Global Data Protection Enforcement Beyond GDPR: Key Frameworks and Trends

The European Union’s General Data Protection Regulation (GDPR) has long been the gold standard for data privacy, but a wave of new regulations worldwide is reshaping the global compliance landscape. From California to Vietnam, governments are imposing stricter rules and heavier penalties to protect personal data, reflecting heightened public concern over privacy breaches, AI-driven data harvesting, and cross-border data flows. This article examines six major frameworks outside the GDPR, their enforcement trends, and what they signal for businesses operating in 2025.

1. California Consumer Privacy Act (CCPA): Transparency and Penalty Escalation

Key Features

  • Maximum Penalty: $7,500 per intentional violation or $2,500 per unintentional violation, adjusted annually for inflation. In 2025, fines rose to $7,988 and $2,663, respectively[16][31].
  • Scope: Applies to businesses with annual revenues exceeding $26.6 million or those handling data of 100,000+ consumers[16][23].
  • Enforcement: Jointly managed by the California Privacy Protection Agency (CPPA) and the Attorney General.

Notable Enforcement

  • Criteo: The French ad-tech giant faced a $44 million fine in 2024 for using dark patterns to bypass opt-in consent requirements for behavioral advertising[2][26].
  • Tilting Point Media: Fined $500,000 in 2024 for collecting minors’ data without parental consent in its mobile game SpongeBob: Krusty Cook-Off[90].

2025 Updates

  • Elimination of the 30-day cure period for violations, shifting to discretionary grace periods[2].
  • Expanded rights for employees and B2B data subjects, requiring explicit consent for workplace monitoring[20].

Trends
Regulators are prioritizing cases involving sensitive data (e.g., health, geolocation) and algorithmic bias. The CPPA’s 2024 enforcement sweep targeted streaming services for improperly retaining viewing histories beyond disclosed periods[18].


2. Australia’s Privacy Act Reforms (2024): Systemic Accountability

Key Changes

  • Penalties: Up to AUD 3.3 million for corporations or 5% of global revenue for systemic breaches[4][32].
  • New Powers: The Office of the Australian Information Commissioner (OAIC) can issue infringement notices (up to AUD 330,000) and compliance orders[32][95].

Sector Impact

  • Healthcare: Mandated encryption for patient records and stricter breach reporting within 72 hours[31].
  • Retail: Penalties for failing to delete inactive customer profiles after 7 years[28].

Case Study

  • Australian Clinical Labs: Fined AUD 2.5 million in 2024 for a 2022 data breach exposing 223,000 patients’ diagnostic details. The OAIC cited inadequate encryption and delayed breach notifications[94].

Challenges
Small businesses (turnover < AUD 3 million) remain exempt unless handling sensitive data, creating compliance asymmetries in supply chains[32].


3. India’s Digital Personal Data Protection Act (DPDPA, 2023): Localization and High Stakes

Penalties

  • Up to INR 250 crores (~$30 million) for security failures or unauthorized data processing[5][104].
  • Lower thresholds (INR 150 crores) for mishandling children’s data[41][104].

Key Requirements

  • Data Localization: Critical personal data (e.g., financial, biometric) must be stored in India[46][51].
  • Consent Managers: Third-party platforms must register with the Data Protection Board to handle consumer opt-outs[105].

Enforcement Trends

  • Tech Sector: A 2024 probe found 60% of Indian fintech apps lacked valid consent mechanisms for data sharing[100].
  • HR Compliance: Employee biometric systems now require annual audits and mandatory breach drills[104].

2025 Outlook
The draft DPDP Rules introduce sector-specific codes, including a Children’s Code banning addictive AI features in educational apps[42][102].


4. Vietnam’s Personal Data Protection Decree (PDPD): Rising Ambitions

Penalties

  • Fines up to VND 1 billion (~$40,000), escalating to 5% of annual revenue for breaches affecting 5+ million citizens[6][106].
  • Non-monetary sanctions: Mandatory data deletion, public apologies, and operational suspensions[63][108].

Compliance Hurdles

  • Cross-Border Transfers: Require approval from the Ministry of Public Security (MPS) and a Data Transfer Impact Assessment (DTIA)[107].
  • Consent Complexity: Pre-ticked boxes are prohibited; granular opt-ins must specify third-party recipients[52][109].

2024 Crackdown
The MPS launched its first PDPD audit targeting e-commerce and fintech firms. Preliminary findings revealed 80% lacked internal data protection officers (DPOs)[106].


5. Canada’s Consumer Privacy Protection Act (Bill C-27): AI and Accountability

Penalties

  • Up to CAD 25 million or 5% of global revenue for reckless data practices[9][64].
  • AI Transparency: Mandatory impact assessments for automated decision-making systems affecting employment or credit[64][113].

Sector-Specific Rules

  • Healthcare: Requires “zero-knowledge” encryption for patient portals[9].
  • Banking: Open banking frameworks mandate user consent for data portability[64].

Case Study

  • Clearview AI: Fined CAD 9 million in 2024 for scraping facial images without consent, highlighting Canada’s alignment with EU standards[9].

6. EU NIS2 Directive (Cybersecurity): Critical Infrastructure in Focus

Penalties

  • Essential Entities (e.g., energy grids): Up to €10 million or 2% of global revenue[12][78].
  • Important Entities (e.g., cloud providers): Up to €7 million or 1.4% of revenue[12][78].

Key Requirements

  • Supply Chain Audits: Vendors must certify compliance with ISO 27001 or equivalent standards[11][76].
  • Incident Reporting: Critical breaches must be reported within 24 hours[77][81].

2025 Impact

  • Healthcare: Hospitals face mandatory penetration testing every six months[85].
  • Transport: Airlines must adopt real-time threat detection for passenger reservation systems[76].

Emerging Frameworks to Watch

1. Indonesia’s PDPL (2023)

  • Penalties up to 2% of annual revenue for unauthorized data transfers.
  • Requires “data trustees” for public sector databases[39][57].

2. Japan’s APPI Updates

  • Biometric data (e.g., facial recognition) now classified as “special care-required information”[39].
  • Fines up to ¥100 million (~$700,000) for improper anonymization[39].

3. Brazil’s LGPD

  • Sectoral penalties: Healthcare providers face fines up to 2% of revenue (capped at BRL 50 million) for ransomware-related breaches[21].

1. Sector-Agnostic Enforcement
Regulators are targeting non-traditional sectors:

  • Energy: Italy fined Enel Energia €79 million for using customer data in unsolicited marketing campaigns[3][39].
  • Gaming: Spain’s AEPD penalized a lottery app €600,000 for deceptive location tracking[13].

2. Revenue-Linked Penalties

  • Australia, Canada, and Vietnam now tie fines to global turnover, ensuring penalties scale with company size[25][32][108].

3. Dark Pattern Crackdowns

  • Netflix: Fined €4.7 million by Dutch authorities for burying opt-out options in layered menus[2].
  • LinkedIn: Faced a €310 million EU fine for nudging users into “legitimate interest” data processing[13].

4. Cross-Border Coordination

  • The Global Cross-Border Privacy Rules (CBPR) Forum, launched in 2023, enables joint investigations between the CPPA, OAIC, and India’s DPB[39][46].

Conclusion: Navigating the New Normal

The convergence of stricter penalties, sector-wide accountability, and AI-driven compliance tools is reshaping global data governance. Businesses must prioritize:

  • Privacy-by-Design: Embedding compliance into product development (e.g., automated consent logs).
  • Third-Party Audits: Regular assessments of vendors and AI systems.
  • Crisis Simulation: Annual drills for breach response and regulator communications.

As Brazil’s Data Protection Authority head recently noted: “GDPR was the starting pistol—now, the race is on to balance innovation with individual rights.”[39] Companies that treat privacy as a competitive advantage, rather than a checkbox, will lead this new era.


Citations:
[1] https://cppa.ca.gov/announcements/2024/20241217.html
[2] https://usercentrics.com/knowledge-hub/ccpa-penalties/
[3] https://iapp.org/news/a/top-operational-impacts-of-reforms-to-the-australian-privacy-act
[4] https://www.corrs.com.au/insights/changes-to-australias-privacy-act-bolster-enforcement-and-investigative-powers
[5] https://carnegieendowment.org/research/2023/10/understanding-indias-new-data-protection-law
[6] https://www.jisasoftech.com/dpdp-act-2023-key-updates-and-whats-new-in-2025-for-data-protection/
[7] https://www.allens.com.au/insights-news/insights/2023/06/a-close-look-at-vietnams-first-consolidated-personal-data-protection-regulation/
[8] https://www.dlapiperdataprotection.com/?t=enforcement&c=VN
[9] https://www.didomi.io/blog/canadas-bill-c-27-what-is-it-and-how-to-prepare-for-it
[10] https://www.pwc.com/ca/en/services/consulting/data-trust-and-privacy/cppa-readiness-survey.html
[11] https://digital-strategy.ec.europa.eu/en/policies/nis2-directive
[12] https://nis2directive.eu/nis2-fines/
[13] https://www.navex.com/en-us/blog/article/understanding-the-nis2-directive-what-it-means-for-cybersecurity-in-the-eu/
[14] https://pt.ruckusnetworks.com/blog/2025/nis2-explained/understanding_nis2_framework_for_network_security/
[15] https://cybellum.com/blog/understanding-nis2-what-it-means-for-eu-cybersecurity/
[16] https://www.fmglaw.com/cyber-privacy-security/key-updates-to-ccpa-fines-and-penalties-for-2025/
[17] https://content.next.westlaw.com/Link/Document/Blob/I93434d3a83d411ed8636e1a02dc72ff6.pdf?targetType=PLC-multimedia&originationContext=document&transitionType=DocumentImage&uniqueId=c46fbb97-81b3-4779-a2c4-1e13ca498f00&ppcid=7d8a11390a234200823d35e59cd01225&contextData=(sc.RelatedInfo)
[18] https://www.jdsupra.com/legalnews/2024-year-end-recap-of-california-9171223/
[19] https://www.dataguidance.com/news/california-cppa-announces-2025-increases-ccpa-fines
[20] https://www.callaborlaw.com/entry/top-five-2025-california-privacy-alerts-for-california-employers
[21] https://www.bytebacklaw.com/2024/10/u-s-privacy-litigation-update-september-2024/
[22] https://www.morganlewis.com/blogs/healthlawscan/2024/12/2024-year-end-recap-of-california-consumer-privacy-act-activity
[23] https://www.mailmodo.com/guides/ccpa/
[24] https://newsroom.courts.ca.gov/news/major-us-supreme-court-cases-2024
[25] https://bcp.dof.ca.gov/2526/FY2526_ORG0820_BCP8131.pdf
[26] https://termly.io/resources/articles/ccpa/
[27] https://www.dentons.com/en/insights/alerts/2024/april/17/ccpa-in-2024-what-quarter-1-signals-for-retailers
[28] https://www.dlapiperdataprotection.com/index.html?c=AU&t=law
[29] https://www.dentons.com/en/insights/articles/2024/december/3/australian-privacy-act-reforms-and-cyber-security-legislative-package-passed-what-you-should-know
[30] https://www.herbertsmithfreehills.com/insights/2024-11/australian--privacy-reform-bill-tranche-1-passed-parliament--key-impacts-for-your-business
[31] https://www.oaic.gov.au/privacy/privacy-guidance-for-organisations-and-government-agencies/preventing-preparing-for-and-responding-to-data-breaches/data-breach-preparation-and-response/part-1-data-breaches-and-the-australian-privacy-act
[32] https://www.privacyworld.blog/2024/12/first-tranche-of-reforms-to-australian-privacy-law-passed-with-amendments/
[33] https://www.hunton.com/privacy-and-information-security-law/australian-privacy-law-amendments-and-social-media-age-restrictions-enacted
[34] https://www.oaic.gov.au/about-the-OAIC/our-regulatory-approach/privacy-regulatory-action-policy
[35] https://www.nortonrosefulbright.com/en/knowledge/publications/be98b0ff/australian-privacy-alert-parliament-passes-major-and-meaningful-privacy-law-reform
[36] https://www.minterellison.com/articles/privacy-and-other-legislation-amendment-act-2024-now-in-effect
[37] https://www.csoonline.com/article/569187/major-systemic-failure-on-privacy-again-by-federal-court-of-australia.html
[38] https://www.jonesday.com/en/insights/2024/10/first-tranche-of-australias-much-anticipated-privacy-law-reforms-revealed
[39] https://gdprlocal.com/complying-with-the-australian-privacy-act-a-complete-guide/
[40] https://fpf.org/blog/five-ways-in-which-the-dpdpa-could-shape-the-development-of-ai-in-india/
[41] https://www.techtarget.com/searchdatabackup/definition/Digital-Personal-Data-Protection-Act-2023
[42] https://iapp.org/news/a/decoding-india-s-draft-dpdpa-rules-for-the-world
[43] https://www.nature.com/articles/s41746-025-01448-x
[44] https://secureprivacy.ai/blog/india-digital-personal-data-protection-act-2023-guide-protected-data
[45] https://www.linkedin.com/pulse/imperative-cfos-budgeting-dpdpa-compliance-2025-2026-cxo-india-nyngc
[46] https://www.globalprivacyblog.com/2023/12/indias-digital-personal-data-protection-act-2023-vs-the-gdpr-a-comparison/
[47] https://prsindia.org/billtrack/digital-personal-data-protection-bill-2023
[48] https://pib.gov.in/PressReleasePage.aspx?PRID=2090271
[49] https://www.linkedin.com/pulse/challenges-implementing-digital-personal-data-act-dpdpa-appayanna-hcnuf
[50] https://www.lw.com/admin/upload/SiteAttachments/Indias-Digital-Personal-Data-Protection-Act-2023-vs-the-GDPR-A-Comparison.pdf
[51] https://www.meity.gov.in/writereaddata/files/Explanatory-Note-DPDP-Rules-2025.pdf
[52] https://resourcehub.bakermckenzie.com/en/resources/global-data-privacy-and-cybersecurity-handbook/asia-pacific/vietnam/topics/penalties-for-non-compliance
[53] https://www.didomi.io/blog/vietnam-data-privacy-law-pdpd-everything-you-need-to-know
[54] https://www.vietnam-briefing.com/news/vietnams-latest-draft-decree-on-sanctions-for-cybersecurity-violations.html/
[55] https://www.tilleke.com/insights/vietnam-issues-landmark-personal-data-protection-decree/14/
[56] https://fpf.org/blog/vietnams-personal-data-protection-decree-overview-key-takeaways-and-context/
[57] https://privacymatters.dlapiper.com/2024/10/vietnam-malaysia-and-indonesia-what-you-need-to-know-about-the-new-se-asia-data-protection-laws/
[58] https://cpl.thalesgroup.com/compliance/apac/data-security-compliance-vietnam-pdpd
[59] https://www.tilleke.com/insights/a-closer-look-at-vietnams-first-ever-personal-data-protection-decree/
[60] https://vietnamnews.vn/society/1689881/stricter-fines-for-traffic-violations-introduced-in-2025.html
[61] https://www.ey.com/en_vn/insights/consulting/navigating-a-stricter-data-privacy-legal-landscape-next-and-beyond
[62] https://www.roedl.com/insights/newsflash-vietnam/decree-personal-data-protection
[63] https://www.dataguidance.com/jurisdiction/vietnam
[64] https://piwik.pro/blog/pipeda-analytics/
[65] https://lop.parl.ca/sites/PublicWebsite/default/en_CA/ResearchPublications/LegislativeSummaries/441C27E
[66] https://bigid.com/blog/what-you-need-to-know-about-cppa/
[67] https://barrysookman.com/2022/11/13/cppa-problems-and-criticisms-service-provider-obligations/
[68] https://www.dataguidance.com/opinion/canada-overview-bill-c-27-and-its-proposed-changes
[69] https://www.cookiehub.com/blog/what-is-the-cppa-canadas-consumer-privacy-protection-act
[70] https://www.onetrust.com/blog/the-ultimate-guide-to-pipeda-compliance/
[71] https://www.ourcommons.ca/Content/Committee/441/INDU/Brief/BR12942185/br-external/ImagineCanada-e.pdf
[72] https://www.blakes.com/insights/digital-policy-issues-face-uncertain-future-after-prorogation-of-parliament/
[73] https://www.contactcenterpipeline.com/Article/canadian-privacy-law-reform-has-the-train-left
[74] https://srinstitute.utoronto.ca/news/five-things-to-know-about-bill-c-27
[75] https://gowlingwlg.com/en-ca/topics/canadian-privacy-laws-new-rules-for-a-new-era/bill-c-27
[76] https://www.sans.org/webcasts/nis2-directive-readiness-compliance-challenges-and-recommendations/
[77] https://www.mayerbrown.com/en/insights/publications/2024/10/new-eu-cyber-rules-nis2-take-effect-implementing-rules-adopted
[78] https://www.threatscape.com/cyber-security-blog/what-are-the-penalties-for-nis2-non-compliance/
[79] https://natlawreview.com/article/5-trends-watch-2025-eu-data-privacy-cybersecurity
[80] https://www.skadden.com/insights/publications/2024/10/navigating-the-new-cybersecurity-landscape
[81] https://www.crowell.com/en/insights/publications/nis2-directive-is-on-the-edge-of-enforcement-what-now-for-euus-companies
[82] https://www.sans.org/white-papers/nis2-directive-readiness-compliance-challenges-recommendations/
[83] https://www.nis-2-directive.com
[84] https://www.moodys.com/web/es/es/kyc/resources/insights/understanding-the-nis2-regulation-staying-compliant-key-insights.html
[85] https://compliance-aspekte.de/en/blog/nis2-compliance-who-is-affected/
[86] https://www.sailpoint.com/identity-library/nis2-directive
[87] https://tresorit.com/blog/penalties-for-non-compliance-with-nis2-what-businesses-need-to-know/
[88] https://law.justia.com/cases/california/supreme-court/2024/
[89] https://usercentrics.com/knowledge-hub/california-consumer-privacy-act/
[90] https://www.venable.com/insights/publications/2024/07/california-attorney-generals-recent-enforcement
[91] https://sprinto.com/blog/ccpa-penalties/
[92] https://epic.org/california-consumer-privacy-act-ccpa/
[93] https://oag.ca.gov/privacy/privacy-enforcement-actions
[94] https://www.fticonsulting.com/insights/articles/australia-serious-penalties-privacy-enforcement
[95] https://www.ashurst.com/en/insights/australias-first-tranche-of-privacy-reforms-a-deep-dive-and-why-they-matter/
[96] https://www.finlaysons.com.au/2024/12/privacy-reforms-2025-are-you-ready/
[97] https://www.jonesday.com/en/insights/2023/01/australian-government-serious-about-data-privacy
[98] https://www.minterellison.com/articles/first-tranche-of-privacy-reforms-passed
[99] https://resourcehub.bakermckenzie.com/en/resources/global-data-privacy-and-cybersecurity-handbook/asia-pacific/australia/topics/penalties-for-non-compliance
[100] https://tsaaro.com/blogs/how-dpdpa-impacts-financial-institutions-compliance-strategies-and-challenges/
[101] https://www.legal500.com/developments/thought-leadership/primer-on-the-digital-personal-data-protection-act-2023-2/
[102] https://www.indiainsurtech.com/digital-personal-data-protection-act-2025-impact-on-the-insurance-and-insurtech-sectors-in-india
[103] https://iapp.org/news/a/operationalizing-india-s-new-data-protection-law-the-challenges-opportunities-ahead
[104] https://www.ey.com/en_in/insights/cybersecurity/decoding-the-digital-personal-data-protection-act-2023
[105] https://www.ey.com/content/dam/ey-unified-site/ey-com/en-in/insights/cybersecurity/documents/2025/01/ey-india-dpdp-rules-2025-v1.pdf
[106] https://www.tilleke.com/insights/vietnam-to-conduct-first-pdpd-compliance-investigation/
[107] https://services.google.com/fh/files/misc/vietnam_pdpd_googlecloud_whitepaper.pdf
[108] https://www.usasean.org/article/vietnams-latest-decree-violations-cybersecurity-and-data-protection
[109] https://vietnam.acclime.com/podcasts/vietnam-data-privacy-decree-explained-compliance-practices-and-strategies/
[110] https://www.dlapiperdataprotection.com/index.html?t=law&c=VN
[111] https://www.vietnam-briefing.com/news/vietnam-law-on-personal-data-protection-latest-developments-and-insights.html/
[112] https://www.jdsupra.com/legalnews/the-quebec-consumer-protection-act-new-6910901/
[113] https://www.blg.com/en/insights/2023/01/consumer-privacy-protection-act-canadas-bill-c-27-feedback-from-industry-participants
[114] https://www.americanbar.org/groups/business_law/resources/business-law-today/2020-december/proposed-canadian-privacy-bill/
[115] https://ised-isde.canada.ca/site/innovation-better-canada/en/consumer-privacy-protection-act
[116] https://www.priv.gc.ca/en/privacy-and-transparency-at-the-opc/proactive-disclosure/opc-parl-bp/indu_20231019/is_c27_20231019/
[117] https://www.didomi.io/blog/canada-data-privacy-law
[118] https://www.puppet.com/blog/nis2
[119] https://www.aon.com/en/insights/articles/nis-2-preparation-for-emea-organisations-ensuring-cybersecurity-compliance
[120] https://www.ropesgray.com/en/insights/viewpoints/102jqo9/the-eus-nis2-directive-is-in-force-but-can-it-be-enforced
