New Privacy Laws are here: What your business needs to stay compliant

In our last article, we dove into the latest data protection updates shaking up the United States. Now we turn to six major updates from Europe, Oceania, and the Arabian Gulf that landed between mid-June and mid-July 2025. These regulations are set to reshape how we handle personal data, and at Privacy Evolved, we’re here to break down the technical details and show you why compliance is your key to building trust and staying competitive. From protecting kids online to navigating new legal risks, these changes are a big deal. Let’s explore what’s new and how we can help you stay compliant!

1. 🇪🇺 EU’s Digital Services Act (DSA) Guidelines: Protecting Minors Online

What’s New? On July 14, 2025, the European Commission released final guidelines under Article 28 of the Digital Services Act (DSA) to safeguard minors on online platforms. Developed after consultations with 331 stakeholders and 150+ youths, these non-binding guidelines align with the UN Convention on the Rights of the Child and set a high standard for privacy and safety.

Technical Breakdown:

  • Private-by-Default Accounts: The guidelines recommend that minors’ accounts be private by default, so their profiles, content and contact options are not visible to, or reachable by, users they have not accepted. In practice the backend must derive the default privacy state from age data at account creation and re-apply it when age information changes, rather than trusting the client to set it.
  • Age Assurance: The guidelines distinguish age verification (for content legally restricted to adults, such as pornography or gambling; the Commission published an age-verification app prototype alongside the guidelines) from age estimation for lower-risk cases. Whatever method is used must respect GDPR data minimisation (Article 5(1)(c)): prove the age attribute, not the identity, and do not retain ID documents or face images longer than needed. Biometric age estimation may engage Article 9 (special category data) and warrants a DPIA.
  • Content Moderation Enhancements: Platforms should strengthen moderation of content and contact risks (cyberbullying, grooming, exploitative advertising). In practice this combines machine-learning classifiers for text and images with human review, since classifiers alone produce both false positives and misses. Reporting tools for minors need plain-language, accessible interfaces (e.g., WCAG 2.1).
  • Risk Assessments: The guidelines recommend that platforms assess the risks their service poses to minors, alongside the annual systemic-risk assessments that Article 34 already requires of very large platforms and search engines. A framework such as ISO 31000 helps structure this: map data flows, assess third-party integrations (SDKs, ad networks), and document mitigation plans.

Why Compliance Matters: The guidelines are the Commission’s yardstick for how it will enforce Article 28, and DSA fines can reach 6% of global annual turnover. Our team can design age-assurance flows, enhance content moderation, and conduct risk assessments to keep your platform safe and compliant.

2. 🇬🇧 UK’s Data (Use and Access) Act 2025: Simplifying with New Risks

What’s New? The UK’s Data (Use and Access) Act 2025 (DUAA), which received Royal Assent on June 19, 2025, amends the UK GDPR, the Data Protection Act 2018, and PECR. Backed by the Information Commissioner’s Office, it simplifies data rules while introducing new compliance challenges. Commencement is phased by regulations over the following year, so check which provisions are in force before relying on them.

Technical Breakdown:

  • PECR Penalties and Complaint Handling: The Act aligns fines under PECR (marketing, cookies) with the UK GDPR maximum of £17.5 million or 4% of global annual turnover, and requires controllers to provide a complaints procedure for data subjects. The existing right to compensation under Article 82 of the UK GDPR is unchanged, so breach detection and logging (SIEM, intrusion detection, access logs) remain the basis for limiting liability.
  • International Data Transfers: The Act replaces the “essentially equivalent” test with a “data protection test”: the receiving country’s standard must be “not materially lower” than the UK’s. Businesses should review their transfer mechanisms (the UK IDTA or the UK Addendum to the EU SCCs) and transfer risk assessments, and keep technical controls independent of the legal basis: encryption in transit (TLS 1.2 or later) and at rest (AES-256), with SFTP or HTTPS rather than plain FTP for bulk transfers.
  • Research Data: The Act confirms that “scientific research” can include commercial research and allows broad consent to an area of research. Article 89 safeguards still apply: pseudonymise before analysis and keep re-identification keys under separate access control. Note that an unkeyed hash (SHA-256 of an email address or customer number) is reversible by anyone who can enumerate the input space, so use a keyed hash (HMAC) with the key held separately, or tokenisation with a separately stored lookup table. Pseudonymised data remains personal data, and purpose limitation and data minimisation (Article 5(1)(b) and (c)) still apply.
  • Automated Decision-Making (ADM): The Act narrows Article 22 so that the near-prohibition on solely automated decisions applies only where special category data (e.g., health, ethnicity) is involved; other significant ADM is permitted subject to safeguards: informing the individual, letting them make representations and contest the decision, and providing human intervention. Systems such as loan or credit scoring should log decision inputs and produce an explanation the reviewer can act on (post-hoc methods such as SHAP or LIME are common), because a reviewer who cannot understand or overturn the decision is not “meaningful human involvement”.
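
As an added illustration of the pseudonymisation point above (example code written for this article, not taken from the DUAA, the ICO or any vendor), the following Python compares an unkeyed SHA-256 pseudonym, an HMAC-SHA256 pseudonym with a separately held key, and random tokenisation with a vault. The email addresses are constructed sample data, and `SAMPLE_EMAILS`, `TokenVault` and `run_demo` are names chosen for the example.

```python
import hashlib
import hmac
import secrets
from typing import Dict, Iterable, Optional

# Constructed sample identifiers for this example; not real people.
SAMPLE_EMAILS = ["alice@example.org", "bob@example.org", "carol@example.org"]


def normalise(identifier: str) -> str:
    """Canonicalise before hashing so 'Alice@Example.org' and
    'alice@example.org' map to the same pseudonym."""
    return identifier.strip().lower()


def naive_pseudonym(identifier: str) -> str:
    """Unkeyed SHA-256. Deterministic, but anyone who can enumerate the input
    space (email lists, phone ranges, customer numbers) can hash candidates
    and compare, so it is reversible for low-entropy identifiers."""
    return hashlib.sha256(normalise(identifier).encode("utf-8")).hexdigest()


def keyed_pseudonym(identifier: str, key: bytes) -> str:
    """HMAC-SHA256 under a secret key kept outside the research dataset
    (KMS/HSM, separate team). Still deterministic, so records for the same
    person can be linked, but candidates cannot be hashed without the key."""
    return hmac.new(key, normalise(identifier).encode("utf-8"), hashlib.sha256).hexdigest()


def dictionary_attack(target: str, candidates: Iterable[str],
                      key: Optional[bytes] = None) -> Optional[str]:
    """Attacker model: knows the scheme and a list of plausible identifiers,
    holds the pseudonymised dataset, and may or may not hold the key."""
    for candidate in candidates:
        guess = keyed_pseudonym(candidate, key) if key is not None else naive_pseudonym(candidate)
        if hmac.compare_digest(guess, target):
            return normalise(candidate)
    return None


class TokenVault:
    """Tokenisation: random surrogate values with the mapping held in a
    separate store. The research dataset carries only tokens; re-identification
    needs access to the vault."""

    def __init__(self) -> None:
        self._forward: Dict[str, str] = {}
        self._reverse: Dict[str, str] = {}

    def tokenize(self, identifier: str) -> str:
        identifier = normalise(identifier)
        if identifier not in self._forward:
            token = "tok_" + secrets.token_hex(16)  # 128 bits of randomness
            self._forward[identifier] = token
            self._reverse[token] = identifier
        return self._forward[identifier]

    def resolve(self, token: str) -> Optional[str]:
        return self._reverse.get(token)


def run_demo(key: bytes) -> Dict[str, bool]:
    """Report which attacks succeed: plain SHA-256 is recovered from a short
    candidate list; HMAC is not, unless the attacker also holds the key."""
    victim = "alice@example.org"
    return {
        "sha256_recovered": dictionary_attack(naive_pseudonym(victim), SAMPLE_EMAILS) == victim,
        "hmac_recovered_without_key": dictionary_attack(keyed_pseudonym(victim, key), SAMPLE_EMAILS) == victim,
        "hmac_recovered_with_key": dictionary_attack(keyed_pseudonym(victim, key), SAMPLE_EMAILS, key) == victim,
    }


if __name__ == "__main__":
    demo_key = secrets.token_bytes(32)  # in production: fetched from a KMS, never stored with the data
    print(run_demo(demo_key))
    vault = TokenVault()
    token = vault.tokenize("Alice@Example.org")
    print(token, vault.resolve(token))
```

The practical difference is where the secret lives: with HMAC the key is the re-identification secret and must sit with a different team or system than the dataset; with tokenisation the vault is. Either way the researcher’s copy of the data is still personal data under the GDPR, so access control and purpose limitation apply to it as well.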

Why Compliance Matters: Higher PECR fines and the complaints duty add legal exposure, while the relaxed transfer, research and ADM rules are opportunities if managed correctly. Our compliance audits can secure your data transfers, implement pseudonymisation, and ensure transparent ADM to mitigate risks and drive innovation.

3. 🇪🇺 EU GDPR Amendment Proposal: Relief for Smaller Businesses

What’s New? On July 9, 2025, the European Data Protection Board (EDPB) and the European Data Protection Supervisor (EDPS) issued a joint opinion broadly supporting a proposed GDPR amendment that would simplify record-keeping under Article 30(5). The amendment is part of the Commission’s fourth simplification (“Omnibus IV”) package proposed in May 2025 and is now before the European Parliament and the Council.

Technical Breakdown:

  • Expanded Exemption: The proposal exempts organizations with fewer than 750 employees (up from 250) from maintaining records of processing activities (data categories, purposes, recipients, retention), except where the processing is likely to result in a high risk, such as large-scale profiling or processing of health data. All other GDPR obligations (data subject rights, security, breach notification) remain.
  • Technical Implementation: Exempted businesses can reduce formal documentation but should keep an internal data inventory, because accountability (Article 5(2)) still requires them to demonstrate compliance, and a DPIA, a breach notification or a subject access request cannot be answered without knowing where the data is. Organizations that stay in scope need tooling that tracks processing activities, whether a governance platform (e.g., OneTrust or DataGuard) or a maintained register, to support Articles 5 (principles) and 25 (data protection by design).
  • Risk Assessment: Whether processing is “likely to result in a high risk” is judged against the Article 35 criteria and the EDPB/WP29 DPIA guidelines (e.g., large-scale processing, special category data, systematic monitoring, innovative technology), not by headcount. Where the answer is yes, a DPIA under Article 35 with risk scoring and mitigation plans is required, and the Article 30 record stays mandatory.

Why Compliance Matters: This offers SMEs relief but keeps strict rules for high-risk activities. Our GDPR experts can assess your risk profile, streamline documentation, and implement DPIAs to ensure compliance without excess burden.

4. 🇦🇺 Australia’s Privacy Act 2024: Tougher Rules, Higher Stakes

What’s New? The Privacy and Other Legislation Amendment Act 2024, which received Royal Assent on December 10, 2024, reforms Australia’s Privacy Act 1988, implementing 23 of the 25 proposals agreed from the 2023 Privacy Act Review. Key provisions, like the statutory tort, took effect on June 10, 2025; others, like the ADM transparency rules and the Children’s Online Privacy Code, have a December 2026 deadline.

Technical Breakdown:

  • Statutory Tort: Since June 10, 2025, individuals can sue for serious invasions of privacy (intrusion upon seclusion or misuse of information) where the invasion is intentional or reckless and the public interest in privacy outweighs countervailing interests. Organizations need intrusion detection and searchable audit logs (e.g., Splunk or the ELK Stack) that record who accessed which personal information and when, supporting APP 11 (security) and APP 12 (access) and giving you evidence if a claim is made.
  • Increased Penalties: The 2024 Act adds a mid-tier civil penalty for interferences with privacy that are not “serious” and a low-tier penalty, enforceable by infringement notice, for administrative breaches such as a non-compliant privacy policy. These sit below the top-tier maximum of AUD 50 million, three times the benefit obtained, or 30% of adjusted turnover introduced in 2022, and mean the OAIC can now act on smaller failures. An ISO 27001-aligned security program, encryption in transit (TLS 1.3) and at rest, and MFA on access to personal information are the baseline expected under APP 11.
  • Automated Decision-Making (ADM): From December 10, 2026, privacy policies must disclose the kinds of personal information used in, and the kinds of decisions made by, computer programs that make or substantially assist decisions that significantly affect individuals (APP 1, openness). This needs an inventory of ADM systems and per-decision logging of inputs and outputs so the disclosure stays accurate; post-hoc explanation methods (e.g., LIME or SHAP) help a reviewer but are not themselves the disclosure.
  • Children’s Online Privacy Code: The OAIC must register a Children’s Online Privacy Code by December 10, 2026, covering social media and other online services likely to be accessed by children. Its detailed content is still being developed but is expected to address age-appropriate notices and consent. Businesses should plan for consent records (who consented, when, to which notice version) and for age assurance (vendors such as Yoti or Veriff exist), keeping age-assurance data separate from the main profile and deleting it once the age attribute is established.

Why Compliance Matters: With hefty penalties and legal risks, proactive compliance is essential. Our team can implement security frameworks, transparent ADM systems, and child-focused privacy solutions to keep you compliant and trusted.

5. 🇦🇪 Dubai (DIFC) Data Protection Amendments: Global Alignment

What’s New? On July 8, 2025, the Dubai International Financial Centre (DIFC) amended its Data Protection Law (No. 5 of 2020) via DIFC Laws Amendment Law No. 1 of 2025, effective July 15, 2025, following a February 2025 consultation.

Technical Breakdown:

  • Private Right of Action: Data subjects can sue in the DIFC Courts for material or non-material damage (e.g., distress after a breach). Organizations need incident response and breach-notification procedures, plus data loss prevention controls (e.g., DLP tooling) to reduce both the likelihood of a breach and the harm a claimant can point to.
  • Extraterritorial Scope: Article 6 applies to entities processing the personal data of DIFC data subjects, even if they are based outside the Centre. Businesses must map data flows (e.g., using Collibra) and put in place transfer mechanisms such as the DIFC Standard Contractual Clauses (SCCs) or Binding Corporate Rules (BCRs).
  • Data Sharing Rules: Article 28 clarifies the criteria for sharing and third-country transfers. A transfer needs a recognised basis (adequacy, the DIFC SCCs or BCRs) plus technical safeguards such as encryption in transit and at rest (TLS, AES-256) and Data Processing Agreements (DPAs) with clear liability clauses.
  • Penalties: Fines up to US$50,000 for failing to carry out Data Protection Impact Assessments (DPIAs) and US$25,000 for missing annual notifications. Compliance tooling (e.g., OneTrust) helps track DPIAs and the annual notification due through the DIFC portal, but the obligation is yours regardless of tooling.

Why Compliance Matters: DIFC’s GDPR-like standards demand robust compliance to avoid fines and lawsuits. We can help you map data flows, conduct DPIAs, and secure transfers to meet these requirements.

6. 🇦🇪 Dubai’s Additional Data Protection Amendments: Empowering Individuals

What’s New? On July 17, 2025, Dubai announced further amendments to its data protection law, reinforcing DIFC’s framework and strengthening individual rights.

Technical Breakdown:

  • Private Right of Action: Individuals can sue for breaches, so organizations need real-time monitoring (e.g., a SIEM such as Splunk) and encryption in transit and at rest (e.g., TLS 1.3, AES-256) to reduce both the likelihood of a breach and the damage a claimant can point to.
  • Extraterritorial Scope: The law applies to entities processing Dubai residents’ data, regardless of where they are based. Businesses need a data flow audit (data mapping or governance tooling, e.g., Collibra) and transfer mechanisms such as SCCs or BCRs.
  • Data Sharing Rules: Updated standards require technical safeguards (e.g., TLS 1.3 for data in transit) and contractual terms (e.g., DPAs) aligned with GDPR-style standards.

Why Compliance Matters: Dubai’s global alignment increases scrutiny on data handlers. Our experts can audit your data flows and implement secure transfer protocols to ensure compliance and trust.

Compliance: Your Key to Trust and Success

These new regulations aren’t just about avoiding fines—they’re about earning customer trust, protecting your reputation, and staying competitive in a data-driven world. From the EU’s focus on kids’ safety to Australia’s hefty penalties and Dubai’s global standards, the technical demands—age verification, encryption, DPIAs, and transparent AI—are complex but critical.

At Privacy Evolved, we make compliance simple. Our audits, risk assessments, and tailored programs ensure you meet these global standards while focusing on your business goals. Whether you’re a global platform or a local SME, we’re here to help you navigate this new landscape.

Let’s Connect: Which regulation is your biggest challenge? Drop a comment or DM us to discuss how we can turn compliance into your biggest advantage! Visit www.privacyevolved.com

#Privacy #DataProtection #Compliance #GDPR #GlobalRegulations

Privacy Evolved LLC

Privacy Redefined: Expert Guidance for Global Compliance