Privacy and Compliance

Top 5 Data Protection Trends to Watch in 2025

January 3, 2025

Wendy Spires, Privacy Lead, European Privacy Solutions at Datavant, sets out five key data protection trends to watch for over the course of 2025, with particular focus on developments in sensitive data use, anonymity and Artificial Intelligence.


1. From data subjects to data sovereigns

The term “data subject” is often lamented by those in the privacy space due to the tendency for the word “subject” to connote subservience or a loss of control (data subject meaning, of course, an individual whose data is being collected and used). While the term may persist since it is entrenched in the actual wording of regulations, 2025 will mark a further shift towards the notion that the data subject is, or very much should be, sovereign over their own information.

As individuals continue to wake up to their data protection rights through observing regulatory action, legal cases and the growth of privacy-conscious technologies, we can expect growing pressure on organisations to be maximally open and transparent about their data processing activities. We are also likely to see more emphasis on fair value exchange when it comes to data use (and re-use). Zero-party data exchange platforms, where individuals voluntarily and proactively share their data with a business, are shaping up to be a key part of modern marketing strategies in what many now see as the post-cookie era.

Relatedly, but far more important for society, is the rise of the ‘data donor’ concept. In a health context, for instance, individuals might choose to donate their medical records, wearables readings and even genetic data for research purposes. Naturally, securing and sustaining such altruism is going to call for immaculate compliance practices from the organisations wishing to benefit. The 2024 Edelman Trust Barometer found that health sector companies had a trust rating of just 73%, highlighting the opportunity for organisations placing trust by design at the centre of all they do.

2. Stronger enforcement, even bigger fines

Data Protection Authorities have been stepping up their enforcement efforts year on year throughout the 2020s, and the midpoint of the decade is set to both continue this trend and open up new frontiers in regulatory oversight. 

In the European Union alone, the CMS GDPR Enforcement Tracker Report for 2024 recorded a total of 2,086 fines amounting to €4.48 billion for 2024, up by 510 cases/€1.71 billion when compared to 2023. As many big tech companies are located in Ireland for its low tax rates, its Data Protection Commission has led the charge with headline-grabbing fines in the hundreds of millions (its average fine being a massive €110 million). However, a look down the enforcement league table shows few countries proving to be slouches. The Spanish Data Protection Authority’s average levy may be only €96,000, but it topped the charts in numbers by meting out a huge 802 fines for the year.

Whether DPAs tend towards higher fine volumes or values, organisations will know that successful regulatory enforcement actions are a force multiplier as supervisory authorities become better resourced and public awareness of data protection rights and requirements grows. This compounding effect may be even more pronounced in jurisdictions like the US states which allow for private rights of action. Class action and state lawsuits related to data privacy can also be expected to gather greater pace given the truly gargantuan settlements recently seen. In 2021 Meta paid $650 million to settle class action claims it had violated the Illinois Biometric Information Privacy Act (BIPA) by using facial-recognition technology without consent, only to go on to pay $1.4 billion to the State of Texas in 2024 over claims it had processed the biometric identifiers of millions of Texans without consent.

3. Right to be forgotten will come to the fore

The European Data Protection Board (EDPB) has selected the implementation of the right to erasure ("the right to be forgotten") by data controllers as its fourth Co-ordinated Enforcement Action (CEF), planning to launch early in 2025 a study of how the right is implemented in practice across the EU. 

The GDPR Art. 17 right to be forgotten is one of the most frequently exercised data protection rights and the one about which national regulators most frequently receive complaints, the EDPB says. The CEF will no doubt lead to increased scrutiny and enforcement actions related to inadequate handling of deletion requests. More discussion about how this right intersects with an explosion in the use of Artificial Intelligence can also be expected to ensue. 

The right to be forgotten presents several significant challenges for AI systems, particularly around model retraining. It may be a serious technical challenge for organisations to locate and remove individuals’ data from complex and opaque AI systems in the first instance; then, data depletion has the potential to degrade the accuracy and performance of models, with the introduction of biases being a particular concern. Further complicating matters is the fact that many of the most socially useful AI systems will focus on special category or sensitive data, such as for health or finance. For companies like Datavant focusing on high-value, high-risk data, these are going to be busy times!

4. Greater debate around data anonymisation 

Anonymisation standards and techniques have always been high on the data protection agenda, as a risk mitigation measure if not a means to take certain processing activities out of the scope of regulations like the EU/UK GDPR altogether.  The meteoric rise of AI systems, and big data analysis generally, will ensure even greater debate around anonymisation in 2025 and beyond. 

The interplay between AI and data anonymisation is going to be particularly difficult for organisations to unpick without expert guidance. On the one hand, if organisations are able to meet the standard for anonymisation in their relevant jurisdictions they may be able to unlock greater potential for AI training and development from their datasets, heading off concerns about deletion requests, data retention and re-use and so on. However, at the same time, they will also need to take account of AI-powered methods for re-identification emerging as a risk.

Even aside from the AI angle, anonymisation is one of the most fiendishly complex areas of data protection and we can expect a flurry of legal challenges and rulings in 2025 on this topic. The European Data Protection Board recently said that for an AI model to be considered anonymous, the likelihood of extracting personal data from model outputs must be "insignificant"; by necessity, that determination has to be made (and evidenced) contextually on a case-by-case basis.  

5. Gearing up for real AI governance, globally

Europe may once again be leading in regulation with the EU AI Act, but authorities all around the world are legislating in this area at a furious pace. Rule-makers at the US state level are busy, and in the UK guidance and rules are being issued at pace by sector bodies ranging from the Financial Conduct Authority to Ofcom. If they have not already done so, organisations need to see 2025 as the year to get a real grip on AI governance issues.

No organisation, whether in the private or public sector, can afford to fall behind in AI adoption, but nor can they afford to fall afoul of regulatory scrutiny over which models they deploy and how. The potential fines at stake may be just as great as those for data protection infractions, and it could well be the case that those making missteps in AI could offend against a number of regulations simultaneously. And, if the data is particularly sensitive, or the data subjects concerned may be considered vulnerable, poor AI governance could plunge organisations into immense regulatory pain.

Responsible innovation in AI will be a key theme for the year, with organisations facing the tricky task of keeping on top of both lightning-speed technological developments and an increasingly dynamic regulatory ecosystem.

The takeaway is that there is a lot to keep abreast of on the data protection front as 2025 gets underway (and looking beyond). The dynamic regulatory environment will present challenges, but opportunities abound for organisations to wring maximum value from the data they have - and to secure more - through transparent and risk-conscious practices. Please book your free consultancy call to discuss developments relevant to the projects and countries you have under consideration.

Datavant’s European Privacy Solutions team offers a full suite of end-to-end privacy governance solutions across sectors, with a particular specialism in helping life sciences companies, clinical research organisations and their partners achieve compliance confidence in all their research efforts. Read our case studies to see how we have helped organisations maximise the value of health data, including with the UK’s National Health Service, or get in touch to discuss which strands of our consultancy and wider data logistics offering could best facilitate your projects.

This article should not be taken as legal advice.
