Global Data Privacy & PETs Developments (June–July 2025)

Data privacy saw significant global activity in mid-2025. New laws took effect, regulators handed down record fines, companies launched cutting-edge privacy-enhancing technologies (PETs), and experts weighed in on future trends. Below is a comprehensive report of key developments during June and July 2025, organized by theme and region.

Major Privacy Legislation & Policy Updates (June–July 2025)

• United Kingdom – Data (Use and Access) Act 2025: The UK overhauled its data protection regime with the Data (Use and Access) Act 2025 (DUAA), which received Royal Assent on 19 June 2025 stephensonharwood.com. The DUAA introduces targeted amendments to UK GDPR and e-Privacy rules, aiming to “facilitate the safe and effective use of data [and] encourage innovation” stephensonharwood.com while keeping UK law roughly aligned with EU standards. Notable changes include a defined list of “recognised legitimate interests” where organizations can process data without a full balancing test (e.g. national security, fraud prevention) stephensonharwood.com, relaxed requirements on record-keeping for small businesses, and higher PECR (cookie law) fines up to GDPR levels (max £17.5M or 4% of global turnover) stephensonharwood.com stephensonharwood.com. The DUAA also creates frameworks for “Smart Data” portability and digital identity verification services stephensonharwood.com stephensonharwood.com. In light of these changes, the European Commission extended the UK’s EU adequacy decision by six months (to Dec 27, 2025) to evaluate whether the UK still provides an adequate data protection level stephensonharwood.com.
• European Union – GDPR Simplification & AI Guidelines: EU policymakers moved on business-friendly tweaks to privacy rules. In late May, the European Commission published a proposal to simplify GDPR compliance for SMEs, expanding the Art.30 record-keeping exemption to organizations <750 employees (unless high-risk processing or special data are involved) techgdpr.com. The proposal clarifies that small or medium companies need not maintain processing records unless their activities pose high risk techgdpr.com. Meanwhile, EU data protection authorities issued guidance related to AI and privacy. Germany’s regulators decided not to unilaterally block Meta’s use of personal data to train AI models, opting to await an EU-wide assessment – effectively allowing Meta’s AI training to proceed under legitimate interests for now techgdpr.com techgdpr.com. The French CNIL released new guidelines on web scraping for AI, outlining when legitimate interest can justify scraping public data and recommending safeguards for such data collection termageddon.com. These steps reflect Europe’s attempt to balance innovation with privacy, ahead of the EU AI Act’s first enforcement phase (set for mid-2025) which will ban certain high-risk AI practices like social scoring and unwarranted biometric surveillance bigid.com bigid.com.
• United States – State Privacy Laws: The patchwork of U.S. state privacy laws continued to expand. Tennessee’s Information Protection Act and a comprehensive law in Minnesota both took effect on July 1, 2025, granting consumers rights to access, delete, and opt-out of data sales/profiling frostbrowntodd.com whitecase.com. These are among eight new state privacy laws coming into force in 2025 (others include Iowa, Indiana, Montana, Delaware, etc.) bigid.com bigid.com, underscoring the trend of state-level action in absence of federal legislation. Additionally, children’s online privacy gained attention: Vermont’s legislature passed an Age-Appropriate Design Code (similar to California’s), imposing strict requirements on services likely to be accessed by minors (e.g. highest default privacy settings for teens) techgdpr.com techgdpr.com. The bill awaited the Governor’s signature as of June techgdpr.com. At the federal level, the FTC signaled plans to update COPPA (Children’s Online Privacy Protection Act) to cover teens and AI profiling by late 2025 bigid.com, potentially broadening protections for minors online.
• Asia-Pacific – New Privacy Regulations: Major APAC economies advanced privacy rules. India’s Digital Personal Data Protection Act (DPDPA), passed in 2023, entered into force in July 2025 bigid.com bigid.com. The law establishes modern consent-based data rights and strict obligations on data handlers, with steep penalties for noncompliance bigid.com. It requires organizations (domestic or abroad) processing Indians’ data to ensure purpose limitation, data minimization, and timely breach reporting bigid.com. In China, new regulations on the “secure use of facial recognition technology” took effect June 1, 2025 techgdpr.com. These rules mandate explicit consent for collecting facial data, restrict use of facial recognition in public venues to security purposes only, and even prohibit relying solely on face scans where alternative identification methods exist techgdpr.com. China’s move highlights a growing focus on biometric privacy. Elsewhere, Australia is drafting a major Privacy Act reform (expected late 2025) to introduce GDPR-like rights (erasure, portability), tighter breach notification and limits on AI use of personal data bigid.com. And in Canada, Quebec’s stringent Law 25 had its first full compliance year in 2025, pushing companies to implement privacy impact assessments and consent for sensitive data bigid.com bigid.com.

Table 1: Key Privacy Developments (Mid-2025)

Regulatory Enforcement & Data Breaches

Mid-2025 saw aggressive enforcement of data privacy laws, with regulators imposing record fines and taking novel actions:

• Record GDPR Fines in Europe: European authorities dramatically ramped up GDPR enforcement in Q2 2025, culminating in the largest quarter of fines on record (over €6.2 billion) fastaudit.io fastaudit.io. A headline case was TikTok’s €530 million fine (≈$600 M) announced in early May. Ireland’s Data Protection Commission found TikTok unlawfully transferred EU users’ personal data to China without adequate safeguards apnews.com apnews.com. The watchdog noted TikTok “failed to verify, guarantee and demonstrate” that European data accessed by staff in China was protected from Chinese government access apnews.com apnews.com. TikTok was also ordered to suspend data flows to China within 6 months unless it complies with EU standards theguardian.com theguardian.com. (TikTok is appealing, claiming it’s being singled out despite using standard transfer mechanisms apnews.com.) This penalty – one of the largest under GDPR – underscores regulators’ focus on cross-border data transfers and Chinese apps. In addition, EU regulators continued targeting Big Tech for children’s data and ad practices. Meta (Facebook/Instagram) faced ongoing inquiries, and earlier cases resulted in fines like €390 M for forced consent and €345 M for Instagram’s mishandling of teens’ data fastaudit.io (2023 precedents). Cookie consent violations are another enforcement hotspot – regulators in Germany and elsewhere now insist that websites provide a one-click “Reject All” option equal to “Accept All,” deeming anything less a GDPR breach techgdpr.com techgdpr.com. This was affirmed by a German court ruling against a publisher whose cookie banner made opting out much harder than opting in techgdpr.com techgdpr.com. The trend is clear: in 2025, European authorities are using large fines and strict orders to push companies into compliance on international transfers, children’s privacy, and honest consent practices fastaudit.io fastaudit.io.
• United States – State Enforcement & Lawsuits: In the U.S., state authorities and the new California regulator made their presence felt. In a historic settlement, Texas’s Attorney General secured a $1.375 billion deal with Google to resolve allegations that Google illegally tracked Texans without consent texastribune.org texastribune.org. Announced in May 2025, this is the largest privacy settlement ever obtained by a U.S. state texastribune.org – Texas had sued Google for surreptitiously collecting geolocation data, recording “incognito” browsing, and capturing voiceprints/facial recognition data in violation of state law texastribune.org texastribune.org. (Google admitted no wrongdoing but noted it had already changed the disputed practices texastribune.org.) This followed a similar $1.4 billion Texas settlement with Meta in 2024 over Facebook’s past use of facial recognition on users without consent texastribune.org. These massive payouts, under Texas’s biometric and consumer protection statutes, demonstrate rising state-level enforcement muscle in privacy. Meanwhile in California, the California Privacy Protection Agency (CPPA) brought some of its first enforcement actions under the CPRA. In June, clothing retailer Todd Snyder, Inc. was fined over $300,000 by the CPPA for having a misconfigured opt-out mechanism and collecting more data than disclosed – a violation of California’s transparency and purpose-limitation rules termageddon.com termageddon.com. Earlier, the CPPA fined a data broker (Jerico, Inc.) for failing to register in the state’s Data Broker Registry termageddon.com. Privacy advocates are also turning up the pressure: in July, the EFF and Privacy Rights Clearinghouse published research showing many data brokers were ignoring registration laws, and urged states’ Attorneys General to investigate and sanction these brokers termageddon.com termageddon.com. We can expect more states to form enforcement coalitions targeting data brokers and dark patterns in the coming months.
• Notable Data Breaches & Cyber Incidents: Several high-profile data breaches came to light, raising privacy concerns across sectors. In June, legal research giant LexisNexis disclosed that a leak (from a third-party software platform) had exposed personal data of over 300,000 customers termageddon.com. Alarmingly, the breach occurred in late 2024 but went unnoticed until April 2025 termageddon.com – highlighting gaps in vendor security oversight. Dior, the luxury fashion house, confirmed a cyberattack in which intruders accessed customer contact info, purchase histories and preferences termageddon.com termageddon.com. And in July, U.S. insurer Aflac suffered a hack compromising sensitive health policy data and Social Security numbers termageddon.com termageddon.com. These incidents underscore that no industry is immune: from retail to insurance to data brokers, attackers target personal data wherever it resides. European regulators continue to emphasize breach reporting obligations – e.g. Denmark’s DPA updated its breach handling guidance in June, reminding controllers that timely breach notification aids the “ongoing improvement of data protection” techgdpr.com techgdpr.com. On a positive note, authorities are also pushing preventative security: Germany’s cybersecurity office (BSI) issued best-practice guidance to harden email systems (urging widespread adoption of standards like SPF, DKIM, and DMARC to curb phishing) techgdpr.com techgdpr.com. Overall, mid-2025’s news highlights a dual trend: heavier penalties for privacy failures, and greater official guidance to mitigate security risks before breaches occur.

Advances in Privacy-Enhancing Technologies (PETs)

Innovations in privacy-enhancing technologies accelerated during June–July 2025, with new products and research aimed at reconciling data use with privacy:

• Homomorphic Encryption Goes Mainstream: Fully Homomorphic Encryption (FHE), long a theoretical marvel, made tangible strides. In June, Paris-based cryptography startup Zama announced a $57 million Series B funding round (pushing its valuation above $1 billion) to build out its FHE platform siliconangle.com siliconangle.com. Alongside the funding, Zama launched a public test network for its Confidential Blockchain Protocol, enabling developers to execute smart contracts on Ethereum without revealing any sensitive data siliconangle.com siliconangle.com. FHE allows computation on encrypted data, and Zama’s breakthrough drastically improved performance – its encrypted virtual machine now runs 100× faster than five years ago, and is even designed to be resistant to quantum attacks siliconangle.com siliconangle.com. Use-cases span from encrypted financial transactions (secure blockchain payments, private asset exchanges) to privacy-preserving AI (training models on encrypted user data) siliconangle.com siliconangle.com. Zama’s CEO declared that “without confidentiality, blockchain cannot reach mass adoption”, framing FHE as the “HTTPZ” of the future internet – fully encrypted end-to-end by default siliconangle.com siliconangle.com. The sizable investment in Zama reflects investor optimism around PETs, especially as industries like finance and Web3 seek to comply with privacy norms without sacrificing functionality.
• Zero-Knowledge Proofs in Consumer Tech: Zero-knowledge proofs (ZKPs) – cryptographic techniques that prove facts without revealing underlying data – saw a major real-world deployment by a tech giant. Google revealed in late April that it is integrating ZKPs into Google Wallet to enable private age and ID verification techcrunch.com. By June, this feature began rolling out: for instance, users in the UK can add a digital ID (from their passport) into Wallet, and Google uses a ZKP-based protocol to confirm the user’s age to third-party apps without disclosing the user’s identity or any other personal info techcrunch.com techcrunch.com. Dating app Bumble is an early partner, employing Google’s ZKP-enabled ID to verify ages anonymously techcrunch.com techcrunch.com. Crucially, Google also open-sourced its ZKP libraries so that other wallet providers and online services can adopt similar privacy-preserving verification techcrunch.com. This move earned praise for bringing advanced cryptography to everyday use; observers noted it could set a precedent for platforms to offer “selective disclosure” of attributes (age, credentials) without harvesting personal data. Separately, Google’s push coincides with broader interest in ZKPs for digital identity – for example, developers are exploring ZKPs to prove one-person-one-account in social media without revealing actual identities ainvest.com, and NIST is working toward standards for zero-knowledge proofs by 2025 to ensure interoperability and trust cryptoslate.com. All told, ZKPs are emerging from the realm of blockchain and crypto into mainstream applications like payments and identity.
• Federated Learning & Differential Privacy: Companies and researchers are increasingly combining PET approaches to enable data analytics with privacy. In enterprise data science, federated learning (FL) – training AI models across decentralized devices or servers holding sensitive data – is gaining traction as a way to comply with data locality and privacy laws. During this period, industry experts highlighted that FL, along with techniques like differential privacy, have moved from academia into the “enterprise data stack.” A Q2 2025 tech trends report noted a “surge in the use of Privacy-Enhancing Technologies” by organizations to reconcile global data regulations with AI and analytics needs datadecoded.com datadecoded.com. Techniques such as FL, homomorphic encryption, and differential privacy are now “part of the enterprise toolkit”, enabling collaborative machine learning and analysis without exposing personal data datadecoded.com datadecoded.com. For example, medical researchers can train predictive models on patient data across multiple hospitals via FL, so that no raw patient data is ever pooled centrally – addressing both privacy and data residency concerns in healthcare. Differential privacy (DP), which adds statistical noise to results to hide individual records, also saw ongoing adoption. In the public sector, statistical agencies and tech firms continued to use DP for releasing aggregate data with provable privacy guarantees (building on its successful use in U.S. Census and products like Apple’s iOS analytics). Regulators themselves are encouraging PET use: notably the G7 data protection authorities jointly endorsed PET development in 2023 and urged stakeholders in 2025 to leverage PETs to enable data sharing for public good “while building trust and protecting privacy” data.org. This top-down support is catalyzing cross-sector PET innovation challenges (for instance, a global PETs challenge for pandemic data was backed by data.org, Mastercard, the FDA, and others data.org). In summary, the midpoint of 2025 finds PETs maturing – moving from theory to practice, with real systems implementing FL, DP, and encryption to unlock data value responsibly.

Table 2: Notable PET Innovations (Mid-2025)

Expert Opinions and Industry Trends

Privacy experts, industry leaders, and regulators offered insights into the trajectory of data privacy and PETs:

• Enforcement as a Wake-Up Call: Commentators noted that 2025 marks a turning point in privacy enforcement. A compliance analyst observed that “2025 is proving to be a year of increased enforcement and greater penalties for GDPR violations. The message is clear: invest in compliance now, or pay exponentially more later.” fastaudit.io. Regulators themselves stressed that privacy compliance is not optional; for example, Ireland’s Deputy Commissioner Graham Doyle, in the TikTok decision, emphasized companies must prove foreign data transfers are safe before they happen apnews.com. The consensus is that organizations need proactive privacy programs – from data mapping and transfer risk assessments to privacy by design in new products – to avoid becoming the next headline.
• Privacy as a Differentiator: Far from being only a legal burden, privacy is increasingly seen as a competitive advantage. Industry leaders at the IAPP and in tech companies argue that strong data privacy and governance can build customer trust and enable new business models. A mid-2025 trends report noted that compliance with GDPR, California’s CPRA, and forthcoming AI regulations is “not just about avoiding fines – it’s a strategic differentiator” datadecoded.com. Firms investing in “privacy by design” – embedding PETs and strict data controls into their operations – are better positioned to offer services in privacy-sensitive domains like health tech, finance, and AI. For example, privacy-focused email provider Proton has leveraged its reputation for security to expand services (VPN, cloud storage). Proton’s CEO, Andy Yen, has long contended that giving users privacy can be a selling point rather than a drawback. This ethos underpinned Proton’s June 30, 2025 lawsuit against Apple, where Proton accused Apple of anti-competitive App Store rules that hinder privacy apps. Proton stated it sued Apple “to set an important precedent that free people, not monopolies, will dictate the future of the internet.” reuters.com reuters.com Proton’s stance reflects a broader industry trend championing open ecosystems and interoperability, which many privacy innovators see as crucial for users to have control (e.g. the ability to install private, secure apps outside of Big Tech’s walled gardens).
• Investor Sentiment & Market Forecasts: The flurry of PET-related funding (e.g. Zama’s $57M, other startups in secure computation and identity) suggests investors see real market demand for privacy tech. Market analysts project robust growth for the PET industry – one report estimates the global PET market will grow ~25% annually, reaching over $12 billion by 2030 univdatos.com. Driving factors include the proliferation of data protection laws worldwide (spurring demand for compliance tech), the need for secure cloud data analytics, and consumer expectations of privacy. Notably, sectors like healthcare and finance are expected to lead PET adoption. Healthcare providers handling sensitive patient data are experimenting with PETs to enable research and AI diagnostics without compromising privacy – and regulators in the EU have flagged health data as a major enforcement focus for late 2025 fastaudit.io fastaudit.io. In finance, operational resilience and privacy go hand in hand: for instance, the EU’s Digital Operational Resilience Act (DORA) now mandates strict data risk management for banks bigid.com, and open banking initiatives are expanding in multiple regions. The UK’s new Smart Data schemes (under the DUAA) plan to let consumers securely share their financial data with third-party services to get better deals stephensonharwood.com stephensonharwood.com – an approach that will rely on strong encryption and user consent management. All these trends point to a future where privacy tech becomes standard infrastructure. As one industry group put it, “Privacy and data security have become C-suite priorities, not just IT issues”, and companies that fail to implement state-of-the-art protections risk regulatory, reputational, and financial fallout.
• Regional & Sectoral Outlook: Different regions continue to shape privacy in their own ways. Europe maintains a stance as the strict privacy enforcer – doubling down on GDPR enforcement and pioneering new laws (Data Act, AI Act, ePrivacy updates) that integrate privacy with digital competition and AI governance trustarc.com bigid.com. North America is marked by divergence: Canada and U.S. states advancing privacy rights (with California often at the forefront), while the U.S. federal landscape remains fragmented. Asia-Pacific is rapidly evolving – India now has a comprehensive privacy law affecting nearly 1.4 billion people bigid.com, China is enforcing cybersecurity and privacy with a nationalistic lens (protecting personal data from misuse but also asserting state data sovereignty), and Japan, South Korea, Australia are each updating laws to align with global standards and facilitate data trade. Specific industries face unique challenges: tech and social media firms are under heavy scrutiny for how they handle user data (witness TikTok, Meta). Financial services must balance innovation like blockchain, open banking and AI-driven fraud detection with privacy (hence interest in PETs like MPC and ZK-proofs for transactions). Healthcare organizations see PETs as key to unlocking data-driven medicine while complying with HIPAA and GDPR (for instance, using federated learning to train diagnostics on distributed hospital data). And in the AI sector, privacy is now a core part of the ethics debate – with large language models and generative AI trained on massive datasets, experts argue for techniques like data anonymization, synthetic data generation, and privacy-preserving training to mitigate risks of leaking personal information. Indeed, in July 2025 France’s CNIL and other bodies began examining how to apply GDPR to generative AI, and the EU AI Act will require impact assessments for high-risk AI that likely include privacy considerations techgdpr.com techgdpr.com (ISO is even developing an AI management system standard, ISO/IEC 42001, to guide organizations in responsible AI deployment including privacy risk monitoring techgdpr.com bigid.com).

Conclusion: June and July 2025 underscored that data privacy is more dynamic than ever. Regulators worldwide are actively enforcing privacy laws and updating them to address emerging issues like AI and children’s data. At the same time, technological advances in PETs are providing new ways to use data safely – turning the old “privacy vs. innovation” dichotomy into a synergy. The global consensus, from Silicon Valley to Brussels to New Delhi, is that privacy considerations must be embedded at every level: legal, organizational, and technical. As we move into the latter half of 2025, organizations that embrace privacy-enhancing technologies, invest in compliance, and earn user trust will be best positioned in an increasingly privacy-conscious market fastaudit.io datadecoded.com.

Sources:

1. Stephenson Harwood – Data Protection Update (June 2025) stephensonharwood.com stephensonharwood.com
2. TechGDPR – Privacy News Digest (May 17 – June 1, 2025) techgdpr.com techgdpr.com
3. Termageddon – Data Privacy News (June 2025) termageddon.com termageddon.com
4. Termageddon – Privacy & Security News (July 2025) termageddon.com termageddon.com
5. Reuters – TikTok fined €530M over data transfers (May 2025) apnews.com apnews.com
6. Reuters – Texas AG on $1.4B Google Settlement (May 2025) texastribune.org texastribune.org
7. FastAudit – GDPR Fines Record High in Q2 2025 fastaudit.io fastaudit.io
8. SiliconANGLE – Zama raises $57M for homomorphic encryption (June 26 2025) siliconangle.com siliconangle.com
9. TechCrunch – Google Wallet adds ZKP-based IDs (Apr 29 2025) techcrunch.com techcrunch.com
10. Data Decoded – Top Data Trends 2025 (Q2 2025) datadecoded.com datadecoded.com
11. Reuters – Proton sues Apple over App Store (June 30 2025) reuters.com