top of page

Data Source Booklet:
Regulatory and policy developments
2025 Edition


Data & big data
1. Research conducted by individuals, companies, associations and universities
1.1. March
1.1.1. International

  • Centre for Information Policy Leadership (CIPL), Privacy-Enhancing and Privacy Preserving Technologies in AI: Enabling Data Use and Operationalizing Privacy by Design and Default, March 2025, accessible here

1.2. April
1.2.1. Africa

  • Lawyers Hub, Africa Artificial Intelligence & Privacy Report 2025, April 2025, accessible here

1.3. May
1.3.1. Europe
1.3.1.1. European Union

  • European Crypto Initiative (EUCI), GDPR Booklet - Read GDPR with EUCI, May 2025, accessible here

  • Sean Musch et al., EU AI Act - AI Regulation - Impact on Data Protection, AI & Partners, May 2025, accessible here

  • Sean Musch et al., EU AI Act - GDPR Enforcement Tracker - Enforcing the EU AI Act with Fines, AI & Partners, May 2025, accessible here

1.4. July
1.4.1. International

  • McKinsey & Company, What is a data center?, July 2025, accessible here;

  • International Business Machines Corporation (IBM), Cost of a Data Breach Report 2025 - The AI Oversight Gap, July 2025, accessible here

1.5. September
1.5.1. International

  • World Economic Forum (WEF), Synthetic Data: The New Data Frontier, September 2025, accessible here

1.6. October

1.6.1. International

  • Centre for Information Policy Leadership (CIPL), Global CBPR & Global PRP Systems Playbook: An Actionable Guide for Participation in the Global Cross-Border Privacy Rules and the Global Privacy Recognition for Processors, October 2025, accessible here;

1.6.2. Europe

1.6.2.1. European Union

  • CEDPO - Confederation of European Data Protection Organisations, Data Act - FAQ for DPOs, EU Digital Strategy Working Group, October 2025, accessible here;

1.6.2.2. United Kingdom

  • Graeme West et al., Deep Dive on Data and Information for Critical Infrastructure Management and Maintenance, The Alan Turing Institute, Lloyd's Register Foundation,  University of Strathclyde, October 2025, accessible here

1.7. December 

  • Centre for Information Policy Leadership (CIPL), Legitimate Interests for Data in AI Training - The DPO Perspective, December 2025, accessible here;

  • Centre for Information Policy Leadership (CIPL), Reconciling AI with the Data Minimization Principle: Bridging the Innovation and Privacy Gap, December 2025, accessible here

  • World Economic Forum (WEF) & Cognizant, New Economy Skills: Building AI, Data and Digital Capabilities for Growth, December 2025, accessible here;

  • Sean Musch et al., EU AI Act - European Union Data Strategy: Regulating AI-Data Flows, Ai & Partners, December 2025, accessible here

1.7.1. Europe

1.7.1.1. European Union

  • Sean Musch et al., EU AI Act - European Union Data Strategy: Regulating AI-Data Flows, Ai & Partners, December 2025, accessible here

2. Reports, guidelines, recommendations and other documents published by regulatory and supervisory authorities, international organizations, and other public institutions and agencies
2.1. January
2.1.1. Europe
2.1.1.1. European Union

  • European Data Protection Board (EDPB), Guidelines 01/2025 on Pseudonymisation, January 2025, accessible here

  • Hendrik Mildebrath, Understanding EU data protection policy, European Parliamentary Research Service (EPRS), European Parliament, PE 698.898, January 2025, accessible here;

2.2. February
2.2.1. International

  • Organisation for Economic Cooperation and Development (OECD), Enhancing Access to and Sharing of Data in the Age of Artificial Intelligence, OECD Policy Briefs, February 2025, accessible here

2.2.2. Europe
2.2.2.1. European Union

  • ​Stefano De Luca & Marina Federico, Algorithmic discrimination under the AI Act and the GDPR, European Parliamentary Research Service (EPRS), European Parliament, PE 769.50, February 2025, accessible here

2.2.2.2. Sweden

  • Integritetsskyddsmyndigheten (Swedish Data Protection Authority - IMY), GDPR when using by generative AI - The Privacy Protection Authority's part of the government's mission to develop guidelines for the use of generative AI in public administration, February 2025, accessible here

2.3. March
2.3.1. International

  • Hadley Newman & Gundars Bergmanis-Korāts, Democratising Data Integration - Standardising Communication Protocols for Interoperable Data Processing and Analytics Tools in Strategic Information Environments, North Atlantic Treaty Organization (NATO), NATO Strategic Communications Centre of Excellence, March 2025, accessible here

  • Parma Bains & Tamas Gaidosch, Privacy Technologies & The Digital Economy - A Primer for Supervisors, International Monetary Fund (IMF), March 2025, acccessible here

2.3.2. Europe
2.3.2.1. United Kingdom

  • Hendrik Mildebrath, Navigating challenges to UK data adequacy, European Parliamentary Research Service (EPRS), European Parliament, PE 769.528, March 2025, accessible here

2.3.3. North America
2.3.3.1. United States of America

  • Joseph Near et al., Guidelines for Evaluating Differential Privacy Guarantees, National Institute of Standards and Technology (NIST), NIST SP 800-226, March 2025, accessible here

2.4. April
2.4.1. International

  • Isabel Barberá, Large Language Models (LLMs) - AI Privacy Risks & Mitigations, European Data Protection Board (EDPB), Support Pool of Experts Programme, April 2025, accessible here

2.4.2. Europe
2.4.2.1. European Union

  • European Data Protection Board (EDPB), Guidelines 02/2025 on processing of personal data through blockchain technologies, Version 1.1., April 2025, accessible here;

2.4.3. North America
2.4.3.1. United States of America

  • National Institute of Standards and Technology (NIST), NIST Privacy Framework 1.1, NIST CSWP 40 (Initial Public Draft), April 2025, accessible here;

2.5. May
2.5.1. Europe
2.5.1.1. Netherlands

  • Autoriteit Persoonsgegevens (Dutch DPA), Moving forward responsibly - GDPR preconditions for generative AI, May 2025, accessible here;

2.5.1.2. Luxembourg

  • Government of the Grand Duchy of Luxembourg, Accelerating digital sovereignty 2030 - Luxembourg’s Data Strategy, May 2025, accessible here;

2.6. June
2.6.1. International

  • Organisation for Economic Cooperation and Development (OECD), Sharing trustworthy AI models with privacy-enhancing technologies, OECD Artificial Intelligence Papers no. 38, June 2025, accessible here;

  • Organisation for Economic Cooperation and Development (OECD), The legal and policy landscape of age assurance online for child safety and well-being, June 2025, accessible here;

  • Organisation for Economic Cooperation and Development (OECD), AI, data governance and privacy - Synergies and areas of international co-operation, OECD Artificial Intelligence Papers no. 22, June 2025, accessible here;

2.6.2. Europe
2.6.2.1. European Union

  • Marco Almada, Law & Compliance in AI Security & Data Protection - Training curriculum on AI and data protection, European Data Protection Board (EDPB), Support Pool of Experts Programme, June 2025, accessible here;

  • European Data Protection Supervisor (EDPS) & Agencia Española de Protección de Datos (AEPD), TechDispatch #1/2025 - Federated Learning, Publications Office of the European Union, June 2025, accessible here;

  • Isabel Barberá & Murielle Popa-Fabre, Privacy and Data Protection Risks in Large Language Models (LLMs), Consultative Committee of the Convention for the protection of individuals with regard to automatic processing of personal data, Convention 108, 48th Plenary meeting presentation, Council of Europe, June 2025, accessible here;

  • Enrico Glerean, Fundamentals of Secure AI Systems with Personal Data - Training curriculum on AI and data protection, European Data Protection Board (EDPB), Support Pool of Experts Programme, June 2025, accessible here;

  • European Commission, Communication from the Commission to the European Parliament, the Council, the European Economic and Social Committee and the Committee of the Regions - Roadmap for lawful and effective access to data for law enforcement, COM/2025/349 final, June 2025, accessible here;

  • Hendrik Mildebrath, TikTok and EU regulation: Legal challenges and cross-jurisdictional insights, European Parliamentary Research Service (EPRS), European Parliament, PE 775.837, June 2025, accessible here;

  • European Data Protection Board (EDPB), EDPB Comments on the draft guidelines on protection of minors online under the Digital Services Act (‘DSA’), June 2025, accessible here;

  • Commission Nationale de l'Informatique et des Libertés (CNIL), Cybersecurity: The Economic Benefits of GDPR, June 2025, accessible here;

2.6.2.2. France

  • Commission Nationale de l'Informatique et des Libertés (CNIL), La base légale de l’intérêt légitime: fiche focus sur les mesures à prendre en cas de collecte des données par moissonnage (web scraping)» («The legal basis for legitimate interest: focus sheet on the measures to be taken in the event of data collection by harvesting [web scraping]»), June 2025, accessible here;

  • Commission Nationale de l'Informatique et des Libertés (CNIL), IA: Mobiliser la base légale de l’intérêt légitime pour développer un système d’IA» («AI: Mobilizing the legal basis of legitimate interest to develop an AI system»), June 2025, accessible here;

2.6.3. South America
2.6.3.1. Brazil

  • Diego Carvalho Machado Angela Halen Claro Franco & Eduardo André Viana Alves, Autoridade Nacional de Proteção de Dados (ANDP), neurotecnologias («neurotechnologies»)radar tecnológico N.º 4, June 2025, accessible here;

2.7. July

2.7.1. International

  • United Nations Educational Scientific & Cultural Organization (UNESCO), International Telecommunication Union (ITU), United Nations Development Programme (UNDP), the African Union Commission (AUC), & Broadband Commission for Sustainable Development (BCSD), Data Governance Toolkit - Navigating Data in the Digital Age, July 2025, accessible here

2.7.2. Europe
2.7.2.1. European Union & United Kingdom

  • Hendrik Mildebrath & Bente Daale, Revisiting the GDPR: Lessons from the United Kingdom experience, European Parliamentary Research Service (EPRS), European Parliament, PE 775.856, July 2025, accessible here

2.7.2.2. European Union

  • European Data Protection Supervisor (EDPS), Opinion 12/2025 on the Proposal for a Regulation amending Regulation (EU) 2021/2115 and Regulation (EU) 2021/2116, in particular as regards data and interoperability governance, July 2025, accessible here

2.7.2.3. France

  • Commission Nationale de l'Informatique et des Libertés (CNIL), AI: The CNIL finalises its recommendations on the development of artificial intelligence systems and announces its upcoming work, July 2025, accessible here

2.8. September
2.8.1. International

  • International Working Group on Digital Education, Ministry for Foreign Affairs of Finland & United Nations Children's Fund (UNICEF), Data Governance for EdTech: Policy Recommendations, September 2025, accessible here

2.8.2. Europe
2.8.2.1. European Union

  • Polona Car, Data Act: Data sharing and competitiveness, European Parliamentary Research Service (EPRS), European Parliament, PE 775.915, September 2025, accessible here

  • European Commission, Data Act explained - A comprehensive overview of the Data Act, including its objectives and how it works in practice, September 2025, accessible here;

  • European Commission, Communication from the Commission - Guidance on vehicle data, accompanying Regulation 2023/2854 (Data Act), C/2025/6119, September 2025, accessible here;

  • European Data Protection Board (EDPB), Guidelines 3/2025 on the interplay between the DSA and the GDPR, September 2025, accessible here;

  • European Commission, Frequently Asked Questions, V 1.3, September 2025, accessible here;

  • Council of Europe, Consultative committee of the convention for the protection of individuals with regard to automatic processing of personal data (Convention 108) - Draft Guidelines on Privacy and Data Protection in the context of Large Language Models-based systems, T-PD(2025)3, September 2025, accessible here;

2.9. October
2.9.1. Europe
2.9.1.1. European Union

  • European Commission, Communication from the Commission – Guidelines on measures to ensure a high level of privacy, safety and security for minors online, pursuant to Article 28(4) of Regulation (EU) 2022/2065, C/2025/6826, October 2025, accessible here

  • European Commission & the European Data Protection Board (EDPB), Joint Guidelines on the Interplay between the Digital Markets Act and the General Data Protection Regulation, Version for public consultation, October 2025, accessible here;

  • European Data Protection Supervisor (EDPS), Generative AI and the EUDPR. Orientations for ensuring data protection compliance when using Generative AI systems, Verson 2, October 2025, accessible here;

  • Hendrik Mildebrath, New GDPR procedural rules for cross-border cases, European Parliamentary Research Service (EPRS), European Parliament, PE 777.953, October 2025, accessible here;

  • Australian Government, Privacy Guidance on Part 4A (Social Media Minimum Age) of the Online Safety Act 2021, Office of the Australian Information Commissioner, October 2025, accessible here;

2.9.1.2. United Kingdom

  • Information Commissioner's Office (ICO), Draft - Data protection enforcement procedural guidance: Data Protection Act 2018 and UK General Data Protection Regulation, October 2025, accessible here;

2.10. November
2.10.1. Europe
2.10.1.1. European Union

  • European Data Protection Supervisor (EDPS), Guidance for Risk Management of Artificial Intelligence systems, November 2025, accessible here

  • European Commission, Communication from the Commission to the European Parliament and the Council - Data Union Strategy: Unlocking Data for AI, COM/2025/835 final, November 2025, accessible here;

  • European Commission, Communication to the Commission, Approval of the draft Commission Recommendation on non-binding model contractual terms on data access and use and non-binding standard contractual clauses for cloud computing contracts (with Annexes), annexed hereto, November 2025, accessible here;

  • European Data Protection Supervisor (EDPS), TechSonar 2025-2026 Report, November 2025, accessible here;

  • European Data Protection Board (EDPB), Stakeholder event on anonymisation and pseudonymisation in light of the EDPS v SRB judgment - discussion paper, November 2025, accessible here;

2.10. December
2.10.1. Europe
2.10.1.1. European Union

  • European Data Protection Board (EDPB), Recommendations 2/2025 on the legal basis for requiring the creation of user accounts on e-commerce websites, December 2025, accessible here;

3. Legislations, regulations, other legislative instruments
3.1. May
3.1.1. Europe
3.1.1.1. European Union

  • European Commission, Proposal for a Regulation of the European Parliament and of the Council amending Regulations (EU) 2016/679, (EU) 2016/1036, (EU) 2016/1037, (EU) 2017/1129, (EU) 2023/1542 and (EU) 2024/573 as regards the extension of certain mitigating measures available for small and medium sized enterprises to small mid-cap enterprises and further simplification measures, COM/2025/501 final, May 2025, accessible here;

3.2. June
3.2.1. Europe
3.2.1.1. United Kingdom

  • Data (Use and Access) Act 2025, UK Parliament, Chapter 18, 2025, Royal Assent on 19.06.25, accessible here;

3.3. November
3.3.1. Europe
3.3.1.1. European Union

  • European Commission, Draft - Digital Package on Simplification - Proposal for a Regulation of the European Parliament and of the Council on the simplification of the digital acquis, amending Regulation (EU) 2023/2854, Regulation (EU) 2016/679, Regulation (EU) 2024/1689 and Directive 2002/58/EC and Directive (EU) 2022/2555 and repealing Regulation (EU) 2022/868, Regulation EU 2018/1807, Regulation (EU) 2019/1150 and Directive (EU) 2019/1024 (Digital Omnibus for the digital acquis), November 2025, accessible here

3.4. December
3.4.1. Europe

3.4.1.1. European Union

  • Regulation (EU) 2025/2518 of the European Parliament and of the Council of the European Union of 26 November 2025 laying down additional procedural rules on the enforcement of Regulation (EU) 2016/679, European Union, December 2025, accessible here;

  • European Commission Implementing Decision (EU) 2025/2574 of 19 December 2025 amending Commission Implementing Decision (EU) 2021/1772 pursuant to Regulation (EU) 2016/679 of the European Parliament and of the Council of the European Union on the adequate protection of personal data by the United Kingdom (notified under document C(2025) 8771), December 2025, accessible here

4. Litigation & case-law

4.1. October

4.1.1. Europe

4.1.1.1. United Kingdom

  • Decision of the Upper Tribunal, Administrative Appeals Chamber, Appeal No. UA-2024-001563-GIA, NCN [2025] UKUT 319 (AAC), Case No: EA/2022/0165/FP, Information Commissioner's Office (ICO) v Clearview AI Inc (Privacy International intervening), October 2025, accessible here (clarifies that European Union and UK data protection law can apply extraterritorially to foreign companies processing UK personal data); 

4.2. November

4.2.1. Europe

4.2.1.1. European Union

  • Court of Justice of the European Union (CJEU), The police of a Member State may decide, on the basis of internal rules, whether it is necessary to store the biometric and genetic data of a person accused or suspected of a criminal offence, Judgment of the Court in Case C-57/23, Policejní prezidium (Storage of biometric and genetic data, November 2025, accessible here;

bottom of page