Data Protection News Roundup: May 16, 2025
As a data protection officer, staying current with the latest developments is crucial. Here’s a timely blog idea based on recent data protection news that would be valuable for your audience:
GDPR Enforcement Continues: Meta’s AI Training Practices Under Scrutiny
Meta finds itself once again in the crosshairs of European data protection authorities as privacy advocacy group noyb has filed complaints regarding the company’s latest plan to train AI models using EU user data. Despite a settlement reached in June 2024 where Meta agreed to pause AI training using EU/EEA data, the company appears to be violating GDPR rules with its new approach.
This case highlights the ongoing tension between big tech’s AI ambitions and European data protection requirements. As a DPO, you could explore:
- The specific GDPR provisions Meta is allegedly violating
- The implications for other companies developing AI systems
- Best practices for lawful AI training using personal data
Recent Regulatory Developments
The European data protection landscape continues to evolve with several significant developments this month:
EDPB and EDPS Address Record-Keeping Requirements
On May 8, 2025, the European Data Protection Board (EDPB) and European Data Protection Supervisor (EDPS) adopted a joint letter responding to the European Commission’s proposal to simplify record-keeping obligations under GDPR Article 30(5). The proposed changes would particularly affect organizations with fewer than 500 employees.
The supervisory authorities have expressed preliminary support for this targeted simplification but requested better evaluation of the impact on affected organizations and assessment of whether the proposal ensures a proportionate balance between data protection and organizational interests.
Blockchain Data Protection Rules
The European Data Protection Board has approved draft rules governing how personal data is stored and shared on blockchains. This represents an important step in clarifying how GDPR applies to blockchain technologies, which have traditionally presented challenges for data protection compliance.
International Perspectives
New Zealand Privacy Act Amendment
Looking ahead, New Zealand is preparing for a significant amendment to its Privacy Act 2020, set to come into force on May 1, 2026. This change will expand privacy notice obligations to include indirect collections of personal data. The Office of the Privacy Commissioner has released draft guidance clarifying that generic privacy notices will be insufficient, requiring organizations to proactively notify individuals after indirect data collection.
This amendment aims to ensure New Zealand maintains its EU adequacy status, highlighting the global influence of GDPR standards.
Brazil’s AI Regulation to Combat Psychological Violence
Brazil recently passed Law No. 15.123/2025 on April 24, introducing increased penalties for psychological violence against women when committed using artificial intelligence or other technologies capable of manipulating media. This legislation specifically targets deepfakes and other synthetic media, allowing up to a 50% increase in penalties for such offenses.
This development reflects a growing global trend toward regulating harmful AI applications, similar to provisions in the EU AI Act regarding transparency for deepfake content.
As data protection professionals, these developments remind us of the importance of staying vigilant about emerging technologies and their privacy implications.