Against the backdrop of privacy in 2025, we’re noting important data protection/privacy developments globally, including new privacy laws coming into force, revisions to existing regimes and the potential for more class actions following a recent ruling in the EU.
US: New State Privacy Laws Keep Coming
Absent the certainty and standardisation a future comprehensive US federal privacy law might bring, state laws continue to rapidly proliferate in 2025.
Already this year we have seen comprehensive privacy laws enter into force for Delaware, Iowa, Nebraska, and New Hampshire (on 1 Jan) and New Jersey (on 15 Jan). By the end of 2025, new comprehensive state privacy laws will also have gone into effect in Tennessee, Maryland, and Minnesota, bringing the total in effect to 19 (and that’s not counting Florida’s more limited Digital Bill of Rights) and an estimated coverage by these laws of 43 percent of the US population. More state privacy laws are scheduled to be enacted in 2026, too.
While reflecting an admirable commitment to privacy rights by state legislatures, this patchwork of laws can be immensely challenging for organisations due to the often divergent requirements (and frames of reference) of these laws – not to mention, states also legislating in specific areas such as health/consumer health data and AI. Washington’s My Health My Data Act (MHMDA) is a case in point. Organisations dealing with consumer health data will also want to keep a close eye on New York Health Information Privacy Act (New York HIPA), which passed the State legislature on 22 Jan and is headed for the New York governor’s signature. The New York law could prove even more restrictive than MHMDA.
EU: US Data Transfer Case Could Open the Floodgates for Class Actions
On 8 January 2025, the European General Court (which hears cases brought against the EU institutions) awarded a plaintiff €400 in damages after their data was transferred to the US via an EU Commission website in the transition period between the demise of the EU-US Privacy Shield and the go-live of the EU-US Data Protection Framework, meaning that the transfer therefore did not have adequate protections. While only representing a nominal sum, it is no great leap to see that the ruling might have significant ramifications in setting the course for future class actions.
The General Court’s ruling gave credence to the concept of ‘intrinsic harm,’ as opposed to material damages, and both lawyers and activists are likely to now smell an opportunity – particularly since Max Schrems’ NOYB (None of Your Business) group was recently granted leave to bring collective redress actions in both Ireland and Austria. (Max Schrems is the firebrand privacy activist who is responsible for the invalidation of the US Privacy Shield transfer mechanism on the basis that US surveillance laws were not compatible with EU data protection standards. This is known as the Schrems II case, following the defeat of the Safe Harbor framework in Schrems I.)
There are already potential threats to the EU-US Data Privacy Framework (DPF) in play — including recent actions taken by US President Trump that may impact support mechanisms of the DPF, along with NOYB’s longstanding commitment to challenging the European Commission’s adequacy decision in the courts — and we might brace ourselves for a Schrems III case in the not-too-distant future.
Organisations should always have a thorough understanding of the robustness of their data transfer mechanisms internationally, right across their data custody chains. Mapping these is a core element of Datavant Privacy Solutions expertise. Threats to the DPF could bring US transfers right back to centre stage, and organisations will need to react quickly to any changes to international transfer requirements.
UK: Industry, researchers (and government) eagerly eye GDPR reforms
The UK has gone through extensive travails in attempting to reform its data protection regulations, UK GDPR being on the statute books as retained EU legislation. Industry (and in particular the research community) now eagerly awaits further progress for the Data Use and Access Bill (DUAB), which is sitting with the House of Lords (Parliament’s upper chamber) in the committee stage at which detailed scrutiny of a bill takes place.
A key aim of the DUAB’s reforms is the facilitation of data sharing for research purposes, particularly where special category data is concerned. It would give the Secretary of State powers over the use of this information, as well as grant researchers the right to seek broad consent from individuals so that their data might be used for scientific enquiry in ways perhaps unforeseen at the point of data collection. The DUAB would also broaden the legal basis for the use of technology based on automated decision-making in a bid to boost AI development in the UK (although still preserving individuals’ right to challenge automated decisions made about them).
Now eager for growth amid a stalling economy, it is easy to see why the fairly recently installed Labour government would want to liberalise its data protection regime to fuel investment. However, it will need to tread a careful path to maintain equivalency with the EU. The European Commission will review the UK's regime in summer 2025 to maintain its 'adequate' status, to ensure that data transfers from Europe to the UK continue on an unrestricted basis.
Rest of the World: Ongoing Evolution of Privacy Laws, Particularly in the Face of AI
The data protection landscape is dynamic globally, to say the least, with countries all around the world busily unveiling and amending their privacy laws on a constant basis – particularly to take account of AI-enabled technologies. Here are just a handful of key developments:
- India’s Digital Personal Data Protection (Act) Rules, 2025, which dictate the operationalisation of the rules set forth in its 2023 Digital Personal Data Protection Act, are expected to be finalised soon after public consultation ends on 18 February 2025
- We can soon expect enforcement actions for Australia’s Privacy and Other Legislation Amendment Bill 2024, which largely passed immediately into effect in November upon royal assent. The creation of a statutory tort for serious privacy invasion is one very noteworthy development.
- Also passed in November 2024 and now in effect is Peru’s Regulation of Law No. 29733, the Data Protection Law, which significantly enhances data protection in the country to align with global standards.
Maximize the Value of Health Data without Compromising on Privacy
While this piece highlights only a small selection of the global privacy and health data developments ogoing, it’s clear that staying ahead in today’s data privacy environment is critical to success. The most future-ready organizations are designing adaptable, principle-based privacy frameworks that can evolve alongside regulations.
Datavant’s International Privacy Solutions team offers a full suite of end-to-end privacy governance solutions across sectors, with specialty in enabling life sciences companies, clinical research organisations, and their partners achieve compliance confidence in all their research efforts.
Our expert team prepares customers for what’s next and maximize the value of health data with a privacy-first approach.
This article should not be taken as legal advice.
.svg)
