Key global data privacy developments you might have missed (but Rulefinder Data Privacy hasn't).
Mexico - New data protection law enacted
An updated Federal Law for the Protection of Personal Data held by Private Parties (the New DP Law) was published in Mexico’s Official Gazette on 20 March 2025, taking effect the following day. It replaces the existing law of the same name. Updated regulations to complement the New DP Law are expected to be enacted in due course.
Nigeria - NDPC issues GAID 2025
On 20 March 2025, the Nigeria Data Protection Commission adopted the Nigeria Data Protection Act (NDP Act) 2023 General Application and Implementation Directive (GAID) 2025. The GAID further implements the NDP Act, addressing key topics and repealing the Nigeria Data Protection Regulation 2019. Full implementation of the GAID is set for September 2025, and the fee-related provisions will take effect in January 2026.
The GAID covers a broad array of topics including DPOs, data protection principles, lawful bases, transparency, DPIAs, security, data breach handling, deployment of processing software, data processing agreements, individual rights, emerging technologies, compliance audits, general compliance measures, and international transfers. It also has provisions dealing with the designation and registration requirements for data controllers and processors of major importance.
Data Privacy: Stay ahead of the curve
As AI accelerates, so do the compliance challenges. In this recent article, we explore the growing intersection between AI and data privacy, covering key compliance risks, from DPIAs to automated decision-making, and what they mean for AI governance. Our new AI Regulation & Governance module keeps you up to speed with:
Exclusively available to Rulefinder Data Privacy subscribers. Get in touch for a demo or more details.
EU - EDPB report on risks and mitigations for LLMs
The European Data Protection Board has published a report on AI Privacy Risks & Mitigations Large Language Models (LLMs). The report provides practical guidance and tools for developers and users of LLM-based systems to manage the data privacy risks associated with the use of these technologies.
UK - New guidance on anonymisation and pseudonymisation
The UK ICO has published the final version of its non-binding guidance on anonymisation and pseudonymisation, which sits alongside the ICO's data sharing code of practice and positions data anonymisation (followed by the sharing of non-personal information) as a privacy-friendly alternative to personal data sharing. The guidance is comprehensive and goes into matters such as how effective anonymisation can be ensured and what kind of accountability and governance measures should be implemented in an organisation relying on anonymisation.
Finland - Cybersecurity Act to implement NIS 2 Directive
The Finnish Parliament has passed the Government’s proposal for a national Cybersecurity Act to implement the EU NIS 2 Directive, with some obligations effective from 8 April 2025. Please note that the Cybersecurity Act does not apply to any entity to which DORA applies. The Finnish Transport and Communications Agency (Traficom) will be the competent supervisory authority for cybersecurity matters, liaising with the sectoral authorities as required, and it also has new supervisory duties.
The Cybersecurity Act is available here (in Finnish).
Sanctions. We're keeping count.
115. That's the number of regulatory sanctions around the world that Rulefinder Data Privacy has already tracked in 2025. It amounts to over 275,510,000 US dollars in penalties and numerous other reprimands and corrective actions.
Not seen our Enforcement Tracker yet? Ask us for a demo.
China - CAC publishes Q&A on security assessments for cross-border transfer
The Cyberspace Administration of China (CAC) has published Questions and Answers on managing data security assessments for cross-border transfer. The Q&A is intended to improve knowledge and implementation of management policies on outbound data security and to assist organisations processing personal data to undertake transfers efficiently and in compliance with applicable regulations.
South Korea - Revised guidelines on privacy notices
The South Korean data protection authority, the PIPC, has issued an updated version of its guidelines on drafting "Privacy Policies" (often referred to as "privacy notices" in other jurisdictions), which organisations are required to publish. The updated guidelines seek to create greater transparency about data processing and enhance the rights of individuals whose personal information is processed. At the same time, they try to reduce the burden on organisations.
The guidelines: (i) suggest less detail and granularity are required when setting out data retention periods; (ii) include some new requirements in terms of where and how often the policies should be displayed; and (iii) contain clarifications on individuals' rights to refuse processing in the context of behavioural data collection and profiling.
United States - Arkansas - Children's online privacy act enacted
On 21 April 2025, the Governor of Arkansas signed into law HB 1717 to create the Arkansas Children and Teens’ Online Privacy Protection Act, which will take full effect on 1 July 2026. The Act is similar to the federal Children and Teens’ Online Privacy Protection Act (reintroduced as a bill in March 2025 and known as COPPA 2.0) and creates protections for children aged between 13 and 16.
The Act applies to operators of websites, online services, online applications, or mobile applications either directed at Arkansas residents that are children (12 years or under) or teens (aged 13 to 16), or with actual knowledge that they are collecting personal information from those children or teens. It contains provisions covering transparency and consent, data minimisation, and rights that must be facilitated.
Netherlands - AP monitoring cookie banners
The Dutch data protection authority (the AP) has highlighted that since 2024 it has significantly increased its proactive checks on website cookie banners and whether organisations are asking for permission to place tracking cookies or similar technologies in a fair and lawful manner. The AP refers to five investigations of Dutch websites in 2024, which all resulted in the organisations adjusting their cookie banners to comply with the law. Unlawful practices included: (i) the button to refuse cookies was hidden, (ii) the consent for placing cookies was pre-checked, and (iii) cookies were placed before the website visitor had given permission, or after refusal.
The AP confirms that organisations that do not comply with the rules on cookies will generally receive a warning and the opportunity to adjust their cookie banner. However, in the event of serious violations or if an organisation refuses to adjust the cookie banner, there is a good chance that the AP will take enforcement action with fines or other sanctions.
Want to find out more?
Rulefinder Data Privacy subscribers hear about these and other privacy law developments as soon as we cover them.
