2023”, legislation.gov.uk, <https://www.legislation.gov.uk/ukpga/2023/50>

[22] Pablo Zarate et al, 2024 Latin America Insights, FTI Consulting, <https://fticommunications.com/wp-content/uploads/2024/05/2024-Latin-America-Insights_Full-Collection.pdf>

[23] John J Isaza and Hannah Katshir, “Brazil Passes Landmark Privacy Law: The General Law for the Protection of Privacy”, American Bar Association, 24 April 2020, <https://www.americanbar.org/groups/business_law/resources/business-law-today/2020-may/brazil-passes-landmark-privacy-law/>

[24] DLA Piper, “Mexico”, Data Protection Laws of the World, <https://www.dlapiperdataprotection.com/index.html?t=law&c=MX>

[25] Deputy Chief of Executive Cabinet, “Argentina has obtained new adaptation from the European Union for the international flow of personal data”, Argentina Government, 15 January 2024, <https://www.argentina.gob.ar/noticias/argentina-logro-la-nueva-adecuacion-por-parte-de-la-union-europea-para-el-flujo>

The views expressed herein are those of the author(s) and not necessarily the views of FTI Consulting, Inc., its management, its subsidiaries, its affiliates or its other professionals.

FTI Consulting, Inc., including its subsidiaries and affiliates, is a consulting firm and is not a certified public accounting firm or a law firm.

FTI Consulting is an independent global business advisory firm dedicated to helping organizations manage change, mitigate risk and resolve disputes: financial, legal, operational, political and regulatory, reputational and transactional. FTI Consulting professionals, located in all major business centers throughout the world, work closely with clients to anticipate, illuminate and overcome complex business challenges and opportunities. ©2024 FTI Consulting, Inc.
All rights reserved. fticonsulting.com

 
