INTERNATIONAL 

UNITED STATES OF AMERICA

10. Senate passes Legislation to Regulate US Dollar-Backed Stablecoins[10]

On June 17, 2025, the Senate passed the Guiding and Establishing National Innovation for U.S. Stablecoins Act of 2025 (“Act”), which proposes a federal framework for regulating U.S. dollar-backed payment stablecoins. The Act was introduced in the House of Representatives on June 23, 2025, and is currently under review. The Act allows only authorised entities, such as insured banks, credit unions, their subsidiaries, and specially licensed non-bank institutions approved by the Office of the Comptroller of the Currency, to issue payment stablecoins. Each token must be backed one-to-one by safe and liquid assets like cash, insured deposits, or short-term U.S. Government securities. Issuing entities are required to submit monthly reserve reports, verified by independent auditors, and are strictly prohibited from using reserve funds for lending or investment purposes. In addition, the Act lays down robust compliance standards covering governance, cybersecurity, liquidity, and anti-money laundering. It also empowers both federal and state regulators to intervene swiftly if any stablecoin activity threatens financial stability or consumer protection.

If passed, the Genius Act would become the first comprehensive U.S. law governing fiat-backed stablecoins, offering legal clarity and stronger protections for users in the digital asset space.

11. Court orders OpenAI to preserve User Data in New York Times Copyright Case [11]

The District Court of New York directed OpenAI to retain all user-generated outputs, even those deleted at user request or under privacy laws, to preserve evidence for the case.

This order comes as a result of the New York Times Company (“NYT”) suing Microsoft and OpenAI for alleged copyright infringement. NYT claims that Microsoft is liable because it has integrated OpenAI’s models into its products like ‘Bing’ and ‘Copilot’, benefiting commercially from outputs generated using NYT content. OpenAI and Microsoft have a close commercial partnership, with Microsoft investing heavily in OpenAI and deploying its models across Microsoft platforms.

Although the matter is yet to be decided, this development underscores the challenge for AI companies in balancing legal data preservation with privacy commitments and highlights the exposure of major tech partners like Microsoft in AI copyright litigation.

12. Court upheld Age Verification for Adult Websites [12]

In a significant decision on June 27, 2025, the US Supreme Court upheld Texas’s law requiring online pornographic websites to verify that users are over 18. The case arose after Texas enacted House Bill 1181 (“Bill”) to prevent minors from accessing sexually explicit content online. In this matter, industry groups representing adult websites challenged the law, arguing that forcing users to provide Government IDs or undergo verification would violate their First Amendment rights and create a chilling effect on adults seeking lawful content. They contended that such requirements were overly burdensome, intrusive, and could discourage users from accessing legal material due to privacy concerns. However, the court disagreed. The court ruled that the Bill imposes only a minimal burden on adult users and serves a compelling state interest in protecting children from harmful content. The court reasoned that Texas was within its traditional authority to safeguard minors and that the age verification requirement did not unreasonably restrict adults’ access to legal pornography.

This decision is likely to have a ripple effect across the digital content industry, paving the way for similar age-gating laws in other states. It also raises important debates around privacy, user verification, and online freedom, signalling that platforms hosting explicit content must prepare for stricter compliance standards to continue operating legally in the US.

13. Trade Associate challenges New Arkansas’ Social Media Laws [13]

A trade association representing online businesses and advocating for free expression and open digital markets, has filed a new lawsuit challenging Arkansas’s Acts 900 and 901 of 2025, which impose new regulations on social media platforms, particularly in relation to minors. (collectively referred as “Acts”), which impose sweeping new requirements on social media platforms. These include restrictions on algorithms for minors, mandatory addiction risk audits, parental dashboards to monitor activity, and default content filters.

It has been argued that the provisions of the Acts infringe free speech, force platforms to redesign features and are vague, overbroad, and threaten platform autonomy and user privacy, however, the State is bend on

As the proceedings are ongoing, no final decision has been delivered; however, this case highlights the ongoing tension between state-level child safety laws and constitutional protections for online speech, with significant implications for how platforms design and moderate digital content.

14. Texas AI Regulations Move Forward as Federal Moratorium fails

On June 22, 2025, Texas enacted the Texas Responsible Artificial Intelligence Governance Act, 2025 (“TRAIGA”)^[14], which will take effect from January 1, 2026. TRAIGA introduces comprehensive AI-specific obligations for both state agencies and private entities, prohibiting AI systems designed to manipulate behavior, discriminate, or create harmful deepfakes. The legislation mandates disclosure of AI use by public authorities, requires consent for biometric data collection, and establishes a regulatory sandbox under the State’s Artificial Intelligence Council. Enforcement lies with the Texas Attorney General, with penalties ranging from USD 80,000 to 200,000 per violation, following a 60-day cure period. The political landscape for state AI regulation has dramatically shifted. While the House initially passed a reconciliation bill in May 2025 proposing a 10-year moratorium on state laws regulating AI systems in interstate commerce, the Senate voted nearly unanimously on July 1, 2025, to remove this moratorium provision from the federal budget bill. This decisive 99-1 vote eliminates the immediate threat of federal pre-emption that had cast uncertainty over TRAIGA’s future enforceability [15].

With the federal moratorium off the table, TRAIGA’s effective date appears secure. This development resolves the previous tension between state-level innovation and federal pre-emption, allowing Texas to move forward as a pioneer in comprehensive AI governance. The legislation’s focus on data protection, responsible system design, and ethical AI deployment can now proceed without the regulatory uncertainty that had previously surrounded state AI laws.

15. Montana amends Data Privacy Law to Strengthen Safeguards for Minors and Online Consumers [16]

Montana amended the Montana Consumer Data Privacy Act, 2023 to include new consumer rights and stronger safeguards for minors. Now, consumers must be notified when their data is collected and can access, correct, delete, and obtain their data in a portable format. Businesses must provide clear opt-out options for data sales, targeted ads, and profiling, and publish accessible privacy notices detailing data use and user rights. As far as minors are concerned, there is prohibition on processing their data for targeted advertisements or profiling without consent, restricts geolocation tracking, and bans design features that prolong online engagement. Businesses must conduct data protection assessments where there is a heightened risk of harm and implement mitigation plans. Adding to the key aspects, the Montana Attorney General retains exclusive enforcement power, with penalties of up to USD 7,500 per violation and a 60-day cure period.

Montana’s updated law reflects a growing trend among States to tailor privacy protections to digital realities, especially concerning minors’ safety and automated processing. Companies offering online services in Montana should update privacy policies, design practices, and data governance procedures to ensure compliance before the October deadline.

UNITED KINGDOM

16. Data Use and Access Regulation received Royal Assent [17]

The Data (Use and Access) Act 2025 (“DUAA”) received Royal Assent, with phased implementation through June 2026. DUAA amends existing UK GDPR and data protection laws to create a more innovation-focused regulatory approach while maintaining privacy protections.

Key provisions include new Smart Data schemes enabling secure data sharing between organizations, enhanced data portability across sectors, and a statutory framework for Digital Verification Services. Unlike GDPR’s strict consent requirements, DUAA provides significant flexibility through exemptions for low-risk cookies (analytics, site optimization, security) from explicit consent requirements and relaxed rules around automated decision-making and legitimate interests processing. Organizations need only provide information and easy opt-out options rather than obtaining explicit consent. Organizations should prepare for the phased rollout. DUAA represents the UK’s strategic shift toward pragmatic data governance that balances commercial opportunities with robust privacy standards.

17. UK calls for Feedback on International Data Transfer Guidance [18]

On June 26, 2025, the UK Information Commissioner’s Office (“ICO”) launched a ‘Call for Views’ on its International Data Transfers: Guidance (“Guidelines”) under the UK GDPR. Open until August 7, 2025, the consultation invites businesses and stakeholders to share feedback on which parts of the Guidelines are helpful, where they face difficulties, and what tools or changes would improve compliance with data transfer rules. This consultation follows the ICO’s January 2025 letter to the Prime Minister, Chancellor, and Business Secretary, (“Letter”) where it highlighted that international data transfers support 40% of UK exports and promised to modernise data governance to boost economic growth. The ICO committed to publishing clearer guidance, streamlining adequacy assessments, and aligning with global data standards. It also outlined broader plans, including new AI regulation proposals, training programmes for SMEs, and innovation sandboxes to test emerging technologies safely. Additionally, the ICO addressed concerns in the digital advertising sector, stating it would review strict consent requirements under the privacy and electronic communications regulations that may limit adoption of privacy-preserving advertising models, and pledged to clarify low-risk use cases unlikely to trigger enforcement.

This step reflects the ICO’s wider strategy to balance regulatory certainty and innovation. By simplifying international data transfer rules while maintaining strong privacy protections, the ICO aims to position the UK as a competitive and trusted hub for global data flows.

EUROPEAN UNION

18. Belgian DPA dismisses Complaints on Cookie Banners [19]

DPA’s Litigation Chamber dismissed 16 complaints across five cases filed by None of Your Business (“NOYB”), the European privacy advocacy group, regarding cookie banners. The DPA’s Litigation Chamber found that NOYB did not have valid mandates from individual users to file these complaints. It noted that organisations like NOYB can only act with express authorisation from affected individuals and cannot file complaints unilaterally. In these cases, NOYB had used automated tools to submit complaints without securing proper consent from data subjects. The DPA noted that these complaints were part of NOYB’s internal projects, where individuals were merely instructed on how to authorise filings, and similar complaints had already been dismissed earlier without appeal. While the DPA acknowledged NOYB’s important role in advancing privacy rights, it emphasised that complaints must follow existing legal procedures. DPA also expressed support for future legislative changes that could allow privacy organisations to file complaints independently to strengthen enforcement.

This decision highlights the procedural limits faced by privacy advocacy groups under current Belgian law, underscoring the need for clear mandates when representing data subjects in regulatory complaints.

19. Spanish DPA penalises Financial Non-Profit Company Over Data Misuse and AI failures [20]

On June 7, 2025, a non-profit financial services company was penalized for disclosing a customer’s personal address in a transfer receipt. The payment followed an order issued by the Spanish Data Protection Agency (“AEPD”) on May 23, 2025, which closed the sanctioning procedure after the Company agreed to the penalty and waived its right to appeal.

The case concerned a transfer made through the company’s online banking platform, in which the complainant’s home address was visible on the receipt shared with the transaction’s recipient. The AEPD found that this data was not required for the transaction and that including it served no clear purpose. Basis this, AEPD held that the company should have limited the personal data processed to what was strictly necessary and failed to put in place proper controls to prevent unnecessary disclosure. This amounted to a breach of Article 5(1)(f) of the GDPR, which requires integrity and confidentiality of personal data. The AEPD also reviewed complaints about marketing messages managed by an AI system. Although the user had objected multiple times, the system continued to send messages because it was only programmed to respond to the word ‘UNSUBSCRIBE.’ It acknowledged the limitation but clarified that current legislations do not yet require AI systems to interpret all types of human responses. Basis this, the Company was liable to pay fine of EUR 42,000.

20. EU initiated Public Consultation on Data Retention Requirements for Criminal Investigations [21]

On June 20, 2025, the European Commission launched a public consultation and impact assessment on whether to introduce a common EU framework for retention of metadata by service providers to support criminal proceedings. This is an initiative at the assessment stage, not yet a draft guideline or legislative proposal. Currently, there is no EU-wide obligation requiring telecom companies, internet service providers, or digital platforms to retain metadata, such as IP addresses, timestamps, and subscriber details, for any specific period. As a result, critical data may no longer be available when law enforcement requests it, hindering investigations into serious crimes. Varying data retention laws across Member States further create legal and operational challenges, especially for service providers operating cross-border. Through this consultation, the Commission seeks input from a wide range of stakeholders, including telecom operators, digital platforms, law enforcement agencies, civil society groups, and EU citizens, on whether and how such data retention obligations should be designed.

Feedback can be submitted via an online questionnaire until September 12, 2025.

21. Italian Company held liable for Unlawful Use of Employee’s Private Messaging and Social Media Data [22]

Data Protection Authority (“Garante”) held Autostrade per l’Italia S.p.A., a company engaged in road infrastructure and toll highway management sector, to be in violation of the GDPR for using an employee’s private social media and messaging data in disciplinary proceedings. The company had received screenshots of the employee’s Facebook posts, WhatsApp messages, and Messenger chats from colleagues and third parties. Although ASPI did not actively collect the data, the Garante found that using it still constituted ‘processing’ under GDPR.

The company claimed it acted on a legitimate interest under Article 6(1)(f), but the Garante found the company had failed to conduct a required balancing test or consider less intrusive means. It held that the content, shared in closed or private settings, came with a reasonable expectation of confidentiality. The Garante found that ASPI had violated key privacy principles, including those requiring lawful, limited, and proportionate data use in the workplace. It imposed a fine of EUR 420,000 and emphasized that employers cannot rely on private digital communications for disciplinary action without a clear legal basis and appropriate safeguards.

This decision underscores that under the GDPR, processing is not limited to active collection. Merely being exposed to, receiving, or storing private personal data can create compliance risks if not backed by a lawful basis and necessary safeguards, especially in employment contexts.

OTHERS

22. South Korea launches Investigation into Data Leak by Global Pizza Brand [23]

On June 26, 2025, PIPC launched an investigation into Papa John’s Korea Co. Ltd, global pizza brand. The investigation was launched after the company reported a major data leak. The PIPC, South Korea’s national data protection authority, oversees enforcement of privacy laws and protection of personal information.

The company revealed that customer order data had been exposed online since January 2017 due to negligence in website source code management. The leaked data includes customers’ names, phone numbers, and addresses, raising serious privacy and security concerns. The exposure remained undetected for over eight years, highlighting systemic failures in website monitoring and data security practices. The PIPC will examine how the leak occurred, the scale of compromised data, and whether the company complied with technical and administrative security obligations under Korean privacy law. The probe will also assess if the company retained customer order information beyond the permissible retention period stated in its privacy policy. Further, PIPC has urged all businesses to strengthen website security by restricting administrator page access and managing URLs diligently, noting an increasing trend of data leaks arising from poor website management.

23. Canadian Court redefines Limits of Data Scraping and AI Training [24]

The Court of King’s Bench of Alberta upheld an enforcement order against Clearview AI Inc., a U.S.-based company offering facial recognition services built on scraped online images. The Office of the Information and Privacy Commissioner of Alberta (“Commissioner”) had found that the company collected images of individuals from public websites and social media without consent, violating Alberta’s privacy legislation PIPA. The Commissioner directed the company to stop providing services in Alberta, delete images and biometric facial arrays of Albertans, and cease further processing. Opposing this, the company challenged the order, arguing that PIPA did not apply to it as a foreign entity, and that the images were ‘publicly available’ under the PIPA. It also claimed that this interpretation infringed its freedom of expression enumerated in the Canadian Charter of Rights and Freedoms.

Finally, the court found that company had a real and substantial connection to Alberta, given its marketing to local police agencies and use of individual’s data. It upheld the Commissioner’s interpretation that social media content does not fall under the ‘publicly available’ exception. The court also dismissed the Charter challenge, finding the privacy restrictions proportionate and justified.

24. Québec’s Latest Regulation on Intimate Images comes into force [25]

Québec brought into force the Act to Counter Non‑Consensual Sharing of Intimate Images, 2024, c. 37 (“Act”), to provide individuals with legal remedies against the unauthorized distribution of intimate content. The Act seeks to protect a person’s dignity, privacy, and reputation, particularly from harm caused by rapid online dissemination. The Act defines ‘intimate image’ to include any visual or audio recording, altered or not, depicting nudity or explicit sexual activity, where there was a reasonable expectation of privacy. Sharing covers a wide range of actions such as publishing, distributing, or advertising. It clarifies that prior consent to image creation does not waive privacy rights, and allows for revocation of consent, with exceptions for certain commercial or artistic contracts. Individuals can now apply to a judge or justice of the peace to obtain urgent orders requiring anyone with control over the image to stop sharing it, destroy it, or de-index links. These orders may be issued without notifying the alleged violator and can apply to unknown persons. The court may also compel disclosure of identifying information. Further, all hearings are held in camera, and public access to records is restricted unless ordered otherwise. Non-compliance with court orders may attract daily fines or imprisonment, with higher penalties for repeat offences. Collected penalties are directed to a victims’ assistance fund. The Act also introduces a presumption of civil liability against anyone who shares or threatens to share such images without consent.