
Public edition. This is the public, citable edition of the Dxtra Privacy Scanner Regulator Reference (v1.6), companion to the scanner methodology. It is a living document of public regulator material; it is not legal advice.

Dxtra Privacy Scanner — Regulator Reference

Living document. Companion to the Dxtra Privacy Scanner Methodology.

Version 1.6 — last updated 16 June 2026. Status: Canonical regulator reference, 2026-06-16. Companion to Methodology v1.7.

This document catalogues the regulator sources, statutory instruments, and enforcement precedent that underpin the Dxtra Privacy Scanner's finding catalogue. It is a living document: updated more frequently than the methodology itself, typically monthly, as new guidance is published and new enforcement decisions are handed down. Each finding in the methodology cites anchor entries from this Reference.

This Reference is not a legal treatise and it is not comprehensive. It collects the regulator material that directly informs the scanner's detection logic. For any material privacy decision, consult a qualified privacy professional or counsel admitted in the relevant jurisdiction.

How this Reference is structured

  1. Framework backbone — the three controls catalogues against which the scanner's findings are organised
  2. Regulator sources by jurisdiction — the data protection authorities and their material guidance and enforcement
  3. Statutory instruments — the laws, regulations, directives, and orders the scanner tests against
  4. Enforcement precedent highlights — specific decisions that drive severity tiering in the methodology
  5. Industry frameworks and complementary references
  6. Newly integrated regimes and remaining gaps — the five regimes added alongside Methodology v1.6, the regimes not yet integrated, and planned work
  7. Version and changelog

1. Framework backbone

NIST Privacy Framework v1.1 (2025)

The closest thing to a US-recognised privacy controls catalogue. NIST released the Initial Public Draft on 14 April 2025 with a final version published later in 2025; v1.1 supersedes the original v1.0 (January 2020). Version 1.1 realigns the Core with the NIST Cybersecurity Framework v2.0 (February 2024), with particular focus on the Govern function. It introduces Section 1.2.2 on AI and privacy risk management — explicitly addressing privacy risks arising from AI training data, AI-driven inference, and privacy attacks such as data reconstruction, prompt injection, and membership inference.

The Framework is organised into five functions (Identify-P, Govern-P, Control-P, Communicate-P, Protect-P), each broken into categories and subcategories.

ISO/IEC 27701:2025

Published 14 October 2025, replacing the 2019 edition. The most significant change is that ISO/IEC 27701 is now a standalone Privacy Information Management System standard, no longer dependent on ISO/IEC 27001 certification. The 2025 revision restructures controls into Annex A (31 privacy controls for PII controllers), Annex B (18 controls for PII processors), and Annex C (29 information security controls), with strengthened guidance on AI and digital ecosystems and an updated GDPR mapping annex. Organisations certified under ISO/IEC 27701:2019 have a transition period to October 2028.

ENISA's risk-based methodology for personal data security

ENISA's 2018 methodology for the security of personal data processing and its 2020 online platform provide the peer-reviewed European basis for privacy risk scoring. The scanner uses ENISA's likelihood × impact × data-sensitivity model to assign severity tiers. The scanner also draws on ENISA's Recommendations for a methodology of the assessment of severity of personal data breaches (joint with the German and Greek DPAs), the 2025 ENISA inventory of risk management standards, and ENISA's Technical Implementation Guidance for the NIS2 cybersecurity risk-management measures (Commission Implementing Regulation (EU) 2024/2690).


2. Regulator sources by jurisdiction

European Union — European Data Protection Board (EDPB)

Selected guidelines informing scanner detection:

  • Guidelines 03/2018 on the territorial scope of the GDPR
  • Guidelines 05/2020 on consent under Regulation 2016/679
  • Guidelines 03/2022 on deceptive design patterns in social media platform interfaces (v2.0 adopted 14 February 2023, originally titled "dark patterns")
  • Guidelines 02/2023 on the technical scope of Article 5(3) of the ePrivacy Directive (finalised October 2024) — extends cookie-consent scope to tracking pixels, tracking links, device fingerprinting, local processing where information transfers off device, IoT reporting, and certain IP tracking. Named as anchor source for F3, F6, F7, M2, M23.
  • Guidelines 1/2024 on processing of personal data based on Article 6(1)(f) GDPR (legitimate interests)
  • Guidelines on the interplay between Article 3 and Chapter V (international transfers)
  • Recommendations 01/2020 on supplementary measures for transfers

United Kingdom — Information Commissioner's Office (ICO)

  • Guidance on cookies and similar technologies
  • Age-Appropriate Design Code (Children's Code)
  • Updated DSAR guidance reflecting the Data (Use and Access) Act 2025 "reasonable and proportionate" search test
  • Updated guidance on data protection by design and by default (reissued February 2026 alongside DUAA commencement)
  • 2025 Online Tracking Strategy
  • 2024–2025 enforcement programme on UK ecommerce sites

France — Commission Nationale de l'Informatique et des Libertés (CNIL)

Deliberation SAN-2025-005 of 1 September 2025 against INFINITE STYLES SERVICES CO. LIMITED (SHEIN's Irish subsidiary) — €150 million fine on three specific bases:

  1. Cookies deposited before any information banner appeared
  2. Information banners incomplete or misleading, with the intermediate "Cookie settings" interface cited as non-compliant
  3. Cookies continued to be placed after the user clicked "Refuse all" and after consent withdrawal

This decision reaffirmed that ePrivacy enforcement (here under Article 82 of the French Data Protection Act) operates outside the GDPR one-stop-shop mechanism, which is why the CNIL could sanction an Irish-established company directly rather than deferring to the Irish DPC.

Deliberation SAN-2025-006 of 1 September 2025 against Google LLC and Google Ireland Ltd — €325 million total (€200M Google LLC, €125M Google Ireland) for placing advertising cookies on Google account creation without valid consent and inserting advertisements between Gmail messages without consent. Key passage: consent alternatives must be "presented in a balanced manner, without encouraging [users] to choose one option over another".

  • 2019 cookie guidelines and recommendation; ongoing CNIL enforcement plan
  • Decision against ORANGE for violations of Article L. 34-5 of the Code des postes et des communications électroniques (CPCE) in email-based advertising
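The first and third SHEIN bases are questions about timing: when each cookie was written relative to the banner appearing and to the user's choice. That is exactly what a scanner driving a page records, so the check can be run over a captured timeline. The following Python is an added example written for this Reference, not the CNIL's reasoning or the scanner's own code. The event schema, the allow-list of strictly necessary cookie names and the timeline for the fictitious shop are all constructed assumptions; basis 2 (banner content) is a content check and is not modelled. It goes one step beyond the two CNIL bases by also flagging cookies written after the banner appears but before any choice is made, since consent must precede deposit.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Event:
    """One entry in a recorded page-load timeline (a constructed format, not a scanner's real schema)."""
    t_ms: int          # milliseconds since navigation start
    kind: str          # set_cookie | banner_shown | accept_all | refuse_all | withdraw
    name: str = ""     # cookie name, for set_cookie events
    domain: str = ""   # cookie host, for set_cookie events


# Assumed allow-list of strictly necessary cookies, which the Article 5(3)
# exception leaves outside consent. Illustrative names, not a real site's list.
ESSENTIAL = {"session_id", "csrf_token", "cookie_consent"}

# Consent state at the moment a non-essential cookie is written -> finding it produces.
VERDICT_BY_STATE = {
    "no_banner": "cookie_before_banner",   # SHEIN basis 1
    "banner":    "cookie_before_choice",   # consent must precede deposit
    "refused":   "cookie_after_refusal",   # SHEIN basis 3: after Refuse all or withdrawal
}


def audit(events, essential=ESSENTIAL):
    """Replay the timeline and return (finding, cookie, domain, t_ms) tuples in time order."""
    state = "no_banner"
    findings = []
    for ev in sorted(events, key=lambda e: e.t_ms):
        if ev.kind == "banner_shown":
            if state == "no_banner":       # re-opening settings later does not reset a choice
                state = "banner"
        elif ev.kind == "accept_all":
            state = "accepted"
        elif ev.kind in ("refuse_all", "withdraw"):
            state = "refused"
        elif ev.kind == "set_cookie" and ev.name not in essential:
            verdict = VERDICT_BY_STATE.get(state)   # None in the "accepted" state
            if verdict:
                findings.append((verdict, ev.name, ev.domain, ev.t_ms))
    return findings


# Constructed timeline for a fictitious shop: one cookie lands before the banner,
# one between banner and choice, one after the user clicked "Refuse all".
SAMPLE = [
    Event(120, "set_cookie", "session_id", "shop.example"),      # essential: ignored
    Event(310, "set_cookie", "_ga", "shop.example"),             # before banner
    Event(900, "banner_shown"),
    Event(1500, "set_cookie", "_fbp", "shop.example"),           # banner up, no choice yet
    Event(4200, "refuse_all"),
    Event(4350, "set_cookie", "cookie_consent", "shop.example"),  # essential: records the refusal
    Event(5100, "set_cookie", "ad_id", "ads.example"),           # after Refuse all
]


def audit_sample():
    return audit(SAMPLE)


if __name__ == "__main__":
    for finding in audit_sample():
        print("%-22s %-15s %-13s at %5d ms" % finding)
```

Two practical caveats a scanner has to handle that this replay glosses over: cookies can be written by script long after the load event, so the recording must continue for a realistic dwell time and through a second page view after the refusal (that is where the SHEIN decision's "persisting after Refuse all" pattern shows up), and the allow-list must be justified per cookie, because a site that labels an analytics cookie "essential" has not removed the finding, only moved the argument.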

European Commission (AI Act oversight)

  • Guidelines on Prohibited AI Practices (4 February 2025)
  • Guidelines on the AI system definition
  • Draft Code of Practice on Transparency of AI-Generated Content — first draft 17 December 2025; second draft March 2026; final expected June 2026
  • GPAI Code of Practice (finalised July 2025)

Other European supervisory authorities

  • Agencia Española de Protección de Datos (AEPD)
  • Hamburg Commissioner for Data Protection (HmbBfDI)
  • Italian Garante per la protezione dei dati personali
  • Berlin Commissioner for Data Protection
  • Belgian Data Protection Authority
  • Irish Data Protection Commission
  • Spain's Agency for the Supervision of Artificial Intelligence (AESIA) — 16 AI Act compliance guidance documents

Singapore — Personal Data Protection Commission (PDPC)

  • Advisory Guidelines on Key Concepts in the PDPA
  • Guide to Managing Data Breaches 2.0
  • Advisory Guidelines on the Use of Personal Data in AI Recommendation and Decision Systems (1 March 2024)
  • Advisory Guidelines on the PDPA for Children's Personal Data in the Digital Environment (28 March 2024)
  • Advisory Guidelines on the PDPA for Selected Topics (revised 23 May 2024)
  • Proposed Guide on Synthetic Data Generation (July 2024)
  • Re Keppel Telecommunications & Transportation Ltd [2024] SGPDPC 3

Malaysia — Personal Data Protection Department (JPDP)

Material published in connection with the Personal Data Protection (Amendment) Act 2024, which commenced in phases through 2025:

  • Circular of Personal Data Protection Commissioner No. 1/2025 (Data Breach Notification)
  • Circular of Personal Data Protection Commissioner No. 2/2025 (Appointment of Data Protection Officer)
  • DBN Guideline and DPO Guideline (25 February 2025)
  • Cross Border Personal Data Transfer (CBPDT) Guidelines (29 April 2025)

Thailand — Personal Data Protection Committee (PDPC)

  • First administrative penalty under PDPA: THB 7M, 21 August 2024, against online retailer for DPO not appointed, inadequate security, late breach reporting
  • August 2025 wave: THB 14.5M across 5 cases (government agency cyberattack, hospital medical records, cosmetics company, collectible toy seller). Cumulative THB 21.5M.
  • Royal Gazette notification of 9 October 2025 — DPOs mandatory for state agencies with broader private sector implications expected
  • PDPC Eagle Eye breach response and complaint centre
  • PDPC Notification on Administrative Penalties

China — Cyberspace Administration of China (CAC)

  • Coordinated 28 March 2025 nationwide personal information protection enforcement campaign (joint with Ministry of Industry and Information Technology, Ministry of Public Security, State Administration for Market Regulation)
  • May 2025 Shanghai penalty against European luxury brand for unlawful cross-border transfer to French headquarters (first publicly disclosed PIPL cross-border transfer penalty)
  • September 2025 Shanghai subsidiary case for failure to fulfil PI protection obligations
  • Measures for Certification of Cross-Border Transfer of Personal Information (issued 14 October 2025, effective 1 January 2026)
  • Provisions on Promoting and Regulating Cross-Border Data Transfer (March 2024)
  • Guidelines for Data Export Security Assessment (Version 3), effective 27 June 2025
  • CAC FAQs of April 2025 and October 2025 clarifying CBDT implementation

Australia — Office of the Australian Information Commissioner (OAIC)

  • Privacy and Other Legislation Amendment (POLA) Act 2024 — Royal Assent 10 December 2024
  • Statutory tort for serious invasions of privacy — commenced 10 June 2025
  • ADM transparency in privacy policies — effective 11 December 2026
  • Children's Online Privacy Code — in development, expected 10 December 2026
  • OAIC ALI and ALJ (Privacy) [2024] AICmr 131 (employee records exemption narrowing)
  • 100,000+ additional small businesses regulated from 1 July 2026

Hong Kong / New Zealand / India

  • Privacy Commissioner for Personal Data, Hong Kong
  • Office of the Privacy Commissioner, New Zealand
  • Data Protection Board of India (DPBI) — established 13 November 2025 under the DPDPA 2023

Americas

United States federal:

  • Federal Trade Commission (FTC) — Drizly action (2022), notable for naming the CEO personally; Edmodo COPPA enforcement
  • Department of Health and Human Services, Office for Civil Rights (HHS OCR) — HIPAA enforcement

California:

  • California Privacy Protection Agency (CPPA / CalPrivacy) — final regulations adopted 23 September 2025 covering ADMT, risk assessments, and cybersecurity audits (effective 1 January 2026; ADMT compliance obligations from 1 January 2027)
  • CPPA enforcement actions: Todd Snyder decision ($345,178); American Honda Motor Co. decision ($632,500)
  • California Attorney General — Sephora $1.2M settlement (2022) on GPC; Healthline Media $1.55M settlement (July 2025, the largest CCPA settlement to date, for failing to honor consumer opt-out requests among other violations); joint multi-state GPC enforcement sweep with the Colorado and Connecticut AGs (September 2025)

US states with UOOM mandates: Colorado, Connecticut, Texas, Montana, Delaware, New Jersey, New Hampshire, Maryland, Minnesota, Nebraska, Oregon, plus California

Washington State Attorney General — enforces the My Health My Data Act (MHMDA). MHMDA's private right of action (through the Washington Consumer Protection Act) is rare among US state privacy laws, so litigation exposure is not contingent on AG enforcement.

Colorado Attorney General — exclusive enforcement authority for Colorado AI Act (SB 24-205). Violations constitute deceptive trade practices under Colorado Consumer Protection Act.

Other state AGs: Virginia, Utah

Canada

Commission d'accès à l'information du Québec (CAI) — enforces Quebec Law 25:

  • Administrative monetary penalties up to CAD 10M or 2% of global turnover
  • Penal proceedings in the Court of Quebec, with fines up to CAD 25M or 4% of global turnover
  • Minimum fine of CAD 15,000 for corporations; doubled for subsequent offences
  • Approximately 444 confidentiality-incident declarations received in 2023–2024

Office of the Privacy Commissioner of Canada (OPC) — federal PIPEDA enforcement; coordinates with provincial regulators.

Brazil — Autoridade Nacional de Proteção de Dados (ANPD)

  • Transformed into an independent regulatory agency by Provisional Measure 1,317/2025 (September 2025), providing functional, technical, decision-making, administrative, and financial autonomy
  • Cumulative fines of approximately BRL 98M (USD 20M) between 2023 and 2025
  • Meta enforcement case (daily fines BRL 50,000, suspended August 2024) — inadequate disclosures, insufficient children's data protections, failure to provide opt-out, disregard for Brazilian users' legitimate expectations
  • DPO non-compliance campaign November 2024 – April 2025 — investigatory proceeding against 20 companies for failure to appoint DPO, not disclosing DPO information, not providing communication channel to data subjects. Concluded April 2025 after all 20 companies complied.
  • November 2025 Enforcement Dashboard launched — interactive tool providing aggregated data on oversight actions
  • Active supervisory actions: social media (children's data), messaging platforms (transparency and consent), pharmaceutical loyalty programs, 23 football clubs using facial recognition for stadium access

ANPD Resolutions informing detection:

  • Resolution CD/ANPD No. 4/2023 — classification of infractions and sanctions
  • Resolution CD/ANPD No. 15/2024 — Regulation on Notification of Security Incidents
  • Resolution CD/ANPD No. 18/2024 — DPO requirements, including mandatory appointment of a substitute DPO
  • Resolution CD/ANPD No. 19/2024 — international data transfer SCCs; grace period ended 23 August 2025
  • Resolution CD/ANPD No. 30/2025 — Priority Topics Map for Oversight and Regulatory Action, 2026–2027 biennium (sensitive data in advertising, children and adolescents, public authorities, AI)
  • Resolution CD/ANPD No. 31/2025 — Regulatory Agenda 2025–2026

ANPD reports:

  • Report on Generative AI
  • Study on biometric data and facial recognition in Brazil
  • Guide on Legitimate Interests


3. Statutory instruments

European Union

  • EU GDPR (Regulation 2016/679)
  • EU AI Act (Regulation (EU) 2024/1689) — entered into force 1 August 2024. Staged commencement:
    - 2 February 2025: Article 4 (AI literacy) and Article 5 (prohibited practices) apply
    - 2 August 2025: sanctions regime applicable for prohibited practices (€35M or 7% of global turnover); GPAI obligations apply
    - 2 August 2026: Article 50 transparency enforceable; high-risk AI obligations; general enforcement begins
    - 2 August 2027: high-risk AI in regulated products
  • Digital Services Act (Regulation (EU) 2022/2065) — Article 25(1) ban on dark patterns by online platforms, applicable from 17 February 2024
  • ePrivacy Directive (2002/58/EC, as amended)

United Kingdom

  • UK GDPR and Data Protection Act 2018, as amended by the Data (Use and Access) Act 2025 (DUAA):
    - Royal Assent 19 June 2025
    - Key provisions commenced 5 February 2026
    - Maximum PECR fines increased from £500,000 to £17.5 million or 4% of global annual turnover (a 35-fold increase on the fixed cap)
    - Senior Responsible Individual (SRI) role replaces the UK-only DPO requirement for some organisations
    - Mandatory data protection complaints procedure from 19 June 2026
    - DSAR "reasonable and proportionate" search test
    - New exemptions for low-risk analytics and functional cookies (subject to transparency and opt-out conditions)
  • Privacy and Electronic Communications (EC Directive) Regulations 2003 (PECR), as amended by the DUAA

Asia-Pacific

  • Singapore Personal Data Protection Act (PDPA) 2012
  • Malaysia Personal Data Protection Act 2010, as amended by the Personal Data Protection (Amendment) Act 2024 — phased commencement January to June 2025:
    - 1 January 2025: minor amendments
    - 1 April 2025: 'personal data breach' definition; amended 'requestor' definition; cross-border transfer regime changes
    - 1 June 2025: mandatory DPO appointment (s.12A); mandatory data breach notification (s.12B — 72 hours to the Commissioner, 7 days to affected individuals where significant harm is likely); data portability right (s.43A); penalty increase (RM300K → RM1M; imprisonment 2 → 3 years); whitelist approach replaced by a risk-based cross-border transfer framework
  • Thailand Personal Data Protection Act B.E. 2562 (2019) — fully effective 1 June 2022
  • Thailand Emergency Decree on Measures for the Prevention and Suppression of Technology Crimes (No. 2) B.E. 2568 (2025) — effective 13 April 2025; criminal offences for misuse of personal data in connection with technology crimes (imprisonment up to 1 year, fines up to THB 100,000; both doubled for commercial misuse)
  • India Digital Personal Data Protection Act 2023 (DPDPA) and Digital Personal Data Protection Rules 2025 — notified 13 November 2025:
    - 13 November 2025: DPBI establishment; administrative provisions effective
    - 13 November 2026: Consent Manager framework effective
    - 13 May 2027: all other operational provisions (notices, consent, rights, retention, security, breach notification)
    - Maximum penalty: INR 250 crore
  • China Personal Information Protection Law (PIPL) 2021, Cybersecurity Law (CSL), Data Security Law (DSL):
    - Provisions on Promoting and Regulating Cross-Border Data Transfer (March 2024)
    - Measures for Certification of Cross-Border Transfer of Personal Information (effective 1 January 2026)
    - Three-pathway cross-border transfer framework now complete: Security Assessment (CAC-led, stringent), SCCs (procedural), PIP Certification (middle-ground)
    - Maximum penalty: RMB 50M or 5% of prior-year annual turnover

Americas

  • California CCPA/CPRA, as amended by:
    - 2025 CPPA regulations on ADMT, risk assessments, cybersecurity audits (effective 1 January 2026)
    - California Opt Me Out Act (AB 566, signed October 2025; browsers must offer a GPC opt-out preference signal by 1 January 2027)
  • US state privacy laws with UOOM mandates, with commencement dates:
    - Colorado Privacy Act — 1 July 2024
    - Texas Data Privacy and Security Act — 1 July 2024
    - Montana Consumer Data Privacy Act — 1 October 2024
    - Connecticut Data Privacy Act — 1 January 2025
    - Delaware Personal Data Privacy Act — 1 January 2025
    - New Hampshire Data Privacy Act — 1 January 2025
    - Nebraska Data Privacy Act — 1 January 2025
    - New Jersey Data Privacy Law — 15 July 2025
    - Minnesota Consumer Data Privacy Act — 31 July 2025
    - Maryland Online Data Privacy Act — 1 October 2025
    - Oregon Consumer Privacy Act — 1 January 2026
  • Washington My Health My Data Act (MHMDA, RCW 19.373):
    - Effective 31 March 2024 for regulated entities; 30 June 2024 for small businesses
    - Requires a separate consumer health data privacy policy, prominently linked from the homepage and distinct from the general privacy policy
    - "Consumer health data" defined broadly (fitness, wellness, nutrition, biometric, bodily functions, reproductive, mental health, location reasonably indicating health)
    - Geofencing ban around healthcare facilities
    - Private right of action under the Washington Consumer Protection Act
    - Extraterritorial scope: applies to any natural person whose consumer health data is collected in Washington
  • Nevada Consumer Health Data Privacy Law (SB 370) — effective 31 March 2024; parallel to MHMDA but without a private right of action and with narrower scope
  • Colorado Artificial Intelligence Act (SB 24-205):
    - Signed 17 May 2024
    - Effective date delayed from 1 February 2026 to 30 June 2026 by SB 25B-004 (signed 28 August 2025)
    - Applies to developers and deployers of "high-risk" AI systems making or substantially influencing "consequential decisions" in employment, education, housing, healthcare, financial/lending services, or legal services
    - Obligations: risk management programme, impact assessments, consumer notices, adverse-decision explanations, appeals
    - Consumer-facing AI disclosure: unless obvious to a reasonable person, consumers must be told they are interacting with an AI system
    - Colorado AG has exclusive enforcement; violations are deceptive trade practices under the Colorado Consumer Protection Act
  • HIPAA Privacy and Security Rules
  • Brazil Lei Geral de Proteção de Dados (LGPD)
  • Brazil Digital Statute of Children and Adolescents (ECA Digital, Law 15,211/2025)
  • Quebec Law 25 (Act to Modernize Legislative Provisions as Regards the Protection of Personal Information):
    - Three-phase commencement: 22 September 2022, 22 September 2023, 22 September 2024 (final phase: data portability)
    - Extraterritorial scope based on the residence of the data subject, not the organisation
    - Person in charge of the protection of personal information (privacy officer) mandatory; the CEO holds the role by default unless it is delegated in writing; contact information must be published on the company website
    - Mandatory breach notification to the CAI and affected individuals
    - Private right of action with minimum CAD 1,000 punitive damages
    - Administrative monetary penalties up to CAD 10M or 2% of global turnover
    - Penal fines up to CAD 25M or 4% of global turnover
    - Minimum penal fine of CAD 15,000 for corporations; doubled for subsequent offences
  • Canada Personal Information Protection and Electronic Documents Act (PIPEDA) — federal private-sector privacy law, applying where provincial laws are not deemed "substantially similar"
  • France — Loi Informatique et Libertés (French Data Protection Act), Article 82, which transposes ePrivacy Article 5(3) and is the legal basis of the CNIL cookie decisions in §2

4. Enforcement precedent highlights

Decisions that drive severity tiering in the scanner's finding catalogue:

Cookie enforcement

  • CNIL SAN-2025-005 (SHEIN, 1 September 2025, €150M) — cookies before banner; incomplete information; cookies persisting after Reject All
  • CNIL SAN-2025-006 (Google, 1 September 2025, €325M) — advertising cookies without consent on account creation; ads between Gmail messages
  • Landgericht München I — 3 O 17493/20 (Google Fonts, 20 January 2022, €100 damages) — the Munich Regional Court held that embedding Google Fonts so that the visitor's IP address is transmitted to Google without prior consent is a disclosure of personal data without a legal basis under GDPR Article 6, and awarded the visitor civil damages. Cited here as anchor authority for the broader principle that fetching a remote resource which transmits IP and request metadata to a third country is in scope for EU/UK visitors even where no cookie is set; the ePrivacy Article 5(3) reading of the same fact pattern rests on EDPB Guidelines 02/2023 (§2), since the Munich judgment itself is a GDPR damages ruling. Practical corollary for the scanner: the finding is triggered by the fetch itself, so self-hosting the font (or any script or stylesheet) or gating the fetch behind consent removes it. Added 16 June 2026.
  • Earlier CNIL cookie decisions since 2020
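The Google Fonts fact pattern, and the EDPB 02/2023 scope in §2, turn on one observable thing: which hosts a page makes the visitor's browser contact while rendering. A first pass can be done statically from the HTML before any browser is driven. The Python below is an added example written for this Reference, not the scanner's detection logic or any court's test. It collects every fetch-triggering URL in a page (including `<link rel="preconnect">`, which already discloses the IP address before a byte of font data is downloaded, and `@import`/`url()` references in CSS), resolves them against the page URL and reports those served from another site. The sample HTML for the fictitious shop is constructed; the "registrable domain equals last two labels" rule is a stated simplification, as a real scanner needs a public-suffix list.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Attributes that make the browser open a connection while the document is parsed.
FETCH_ATTRS = {
    "script": ("src",), "img": ("src", "srcset"), "iframe": ("src",),
    "video": ("src", "poster"), "audio": ("src",), "source": ("src", "srcset"),
}
# <link rel=...> values that fetch, or (preconnect / dns-prefetch) at least contact the host;
# a preconnect already discloses the visitor's IP address before any resource is downloaded.
FETCHING_RELS = {"stylesheet", "icon", "preload", "modulepreload", "prefetch",
                 "preconnect", "dns-prefetch"}
# @import and url(...) references inside CSS.
CSS_URL = re.compile(r"""(?:@import\s+(?:url\()?|url\()\s*['"]?([^'")\s]+)""")


class ResourceCollector(HTMLParser):
    """Collect every URL the page would contact while rendering."""

    def __init__(self):
        super().__init__()
        self.urls = []
        self._in_style = False

    def handle_starttag(self, tag, attrs):
        a = {k: v for k, v in attrs if v is not None}
        if tag == "style":
            self._in_style = True
        elif tag == "link":
            rels = set(a.get("rel", "").lower().split())
            if rels & FETCHING_RELS and "href" in a:
                self.urls.append(a["href"])
        for attr in FETCH_ATTRS.get(tag, ()):
            if attr in a:
                # srcset is "url1 1x, url2 2x"; any candidate may be fetched
                for candidate in a[attr].split(","):
                    tokens = candidate.split()
                    if tokens:
                        self.urls.append(tokens[0])
        if "style" in a:                       # inline style="background:url(...)"
            self.urls.extend(CSS_URL.findall(a["style"]))

    def handle_endtag(self, tag):
        if tag == "style":
            self._in_style = False

    def handle_data(self, data):
        if self._in_style:
            self.urls.extend(CSS_URL.findall(data))


def registrable(host):
    """Approximate the registrable domain as the last two labels.
    Assumption: no public-suffix list here; a real scanner needs one (e.g. for co.uk)."""
    return ".".join(host.lower().split(".")[-2:])


def third_party_resources(html, page_url):
    """Return sorted (host, url) pairs for resources served from a different site."""
    collector = ResourceCollector()
    collector.feed(html)
    site = registrable(urlsplit(page_url).hostname)
    found = set()
    for raw in collector.urls:
        full = urljoin(page_url, raw)
        host = urlsplit(full).hostname      # None for data:, blob:, about: URLs
        if host and registrable(host) != site:
            found.add((host, full))
    return sorted(found)


# Constructed page for a fictitious shop: a Google Fonts stylesheet and preconnect,
# a CSS @import from a CDN, a third-party analytics tag, and first-party/data: images.
SAMPLE_HTML = """<!doctype html><html><head>
<link rel="preconnect" href="https://fonts.gstatic.com" crossorigin>
<link rel="stylesheet" href="https://fonts.googleapis.com/css2?family=Inter">
<link rel="stylesheet" href="/static/site.css">
<link rel="canonical" href="https://other.example/landing">
<style>@import url("https://cdn.example-cdn.net/reset.css"); .hero{background:url(/img/hero.png)}</style>
<script src="https://static.example-analytics.com/t.js" defer></script>
</head><body>
<img src="data:image/png;base64,iVBORw0KGgo=" alt="">
<img src="https://shop.example/logo.png" srcset="/logo@2x.png 2x">
</body></html>"""


def third_party_hosts_sample():
    return [host for host, _ in third_party_resources(SAMPLE_HTML, "https://www.shop.example/")]


if __name__ == "__main__":
    for host, url in third_party_resources(SAMPLE_HTML, "https://www.shop.example/"):
        print(f"{host:32} {url}")
```

Two caveats when turning this into a finding. A third-party host is evidence of an off-site IP disclosure, not of unlawfulness on its own: a CDN operating under a processor contract inside the EU is a different case from a font or analytics endpoint in a third country, so the host still has to be classified. And static parsing only sees what is in the served HTML; tags injected at runtime by consent managers, tag managers or A/B tools, which is where "fires despite Reject All" usually comes from, only show up in a browser-driven network trace.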

GPC / universal opt-out

  • Sephora settlement (CA, 2022, $1.2M) — first enforcement for failing to honor GPC
  • Todd Snyder decision (CA, $345,178)
  • American Honda Motor Co. decision (CA, $632,500)
  • Healthline Media settlement (CA AG, July 2025, $1.55M) — largest CCPA settlement to date, for failing to honor consumer opt-out requests among other violations
  • CA / CO / CT joint GPC enforcement sweep (September 2025) — coordinated multi-state action
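Every action in this list, and the UOOM mandates in §2 and §3, comes down to one mechanical behaviour: a GPC-enabled browser sends `Sec-GPC: 1` on each request, and the site must treat it as an opt-out of sale/share and behave visibly differently. The Python below is an added example written for this Reference, not the scanner's check nor any regulator's test. It models the server side (a page handler that drops its advertising cookies and ad tag when the signal is present, persists the choice in a first-party cookie, sets `Vary: Sec-GPC` so a cache never serves the tracked variant to an opted-out visitor, and publishes `/.well-known/gpc.json`) and the scanner side (request with the header, confirm the opt-out is visible in the response). Which cookies count as sale/share, the ad tag URL and the cookie names are assumptions for the fictitious site.

```python
import json

# Assumptions for this example: which cookies the site uses for cross-context
# behavioural advertising ("sale/share" under CCPA) and which are purely functional.
SALE_SHARE_COOKIES = {"ad_id", "_fbp"}
FUNCTIONAL_COOKIES = {"session_id"}
AD_SCRIPT = "https://ads.example/pixel.js"   # hypothetical third-party ad tag


def gpc_opt_out(request_headers):
    """The GPC spec defines exactly one valid header value, 'Sec-GPC: 1'; anything else is no signal."""
    return request_headers.get("Sec-GPC", "").strip() == "1"


def well_known_gpc(last_update="2026-06-16"):
    """Body for /.well-known/gpc.json, the spec's way for a site to declare that it honours GPC."""
    return json.dumps({"gpc": True, "lastUpdate": last_update})


def page_handler(request_headers, honour_gpc=True):
    """Minimal model of a page response: the cookies it sets and the scripts it embeds."""
    cookies = sorted(FUNCTIONAL_COOKIES | SALE_SHARE_COOKIES)
    scripts = ["/static/app.js", AD_SCRIPT]
    # Every variant of a response that depends on the header must carry Vary, otherwise a
    # shared cache can hand the tracked HTML to an opted-out visitor and undo the opt-out.
    headers = {"Vary": "Sec-GPC"} if honour_gpc else {}
    if honour_gpc and gpc_opt_out(request_headers):
        # Treat the signal as an opt-out of sale/share: no ad cookies, no ad tag, and a
        # first-party cookie so the choice persists even if a later request lacks the header.
        cookies = [c for c in cookies if c not in SALE_SHARE_COOKIES] + ["privacy_opt_out"]
        scripts = [s for s in scripts if s != AD_SCRIPT]
    headers["Set-Cookie"] = [f"{c}=1; Secure; SameSite=Lax; Path=/" for c in cookies]
    return {"headers": headers, "scripts": scripts}


def scan_gpc(handler, sale_share=SALE_SHARE_COOKIES, ad_hosts=("ads.example",)):
    """Scanner-side check: fetch with 'Sec-GPC: 1' and verify the opt-out is visible in the response."""
    on = handler({"Sec-GPC": "1"})
    findings = []
    cookies_on = {c.split("=", 1)[0] for c in on["headers"]["Set-Cookie"]}
    leaked = sorted(cookies_on & sale_share)
    if leaked:
        findings.append(("gpc_sale_share_cookies_still_set", leaked))
    ad_scripts = [s for s in on["scripts"] if any(h in s for h in ad_hosts)]
    if ad_scripts:
        findings.append(("gpc_ad_scripts_still_loaded", ad_scripts))
    vary = [v.strip().lower() for v in on["headers"].get("Vary", "").split(",")]
    if "sec-gpc" not in vary:
        findings.append(("vary_missing_sec_gpc", []))
    return findings


if __name__ == "__main__":
    print("honouring site:", scan_gpc(page_handler))
    print("ignoring site: ", scan_gpc(lambda h: page_handler(h, honour_gpc=False)))
```

On a live site the scanner inspects the browser's cookie jar and network log after the page has rendered rather than a single `Set-Cookie` header, because the Sephora and Healthline fact patterns were about third-party requests continuing after the signal, not about first-party headers. The browser-side counterpart of the header is `navigator.globalPrivacyControl`, which a consent manager can read at runtime to suppress the same tags client-side; the server check above is the one that survives caching and script-blocking, so it is the one to treat as authoritative.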

Brazil LGPD

  • Meta daily fines case (suspended August 2024)
  • DPO non-compliance campaign against 20 companies (November 2024 – April 2025)
  • INSS (National Social Security Institute) Article 48 violation order

Thailand PDPA

  • First enforcement THB 7M (21 August 2024) — online retailer; DPO not appointed, inadequate security, late breach reporting
  • August 2025 wave THB 14.5M across 5 cases (state agency, hospital, cosmetics, toy seller)

China PIPL

  • May 2025 Shanghai penalty against European luxury brand — first publicly disclosed cross-border transfer penalty
  • September 2025 Shanghai subsidiary case
  • 28 March 2025 nationwide enforcement campaign

EU AI Act

  • No Article 5 enforcement actions publicly disclosed as of publication date
  • Commission Guidelines on Prohibited AI Practices (4 February 2025) provide interpretative framework

5. Industry frameworks and complementary references

  • IAB Europe Transparency and Consent Framework (TCF) — de facto industry standard for consent signal exchange
  • Global Privacy Control (GPC) technical specification — adopted as official work item of W3C Privacy Working Group in November 2024
  • IAPP analysis, certification mappings (CIPM, CIPP/E, CIPP/US), and enforcement-pattern documentation
  • noyb (None of Your Business) public complaints — particularly where a noyb complaint has triggered subsequent regulatory action (e.g., August 2022 noyb complaint to CNIL led to SAN-2025-006)
  • ASEAN Model Contractual Clauses for Cross-Border Data Flows — accepted under Thailand PDPA

6. Newly integrated regimes and remaining gaps

Integrated alongside Methodology v1.6 (Reference v1.5, 21 May 2026)

The following five regimes are now covered by the scanner (findings M24–M29 plus anchor-source extensions; see Methodology v1.6 Appendix A). Article-level citations were verified against authoritative secondary sources (law-firm guidance, IAPP, the official UAE legislation portal); a final confirmation against primary statutory text by a qualified privacy professional is recommended before enforcement-grade reliance.

Switzerland — Federal Data Protection and Information Commissioner (FDPIC / EDÖB / PFPDT). Supervises the nFADP / revFADP (in force 1 September 2023; implementing Ordinance DPO/OPDo). Advisory and investigatory powers; cannot impose administrative fines — cantonal prosecutors impose criminal fines of up to CHF 250,000 on responsible individuals (Art. 60). Key provisions: Art. 7 (privacy by design/default), Art. 12 (ROPA; <250-employee + low-risk exemption), Art. 14 (Swiss representative for certain foreign controllers), Art. 19 (duty to inform), Art. 21 (automated individual decisions), Art. 22 (DPIA), Art. 24 (breach notification to the FDPIC "as soon as possible"). Transfers governed by the Swiss Federal Council's own adequacy list, SCCs, BCRs, or specific guarantees. FDPIC cookie guidance: first version January 2025; v1.1 issued 6 October 2025 (consent / "consent-or-pay"). Swiss cookie regime is transparency-based, not ePrivacy opt-in.

South Korea — Personal Information Protection Commission (PIPC). Enforces PIPA, as amended (amendment effective 15 September 2023; automated-decision enforcement-decree provisions effective 15 March 2024). Administrative penalties up to 3% of total revenue (a 10%-of-total-turnover ceiling is scheduled for 11 September 2026 — verify before relying on it). 72-hour breach notification; mandatory CPO (Art. 31) with statutory independence and board reporting; automated-decision rights — refuse/explanation (Art. 37-2); cross-border transfer requires separate consent (Art. 28-8, incl. 28-8(2) prior notice). Enforcement: January 2025 — KRW 5.9bn on KakaoPay and KRW 2.4bn on Apple Distribution International for failure to notify cross-border processing via the Alipay relationship; 2022 — ≈KRW 69.2bn on Google and ≈KRW 30.8bn on Meta for behavioural-advertising data without consent.

United Arab Emirates — UAE Data Office (federal). Oversees Federal Decree-Law No. 45 of 2021 (UAE PDPL; effective 2 January 2022; extraterritorial). DPO contact specified and notified to the Bureau (Art. 10); immediate breach notification (Art. 9); cross-border transfer to adequate/approved destinations or via safeguards/consent (Art. 22–23). Executive Regulations remain pending — breach timing, approved-country list, and penalty amounts not yet fixed (indicative AED 5M ceiling cited, unconfirmed); UAE findings are interim. Separate regulators govern the financial free zones: DIFC Commissioner of Data Protection (DIFC DPL 2020) and ADGM Office of Data Protection (ADGM DPR 2021) — both outside the Federal PDPL.

Nigeria — Nigeria Data Protection Commission (NDPC). Established by the NDPA 2023 (succeeding the NDPB / NITDA NDPR 2019); issued the General Application and Implementation Directive (GAID) 2025. "Data controllers/processors of major importance" must register (NDPC publishes a public register) and appoint a DPO; 72-hour breach notification; penalty for such entities is the higher of ₦10,000,000 or 2% of preceding-year annual gross revenue.

Saudi Arabia — Saudi Data and Artificial Intelligence Authority (SDAIA). Competent authority for the PDPL (Royal Decree M/19) and Implementing Regulations — in force 14 September 2023; full enforcement since 14 September 2024 (one-year grace ended). 72-hour breach notification (Implementing Regulations Art. 24); cross-border via consent/adequacy/safeguards + risk assessment (Regulation on Personal Data Transfer Outside the Kingdom). Penalties up to SAR 5M (doubled on repeat); disclosing/publishing sensitive personal data carries up to 2 years' imprisonment and/or SAR 3M.

Remaining gaps and planned work

  • EU AI Act Article 50 Code of Practice (expected finalisation June 2026) integration
  • UK DUAA complaints-procedure promotion to high severity (19 June 2026)
  • CCPA ADMT pre-use notice compliance hardening (1 January 2027 signals)
  • DPDPA Consent Manager framework (13 November 2026 commencement)
  • Colorado AI Act finalisation (30 June 2026 commencement)
  • Further jurisdictions assessed on a rolling basis (additional GCC, African, and Latin American frameworks)

Acknowledged substantive gaps

  • Sector-specific compliance — HIPAA Business Associate Agreements, FERPA for education, GLBA for financial services — these impose obligations the scanner does not currently test for
  • Contractual compliance — DPAs, SCCs, BCRs — not externally observable
  • Internal governance — training, incident response drilling, DPIA quality — not externally observable
  • Cybersecurity obligations that intersect with privacy — NIS2, DORA, sector-specific cyber incident reporting — treated as out of scope for this scanner

7. Version and changelog

v1.6 — 16 June 2026

  • Added Landgericht München I — 3 O 17493/20 (Google Fonts, 20 January 2022, €100 damages) to §4 Cookie enforcement as the anchor authority for IP-transmitting remote resources falling under GDPR/ePrivacy Article 5(3) without cookie storage.
  • Companion to Methodology v1.7 (scan-agent naming, M5/C8 detection corrections, geo-vantage chapter integrated; severity-financial overlay added). No methodology citations changed; the bump tracks the Munich addition + the version coupling to Methodology v1.7.

v1.5 — 21 May 2026

  • Added FDPIC (Switzerland), PIPC (South Korea), UAE Data Office, NDPC (Nigeria), and SDAIA (Saudi Arabia) as regulator sources, with verified article-level citations.
  • Added Switzerland nFADP, South Korea PIPA, UAE PDPL, Nigeria NDPA 2023, and Saudi PDPL as statutory instruments; noted DIFC DPL 2020 / ADGM DPR 2021 free-zone carve-outs.
  • Added Korea enforcement precedent (KakaoPay/Apple Jan 2025; Google/Meta 2022) and the FDPIC cookie-guidance update (Oct 2025).
  • Restructured Section 6: the five regimes moved from "gaps" to "integrated" (alongside Methodology v1.6); remaining gaps and the rolling-assessment note retained.
  • Companion to Methodology v1.6 (findings M24–M29 + anchor extensions). Article numbers verified against authoritative secondary sources; primary-source confirmation by a qualified privacy professional recommended before enforcement-grade reliance.

v1.4 — 17 April 2026

  • First version as standalone Regulator Reference document
  • Content previously resided as encyclopedic appendix material within the Methodology (v1.0 through v1.3)
  • Structural refactor motivated by v1.4 methodology review: separating regulator detail from scanner detection logic keeps both documents clearer
  • Added Canadian regulators (CAI, OPC)
  • Added Washington State AG and Colorado AG
  • Added EDPB Guidelines 02/2023 as anchor source for tracking-scope findings
  • Added Quebec Law 25, Washington MHMDA, Nevada Consumer Health Data Privacy Law, Colorado AI Act (SB 24-205), PIPEDA as statutory instruments
  • Added Section 6 (Gaps and planned additions) as explicit acknowledgement of regimes not yet integrated

Future updates

This document is maintained as a living reference. Material updates are cadenced monthly; minor updates (new enforcement decisions, guidance amendments) may be published more frequently. The Methodology is updated less frequently, typically with quarterly or event-driven cadence.


Questions about regulator sources or citations can be sent to methodology@dxtra.ai. For substantive questions from researchers, journalists, and customers we respond within 5 business days.