<\/p>\n
The European Commission’s Digital Omnibus Regulation proposal and recent national law updates in the UK, China, and India mark significant shifts in data law compliance for organisations in 2025, requiring renewed focus on cross-border risks and incident reporting.<\/p>\n<\/div>\n
Welcome to the final edition of the Stephenson Harwood data protection update for 2025, which reviews the principal regulatory, cyber security and enforcement developments from November and highlights what organisations should prioritise as we move into 2026. [1]<\/a><\/sup><\/p>\n The European Commission published its Digital Omnibus Regulation proposal on 19 November 2025, a package of amendments aimed at simplifying and aligning the GDPR, the ePrivacy Directive, the AI Act, the Data Act, the Data Governance Act and NIS2 to reduce complexity while seeking to preserve high standards. Industry and legal observers should monitor fast-moving trilogue negotiations and consider the potential impact of proposed changes on data processing, AI compliance and cross-border data flows. According to the Commission\u2019s announcement, some deadlines for high\u2011risk AI measures have also been floated for later implementation to give stakeholders more time to prepare. [1]<\/a><\/sup>[2]<\/a><\/sup>[5]<\/a><\/sup>[7]<\/a><\/sup><\/p>\n In the UK, the Department for Science, Innovation and Technology introduced the Cyber Security and Resilience (Network and Information Systems) Bill to Parliament on 12 November 2025, updating the NIS Regulations to broaden scope, impose new duties on regulated entities, mandate incident reporting and strengthen regulator enforcement powers and fines. The Bill is intended to bring a wider range of digital services and critical suppliers within the framework and to raise obligations for resilience and recovery. Stakeholders should review the government factsheets and prepare for expanded compliance and reporting requirements. [1]<\/a><\/sup>[3]<\/a><\/sup>[4]<\/a><\/sup>[6]<\/a><\/sup><\/p>\n China tightened its cyber security regime in two phases: the Measures for the Administration of National Cybersecurity Incident Reporting, effective 1 November 2025, which sets out cross\u2011sector incident reporting obligations (including very short reporting windows for critical infrastructure), and an amended Cybersecurity Law, effective 1 January 2026, which increases penalties, extends extra\u2011territorial reach and strengthens data localisation and cross\u2011border assessment requirements. Businesses with operations or data processing in China should reassess localisation, incident response and documentation practices. [1]<\/a><\/sup><\/p>\n The UK\u2019s Data (Use and Access) Act 2025 continued its phased implementation in November, with sections on joint law\u2011enforcement processing and intelligence services coming into force on 17 November and most digital verification services provisions commencing from 1 December 2025 (subject to limited exceptions). Organisations should consult the DUAA implementation timeline and update policies ahead of the anticipated wave of further amendments due in early January 2026. [1]<\/a><\/sup><\/p>\n India finalised rules to operationalise the Digital Personal Data Protection Act 2023 when it notified the Digital Personal Data Protection Rules 2025 on 13 November 2025, establishing the Data Protection Board and setting a phased timetable for core obligations. Key features include the introduction of registered \u201cconsent managers\u201d, mandatory security safeguards, a two\u2011stage breach reporting framework with detailed follow\u2011up within 72 hours, parental\u2011consent regimes for children\u2019s data, obligations for Significant Data Fiduciaries and substantial fines for serious breaches. Organisations offering goods or services to individuals in India should map flows, assess SDF exposure and prepare for progressive compliance milestones through to May 2027. [1]<\/a><\/sup><\/p>\n In enforcement and litigation, the European Court of Justice held on 13 November 2025 in Inteligo Media v ANSPDCP that the ePrivacy Directive governs the use of email addresses for direct marketing and can take precedence over the GDPR in that context, reinforcing the scope of the ePrivacy \u201csoft opt\u2011in\u201d for certain freemium models while cautioning that the ruling should be read narrowly. Separately, the FCA secured a prosecution under section 170(1) of the Data Protection Act 2018 after a former employee unlawfully sold customer data that enabled a crypto boiler\u2011room fraud; the FCA said the defendant \u201cabused his position of trust\u201d and stressed it will use its powers to tackle misuse of personal data that facilitates financial crime. These developments underscore that both data protection and financial regulators are sharpening enforcement tools where data misuse enables harm. [1]<\/a><\/sup><\/p>\n Taken together, November\u2019s measures , from the Digital Omnibus proposals and the ECJ clarifications to national laws and incident reporting regimes in China, India and the UK , emphasise three immediate priorities for organisations: (1) map and minimise cross\u2011border transfer and localisation risks; (2) strengthen incident detection, reporting and record\u2011keeping to meet tightened timelines; and (3) reassess marketing and consent practices in light of evolving ePrivacy\/GDPR interaction and regional law changes. Legal teams and compliance functions should treat the coming months as a period to convert strategic planning into operational controls. [1]<\/a><\/sup>[2]<\/a><\/sup>[3]<\/a><\/sup>[5]<\/a><\/sup>[6]<\/a><\/sup><\/p>\n ##Reference Map:<\/p>\n\ud83d\udccc Reference Map:<\/h3>\n
\n