Privacy remains a dynamic and changing landscape, as legislators grapple with privacy in rapidly developing AI technologies and data sovereignty amid geopolitical unrest, while upholding national and international commercial interests and cross-border data flows.
In this roundup, we take a look at the latest developments in privacy in the first three months of 2026.
Canada, USA and the Americas
The Office of the Privacy Commissioner of Canada (OPC) has updated its guidance to explicitly exclude neural data as sensitive personal information requiring additional protection. This follows precedents set by the state legislatures of California, Colorado, Connecticut and Montana in the USA, in response to the expanding use of neurotechnology, which processes information gathered from an individual’s nervous system.
More significant changes in Canadian privacy laws may be on the cards in 2026, following the resignation of Prime Minister Justin Trudeau and subsequent election. These meant that the reforms outlined in Bill C-27 have been sidelined. Instead, the debate continues, with many calling for more robust data sovereignty provisions, improved privacy protection for children and stronger enforcement powers. One controversial change introduced in Bill C-4, which focuses on supporting economic growth and affordability, also grants immunity to federal political parties from privacy laws. The Bill was passed with royal assent on March 12.
Meanwhile, in the United States, three state privacy laws came into force – in Indiana, Kentucky and Rhode Island. California’s new privacy requirements for automated decision-making came online, and its Delete Act request and opt-out platform launched.
The number of healthcare data breaches reported to the US Department of Health and Human Services Office for Civil Rights has fallen for the second year running, to 710 as of March 2026. However, this still represents a two-fold increase on 2018 figures. More encouragingly, 2025 saw a 78.7% decrease in the number of individuals affected by these incidents. This is largely due to significantly fewer mega breaches being reported in 2025 – just 9 compared to 18 in 2024.
Europe and the UK
EU regulators have submitted their feedback to the European Commission’s Digital Omnibus Package presented last November. The Digital Omnibus aims to bring consistency to key concepts in the GDPR, ePrivacy Directive and NIS2.
While the European Data Protection Board (EDPB) and European Data Protection Supervisor (EDPS) support this goal in principle, they have raised concerns related to aspects that may weaken data protection and other rights. The regulators opposed amending the definition of personal data, arguing that it would narrow the concept of personal data – counter to individuals’ rights. The regulators partially agreed with other Omnibus proposals, with caveats that focused on clearer rules and guidelines to support the initiative. These other proposals cover legal bases for AI development, rules for scientific research, exemptions for data subject rights, cookie rules, breach notification and harmonized data protection impact assessment guidance.
In the UK, provisions under the Data (Use and Access) Act 2025 came into effect, including cookie consent exemptions, less stringent restrictions for automated decision making, enhanced child protection requirements, recognized “legitimate interests” for personal data processing and increased enforcement powers for the country’s Information Commissioner’s Office (ICO) – soon to be replaced with a new Information Commission.
Middle East and Africa
More African nations continue to progress cybersecurity- and privacy-focused legislation to mitigate growing cybercrime and support access to online services.
Nigeria’s Data Protection Act came into effect in September 2025. Meanwhile, South Africa updated its Protection of Personal Information Act (POPIA) with new health information regulations that are now in force.
Elsewhere, Namibia is fast-tracking cybercrime legislation as it aims to expand internet access to underserved communities and rural locations. The Digital Data Protection Bill was passed by the Namibian parliament last month.
Asia and Oceania
Last month, South Korea’s National Assembly passed amendments to its Personal Information Protection Act (PIPA) raising maximum fines to 10% of total revenue. This change comes in response to large-scale breaches across the region’s telecommunications, technology and financial services sectors.
Separately, China has released draft rules regulating how personal data can be collected and used by internet applications. These include detailed permissions settings, safeguards for minors and bans on unauthorized or unnecessary data collection. It also sets limitations on how apps can use camera and microphone data.
Meanwhile, the Office of the Australian Information Commissioner (OAIC) kicked off 2026 with the launch of a large-scale policy review of 60 companies across the country. This action is supported by new enforcement powers granted to the OAIC under Privacy Act amendments approved in December 2024.
New Zealand’s privacy enforcement has been called into question in 2026, following a major data breach at a healthcare technology provider at the end of 2025. New Zealand’s meagre financial penalties fall far short of global norms, and are limited in their applicability. This has triggered an upswell of support for privacy reform, including the introduction of a more robust penalty regime.