Expanded Enforcement Powers for Privacy Authorities


Summary

Expanded enforcement powers for privacy authorities refer to the increased abilities and resources given to regulators around the world to investigate, enforce, and penalize violations of data privacy laws. These new powers mean authorities can resolve complaints faster, impose stricter penalties, and cooperate across borders, making privacy compliance essential for all organizations handling personal data.

  • Review your practices: Take time to audit how your organization collects, uses, and shares personal data to ensure you meet stricter privacy requirements from regulators.
  • Stay informed: Keep up with changing privacy laws and new enforcement trends, as many regions are introducing tighter rules and giving regulators more power to act quickly.
  • Build accountability: Develop clear processes for responding to privacy complaints and requests, as authorities are now prioritizing quicker resolutions and greater transparency from organizations.
Summarized by AI based on LinkedIn member posts
  • Kaustubh Shakkarwar

    Global DPO | Data Privacy | AI Governance | NIS2 |

    7,193 followers

    EU privacy enforcement just got teeth. Real ones. BUT WHY?

    After 7 years of GDPR complaints disappearing into bureaucratic black holes, Brussels finally admitted what we all knew: the system was broken.

    The numbers tell the story. Major tech companies faced 1,000+ complaints. Resolution time? Years. Sometimes never. Some Data Protection Authorities became the graveyard where privacy cases went to die.

    Yesterday changed everything. The EU Council and Parliament agreed on binding deadlines:

    • 15 months maximum for investigations
    • 12 months for simple cases
    • Extensions only for complex matters

    But here's what matters for your business:

    Uniform admissibility standards mean no more jurisdiction shopping. Every complaint gets evaluated the same way, whether filed in Dublin or Dresden.

    Early resolution mechanisms let you fix issues fast. Address the problem, satisfy the complainant, avoid the full procedure.

    Procedural safeguards guarantee your right to review findings before decisions drop. No more surprise penalties.

    This isn't just about Big Tech anymore. Every company processing data across EU borders faces a new reality. Faster investigations. Stricter timelines. Consistent enforcement.

    The one-stop-shop mechanism that protected multinationals? Gone. The delays that buried complaints? History.

    Smart companies will audit their cross-border data flows now. Before the regulation takes effect. Before authorities test their new powers.

    Privacy compliance just shifted from optional to urgent. What's your move?

    Follow Kaustubh Shakkarwar and be a fellow privacy nerd.

  • James Patto

    🌟Your friendly neighbourhood Australian {Privacy & Data | Cyber | AI} legal professional...🌟🕷️🕸️| LinkedIn Top Voice🗣 | Speaker🎤 | Thought Leader🧠|

    4,440 followers

    The Federal Budget is here - and the OAIC enforcement train continues its charge ahead.

    I’ve just finished scrambling through the budget papers with my privacy hat on, and here’s the standout: the OAIC has been handed an extra $8.7 million to support its enforcement activities over the next three years.

    That might not sound like a lot in the context of the whole budget - and it's not - but it's something and it matters. It reinforces a growing trend: privacy non-compliance is becoming riskier and more expensive.

    We now have:

    1️⃣ An invigorated regulator looking to make its mark as a serious enforcement body
    2️⃣ New civil penalties and infringement notices at their disposal
    3️⃣ New rights for individuals to piggyback on OAIC actions and take direct legal action
    4️⃣ And now—some funding in the bank to back it all up

    But let’s be clear—it’s not enough.

    To put it in perspective: the decision to freeze the beer excise will save punters about one cent per mid-strength pint, and cost taxpayers $95 million over four years. That's over 10 times the amount allocated to our privacy regulator to enforce our privacy law.

    Don’t get me wrong - I love a brew as much as the next person - but when we’ve got a regulator tasked with a mammoth job and still battling chronic underfunding, you have to wonder if the priorities are in the right place.

    I’ve long been vocal about the need to adequately and sustainably fund the OAIC through long-term budget cycles. The regulator’s job is only getting harder as privacy risks escalate, digital ecosystems expand, and AI breaks the internet, the workplace - and basically everything else.

    And it’s all well and good for governments to roll out bold privacy reforms, but without a regulator that’s properly resourced to enforce them, it’s only half the puzzle. A modern regime needs modern enforcement to back it.

    That said—right now, the OAIC has more money, more tools, and more appetite for enforcement. And it’s pretty simple: the cost of doing nothing is rising. Now’s the time to get clear on where your organisation sits on the privacy maturity curve—and to start investing in smart, business-aligned compliance measures that reduce risk and deliver value.

    Oh and by the way.... there is no extra money at all for AI....

    #Privacy #CyberSecurity #FederalBudget #OAIC #RegulatoryRisk #Compliance #DigitalTrust #artificialintelligence

  • Winnie Ngige., FIP (CIPM, CIPP/E)

    Data Protection Officer | Global Privacy Governance (EU, UK, Africa, APAC) | GDPR | AI Governance |CIPP/E | CIPM| I help organizations reduce the gap between privacy compliance, business needs and innovation.

    6,456 followers

    Dear Reader,

    It is the season of digital transformation, and across Africa’s bustling digital ballrooms, data has become the most coveted currency of all. Mobile money moves faster than whispers at a soirée, biometric systems promise certainty with a glance, and artificial intelligence courts both efficiency and excess. Yet, as with all great transformations, not everyone has been minding their manners.

    As we reflect on the past year this Privacy Day, Africa’s regulators are no longer mere observers of the spectacle. They have stepped onto the floor firm, deliberate, and increasingly assertive, reminding governments and global technology giants alike that privacy is not a polite suggestion, but a legal right. One thing is clear: data protection in Africa has entered its enforcement era.

    Across the continent, Africa’s digital transformation is accelerating from mobile money to digital IDs, AI systems, health platforms, and cross-border digital trade. With this transformation comes an unavoidable truth: data protection is no longer an aspirational policy, it is a legal and regulatory imperative.

    We are also witnessing a shift in regulatory confidence and maturity, with recent enforcement actions telling a powerful story. Here are some highlights:

    📌 Kenya’s High Court decision in Republic v Tools for Humanity (2025) reaffirmed that biometric and AI-driven systems require valid consent, DPIAs, and accountability.
    📌 Nigeria’s NDPC enforcement against Meta (2025) demonstrated that African regulators will assert jurisdiction over global platforms and impose significant penalties.
    📌 Uganda’s PDPO determination against Google (2025) confirmed that foreign tech companies processing African data must comply with local laws.
    📌 South Africa’s Information Regulator action against the Department of Justice (2025) sent a strong message: public institutions are not exempt from privacy obligations.

    Equally important is the emergence of cross-border regulatory cooperation. Collaboration between DPAs such as Kenya’s ODPC and Uganda’s PDPO in handling cross-border complaints signals the future of enforcement in a continent defined by regional integration and digital trade.

    As we go into 2026, here are my reflections:

    📌 Africa is no longer a passive recipient of global privacy norms; it is shaping its own enforcement narrative.
    📌 Big Tech and public institutions alike must be accountable.
    📌 AI, biometrics, and large-scale data systems are now central regulatory priorities.
    📌 Collaboration among African DPAs will define the next phase of effective enforcement.

    As we look ahead, Africa’s data protection story is one of agency, constitutional grounding, and growing regulatory power. The challenge and opportunity is ensuring that innovation continues with trust, dignity, and rights at its core.

    Privacy is not a barrier to Africa’s digital future. It is its foundation.

    Happy International Privacy Day.

    #dataprotection #dataprivacy #compliance

  • Martin Zwick

    Lawyer | AIGP | CIPP/E | CIPT | FIP | GDDcert.EU | DHL Express Germany | IAPP Advisory Board Member

    20,351 followers

    Why the EU's New GDPR Cross-Border Enforcement Proposal Matters for Data Privacy

    On June 27, 2025, the Permanent Representatives Committee of the Council of the European Union approved the text for a Proposal for a Regulation that establishes additional procedural rules for the enforcement of the General Data Protection Regulation (GDPR) in cross-border cases.

    This proposal is significant as it outlines the procedures for handling complaints and conducting investigations by supervisory authorities, ensuring that enforcement of GDPR is consistent across member states.

    Key provisions include:

    - Guidelines for efficient complaint handling and decision-making.
    - Requirements for the admissibility of complaints, including necessary content and procedures for rejection.
    - Cooperation procedures among supervisory authorities, including timelines for decisions and information exchange.
    - Rights for parties involved in investigations to be heard.
    - Established dispute resolution processes, including referrals to the European Data Protection Board (EDPB).
    - Transitional provisions that delay certain rules' applicability for 15 months after the regulation's entry into force.

    The next steps involve the Presidency addressing the European Parliament, which will review the proposal.

    Staying informed about this regulatory development is crucial for businesses and organizations operating in the EU, as it will impact compliance strategies and data protection practices. Monitoring the progress of this proposal will help stakeholders prepare for potential changes in enforcement and operational requirements related to data privacy.

    For further details, you can read the letter from the Committee and the approved text of the proposal (attached).

  • Kriti Sharma

    Director – Legal, Regulatory, Compliance & AI Governance | Chief Data Privacy Officer | Product, AI & Data Governance | Building Scalable, Compliant Digital Ecosystems | GC Track

    10,110 followers

    India has now entered the next phase of its privacy journey. The Digital Personal Data Protection Rules 2025 have been formally notified, and we finally have clarity on commencement timelines and compliance sequencing. Several Rules are already in force, with others taking effect after one year and eighteen months. The Data Protection Board has also been constituted, which means the enforcement architecture is now fully in motion.

    The Final Rules differ substantially from the draft. Definitions have been expanded, notices are more structured, consent managers are subject to deeper scrutiny, security safeguards are significantly more technical, breach reporting has a clear 72 hour requirement, and retention and erasure obligations are now explicit and time bound. The treatment of children’s data and verification mechanisms is more detailed, and cross border transfers will flow only through notified government channels.

    Significant Data Fiduciary classification works similarly to GDPR. Each organisation must determine for itself whether it triggers higher obligations and whether it needs a Data Protection Officer and a Data Protection Impact Assessment. A DPIA under the 5Rs framework now examines Rationale, Risks, Rights, Remedies and Residual Risk before any high impact processing begins.

    A much needed clarity has also come on penalties. The Rules operationalise the penalty process under the Act, specifying that the Board will evaluate harm, severity, repetition, intent, mitigation steps and reporting behaviour before determining financial consequences. This means penalties will be evidence based and proportionate instead of automatic.

    For quick reference, I have added a comparison table summarising the differences between the draft and the final Rules.

    The compliance clock has officially started, but the runway is clear. With the Act, the Rules, the Board, the timelines and the schedules now in place, India’s privacy regime finally has regulatory completeness.

    #DPDP #DPDPA #India #DataProtection #PrivacyLaw #Compliance #TechLaw #Governance #RegulatoryUpdates #DigitalIndia #CyberSecurity #RiskManagement #SDF #DPIA #NCII #DataBoard

  • Barbara Li

    Partner at Reed Smith China & IAPP Asia Advisory Board Member & Vice Chair of Cybersecurity Working Group of EU Chamber of Commerce in China

    5,322 followers

    Chinese authorities will adopt new rules on 1 August to standardize and strengthen the enforcement of personal data protection, privacy and cybersecurity requirements!

    Last week, the Cyberspace Administration of China (CAC) issued new rules, aiming at regulating and aligning enforcement practices by CAC authorities across the country. Some important aspects worth noting:

    The new rules introduce a structured approach to enforcement discretion by CAC regulators. They will consider multiple factors, including facts of the matter, nature and circumstances of the violation, severity and harm caused, and the violator’s intent and level of fault.

    The new rules lay down 4 levels of enforcement discretion:

    1) No Penalty

    Penalties may be waived if:
    • violation is minor, promptly corrected, and caused no harm
    • violator provides evidence showing no malicious intent
    • first-time violation with only minor impact that was promptly addressed.

    2) Reduced Penalty, if:
    • violator actively mitigated or eliminated harmful consequences
    • violator was induced or coerced by third parties
    • violator voluntarily reported previously unknown violations
    • violator fully cooperated with the investigation.

    3) Normal Penalty - No aggravating or mitigating factors

    4) Increased Penalty, if:
    • violation seriously harms cybersecurity, data security, or personal information protection
    • violation involves children’s personal information
    • violator has illegally collected personal information or failed to comply with other PIPL requirements causing significant harm
    • violator has committed the same type of offense twice or more
    • there was obstruction of the investigations or destruction of evidence
    • violation caused widespread harm or significant negative social impact.

    In case of administrative fines in a range provided in laws/regulations, CAC authorities have power to decide whether to impose a reduced fine (30% of the statutory range or below), normal fine (30%-70% of the statutory range), or increased fine (70% of the statutory range or above). Local CAC authorities may adjust the fines up or down by 10%, considering local economic, social, case-specific circumstances, enforcement practice and past precedents.

    Key Takeaways

    • Chinese data regulators are expected to continue rigorous enforcement and investigations.
    • These rules give local CAC offices clearer guidelines, helping to reduce arbitrary or inconsistent enforcement decisions.
    • Compliance is the KING! Companies must treat compliance as a core risk management practice, not just a legal obligation.
    • First-time or minor violations, if addressed promptly and cooperatively, may lead to no or reduced penalties.
    • Repeat or serious violations face tougher consequences.

    #dataprotection #privacy #personaldata #compliance #law #enforcement #penalty #China #APAC

  • Assaf Harel

    Partner, leads Cyber & Privacy at Gornitzky | Member of Israel’s Public Privacy Protection Council | CIPP/E | DPO | AI Governance

    3,058 followers

    *Israel’s new privacy law has almost reached the finish line.*

    A significant amendment to Israel’s Privacy Protection Law is expected to be enacted into law imminently, following the completion of hearings on that amendment in the Knesset’s Constitution, Law and Justice Committee.

    Here are a few key highlights from the new law:

    · Teeth: The הרשות להגנת הפרטיות Privacy Protection Authority (the “Authority”) will finally be granted significant enforcement powers, including the power to impose monetary sanctions, that could amount (depending on the violation and scope thereof) to millions of shekels.
    · DPO: many organizations will now be required to appoint a data protection officer. This requirement will apply to organizations that are primarily engaged in the processing of sensitive information on a significant scale (such as banks, insurance companies, credit institutions, medical institutions, etc.), organizations whose primary activities involve the systematic and regular monitoring of individuals, their behavior, location, etc. (e.g., cellular providers), and data brokers.
    · Farewell, database registration: most organizations will no longer be required to register databases with the Authority. The registration requirement will be limited to data brokers processing data on more than 100K data subjects. Databases containing sensitive data on a large scale will still be required to submit a notification with the Authority.
    · New disclosure requirements. Notices to data subjects will now be required to specifically mention data subject rights (right of access, right to demand correction), and the name of the organization’s DPO.
    · GDPR-ization of terms: the definitions of personal data, sensitive data, database controller and database holder will be amended in a manner that corresponds with similar definitions under the GDPR and other modern privacy laws.

    This is a landmark moment for Israeli privacy law, which has the potential of significantly impacting compliance in that field.

    The Ministry of Justice is concurrently working on another amendment to the Privacy Law, which will include a deeper reform, addressing data subject rights, legal bases for processing, data protection impact assessments and more.

    Gornitzky & Co #privacylaw #privacy #dpo

  • Dr. Henrik Hanssen

    Counsel | Data, AI, IT & Cybersecurity | Tech & Digital Media Regulation | Hogan Lovells

    4,330 followers

    🔎 The German Federal Data Protection Commissioner (#BfDI) issued a statement welcoming the #EU #AIAct and discussing the role of data protection authorities (DPAs) with regard to the AI Act. It concludes that the EU AI Act expands the role of DPAs, which will play a crucial part in overseeing the development and deployment of AI systems.

    According to the BfDI, new key responsibilities and tasks of DPAs under the AI Act include:

    ◽ Access to information: DPAs will have access to documentation that organizations need to prepare for AI Act compliance, enabling effective oversight (e.g. Art. 18 AIA). DPAs may also take insight into the EU database for high-risk AI systems (cf. Art. 71 AIA). Special requirements apply for certain high-risk AI systems, esp. for law enforcement.
    ◽ Collaboration with national market surveillance authorities: DPAs may request technical audits through market surveillance authorities (cf. Art. 70 AIA) and will be informed about serious incidents related to AI systems.
    ◽ AI regulatory sandboxes: When personal data is processed in an AI regulatory sandbox, DPAs must be involved to protect data privacy rights (cf. Art. 57 ff AIA).

    These tasks supplement existing competencies of DPAs, which also remain the primary contact point for complaints of individuals with concerns about data privacy infringements related to AI.

    Finally, the BfDI highlights that the overall supervisory structure under the AI Act is complex, given the overlaps of the competencies e.g. between the Commission's AI Office for certain AI systems, national market surveillance authorities, and other supervisory authorities under sector-specific laws (e.g. financial or automotive sectors). Specifically in Germany, the federal system will lead to a high number of authorities that will be involved in AI supervision.

    #AI #Governance #GDPR #Privacy Hogan Lovells https://lnkd.in/exteyQYc
