Special Focus · AI Regulation
AI Regulation — Global Update
🤖 EU
Digital Omnibus
AI-1
EU Digital Omnibus Package: GDPR Relief & AI Act Acceleration
The European Commission has proposed the "Digital Omnibus" package, aimed at reducing administrative burdens across GDPR, the AI Act, and the Data Act. Key provisions include a de minimis threshold under GDPR that would exempt micro and small enterprises from many GDPR obligations, fast-track implementation timelines for high-risk AI system requirements, and streamlined compliance pathways designed to reduce duplication across overlapping regimes. The package is still in proposal stage and will require co-legislative approval.
Key Obligation:
Monitor proposal progress. Assess whether your entity qualifies for any SME exemptions. Track national implementations for divergence risk.
🤖 EU
AI Act · Code of Practice
AI-2
EU AI Act: GPAI Code of Practice — Iteration Three Published
The EU AI Office has published the third draft of the Code of Practice for General Purpose AI (GPAI) model providers. The draft introduces mandatory AI literacy obligations for deployers, enhanced transparency disclosures around training data, and new requirements for AI-generated content labelling. The final Code of Practice is expected to be adopted by August 2025, ahead of the GPAI provisions entering full effect. Non-compliance after adoption may result in enforcement action under Article 101 AI Act.
Key Obligation:
Review third-draft Code against your GPAI use cases. Assess AI literacy training gaps. Implement AI-generated content labelling for customer-facing outputs.
🇺🇸 US
Executive Order · FTC
AI-3
US: Trump AI Executive Order & Recalibrated FTC Posture
President Trump's December 2025 Executive Order on AI revoked the Biden-era EO 14110 and directed federal agencies to remove barriers to AI development, prioritising innovation over precautionary regulation. The order withdrew from the OECD AI Principles framework, directing agencies to develop domestic AI safety standards independent of international bodies. Separately, the FTC under the new administration has signalled a narrower focus on demonstrable consumer harm rather than broader structural concerns, indicating reduced enforcement frequency for data-driven AI products in the near term. State-level regulation (particularly California, Texas, and Illinois) continues independently.
Action:
Monitor state AI legislation developments separately from federal posture. Do not assume reduced FTC activity means zero risk — state AGs remain active. Review Biden-era AI compliance commitments for continued applicability.
🇨🇳 China
CAC · National Standards
AI-4
China: CAC AI Enforcement Surge & 30 National AI Standards Published
China's Cyberspace Administration (CAC) has intensified enforcement of the Generative AI Service Regulations (effective July 2023) with multiple significant penalties issued in Q1 2026 targeting large-language model (LLM) providers for inadequate content moderation and failure to conduct algorithm security assessments. In parallel, SAC/TC260 has published 30 national standards related to AI, covering AI system transparency, security testing methodologies, and data labelling quality. These standards, while non-mandatory on their face, are increasingly referenced by regulators as baseline expectations in enforcement proceedings.
Key Obligation:
All China-based or China-serving AI/LLM services must have filed algorithm security assessments with CAC. Content moderation policies must align with published national standards. Legal entities providing AIGC services need security assessments before public launch.
Priority Alerts
⚡ Priority
🇪🇺 EU · GDPR
P-1
GDPR Total Fines Reach €7.1 Billion — Enforcement Acceleration Continues
Cumulative GDPR fines across the EEA have surpassed €7.1 billion since the regulation became enforceable in May 2018. The past 12 months saw the largest ever single fine (Meta Ireland, €1.2B, subsequently reduced on appeal) and an increase in cross-border enforcement coordination under the EDPB's Article 60 one-stop-shop mechanism. DPAs in France (CNIL), Ireland (DPC), Germany (DSK/BfDI), and Italy (Garante) recorded the highest enforcement activity. Notably, enforcement against non-EU-based processors increased significantly, with DPAs asserting jurisdiction over data exports and third-country transfers.
Key Obligation:
Audit international data transfer mechanisms (SCCs, adequacy). Ensure RoPA is current and includes all processors. Review DPA complaint response procedures.
⚡ Priority
🇨🇳 China · PIPL
P-2
China PIPL: GB/T 46068-2025 National Standard for Compliance Enters Force
China's national standard GB/T 46068-2025 — "Requirements for Personal Information Protection Compliance Management" — has entered force, providing detailed technical guidance on implementing China's Personal Information Protection Law (PIPL). The standard sets out mandatory management system elements, internal audit requirements, privacy risk assessment methodologies, and cross-border data transfer protocols. Although technically a "recommended" (GB/T) standard, regulators are treating it as the de facto compliance benchmark in enforcement proceedings.
Key Obligation:
Map your PIPL compliance programme against GB/T 46068-2025 requirements. Complete internal audit cycles per the standard. Ensure cross-border data transfers (SCCs or CAC-approved mechanisms) are documented.
Enforcement & 2025 Annual Reviews
⚖️ Enforcement
EDPB · ICO · FTC · SEC · CAC
E-1
Regulatory Authorities: 2025 Annual Enforcement Reviews
EDPB: Published its 2025 Work Programme emphasising coordinated enforcement of cross-border data flows, AI systems, and children's data. Announced a new coordinated enforcement action targeting connected vehicles and mobility data.
ICO (UK): 2025 annual report confirmed record reprimand activity and increased monetary penalty notices. Key themes: data brokers, employee monitoring, and adtech. ICO has expanded its enforcement against non-UK controllers processing UK residents' data.
FTC (US): Issued multiple orders under the US Health Breach Notification Rule. Key 2025 action: enforcement against data broker practices (precise geolocation data sales). Note the shift under new administration toward consent-based framework review.
SEC (US): Continued enforcement of cybersecurity disclosure rules under Reg S-K Item 106 and Form 8-K/6-K incident disclosure. FY2025 saw first enforcement actions for material omissions in cyber incident disclosures.
CAC (China): Record 847 enforcement actions in 2025. Top violations: unlawful data collection in mobile apps (42%), failure to provide opt-out mechanisms (28%), cross-border transfer violations (18%).
📋
Law Firm 2025 Annual Reviews — 10 Firms, Individual Coverage
Each firm's own key themes and language are preserved. See E-12 for cross-firm comparative synthesis.
📋 DLA Piper
GDPR Fines & Data Breach Survey 2025
E-2
DLA Piper: GDPR Fines and Data Breach Survey — 7th Annual Edition (Jan 2025) + Data Breach Update (Feb 2026)
Headline Findings (Jan 2025 edition): Total GDPR fines in 2024 reached EUR 1.2 billion (USD 1.26B / GBP 996M) across Europe. Cumulative fines since 2018: EUR 5.88 billion. Ireland remains the preeminent enforcer with EUR 3.5 billion since May 2018 — more than 4× the second-placed Luxembourg. Average daily breach notifications: 363/day in 2024, up from 335 the prior year.
Headline Finding (Feb 2026 update): Between 28 January 2025 and 27 January 2026, average daily breach notifications surged to 443/day — a 22% rise from 363. "This is the first time since 2018 the average daily breach notifications have exceeded 400." Contributing factors: geopolitical tensions, "abundance of new technologies available to threat actors," and new notification obligations under emerging laws.
Top 3 countries for breach notifications: Netherlands (33,471), Germany (27,829), Poland (14,286).
DLA Piper's stated theme: "Big tech companies and social media giants continue to be the primary targets for record fines," but 2024 enforcement expanded into financial services and energy sectors. DPA scrutiny of AI technologies and their alignment with privacy laws is increasing.
DLA Piper prediction: "2025 may well be the year that regulators pivot more to naming and shaming and personal liability to drive data compliance."
📋 Bird & Bird
🇨🇳 China Focus
E-3
Bird & Bird: China Data Protection & Cybersecurity — Annual Review 2025 & Outlook 2026
Bird & Bird characterises China's 2025 landscape as entering "a new stage of accelerated evolution — from institutional construction to systematic operation, and from principle-based norms to in-depth governance."
Key 2025 legislative developments:
- The Cybersecurity Law (CSL) underwent its first systematic amendment, formally adopted 28 October 2025. The amended CSL optimised linkage mechanisms with the Civil Code and PIPL; clarified legal liabilities for network operators and critical information infrastructure (CII) operators; and added provisions on artificial intelligence governance.
- The Regulations on Network Data Security Management (NDSM) formally took effect.
- CAC issued the Measures for the Administration of Personal Information Protection Compliance Audits (February 2025), establishing a mandatory audit framework for large-scale personal information processors.
Outlook for 2026: AI governance provisions embedded in the amended CSL are expected to be fleshed out through implementing regulations. Cross-border data transfer rules under the NDSM continue to generate practical compliance challenges for multinational groups.
📋 Sidley Austin
Global + Financial Services
E-4
Sidley Austin: In-Depth Privacy, Data Protection & Cybersecurity (12th Edition, Dec 2025) + 2025 Financial Services Outlook
Sidley's stated scope: Provides an "incisive global overview of the legal and regulatory regimes governing data privacy and security," covering data processors' obligations, data subject rights, data transfers and localisation, best practices for minimising cyber risk, and public and private enforcement.
Key themes identified by Sidley in H1 2025:
- Increased regulation of teen data and social media platforms — multiple jurisdictions introducing age verification and parental consent requirements
- Enhanced restrictions on collection and sale of geolocation and biometric data — US states leading, with sector-specific federal guidance following
- Simplified opt-out mechanisms for tracking technologies — Global Privacy Control (GPC) recognition requirements expanding
- Broader obligations concerning consumer health data and data minimisation — FTC Health Breach Notification Rule as primary enforcement vehicle
📋 White & Case
US State Law & Enforcement Focus
E-5
White & Case: Privacy and Cybersecurity 2025–2026: Insights, Challenges, and Trends Ahead
White & Case's overarching theme: "New and amended state laws, increased regulatory scrutiny and evolving enforcement priorities are shaping the way businesses manage personal data and respond to cyber threats."
Specific developments White & Case highlights:
- COPPA Rule amendments (FTC): Final amendments published April 22, 2025, effective June 23, 2025. Expanded requirements for website/online service operators collecting personal information from children under 13: implementing a written children's personal information security program; providing parents with greater control over data collected about their children.
- New state privacy laws effective January 1, 2025: Delaware, Iowa, Nebraska, and New Hampshire — each with distinct definitions and thresholds.
- Colorado SB 24-041 (effective October 1, 2025): Significantly amended the Colorado Privacy Act with heightened obligations for entities processing minors' data, including prohibition on processing a minor's data for targeted advertising and a requirement for data protection assessments.
- Minnesota CDPA: Took effect July 31, 2025.
- California CPPA enforcement: Record $1.35 million settlement announced September 30, 2025 with Tractor Supply Company for CCPA violations related to failure to properly notify consumers and job applicants of their privacy rights.
📋 Skadden
Enforcement Acceleration
E-6
Skadden: State Privacy Enforcement Accelerates — California, Connecticut & Multi-State Coordination (May–Jul 2025)
Skadden's IAPP Summit theme (May 2025): Regulators from EU, UK, and US emphasised "growing cross-sector and cross-jurisdiction collaboration on data privacy and artificial intelligence regulation." As new US state data privacy laws take effect, "organizations must adapt their compliance programs to meet nuanced requirements." Significant regulatory activity across Asia-Pacific on both data privacy and AI governance.
Skadden's July 2025 enforcement alert — specific cases:
- California AG (July 1, 2025): $1.55 million settlement with Healthline Media. Skadden notes this imposes "novel restrictions on Healthline's data practices, extending beyond the requirements of the CCPA," signalling "a new emphasis on substantive compliance" beyond procedural box-ticking.
- Connecticut AG (July 8, 2025): First-ever enforcement action under the Connecticut Data Privacy Act (CTDPA), against TicketNetwork, Inc. — marking the CTDPA's transition from paper law to enforcement reality.
- Eight-state consortium: California, Colorado, and Connecticut launched a joint sweep on Global Privacy Control (GPC) compliance in October 2025 — part of a multistate coordination that Skadden describes as a structural shift in US privacy enforcement.
📋 Baker McKenzie
AI Governance + Antitrust Convergence
E-7
Baker McKenzie: Global Data & Cyber Handbook 2025 + Top 10 Predictions on Global Data and Cybersecurity Risks
New in 2025 Handbook: Expanded content to include "Non-Personal Data Regulation," "AI Governance," and "Geopolitical Cyber Threats" — reflecting Baker McKenzie's view that the compliance perimeter has fundamentally expanded.
Baker McKenzie's flagship AI theme: "Organizations must find innovative ways to create, leverage and utilize AI while improving AI governance as global policy and legislation shift, leading to increased regulation in many jurisdictions." They explicitly flag: "With the EU AI Act an imperfect benchmark, businesses must grapple with the challenge of operationalizing a global AI strategy while respecting local nuances."
Baker McKenzie's distinctive angle — AI meets antitrust: "As organizations deploy AI to develop their business strategies, their internal investigations and in their relationships with consumers, they will need to keep in mind antitrust issues regarding information sharing and price unification alongside privacy and cyber concerns." The firm coins "Regulatory FOMO (Fear of Missing Out)" to describe convergence of data/cyber risk with antitrust — making a "holistic data governance strategy essential."
Cybersecurity as top dispute risk: For the third consecutive year, cybersecurity and data privacy were ranked the top concern in Baker McKenzie's Global Disputes Forecast — cited by 45% of respondents.
Geopolitical factor: Geopolitical instability predicted to drive new cyber threats and policy/legislative responses — a theme Baker McKenzie treats as integrated into, not separate from, privacy compliance.
📋 Hogan Lovells
Cross-Border Transfers & GDPR Reform
E-8
Hogan Lovells: The Data Chronicles — 2025 Wrapped & 2026 Predictions
Hogan Lovells' annual "Look Back, Look Forward" publication (co-led by Scott Loughlin and Eduardo Ustaran) identifies six interconnected themes for 2025/2026:
- Potential GDPR reform: The EU Digital Omnibus package could reshape GDPR's core obligations — Hogan Lovells flag that reform proposals are proceeding faster than anticipated and that the balance between innovation facilitation and individual rights protection is genuinely contested.
- Biometrics and age verification: Emerging as a contentious category globally — driven by children's protection requirements but raising proportionality concerns under GDPR and equivalents.
- Geopolitics and data protection: The intersection of national security, geopolitical competition, and data flows (particularly US-China, EU-US) is creating asymmetric compliance obligations for multinationals.
- International data transfers: Described as a "key topic" for 2026 — UK adequacy uncertainty, EU-US DPF litigation risk, and China's standard contract filing backlog all flagged.
- AI governance: Growing focus on the accountability chain for AI systems: who is the controller, what safeguards apply when AI uses personal data, and how transparency obligations translate to algorithmic systems.
- Children's data: Elevated globally across all major jurisdictions — regulators moving from guidance to enforcement with increasing speed.
📋 Fieldfisher
UK & EU | "Year of the Child"
E-9
Fieldfisher: Data & Privacy Matters — Monthly Updates 2025 (Key Themes)
Fieldfisher's designation of 2026 as "the year of the child": Australia became the first country to restrict social media access for under-16s; Denmark restricting under-15s; US, Brazil, and India considering similar restrictions. ICO secured changes from social media and video platforms on: privacy-by-default design, geolocation data restrictions, and restrictions on personalised advertising targeting children.
Key UK-specific findings (Fieldfisher's specialist strength):
- UK's Data (Use and Access) Act 2025 introduces reforms to UK GDPR, DPA 2018, and PECR — increased fines, clarified lawful bases, updated cookie rules, transparency requirements, and automated decision-making provisions.
- ICO's new AI and Biometrics Strategy: plans for a statutory code of practice, oversight of foundation models, and facial recognition regulation.
- Irish DPC issued €530 million fine against TikTok for failures on data transfers to China and transparency obligations — the largest DPC fine in 2025.
📋 Covington & Burling
Federal Law Outlook & AI Training Consent
E-10
Covington & Burling: Privacy and Cybersecurity Policy to Watch in 2025
Federal privacy law: Covington attorneys Lindsey Tonsager, Micaela McMurrough, and Mark Young identify federal government efforts to establish a "nationwide standard for how companies handle and share consumers' personal information" as a key watch item — though they note the structural obstacles remain significant.
Covington's distinctive contribution on AI training and consent: Their attorneys explicitly articulate the dilemma that regulators face: "Regulators are in a challenging spot because a lot of training is already being done, and many recognize that it's not practical to require individual-level consent when talking about the vast amount of data required to train AI models." This is the most direct treatment of the AI training consent paradox from any of the major annual reviews.
EU Digital Omnibus: Covington flags that, if adopted, the package would introduce "significant changes to data protection obligations, cookie rules, cybersecurity regulations and EU AI Act" simultaneously, creating implementation timing risk for multinationals running EU compliance programmes.
Ongoing resource: Covington's "Inside Privacy" resource — written by Covington's Data Security lawyers — is noted as a consistently reliable reference for in-house teams tracking daily developments.
📋 Linklaters
🇬🇧 UK DUA Act — Critical Analysis
E-11
Linklaters: The Data (Use and Access) Act 2025 — Highlights of a Modest Reform to UK Data Protection
Linklaters' headline characterisation: The UK Data (Use and Access) Act received Royal Assent on 19 June 2025. Linklaters describe the final Act as "a set of modest and largely technical reforms" — noting that "the more radical amendments have been dropped."
What was dropped (and why this matters): The original consultation had floated scrapping data protection officers (DPOs), eliminating data protection impact assessments (DPIAs), and narrowing the definition of personal data. These were withdrawn due to concerns about the "potential impact on EU-UK data transfers" — i.e., risk of losing EU adequacy.
What remained in the Act: New measures on international data transfers, automated decision-making, legitimate interests, cookies, and a new complaints procedure. Linklaters describe these as "marginally increasing the regulatory burden, whilst still leaving key questions about the regulation of AI and Adtech unanswered."
Linklaters' adequacy assessment: "Most commentators believe the steps taken to tone down the UK reforms mean EU-UK transfers are safe for the time being." The EU adequacy finding was due for review at end of 2025 — Linklaters assess the risk as currently contained but not eliminated.
Linklaters' bottom line: "These modest and sensible reforms marginally increase the regulatory burden" — a notably more sceptical framing than the ICO's own messaging about the Act's benefits.
🔍 Synthesis
In-House Counsel Comparative Analysis
E-12
Cross-Firm Synthesis: Where the Top Firms Agree, Where They Diverge, and What In-House Counsel Should Prioritise
Areas of Strong Consensus
1. AI governance is the defining compliance investment of 2025-2026. Every firm — Baker McKenzie, Hogan Lovells, Covington, Sidley, DLA Piper, Fieldfisher — identifies AI governance as the dominant theme, but from different angles. Baker McKenzie uniquely adds the antitrust dimension. Covington is the only firm to squarely name the AI training consent paradox. Hogan Lovells frames it as a structural tension in data protection law's architecture rather than a checklist item.
2. Fragmentation is accelerating, not resolving. All US-focused firms (White & Case, Skadden, Covington, Sidley) agree: 20+ US states now active, federal baseline nowhere near. All EU-focused firms (Fieldfisher, Linklaters, Hogan Lovells) note Digital Omnibus could reshape GDPR simultaneously. Bird & Bird confirms China's rules are becoming more detailed, not simpler. No firm expects convergence before 2028.
3. Children's data has moved from guidance to enforcement. Fieldfisher ("year of the child"), A&O Shearman (ICO enforcement against platforms), White & Case (COPPA Rule amendments), Sidley (teen data regulation), Hogan Lovells (children's data as a 2026 key topic) — unanimous across jurisdictions. This is the fastest-moving enforcement area.
4. Data breach notifications are surging 22% YoY. DLA Piper's data is unique and unambiguous: 443/day in 2025 (up from 363). No other firm publishes equivalent empirical data — this should be treated as a baseline for incident response planning.
Areas of Divergence — Where Firms Disagree
5. Federal US privacy law: optimist vs. realist split. Covington maintains focus on a federal standard as possible; Skadden and Baker McKenzie treat state AG coordination as the de facto enforcement reality. Implication: plan for state-level fragmentation through at least 2027.
6. UK DUA Act: opportunity vs. modest reform. The ICO frames the DUA Act as enabling innovation; Linklaters characterises it as "modest and largely technical," leaving AI and AdTech questions unanswered. Fieldfisher highlights the "regulatory stack" risk from simultaneous EU changes. Implication: don't overinvest in DUA Act restructuring — it's operational, not transformational.
7. Personal liability risk: DLA Piper alone predicts structural shift. DLA Piper explicitly predicts 2025 as "the year that regulators pivot more to naming and shaming and personal liability." Other firms mention enforcement intensity but not personal officer liability as a distinct emerging risk. This divergence is significant — DLA Piper may be ahead of the curve, or overstating the trend.
Priority Actions for In-House Counsel at a Global Group
Based on cross-firm synthesis, the following are the highest-priority actions for Q2/Q3 2026:
- Establish regional compliance architecture — EU, UK, US (state-specific), China as separate pillars. A single global policy no longer holds.
- Begin AI governance programme now — don't wait for perfect regulatory clarity. Map all deployed AI systems, identify controllers, document data lineage, establish governance committee at board level.
- Audit all products/services for child user exposure — implement child-specific data minimisation, consent, and design protocols before enforcement finds you.
- Stress-test breach response capacity — 443 breach notifications/day is the new baseline. Your incident response SLA must meet multi-jurisdictional notification deadlines simultaneously (72h for GDPR, 72h for NIS2, 24h initial + 72h detailed for some sectors).
- Review cross-border data transfer infrastructure — UK adequacy under review (contained but unresolved); EU-US DPF faces legal challenge; China NDSM standard contract filing is generating delays. Mapping is urgent.
- Assess D&O insurance for data privacy/AI coverage — in light of DLA Piper's personal liability prediction, confirm officer indemnification language covers privacy enforcement scenarios.
Cybersecurity
Cybersecurity Regulation
🔒 EU
CRA — Cyber Resilience Act
C-1
EU Cyber Resilience Act (CRA): Incident Reporting Live September 2026
The EU Cyber Resilience Act entered into force in December 2024. The first set of obligations — active exploitation reporting (72-hour window to ENISA) — applies from 11 September 2026. Full conformity requirements for all products with digital elements apply from 11 December 2027. Manufacturers, importers and distributors of hardware and software products placed on the EU market must implement mandatory vulnerability handling processes, publish a Software Bill of Materials (SBOM), and provide a minimum of 5 years of security support.
Key Obligation:
Products with digital elements placed on EU market must meet CRA requirements. Begin conformity assessment procedures now — especially for critical products requiring third-party assessment. Establish ENISA reporting channel before September 2026.
🔒 EU
NIS2 Directive
C-2
NIS2 Directive: National Implementations & First Enforcement Actions
NIS2 implementation deadline passed in October 2024. As of Q1 2026, 18 EU member states have fully transposed NIS2; 9 states remain in partial or pending transposition. First enforcement actions have emerged in Germany (BSI), Netherlands (NCSC-NL), and France (ANSSI) targeting entities that failed to register as "essential" or "important" entities. The Directive's expansion of scope — including medium enterprises in newly covered sectors (food, waste management, digital infrastructure) — means many organisations previously outside NIS1 are now within scope.
Action:
Confirm NIS2 registration status in each EU member state of operation. Implement incident reporting pipeline (24h initial report, 72h detailed report, 1-month final report). Conduct board-level cybersecurity risk assessments — NIS2 makes management personally liable.
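The multi-jurisdiction reporting clocks above (and in the in-house counsel checklist earlier, 72h GDPR, 24h/72h/1-month NIS2, 72h CRA) are easiest to reason about as a schedule computed from the detection time. This is an added example, not code from the newsletter or any firm it cites; the calendar-month rule for the NIS2 final report and the sample detection timestamp are assumptions.

```python
import calendar
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone


@dataclass(frozen=True)
class Deadline:
    regime: str
    step: str
    due: datetime


def add_months(ts: datetime, months: int) -> datetime:
    # Calendar-month addition clamped to the last day of a short month, so a
    # 31 January detection gets a 28 February due date (29 in a leap year).
    # Assumption: NIS2's "1 month" is read as one calendar month.
    month_index = ts.month - 1 + months
    year, month = ts.year + month_index // 12, month_index % 12 + 1
    day = min(ts.day, calendar.monthrange(year, month)[1])
    return ts.replace(year=year, month=month, day=day)


# Reporting windows per regime, as stated in the newsletter items:
# GDPR 72h, NIS2 24h/72h/1 month, CRA 72h active-exploitation report to ENISA.
REGIMES = {
    "GDPR": [("breach notification to supervisory authority", timedelta(hours=72))],
    "NIS2": [
        ("initial report", timedelta(hours=24)),
        ("detailed report", timedelta(hours=72)),
        ("final report", "1 month"),
    ],
    "CRA": [("active exploitation report to ENISA", timedelta(hours=72))],
}


def notification_schedule(detected_at: datetime, regimes: list) -> list:
    """Every reporting deadline across the given regimes, earliest first."""
    if detected_at.tzinfo is None:
        raise ValueError("detected_at must be timezone-aware")
    schedule = []
    for regime in regimes:
        if regime not in REGIMES:
            raise KeyError(f"no reporting clock configured for {regime!r}")
        for step, window in REGIMES[regime]:
            due = add_months(detected_at, 1) if window == "1 month" else detected_at + window
            schedule.append(Deadline(regime, step, due))
    return sorted(schedule, key=lambda d: d.due)


def overdue(schedule: list, now: datetime) -> list:
    """Deadlines already missed at `now` (useful in a tabletop exercise)."""
    return [d for d in schedule if d.due <= now]


# Constructed sample: a month-end detection time exercises the clamping rule.
SAMPLE_DETECTION = datetime(2026, 1, 31, 10, 0, tzinfo=timezone.utc)


def run_sample() -> list:
    return notification_schedule(SAMPLE_DETECTION, ["NIS2", "GDPR", "CRA"])


if __name__ == "__main__":
    for d in run_sample():
        print(f"{d.due.isoformat()}  {d.regime:<4} {d.step}")
```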
Legislative Updates
📜 US
State Privacy Laws
L-1
US State Privacy Laws: 20 States Now Active — Compliance Complexity Reaches Critical Mass
As of Q1 2026, 20 US states have enacted and brought into force comprehensive consumer privacy laws, with another 8 states in active legislative session. Key 2026 additions include Texas (TDPSA in force January 2025), Oregon (effective July 2024), and Montana (effective October 2024). The lack of a federal framework means each law has distinct definitions, thresholds, opt-out mechanisms, and enforcement agencies. States diverge significantly on: sensitive data categories, universal opt-out signal recognition, cure periods, and private right of action.
📜 UK
DUAA — June 2026
L-2
UK Data (Use and Access) Act: Royal Assent Expected June 2026
The UK Data (Use and Access) Act (DUAA) is progressing through Parliament and is expected to receive Royal Assent by June 2026. The Act introduces a "recognised legitimate interests" test that reduces reliance on consent for certain processing activities, establishes a statutory framework for data sharing between public bodies, creates a new category of "digital verification services", and updates the ICO's powers and enforcement toolkit. Post-Brexit divergence from GDPR will accelerate upon commencement, requiring dual-track compliance for UK-EU operations.
Key Obligation:
UK operations should begin mapping processing activities against the new "recognised legitimate interests" categories. Plan for dual-track compliance (UK DUAA + EU GDPR) if operating across both markets.
12-Month Rolling Compliance Calendar
Compliance Calendar
Calendar covers EU, UK, US, Canada, Singapore, Japan, China. Updated weekly. Dates subject to legislative developments.
Issue #001 · 28 March 2026 · legal-hub.ai