Global Data Protection Compliance FY26/01

A Quarterly Roundup of Key Developments Across Regions
April 10, 2026
Written by Agnieszka Hinz

Data protection developments this quarter reflect growing regulatory attention to AI, cybersecurity, cross-border data flows, and the protection of vulnerable individuals online. In this edition of Global Data Protection Compliance FY26/01, we highlight how authorities across the EU, Poland, the Netherlands, Spain, Mexico, India, and Brazil are addressing both long-standing compliance challenges and new risks linked to emerging technologies. Across these jurisdictions, the updates point to a broader push for stronger safeguards, clearer legal frameworks, and greater accountability in an increasingly data-driven environment.

Key developments by region:

  • Data protection in the EU - Integration of data protection into broader digital regulation (AI, cybersecurity) with stronger safeguards for fundamental rights; ongoing gaps in GDPR implementation, especially on the right to erasure.
  • Data protection in Poland - Focus on closing gaps between GDPR and national law, including DPO independence and telecom data retention; growing concern over AI and deepfake risks requiring additional legislation.
  • Data protection in The Netherlands - Emphasis on systemic risks from AI, surveillance, and large-scale data use; AI agents seen as security threats, with strong focus on effectiveness and proportionality of data-driven policies.
  • Data protection in Spain - Focus on AI risks, especially images and deepfakes, highlighting both “visible” harms and “invisible” risks like data reuse and loss of control.
  • Data protection in Mexico - Major reform of data protection law underway, integrating AI and cybersecurity; new data access rules raise concerns about expanded government access and safeguards.
  • Data protection in India - Transition to implementation of the DPDP framework with strict timelines toward full enforcement by 2027, driving immediate operational compliance.
  • Data protection in Brazil - Strengthening global alignment via EU adequacy while prioritising children’s data protection, including age verification and platform obligations.

Data protection in the EU

  • EDPB and EDPS support streamlining AI Act implementation but call for stronger safeguards to protect fundamental rights

The European Data Protection Board (EDPB) and the European Data Protection Supervisor (EDPS) have adopted a Joint Opinion on the European Commission’s Proposal for the ‘Digital Omnibus on AI’. The Proposal seeks to simplify the implementation of certain harmonised rules under the AI Act to ensure their effective application.

The EDPB and the EDPS support the objective of addressing practical challenges relating to the implementation of the AI Act. Administrative simplification must not, however, lower the protection of fundamental rights. The Joint Opinion acknowledges the complexity of the AI landscape and welcomes efforts to ease burdens for organisations. However, certain proposed changes could undermine the protection of individuals in the context of AI. 

The Proposal would extend the possibility to process special categories of personal data (such as ethnicity or health data) for bias detection and correction to providers and deployers of any AI systems and models, subject to appropriate safeguards. The EDPB and the EDPS recommend specifying that these data may be used for bias detection and correction only in circumscribed situations where the risk of adverse effects from such bias is considered sufficiently serious.

The EDPB and the EDPS advise against the proposed deletion of the obligation to register AI systems, when they fall under the categories listed as high-risk, even if the providers deem their systems to be ‘non-high risk’. The EDPB and the EDPS consider that this change would significantly undermine accountability and create an undesirable incentive for providers to unduly claim exemptions to avoid public scrutiny.

The EDPB and the EDPS welcome the creation of EU-level AI regulatory sandboxes to promote innovation. To ensure legal certainty, the Joint Opinion recommends the direct involvement of competent Data Protection Authorities (DPAs) in the supervision of data processing within sandboxes. In addition, the EDPB should be afforded an advisory role and the status of observer at the European Artificial Intelligence Board to ensure consistency in relation to EU-level sandboxes. Furthermore, the supervisory role of the AI Office with regard to AI systems based on a general-purpose AI model should be clearly delineated in the operative part and should not overlap with the independent supervision by the EDPS of AI systems developed or used by Union institutions, bodies, offices or agencies.

  • Data Protection Day 2026: keeping children’s personal data safe online

Every day, the European Data Protection Authorities (DPAs) that make up the EDPB work together to ensure the protection of individuals’ personal data. When it comes to children's data, extra vigilance is essential, particularly in today's fast-evolving digital environment where new risks emerge constantly.

Children are more at risk online than adults because they do not easily recognise dangers, tend to trust strangers too much, and may share personal data without realising. The apps they use often collect their data and, without adequate protections, they can be exposed to harmful content. These risks can follow them throughout their lives, affecting their privacy and leaving long-term digital footprints that are difficult to erase.

https://www.edpb.europa.eu/news/news/2026/data-protection-day-2026-keeping-childrens-personal-data-safe-online_en

  • Making GDPR compliance easier through new initiatives: a key focus of the EDPB work programme 2026-2027

The EDPB has recently adopted its work programme for 2026-2027, which is grounded in the four pillars of the EDPB strategy 2024-2027.

The work programme is based on the priorities set out in the EDPB strategy and it also takes into account the commitments made in the Helsinki Statement on enhanced clarity, support and engagement aimed at making GDPR compliance easier, strengthening consistency, and boosting cross-regulatory cooperation.

Easing compliance is at the top of the EDPB agenda

The work programme reaffirms the commitment of the EDPB to simplifying GDPR compliance for organisations, which includes the development of a series of ready-to-use templates for organisations. Following the public consultation on this, the EDPB decided to develop templates for legitimate interest assessment, record of processing activities and privacy notice/policy in addition to the already announced templates for data breach notifications and data protection impact assessment.

  • EDPB identifies challenges hindering the full implementation of the right to erasure

The European Data Protection Board (EDPB) has adopted a report on its Coordinated Enforcement Framework (CEF) action on the right to be forgotten (Art. 17 GDPR). The Board selected this topic as it is one of the most frequently exercised GDPR rights and one about which DPAs frequently receive complaints from individuals.

The main objectives of this coordinated action are to ensure that the right to erasure is effectively exercised by individuals in Europe and understand how controllers comply with this right in practice. In addition, the EDPB identified good practices and the most important related challenges, with the aim of providing further guidance on this topic. 

Throughout 2025, 32 DPAs across Europe took part in this initiative. More specifically, 9 DPAs have initiated new formal investigations or have continued ongoing ones, and 23 DPAs carried out a fact-finding exercise. A total of 764 controllers across Europe responded to the action, ranging from small and medium-sized enterprises (SMEs) to big companies active in many different industries and fields, as well as various types of public entities.

The results of these national actions have been aggregated and analysed together, allowing for targeted follow-up at both national and EU level.

  • EDPB and EDPS support strengthening EU’s cybersecurity and easing compliance while protecting individuals’ personal data

The European Data Protection Board (EDPB) and the European Data Protection Supervisor (EDPS) have adopted a Joint Opinion on the European Commission’s proposal for a Cybersecurity Act 2 (CSA2) and the proposal on amendments to the Network and Information Security 2 (NIS2) Directive.

On 20 January 2026, the Commission published a cybersecurity package proposal to further strengthen cybersecurity in Europe while making compliance with cybersecurity laws easier for organisations. In their joint opinion, issued at the request of the Commission*, the EDPB and the EDPS address the proposed revision of the CSA and the targeted amendments to the NIS2 Directive.

Data protection in Poland

  • Rules on termination of employment with a DPO need to be clarified

The President of the Personal Data Protection Office states the need to introduce into the Polish legal system provisions that would directly define specific measures to protect a DPO against dismissal for the performance of his/her tasks. This would implement one of the guarantees of the independence of a DPO in the provisions of the GDPR, which is the durability of a DPO’s employment basis.

The case before the Court concerned whether Data Protection Officers could be dismissed for reasons unrelated to the performance of their tasks. Rainer Silbernagl has filed a lawsuit against the University of Liechtenstein, seeking a declaration as to whether his employment relationship as Data Protection Officer remains in force.

The Polish legislation, unlike that of the Principality of Liechtenstein, does not provide for more precise legal provisions directly relating to the DPO, notes the President of the Personal Data Protection Office. The only regulations in this area are included in the GDPR. However, it follows from the Court’s judgment that national legislation may give concrete expression to the circumstances in which the employment relationship with the DPO may be terminated.

According to the Court, this is possible:

  • without requiring just cause, provided that the termination is not due to the data protection officer performing his tasks;
  • or with just cause, provided that such legislation does not undermine the achievement of the objectives of that regulation.

  • How do organizations use artificial intelligence, and what needs do they have in relation to it?

The Personal Data Protection Office presents the “Strategic Report – Study of Organizational Needs in the Field of Artificial Intelligence Use and Personal Data Protection,” prepared by the Working Group on Artificial Intelligence established within the Social Expert Team to the President of the Personal Data Protection Office (UODO). The report was developed on the basis of the results of a nationwide survey concerning the needs of institutions and organizations in the area of artificial intelligence use, as well as group interviews conducted with seven umbrella organizations representing the private sector.

The study provides the first comprehensive overview in Poland of the readiness of public and private institutions to responsibly implement artificial intelligence in compliance with the GDPR and the AI Act. It shows, among other things, that 17% of the organizations participating in the study are already using artificial intelligence. The remaining entities either do not use such solutions at all, or are at the testing stage, or are planning their implementation.

  • Work on implementing regulations to protect citizens from deepfakes should be reopened

According to Mirosław Wróblewski, President of the Personal Data Protection Office, the solutions proposed by the Ministry of Digitisation regarding deepfakes are a step in the right direction, but they do not provide full protection. It is worth doing more—as other countries are doing.

The President of the Personal Data Protection Office responded to a letter from Dariusz Standerski, Secretary of State at the Ministry of Digitisation. That letter was itself a response to the President of the Personal Data Protection Office’s statement on the need to introduce solutions aimed at effective protection against the negative impact of deepfakes. In the opinion of the President of the Personal Data Protection Office, the current legal order of the European Union, whose framework is defined, among others, by regulations such as the Artificial Intelligence Act (AI Act) and the Digital Services Act (DSA), together with national regulations such as the Civil Code, the Criminal Code, and copyright law, provides only a selective and insufficient response to the multifaceted threats posed by deepfake technology. However, this can be changed. One opportunity to improve the situation is to resume work on the regulations implementing the DSA, following the recent veto by the President of Poland.

The President of the Personal Data Protection Office notes that the vetoed bill did not contain any provisions directly related to counteracting deepfakes. Now, this issue can be addressed even more effectively, possible solutions can be analysed, and a more coherent legal framework can be developed to provide effective protection against this technology and its effects.

  • An inspection by the President of the Personal Data Protection Office is not equivalent to a fine

The purpose of inspections conducted by the Personal Data Protection Office at public authorities obliged to publish information in the Public Information Bulletin (BIP) is to improve the quality of personal data protection.

Recently, media reports have suggested that the sectoral inspections planned by the President of the Personal Data Protection Office, which this year will cover entities operating the Public Information Bulletin, may result in high administrative fines and undermine the transparency of the activities of local government authorities.

The obligation to anonymise documents published in the BIP is nothing new. In the past, the Personal Data Protection Office has already inspected BIPs in local government units. Those inspections showed that excessive, outdated, and sometimes inaccurate data were often disclosed in the BIP, which had a negative impact on the individuals concerned.

As a result of those inspections, the approach to protecting data processed in the BIP changed. Many local governments developed and implemented appropriate data protection policies and began conducting systematic reviews. The actions of the Personal Data Protection Office made many entities aware, among other things, that asset declarations do not have to be stored in BIPs indefinitely.

  • The retention of telecommunications data must be brought into line with EU standards

Mirosław Wróblewski, President of the Personal Data Protection Office, presented a significant opinion regarding the data retention obligations of mobile network operators. The supervisory authority highlighted the issue of the incompatibility of national regulations on the retention of telecommunications data with the Polish Constitution and European Union law. The opinion, presented in case no. I C 1281/25, is intended to assist the court in interpreting and applying data protection regulations in the context of the obligation to retain telecommunications data.

The case concerns the retention of data stored by mobile network operators. Operators collect traffic and location data, such as phone numbers, SIM card and device identifiers, IP addresses, dates, times of calls, call durations, and other information. In the opinion of the President of the Personal Data Protection Office, this constitutes personal data because, when combined with other data, it allows for the identification of a specific individual. Traffic and location data, when analysed over a longer period, allow for the reconstruction of a detailed picture of a user’s activity—including their daily behaviors, social relationships, and lifestyle.

  • The President of the Personal Data Protection Office intervenes regarding body-worn cameras used by ticket inspectors

The President of the Personal Data Protection Office, Mirosław Wróblewski, has written to the Minister of Infrastructure, Dariusz Klimczak, requesting that action be taken to ensure the effective application of personal data protection regulations in relation to the use of body-worn cameras by ticket inspectors.

Currently, the provisions of generally applicable law do not contain any rules regulating this matter. Meanwhile, surveillance using devices that record sound or images is an intrusive form of personal data processing and poses a threat to the rights and freedoms of individuals.

In the opinion of the President of the Personal Data Protection Office, the provisions of the Transport Law and the Act on Public Passenger Transport do not contain legal provisions that could be regarded as a comprehensive legal basis, compliant with the requirements of the GDPR, for the processing of personal data using devices employed during ticket or travel document checks. Meanwhile, the provisions of the GDPR require a clearly defined legal basis for processing that is consistent with the constitutional order, covering in particular the purpose of the processing of personal data.

In response to a letter sent by the President of the Personal Data Protection Office, the Ministry of Infrastructure concurred with the supervisory authority’s position and acknowledged that neither the Transport Law nor the Act on Public Passenger Transport grants the carrier, organisers or persons authorised by them the right to use body-worn cameras when checking passenger and luggage transport documents.

In view of the questions and needs of public transport organisers, the President of the Personal Data Protection Office declares a willingness to cooperate with the Ministry of Infrastructure in this regard.

Data protection in The Netherlands

  • AP: implementation of anti-money laundering law only responsible with demonstrable effectiveness and privacy protection

The Dutch Data Protection Authority (AP) has raised critical concerns regarding a legislative proposal for the Dutch implementation of new European anti-money laundering rules. The proposal concerns the introduction of new European rules against money laundering and terrorist financing in the Netherlands. Although the legislation offers many opportunities to improve the fight against financial crime, the new rules also lead to the collection and sharing of more sensitive personal data and to a far-reaching expansion of powers. Therefore, the AP advocates for a mandatory evaluation and sufficient safeguards.

  • AP: data breaches caused by the misuse of personal data at municipalities often remain under the radar

Municipalities find it difficult to detect the misuse of personal data by their own civil servants. This concerns, for example, civil servants providing information to criminals under pressure. This type of data breach usually only comes to light when the National Criminal Investigation Department or a resident alerts the municipality. Municipalities that do discover the misuse often fail to report such a data breach to the Dutch Data Protection Authority (AP), even though they are required to do so.

  • The AP in 2026: focus on mass surveillance, AI and digital resilience

The Dutch Data Protection Authority (AP) is focusing on three priorities for the period 2026–2028: mass surveillance, artificial intelligence (AI), and digital resilience. With these priorities, the AP aims to protect people even better in an increasingly digital world. The 2026 annual plan outlines the steps the AP will take this year within these priorities.

In 2026, the AP focuses, among other things, on preventing discrimination in combating mass surveillance. The AP does this, for example, by discouraging the widespread use of surveillance techniques and, where necessary, limiting them. There is also extra attention for the security domain and the balance between freedom and security within it.

  • AP warns of major security risks with AI agents such as OpenClaw

The Dutch Data Protection Authority (AP) warns users and organizations against the use of OpenClaw and similar experimental systems. The reason for this is the rapid pace at which OpenClaw has become popular. These types of open-source systems often fail to meet basic security requirements. The use of such experimental AI agents entails significant risks, such as data breaches and account takeovers.

  • International research: many apps and websites need to do more to protect children's privacy

Providers of apps and websites can do more to better protect children's online privacy. This is the conclusion of an international study (a 'sweep') by the Global Privacy Enforcement Network (GPEN), in which the Dutch Data Protection Authority (AP) also participated.

Regulators from 27 countries jointly investigated nearly 900 apps and websites used by children. This included apps and websites designed specifically for children, as well as apps and websites frequently visited by children.

Data protection in Spain

  • The Spanish Data Protection Agency (AEPD) warns about the visible and invisible risks of using third-party images in artificial intelligence systems.

The Spanish Data Protection Agency (AEPD) has published an information note analysing the implications of using third-party images in artificial intelligence systems and the risks involved even in seemingly trivial or playful contexts.

The first section of the report focuses on the visible impact of generating and disseminating images of third parties using AI. The document pays particular attention to high-risk situations, such as sexualization and synthetic intimate content, the attribution of false events with reputational effects, the decontextualization of images, and the use of content that affects minors or people in particularly vulnerable situations.

The second section addresses less visible risks, those that arise simply from uploading an image or video to an AI system, even if the result is not published. Among these, the Agency highlights the effective loss of control over the image due to the involvement of a third-party technology provider, the retention and existence of hidden copies, the involvement of multiple actors, the generation of metadata, and the risk of persistent identification in systems capable of reusing a person's features across multiple pieces of content.

Finally, the note identifies situations that are of particular relevance to the AEPD, clarifying the limits of data protection regulations, for example, in personal or domestic settings where there is no dissemination beyond that environment.

The Agency pays particular attention to cases where the use of third-party images or videos through artificial intelligence systems significantly increases the risks to the affected individual. This occurs, in particular, when there is an effective loss of control over one's own image, when plausible content is generated that may attribute to the person actions or behaviors that did not occur, when minors or especially vulnerable individuals are involved, when elements of sexualization, humiliation, or discrediting are introduced, or when the content is disseminated in environments where the personal, social, or professional impact could be particularly intense.

The Agency also adds that other fundamental rights, such as honor, privacy, and image rights, may be affected, and that other legal provisions, including the Criminal Code, may apply. In cases of clear evidence of a crime, action would fall to the police, the Public Prosecutor's Office, and, where appropriate, the courts, which are responsible for investigating and prosecuting these acts.

With this publication, the AEPD reinforces its preventive and awareness-raising work, offering citizens clear criteria to understand the scope of the risks associated with the use of images in AI systems, promoting responsible use that respects fundamental rights.

  • The Spanish Data Protection Agency (AEPD) publishes a ten-point guide with recommendations to protect privacy when using AI tools

The Spanish Data Protection Agency (AEPD) has published the ten principles ‘Be careful what you entrust to him’. The document aims to provide citizens with key information to promote the safe, responsible, and conscious use of artificial intelligence and foster a digital environment that respects fundamental human rights. Its publication coincides with the upcoming International Data Protection Day.

Nearly 63% of the Spanish population believes that artificial intelligence will experience significant development in the next ten years, according to a survey published last December by the Center for Sociological Research (CIS). The Agency is aware of AI's potential and its growing use by the public, and therefore considers it important to provide a set of tips to understand and prevent the risks to personal privacy posed by its misuse.

Among the recommendations, the Agency advises against sharing personal data with AI - full name, address, telephone number, ID/NIE, images of people - or sensitive or delicate information - medical, financial or contractual details, geolocation or stays in certain places - and urges describing a fictitious case to avoid providing details that allow identification for unwanted purposes.

  • The Spanish Data Protection Agency (AEPD) promotes the responsible use of AI with an initiative on deepfakes

The Spanish Data Protection Agency (AEPD) has launched the initiative ‘Deepfakes are no joke’ to raise awareness about the creation and dissemination of content generated using deepfake techniques.

Deepfakes are content generated using AI algorithms that can realistically replicate a person's voice, face, or gestures. This technology, which also has legitimate applications, can be misused to impersonate, humiliate, or discredit someone.

The initiative's centrepiece is an educational video that uses a practical example to demonstrate how AI can generate realistic audiovisual content from a simple photograph. The video presents a split-screen simulation and then explains that it is an AI-generated montage, created with the user's consent.

The president of the Spanish Data Protection Agency (AEPD), Lorenzo Cotino, stated that “artificial intelligence is a tool that can contribute to social progress, but its use must be accompanied by information and responsibility. Manipulating images of third parties with AI is not neutral, even in seemingly trivial contexts, and requires rigorous evaluation. This video is an invitation to reflect and act prudently in the digital environment.”

Data protection in Mexico

  • Lawmakers Propose AI Regulation Through Data Protection Law

A federal representative introduced a legislative initiative to reform the Federal Law on the Protection of Personal Data Held by Private Parties to regulate AI. The proposal establishes a mandatory framework for all individuals and corporations that develop, commercialize, or interact with these technologies in Mexico.

In recent years, the global landscape for AI governance has shifted toward stricter oversight. To date, 144 countries have implemented privacy regulations to manage the complexities of algorithmic processing. In Mexico, however, algorithms and machine learning models operate without specific limitations, which creates significant risks for data privacy and corporate accountability.

The Transparency and Anticorruption Commission reports that the lack of a clear legal framework exposes users to potential abuses regarding the final destination of their information. Because AI systems rely on massive volumes of personal data as their primary input, they have become primary targets for cyberattacks. The absence of specific rules in the Federal Law on the Protection of Personal Data Held by Private Parties (LFPDPPP) means that companies often operate under a patchwork of general guidelines that do not account for the unique capabilities of autonomous reasoning and automated decision-making.

Under the new definition, an AI System is a set of models and algorithms designed for learning, reasoning, and automated decision-making processes that involve the processing of personal data. This technical categorization is essential for B2B providers that offer Software as a Service (SaaS) or Infrastructure as a Service (IaaS) solutions, as it clarifies which automated processes fall under the jurisdiction of Mexican regulators.

  • A new data protection law is on its way

Before the first anniversary of Mexico’s “new” data protection law, its data protection authority announced that a new data protection law applicable to “private parties” was necessary. Available information indicates that Mexico will soon be closer to GDPR standards.

On January 28, 2026, the SABG organized a forum to discuss the updating of personal data protection legislation applicable to private parties, with the participation of business and social sectors. The head of the SABG emphasized the importance of including all stakeholders in the development of a modern, transparent law that is aligned with international standards.

So far, it has not been made public whether the proposed amendment entails an amendment to the LFPDPPP of 2025 or whether there are plans to issue a complete and renewed law, including some of the new components that have been announced.

In any case, it is anticipated that, before the end of 2026, Mexico will have a personal data protection law that incorporates the following concepts or obligations that have already been mandatory in other countries for several years:

1. Privacy by design,
2. Privacy by default,
3. Personal Data Protection Impact Assessments,
4. Role, functions, and position of the DPO,
5. Right to portability,
6. Right to restriction of processing, and
7. Right not to be subject to a decision based solely on automated processing.

  • Cybersecurity: Strategy Ahead of Statute

The federal government presented a National Cybersecurity Plan (2025–2030) and a General Cybersecurity Policy for the federal administration. Mexico remains highly exposed to ransomware, with over 150 publicly reported victims since 2019. For companies, governance is the priority: integrate cyber risk into enterprise risk management, align incident response with electronic-evidence preservation, maintain 24/7 law-enforcement contact protocols and conduct regular tabletop exercises.

  • Data Access Requirements: Mexico’s New Article 30-B Framework

Article 30 B of Mexico’s Federal Fiscal Code, effective from 1 April 2026, will require certain digital platforms to grant the tax authority (SAT) permanent, real time access to transactions databases for tax verification purposes. This represents a significant departure from traditional audit mechanisms, which operate through targeted, time bound information requests. By enabling continuous visibility into operational and transactional data, the reform creates a potential risk of exfiltration of personal data relating to customers.

This real time monitoring obligation raises considerable privacy and cybersecurity concerns. Granting SAT officials unrestricted system access increases the risk of data misuse, unauthorised extraction, or cross referencing of sensitive information for purposes unrelated to tax compliance. To mitigate these risks, companies should deploy strict technical and procedural controls, such as compliant platforms, detailed access logs, and mandatory on screen notices reminding officials of their legal duties and liabilities.

For digital businesses operating in Mexico, Article 30-B will require a comprehensive compliance strategy. Organisations must ensure that tax-verification access is tightly constrained (read-only and limited to the data actually needed for verification), auditable, and compatible with their confidentiality obligations. This includes implementing protective controls, updating internal policies, and reassessing how high-volume data environments are monitored. Ultimately, the reform signals a shift towards far more intrusive digital-economy enforcement, and companies will need to balance tax-compliance expectations with robust protections for user data and corporate systems.
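One way to build the constrained, auditable access path described above is to put the verifier behind a broker that enforces a column-level read policy, masks the keys that would allow cross-referencing with customer identity, blocks every write, and logs every statement against the official's identity. The following is an added illustration, not SAT's interface nor any vendor's product: it uses SQLite as a stand-in for the transaction store, and the schema, the policy, the notice wording and every row of data are constructed for the example.

```python
# Least-privilege, audited query broker for an external verifier (SQLite as a
# stand-in for the transaction store).  Added illustration only: not SAT's
# interface nor any vendor's product; schema, policy and rows are constructed.
import sqlite3
import time

# The only table/column pairs the verifier may read.  Customer identity lives in
# a table that is never exposed; the foreign key that would let the verifier
# cross-reference it is masked and reads back as NULL.
READ_POLICY = {"transactions": {"tx_id", "tx_date", "amount_mxn", "vat_mxn", "rfc_issuer"}}
MASKED = {("transactions", "customer_id")}
ALLOWED_FUNCTIONS = {"count", "sum", "total", "min", "max", "avg", "round", "date"}
LEGAL_NOTICE = ("Access under CFF art. 30-B for tax verification only; every "
                "statement is logged against your identity.")   # assumed wording


def build_sample_store() -> sqlite3.Connection:
    """Constructed sample data, not real customers or transactions."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE customers (customer_id INTEGER PRIMARY KEY, name TEXT,
                                email TEXT, card_last4 TEXT);
        CREATE TABLE transactions (tx_id INTEGER PRIMARY KEY, tx_date TEXT,
            amount_mxn REAL, vat_mxn REAL, rfc_issuer TEXT, customer_id INTEGER);
        INSERT INTO customers VALUES (1, 'Ana Lopez', 'ana@example.test', '4242'),
                                     (2, 'Luis Perez', 'luis@example.test', '1881');
        INSERT INTO transactions VALUES
            (100, '2026-04-01', 1160.0, 160.0, 'XAXX010101000', 1),
            (101, '2026-04-02',  580.0,  80.0, 'XAXX010101000', 2),
            (102, '2026-04-02', 2320.0, 320.0, 'XAXX010101000', 1);
    """)
    return conn


class VerifierSession:
    """One authenticated verifier session over a read-only, policy-checked connection."""

    def __init__(self, conn: sqlite3.Connection, actor: str):
        self.conn, self.actor = conn, actor
        self.audit = []                  # production: append-only log shipped off-box
        self._hits = []
        conn.execute("PRAGMA query_only = 1")   # engine-level write block
        conn.set_authorizer(self._authorize)    # column-level policy, checked at prepare

    def _authorize(self, action, arg1, arg2, dbname, source):
        if action == sqlite3.SQLITE_SELECT:
            return sqlite3.SQLITE_OK
        if action == sqlite3.SQLITE_FUNCTION:
            if (arg2 or "").lower() in ALLOWED_FUNCTIONS:
                return sqlite3.SQLITE_OK
            self._hits.append(f"function:{arg2}")
            return sqlite3.SQLITE_DENY
        if action == sqlite3.SQLITE_READ:        # arg1 = table, arg2 = column
            if (arg1, arg2) in MASKED:
                self._hits.append(f"masked:{arg1}.{arg2}")
                return sqlite3.SQLITE_IGNORE     # column evaluates to NULL
            # arg2 == "" is SQLite's "table referenced, no column read" case
            if arg1 in READ_POLICY and (arg2 == "" or arg2 in READ_POLICY[arg1]):
                return sqlite3.SQLITE_OK
            self._hits.append(f"read:{arg1}.{arg2}")
            return sqlite3.SQLITE_DENY
        self._hits.append(f"action:{action}")
        return sqlite3.SQLITE_DENY               # INSERT/UPDATE/DELETE/DDL/ATTACH/PRAGMA

    def query(self, sql: str, params=()):
        """Run one statement; returns rows, or None when policy rejected it."""
        self._hits = []
        entry = {"ts": time.time(), "actor": self.actor, "sql": sql, "params": list(params)}
        try:
            rows = self.conn.execute(sql, params).fetchall()
            entry.update(result="ok", rows=len(rows))
        except sqlite3.DatabaseError as exc:     # "not authorized" or read-only
            rows = None
            entry.update(result=f"denied: {exc}", rows=0)
        entry["policy_hits"] = list(self._hits)
        self.audit.append(entry)
        return rows


def run_demo() -> dict:
    """Exercise the broker and return the outcomes so they can be checked."""
    s = VerifierSession(build_sample_store(), actor="sat-inspector-0042")
    return {
        "totals": s.query("SELECT count(*), round(sum(vat_mxn), 2) FROM transactions "
                          "WHERE tx_date = ?", ("2026-04-02",)),
        "masked": s.query("SELECT tx_id, customer_id FROM transactions ORDER BY tx_id"),
        "cross_ref": s.query("SELECT tx_id FROM transactions WHERE customer_id = 1"),
        "join": s.query("SELECT t.tx_id, c.email FROM transactions t "
                        "JOIN customers c ON c.customer_id = t.customer_id"),
        "write": s.query("DELETE FROM transactions WHERE tx_id = 100"),
        "audit": s.audit,
    }


if __name__ == "__main__":
    print(LEGAL_NOTICE)
    for name, value in run_demo().items():
        print(name, "->", value)
```

The aggregate query the verifier legitimately needs succeeds; the masked foreign key comes back as NULL, so a filter on it returns nothing; a join to the customer table and a write are rejected before they execute; and all five statements, including the rejected ones and the policy rules they tripped, appear in the audit trail. In a real deployment the same policy would sit in the database's own role and view layer and the audit log would be append-only and shipped off the platform, but the shape of the control is the same.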

  • USMCA and the UN Cybercrime Convention

The USMCA Digital Trade Chapter continues to anchor Mexico’s cross-border data strategy. The first joint review, scheduled for July 2026, is expected by many observers to intensify discussion of cybersecurity co-operation, AI governance, and transparency in automated decision-making. Even in the absence of immediate binding outcomes, supervisory expectations and contractual standards often evolve in parallel with such reviews.

Data protection in India

  • India’s New Data Privacy Rules Are Here: 8 Steps for Businesses as Key Compliance Deadlines Approach

India’s Digital Personal Data Protection (DPDP) Act of 2023, and the DPDP Rules – which were finalized in November 2025 – create India’s first comprehensive framework governing the collection, processing, storage, and transfer of digital personal data. While some provisions took effect immediately, most day-to-day employer compliance obligations, such as notice and consent operations, breach notification, and individual rights handling, will become enforceable during an 18-month implementation phase, with full compliance required by mid-May 2027. Several key deadlines come into effect later this year, making 2026 a critical “build year” for employers with Indian operations or India-linked data flows.

The DPDP Act applies broadly to businesses that:

  • Process digital personal data related to goods or services offered to individuals in India, regardless of the business location; or
  • Process digital personal data within India, including data initially collected in non-digital form and later digitized.

Phased Implementation Timeline

India opted for a phased implementation to allow organizations time to prepare:

  • November 2025 (Immediate): The Data Protection Board (“DPB”) was established to handle administrative duties and oversight.
  • November 13, 2026: The Consent Manager Framework becomes operational. Organizations may register as third-party intermediaries to manage user consent and permissions. The DPB will handle registration.
  • May 13, 2027: Full compliance deadline. All covered businesses must comply with the DPDP Act and Rules, including core obligations applicable to Data Fiduciaries.

Penalties for Violations Will Be Steep: A Data Fiduciary may be fined up to ₹250 crore (about $30 million USD) for failing to maintain reasonable security safeguards. Failure to notify the DPB or affected individuals of a personal data breach or violations of minor-related rules can result in penalties of up to ₹200 crore (about $25 million USD). Any other violation by a Data Fiduciary may be penalized up to ₹50 crore (about $6 million USD).

Data protection in Brazil

  • Brazil and the European Union acknowledge mutual adequacy in matters of personal data protection

Brazil and the European Union (EU) are taking a historic step in the protection of personal data and in international cooperation. At a ceremony at the Planalto Palace, the reciprocal recognition of the adequacy of the levels of personal data protection adopted by the two jurisdictions will be announced.

In practice, this means that Brazil and the European Union recognise that their laws guarantee equivalent protection for personal data, allowing this information to circulate between the two sides in a direct, secure, and simplified manner, without the need for additional transfer mechanisms.

The ceremony will be attended by the Vice-President of the Republic, Geraldo Alckmin, the European Commissioner for Democracy, Justice, Rule of Law and Consumer Protection, Michael McGrath, the Director-President of the ANPD (National Data Protection Authority), Waldemar Gonçalves, other members of the ANPD's Board of Directors, and Brazilian and European authorities.

  • ANPD concludes the levelling phase of the Sandbox Project

The National Data Protection Authority (ANPD) concluded the levelling phase of the Regulatory Sandbox Project on Artificial Intelligence and Data Protection. This stage is mandatory, is provided for in the call for proposals, and precedes the testing phase of the selected projects.

The levelling process aimed to standardise the technical, legal, and regulatory knowledge of the participants, ensuring a common basis for the safe and responsible development of projects in the experimental sandbox environment. The activities were carried out with the support of the University of São Paulo (USP), an institutional partner of ANPD in this stage.

Over four months, lectures, practical workshops, and assessment activities were conducted on essential topics for the regulatory experimentation of artificial intelligence systems. Among the subjects covered, the introduction and contextualisation of the regulatory sandbox (its purposes, structure, and methodology), as well as national and international experiences in the use of this tool, stood out.

Key aspects of the governance of artificial intelligence systems were also addressed, including algorithmic transparency, explainability, and the right of data subjects to request review of decisions taken solely on the basis of automated processing, as provided for in Article 20 of the General Data Protection Law (LGPD). Further modules focused on risk assessment and mitigation, impact analysis, reliability of AI systems, incident scenarios, and cybersecurity, with guidance on assessment, regulatory safeguards, and communication with data subjects and other stakeholders.

In the final stage of the levelling process, participating institutions developed practical activities related to the creation of a sandbox plan, including defining monitoring strategies, testing, and discontinuation plans. These plans were presented and discussed collectively, promoting their technical improvement.

  • Decree published detailing the protection of children and adolescents in the digital environment

The President of the Republic, Luiz Inácio Lula da Silva, signed, in a ceremony at the Planalto Palace, three decrees related to the Digital ECA. One of them, Decree No. 12.880, regulates Law No. 15.211/2025, which provides for the protection of children and adolescents in digital environments. The act also established the National Policy for the Protection of the Rights of Children and Adolescents in the Digital Environment, setting out guidelines for coordinated action between the public authorities and economic agents operating in the virtual environment.

In his speech, President Lula declared that, with the Digital ECA (Statute of Children and Adolescents), "We are ensuring that our young people can be online safely and, at the same time, we are putting an end to criminals who physically and mentally threaten children and adolescents."

The National Data Protection Authority (ANPD), responsible for overseeing and regulating the Digital ECA (Statute of the Child and Adolescent), was represented at the ceremony by its Director-President, Waldemar Gonçalves, and Directors Lorena Coutinho, Miriam Wimmer, and Ia Gê Miola.

  • ANPD publishes preliminary guidelines and a timeline for age verification in the digital environment

The National Data Protection Authority (ANPD) published preliminary guidelines for the adoption of reliable age verification mechanisms by suppliers of information technology products and services aimed at children and adolescents, or likely to be accessed by this public. The measure is part of the Authority's efforts to ensure that the digital environment is safer for children and adolescents.

The guidelines present initial parameters for the implementation of the mechanisms foreseen in Law No. 15.211/2025 (Digital ECA), in force since March 17, as well as in Decree No. 12.880 of March 18, 2026, providing predictability and legal certainty to the regulated agents at this initial moment of entry into force of the new legislation.

At the same time, they seek to ensure that the implementation of these mechanisms is compatible with the rights to privacy and the protection of personal data of children and adolescents. The document reflects the ANPD's institutional position and will serve as a reference for the Authority's monitoring activities until the publication of definitive guidelines, after consultation with society.

  • ANPD conducts international mission in London and advances bilateral cooperation agenda on data protection and AI governance

The Brazilian National Data Protection Authority (ANPD) conducted an institutional mission in London, United Kingdom, between March 23 and 25, 2026, with the participation of the Director-President Waldemar Ortunho Junior and the General Coordinator of Technology and Research, Lucas Anjos. The delegation held bilateral meetings with the main British digital regulatory authorities and participated in the Global Government Forum Innovation.

  • Bilateral meetings with ICO and Ofcom

On the 23rd, the ANPD delegation held a bilateral meeting with the Information Commissioner's Office (ICO), the British authority for the protection of personal data. The meeting was led by Deputy Commissioner Emily Keaney and focused on the regulatory challenges arising from the implementation of the Digital ECA (Law No. 15.211/2025), which established the legal framework for the rights of children and adolescents in digital environments in Brazil. The topics of age verification, protection of young users on digital platforms, and the ICO's experience with the regulation of social networks were discussed in particular.

The parties explored the possibility of establishing structured channels for technical cooperation, including the sharing of information and inspection methodologies. The ongoing adequacy decision between Brazil and the United Kingdom, coordinated by the Department for Science, Innovation and Technology (DSIT) of the British government, was also discussed as a matter of common strategic interest.

Following this, the delegation met with representatives from the Office of Communications (Ofcom), the British regulator of communications and online safety. Present were Oliver Griffiths (Group Director, Online Safety) and Almudena Lara (Online Safety Director – Children), among other representatives. The meeting highlighted points of convergence between the regulatory agendas of the two authorities, especially regarding the protection of children in digital environments, platform design, and international coordination in enforcement actions. The British Online Safety Act, in force since 2023, was referenced as a relevant benchmark for the ANPD's ongoing regulatory actions within the scope of the Digital ECA (Brazilian Statute for Children and Adolescents).

If you have any questions, please send us an email to datasecurity@catts.eu
