India's Draft Digital Personal Data Protection Rules Seek Public Feedback by 18 February 2025
On 3 January 2025, India's Ministry of Electronics and Information Technology (MeitY) unveiled the draft Digital Personal Data Protection (DPDP) Rules 2025, inviting public feedback until 18 February 2025.
These rules aim to operationalise the Digital Personal Data Protection Act 2023 by establishing comprehensive guidelines for data processing, consent management, breach notifications, and cross-border data transfers.
Key Highlights of the Draft Rules
Consent Management and Data Fiduciary Responsibilities
The draft rules emphasise the importance of obtaining clear and informed consent from individuals (data principals) before processing their personal data. Data fiduciaries—entities that determine the purpose and means of data processing—are required to provide concise and easily understandable notices to individuals, detailing the nature and purpose of data collection.
This approach aims to empower users with greater control over their personal information.
Additionally, the rules introduce the concept of Consent Managers—independent entities that will act as intermediaries to help individuals manage their consent across different platforms.
These managers must register with the Data Protection Board and adhere to stringent obligations to ensure transparency and accountability in consent management.
Cross-Border Data Transfers
A significant aspect of the draft rules is the regulation of cross-border data transfers.
The government retains the authority to restrict the transfer of personal data to foreign countries, entities, or individuals, especially concerning national security or privacy concerns.
In the event of a personal data breach, data fiduciaries are mandated to inform the Data Protection Board without undue delay.
However, the draft rules specify that reporting should be done "without delay," which some experts find subjective and ambiguous, calling for clearer timelines to ensure prompt action.
Processing Children's Data
The draft rules introduce stringent measures for processing children's data. Data fiduciaries are prohibited from tracking or targeting advertisements at children.
Additionally, users under 18 will need parental consent to use social media platforms, and companies must carry out due diligence to establish that the parent is indeed an adult.
This move aims to protect minors online but raises questions about the practicalities of verifying parental consent.
Industry Reactions and Concerns
The introduction of the draft DPDP Rules 2025 has elicited a range of responses from industry stakeholders.
While many acknowledge the necessity of robust data protection regulations, concerns have been raised regarding the potential increase in compliance burdens for businesses, especially local enterprises.
The ambiguity in certain provisions, such as the undefined timeline for data breach reporting and the broad restrictions on cross-border data transfers, has led to calls for greater clarity to ensure practical implementation.
Furthermore, the requirement for parental consent for minors' use of social media platforms has sparked debate.
Critics argue that the process of verifying parental consent may be challenging to implement effectively, potentially leading to unintended barriers for young users seeking access to online resources.
Public Consultation and Next Steps
MeitY has opened the draft rules for public consultation, inviting feedback from individuals, industry bodies, and other stakeholders until 18 February 2025. This participatory approach aims to refine the rules, balancing the protection of personal data with the operational realities of businesses and the rights of individuals.
Stakeholders are encouraged to submit their comments via the MyGov portal, contributing to the development of a comprehensive and effective data protection framework for India.