Global updates – a quick glance
Argentina: Labour law reforms introduced effective from September 26, 2024.
Australia:
- New payday superannuation reform effective from July 1, 2026.
- Introduces additional payment to parents as a contribution to their superannuation fund under the Paid Parental Leave (“PPL”) Scheme effective from July 1, 2025.
- Australia introduces mandatory climate reporting requirements effective from January 1, 2025, for large companies as specified.
Belgium:
- Royal decree introduced regulations to address workplace ergonomics and Musculoskeletal Disorders (“MSDs”) among employees which is effective from May 25, 2024.
- Two new royal decrees introduced amending transfer pricing forms and requiring filing of transfer pricing study and agreements as part of local file, effective from the financial year January 1, 2025.
- Belgian VAT code amended effective from January 2025, deadline for quarterly VAT returns extended by 5 days.
Brazil: Brazilian Data Protection Authority (“ANPD”) publishes regulation governing international data transfer.
Canada: Global Minimum Tax introduced through Global Minimum Taxation Act.
- Minimum percentage of workers with disabilities to be hired by the companies having 100 or more employees increased from 1% to 2%.
- Chile amended data protection law.
China:
- Retirement age to be gradually increased over next 15 years, with effect from January 1, 2025.
- Network Data Regulations governing data security matters to be effective from January 1, 2025; they lay down stricter consent requirements, clearer definitions and obligations for ‘important data’.
Czech Republic: Amendments to Czech Labor Code.
Finland:
- The job alternation leave scheme has been abolished as of August 1, 2024.
- Key taxation changes proposed in the 2025 budget including revision in the tax rates, income slabs and allowable deductions.
Hong Kong: Re-Employment Allowance (“REA”) scheme introduced to encourage elderly and middle-aged workers to join the workforce.
India:
- Due date for filing return for taxpayers under GST composition scheme changed from April 30 to June 30, starting from financial year 2024-25 onwards.
- Ministry of Corporate Affairs (“MCA”) revises due date for filing Form CSR-2 (corporate social responsibility related disclosure) for the F.Y. 2023-24 to December 31, 2024, and updates form BEN-2 for beneficial ownership disclosure.
Indonesia:Implements use of single identity number in tax administrative services with effect from July 1, 2024.
Ireland: Ireland published Budget for the year 2025; introduced changes to personal income tax slabs, certain social security contributions, and VAT thresholds.
Israel: Knesset passes amendments to privacy law introducing broader powers to data protection authority, mandatory appointment of privacy officer.
Italy:
- Introduces reforms of the tax penalty system; making changes in the VAT penalties, effective for violations committed after September 1, 2024.
- Italy increases substitute tax on foreign income for new residents from EUR 100,000 to EUR 200,000 effective from August 10, 2024.
- European Union (“EU”) Directive on “Public” country by country reporting – transposed into domestic law.
- New increased thresholds for preparation of abbreviated financial statements, micro-enterprises regime and exemption from consolidated financial statements; mandatory sustainability reporting.
Lithuania:
- Minimum wages in Lithuania increased to EUR 6.35 per hour from EUR 5.65 per hour effective from January 1, 2025.
- VAT registration threshold proposed to be increased from EUR 45,000 to EUR 55,000 effective from January 1, 2025.
- Corporate tax measures effective from January 1, 2025.
Malaysia: Senate approved significant amendments to data protection law introducing requirement to appoint data privacy officer and to notify data breaches.
Mexico: Mandatory holiday for employees shifted from December 1st to October 1st.
Netherlands:
- Tax Plan 2025 presented before the parliament, key proposals include revision in slabs and rates for Box 1 income (work and home ownership income), tax credits, social security contributions rates for employer.
- Government announces changes to the small business scheme for VAT (“kleineondernemersregeling/ KOR”), introduces new EU-KOR scheme effective from January 1, 2025.
Poland: Transposed two EU directives related to VAT exemption for small businesses and place of supply rules for certain services effective from January 1, 2025.
- Increase in Central Provident Fund (“CPF”) ceiling limits effective from January 1, 2025.
- Singapore passes new bills to enhance regulatory framework for corporate service providers and corporate transparency for companies and limited liability partnerships.
- Employer of Record cannot sponsor work passes for foreign company’s employees.
Sweden: Sweden presented Autumn Budget Bill for 2025.
Switzerland: Tax deductions for childcare costs increased.
Taiwan: Amendments related to submission of B2B and B2C electronic invoices to E-invoice platform of Ministry of Finance effective from January 1, 2025.
Thailand
- Lower standard VAT rate of 7% to continue till September 30, 2025.
- New documentation requirements introduced for companies having share capital more than THB 5 million.
United Kingdom: Process to update VAT registration details digitized effective from August 5, 2024.
| Data Protection Fines Table | ||||
| Country | Authority Name | Fine imposed on | Reason for Fine Related to Data Protection Failure | Amount of Fine and Penalty |
| Belgium | Belgian Data Protection Authority (“Belgian DPA”) (“Autorité de protection de s donnée”) | Unnamed telecommunications company | A fine was imposed for the following reasons: Failure to respond to data subjects’ requests for access to their data in a proper manner and within the required timeframe; andFailure to carry out processing of data as per the provisions of GDPR. | EUR 100,000 |
| Finland | Data Protection Ombudsman (“Tietosuojavaltuutetun toimisto”) (“Finnish DPA”) | Verkkokauppa.com Oyj, a company engaged in online retailing of electronics and consumer goods. | A fine was imposed for: Failing to define a storage period for collected personal data; andRequiring the customers to create an account before purchasing. | EUR 856,000 |
| Greece | Hellenic Data Protection Authority (“HDPA”) | Greece’s Ministry of Citizen Protection | The HDPA examined the process of introduction of the new type of identity cards for Greek citizens by the Ministry of Citizen Protection, in which it observed some limitations/ failures. The Ministry was fined for violations of principles of GDPR relating to the following: Provision of incomplete/ incorrect information to the data subjects; and Failure in carrying out timely and proper data privacy impact assessment for ensuring security of processing of personal data. | EUR 150,000 |
| Ireland | The Irish Data Protection Commission (“DPC”) | Meta Platforms Ireland Limited, (A multinational Information Technology Company operating as the data controller of the social media platform – Facebook). | The DPC carried out an investigation in respect of the storage of certain passwords of social media users inadvertently in the plain text format by the Company without any encryption and imposed a fine for the following GDPR violations: Failure to implement appropriate technical and organisational security measures for protecting user’s passwords from unauthorised access and maintaining confidentiality of this personal data.Failure to document and notify the DPC in due time about a personal data breach/ non-compliance. | EUR 91 million |
| Italy | Italian Data Protection Authority (“Garante’) | Credit Agricole Autobank SpA, (Parent company) operating in the automotive financial services industry.Drivalia Leasys Rent SpA, (Subsidiary company) providing car rental services. | The Garante investigated a customer complaint regarding refusal of financing by the Company due to blacklisting of the customer as a bad payer. The refusal was based on the income verification of the customer by accessing the Scipafi database (Centralized Fraud Prevention System) by the Company on behalf of its subsidiary Drivalia, a car leasing company, without necessary authorization from the Ministry of Economy and Finance. The fine was imposed for following GDPR violations: Unlawfully processing of the personal data of customers. Accessing the Scipafi database without the required authorization. Lack of transparency in communication with customers (for the subsidiary). | EUR 1 million EUR 250,000 |
| Netherlands | The Dutch Data Protection Authority (“Autoriteit Persoonsgegevens”) | A.S. Watson Health and Beauty Continental Europe B.V., a company that manages and operates several wholesale and retail businesses. | A fine was imposed for the following reasons: Failure to obtain consent from visitors before putting cookies on their devices.The “agree” option for cookies was pre-selected by default, leading to automatic consent for advertising (tracking) cookies.The cookie banner was complex and required multiple steps for users to refuse cookies making users’ choice not genuinely free, as opting out was more difficult. | EUR 600,000 |
| Netherlands | The Dutch Data Protection Authority (“Autoriteit Persoonsgegevens”) | Uber Technologies Inc. and Uber B.V. engaged in business of providing ride-hailing services, courier services, food delivery, and freight transport | A fine was imposed for the following reasons: Transfer of collected sensitive data about the drivers to the US without having appropriate safeguard such as standard contractual clauses in place, thereby compromising protection of such data. | EUR 290 million. |
| Netherlands | The Dutch Data Protection Authority (“Autoriteit Persoonsgegevens”) | Clearview AI Inc. engaged in business of providing software to investigating agencies for facial recognition | A fine was imposed for the following reasons: Processing of biometric personal data without consent or any other basis.Failure to comply with the GDPR provision regarding data access requests from data subjects. | EUR 30.5 million |
| Poland | The Polish Data Protection Authority (“UODO”) | mBank S.A., a company operating in the Financial Services industry | The UODO carried out an investigation in respect of a data breach incident where mBank entrusted a third-party to perform processing activities i.e., processor. The processor’s employee mistakenly sent client documents containing personal data (viz. name, bank account, ID card, etc.) to another bank. The UODO imposed a fine for failing to meet obligations under the GDPR related to notifying the affected data subjects about the data breach involving sensitive personal information and potential next steps. The UODO instructed the Bank to inform the affected individuals within seven days, providing details about the breach, contact information for the data privacy officer, potential consequences, and measures taken to address the breach. | PLN 4.05 million |
| South Korea | The Personal Information Protection Commission (“PIPC”) | Alibaba.com Singapore E-Commerce Private Limited (operating as AliExpress), is a subsidiary of Alibaba Group, specializing in e-commerce, technology, and various digital services. | Fine was imposed for the following reasons: Failure to notify data subjects about transfer of their data to another country;Failure to incorporate necessary data protection measures; andDifficulty in exercising the rights by data subjects due to display of information in English. | Fine – KRW 1.97 billion Penalty – KRW 7.8 million |
| South Korea | The Personal Information Protection Commission (“PIPC”) | Worldcoin Foundation and its affiliate Tools for Humanity (“TFH”) is a for-profit cryptocurrency project that uses iris biometrics. | Fine was imposed for the following reasons: Failure to implement appropriate safety measures.Failure to obtain separate consent from data subjects, as the information included sensitive data;Failure to provide data subjects with appropriate privacy notices, including details of cross-border data transfer such as country and the recipient’s contact information; Failure to implement a method for deleting or suspending the processing of personal data; andFailure to implement adequate age verification procedures for children under 14. | Fine (on Worldcoin Foundation) – KRW 725 million Penalty (on TFH) – KRW 379 million |
| South Korea | The Personal Information Protection Commission (“PIPC”) | Korean Social Welfare Council is the main national organization for social welfare in South Korea. | A fine was imposed due to: Failure to implement appropriate safety measures thereby failing to detect unauthorised access; andFailure to provide a way for members to change their registration numbers. | KRW 487.4 million |
| South Korea | The Personal Information Protection Commission (“PIPC”) | Techlab a Korean advertising technology company, that operates dating app in Korea | A fine was imposed for using personal data for purposes other than those for which it was originally collected and failure to obtain consent from the data subjects. | KRW 224 million |
| Spain | Spanish Data Protection Authority (“AEPD”) | Banco Cetelem. SA – A company providing online credit approval services to dealers of new and used cars. | Fine was imposed for an irregularity in the collection of a loan. The company added a person’s bank account number into the contract, without verifying the real ownership of that account. As a result, monthly loan collection entries were debited to wrong person’s bank account. The fine was imposed for following violations of GDPR principles relating to: Unlawful processing of personal data of a claimant who was not the customer of the company, and his bank account number was considered for a loan contract of a third-party debtor; andFailure to erase the data erroneously collected from the claimant. | EUR 250,000 |
| Spain | Spanish Data Protection Authority (“AEPD”) | UNIQLO Europe Ltd. – Spanish branch of Japanese fashion retailer company | The data breach incidence occurred due to a human error made by an employee of the Human Resources department of mistakenly sending a file containing the payslips of several employees to an unauthorized recipient, being the former employee of the company. The file included personal data, such as names, ID, social security numbers, bank accounts, salaries, etc. The company was fined for violation of principles of GDPR relating to: Principle of integrity and confidentiality as there was a leak of employee sensitive data; Failure in implementing technical and organizational measures to safeguard the sensitive data of the employees; andFailure to timely notify AEPD and the affected data subjects about the data breach. | EUR 450,000 |
| Spain | Spanish Data Protection Authority (“AEPD”) | ID Finance S.A.U. – An online quick loan company. | The fine was imposed for improperly including customer in the list of defaulters. The company is fined twice for the same act involving following violations: Failure to delete the personal data collected from its list of defaulters and its common credit information system in spite of the claimant paying the debt; andIllegal inclusion of the claimant’s data, and negligence on the part of the company. | EUR 225,000 and EUR 70,000 |
| Sweden | Swedish data protection authority (“IMY”) | Apoteket AB and Apohem AB, Swedish pharma Companies | The Swedish pharma companies were fined for unauthorized and accidental collection and transfer of personal data of many users to Meta due to incorrect settings of meta pixel tool used by them for optimizing its marketing by tracking visitors’ activity on the website. It was deactivated when the companies became aware about the incident. The fine was imposed for violating the Article 32 of the GDPR as follows: Failure to adopt necessary technical and organizational measures for ensuring an appropriate level of security for personal data while using the Meta pixel analysis tool;Breach involving high-risk data, such as name, address, contact data, and social security data, which caused a significant risk to data subjects’ rights and freedoms; andFailure to detect the risk associated with the pixel tool. | SEK 37 million (for Apoteket AB) and SEK 8 million (for Apohem AB) |
| Thailand | The Personal Data Protection Committee (“PDPC”) of Thailand’s Ministry of Digital Economy and Society (“MDES”) | J.I.B. Computer Group Co., Ltd. (“JIB”) engaged in business of selling computers, notebooks, smartphones, and all kinds of computer accessories through its online shop. | A fine was imposed for the following reasons: Failure to appoint a Data Protection Officer (“DPO”) as required by the law;Failure to implement appropriate security measures resulting in the data leak; andFailure to take corrective action and notify the authorities of the data breach. | THB 7 million |
| Turkey | The Personal Data Protection Authority (“Kisisel Verileri Koruma Kurumu/KVKK”) | Domestic and Foreign data controllers | A fine was imposed for the following reasons: Failure to register with and notify the Data Controllers’ Registry (“VERBIS”) before beginning the data processing activity. | TRY 503.94 million |
| United Kingdom | Office of Communications (“Ofcom”), regulator and competition authority | Tiktok Information Technologies UK Limited, company engaged in providing information technology service | A fine was imposed for not responding to Ofcom’s formal request for information within the given time and not providing accurate data on safety controls. | GBP 1.875 million |
| United Kingdom | The Information Commissioner’s Office (“ICO”) | Advanced Computer Software Group Ltd, a British company engaged in providing information technology services to companies nationwide, including handling of database on behalf of NHS and other healthcare providers | Fine was imposed for failure to implement safety measures to protect personal and sensitive information which resulted in a ransomware attack and exfiltration of personal data. | GBP 6.09 million |