The world of privacy is evolving at a dizzying pace. Legislators across Europe, North America, and the Asia-Pacific are rolling out new rules that not only protect personal data but also shape how companies can share and monetise information. In Europe, the Data Act entered into force in January 2024 and will apply from 12 September 2025, creating a framework for fair access to data and ensuring that data-sharing does not undermine personal data protection. Meanwhile, the EU AI Act is adding layers of governance around artificial intelligence, with prohibitions on certain AI practices already taking effect on 2 February 2025 and more substantive obligations (including compliance frameworks for high‑risk systems) scheduled for August 2026. This wave of regulation signals that privacy professionals must navigate not only traditional data-protection law but also an emerging intersection with AI governance and digital ethics.
Against this backdrop, the International Association of Privacy Professionals (IAPP) has announced sweeping updates to its Certified Information Privacy Professional / Europe (CIPP/E) certification. Beginning 1 September 2025, the exam will assess candidates on new case law, fresh regulatory opinions, and emerging topics like AI compliance and data‑breach management.
Why 2025 is a Landmark Year for Privacy?
A confluence of regulatory forces makes 2025 a watershed year for privacy. The Data Act focuses on granting users greater control over non‑personal and industrial data while ensuring personal data remains protected. At the same time, global trends highlight the rise of national and regional privacy laws. New U.S. state laws, updated regimes in Asia–Pacific and the Middle East, and debates over “pay or consent” business models all point to a world where organisations must grapple with a patchwork of rules. These developments are not just legal footnotes; they reflect fundamental questions about who owns data, how it can be used, and the balance between innovation and individual rights.
Privacy professionals also face the challenge of aligning AI practices with existing data-protection frameworks. The EU AI Act’s early provisions prohibit certain manipulative AI practices and emphasise the need for AI literacy within organisations.
Later provisions will impose detailed documentation and risk‑management requirements for general‑purpose AI models, impacting companies that build or integrate AI systems. For exam candidates, mastering the interplay between GDPR and AI regulations will be critical to answering scenario‑based questions on the 2025 exam.