Global Updates – January 2025

Global updates – a quick glance

Australia:

  • Australia introduced public country-by-country reporting (“CbC”) requirements effective for the financial year beginning on or after July 1, 2024.
  • Australian Global Minimum Tax law received royal assent on December 10, 2024, and is effective from January 1, 2024.

Belgium: The Belgian parliament passed a law to make e-invoicing mandatory for business-to-business (“B2B”) transactions effective from January 1, 2026, subject to the EU’s approval.

Brazil:

  • Revises social security contribution table for 2025.
  • Global Minimum Tax introduced through Law No. 15,079/24 effective from January 1, 2025.
  • Complementary Law No. 214/2025 sanctioned regulating the indirect tax reform.

Bulgaria: Thresholds for arrivals and dispatches under Intrastat system and statistical value reporting revised for 2025.

Canada:

  • Canada and Quebec’s social security contribution rates and maximum bases announced for 2025 (i.e., January 1, 2025, to December 31, 2025).
  • Quebec brings changes to the requirement of providing a medical certificate for a sick leave by employees, effective from January 1, 2025.
  • Ontario enacts Bill 229, introducing new leaves such as child placement leave and long-term illness leave.
  • Federal and certain provincial income tax slabs increased for 2025.
  • Ontario government published Regulations 477/24 prescribing information to be provided by the employers to the employees before starting the employment, effective July 1, 2025.
  • Some provisions of Ontario’s Employment Standards Act, 2000 relating to pay transparency and job posting requirements amended by Bills 149 and 190 effective from January 1, 2026.

Chile: Chile enacts the personal data protection law aligning with EU GDPR standards.

China:

  • Starting from January 2025, statutory paid holiday entitlement increases from 11 to 13, with one additional day added to both Spring Festival (Chinese New Year) and Labour Day holidays.
  • Fully Digitalized E-Fapiao implemented across the whole of China, effective from December 1, 2024.
  • SAMR issued the Company Registration Management Implementation Measures, effective February 10, 2025, to implement the new Company Law, standardize registration management, and ensure timely capital contribution.
  • China enacts new VAT law to be effective from January 1, 2026.

Costa Rica: Costa Rica publishes tax rates and slabs for the tax year 2025.

Cyprus: The Cyprus House of Representatives approved implementation of the global minimum tax on December 12, 2024; it is effective from January 1, 2024.

Czech Republic:

  • Czech Republic revised provisions related to VAT registration thresholds from January 1, 2025.
  • Czech Republic abolishes the guaranteed wages for the commercial/private sector, revises the classification of the groups for the guaranteed wages for the state/public sector, and increases the minimum monthly wages for the year 2025.

European Union:

  • VAT in Digital Age (“ViDA”) Agreement finalized to implement uniform VAT rules across the EU, mainly focusing on digital reporting requirements, the platform economy and single VAT registration; to be implemented in a phased manner.
  • Effective January 1, 2025, the SME VAT exemption scheme is expanded to cross-border transactions.

Finland: Mandatory VAT registration threshold increased from EUR 15,000 to EUR 20,000 with effect from January 1, 2025.

France: The French Parliament approved the Special Finance Bill, 2025, maintaining continuity of the existing tax rules in 2025 until the new Finance Bill for 2025 is passed.

Germany:

  • Changes in maximum income bases and rates for social security contributions for 2025.
  • The Annual Tax Act was enacted; it includes changes in income tax and VAT registration thresholds and introduces a small business VAT exemption scheme, effective from January 1, 2025.
  • Germany introduces key reforms for digital contracts and document retention, effective from January 1, 2025.

Greece: Greece sets new thresholds for criteria for categorization of enterprises.

India: Multi-Factor Authentication (“MFA”) for GST e-invoicing/e-way bill system access to apply to all taxpayers gradually.

Indonesia: Enacted new KIA Law amending provisions relating to maternity leave effective from July 2, 2024.

Ireland:

  • Ireland grants right to postpone maternity leave, effective from November 20, 2024.
  • Ireland introduces amendments to Companies Act, 2014 with key changes on virtual meetings and strike off provisions effective from December 3, 2024.

Italy: Italy published Budget for the year 2025; introduced new non-taxable allowances for employees; reduced corporate tax rate incentive; small business VAT exemption scheme; and changes to Digital Service Tax, effective from January 1, 2025.

Japan:

  • Freelancer Protection Act came into effect to promote fair treatment and timely payments for freelancers.
  • Government unveils tax reform proposals for 2025: it proposes a new special defense corporate tax at 4% of the standard corporate tax amount; further, the special corporate tax rate applicable to SMEs for income up to JPY 8 million is proposed to be increased from 15% to 17% for fiscal years where annual taxable income exceeds JPY 1 billion.

Malaysia:

  • Increases wage ceiling for contributions to the Social Security Organization (“SOCSO”) from RM 5,000 to RM 6,000.
  • New requirement to include beneficial owner information in the annual return to be effective from November 30, 2024.

Morocco: Morocco enacts Finance Law 2025, revises tax brackets and rates for individual taxation.

Netherlands: Netherlands Senate approves 2025 tax plan with changes to personal income tax, social security rates, and 30% ruling applicable to foreign workers.

Poland:

  • Polish President signed the law to implement Global Minimum Tax on November 15, 2024, which is effective from January 1, 2025.
  • Poland announced revised thresholds for small taxpayers and social security contribution caps, effective from January 1, 2025.
  • Poland passes legislation to make December 24 (Christmas Eve) a public holiday effective from February 1, 2025.

Singapore:

  • Singapore implements Global Minimum Tax effective from January 1, 2025.
  • Singapore amends its paternity and shared parental leave provisions.

Serbia:

  • VAT and e-invoicing law amended to introduce requirement of preliminary VAT return, requirement to register status as VAT payer or not on the e-invoicing system, etc.
  • Digital sick leave system introduced for seamless employer notifications from March 2025.

South Africa: Amendments to the Employment Equity Act to be effective January 2025; employers having more than 50 employees, regardless of turnover, need to comply with the law, as the turnover-based threshold for applicability has been removed.

South Korea: Amendments to the law promoting childcare support to be effective from February 23, 2025; amendments include increase in the childcare leave and paternity leave.

Spain:

  • Spain implemented Global Minimum Tax effective from December 22, 2024.
  • Spain introduces new additional solidarity contribution effective from January 1, 2025.
  • Gradual reduction in corporate income tax rate for micro-enterprises and small companies effective from January 1, 2025.

Sweden:

  • Sweden revises the National Income Tax Threshold for 2025.
  • Sweden increases VAT registration threshold to SEK 120,000 from SEK 80,000 effective from January 1, 2025.

Switzerland: Switzerland increases the child and education allowance from the year 2025.

Thailand: Introduction of Employee Welfare Fund contribution to be effective from October 1, 2025.

United Kingdom: UK Autumn Statement 2024, announced on October 30, 2024; employer’s NI contribution rate increased from 13.8% to 15%; secondary threshold at which the employer becomes liable to pay NI reduced from GBP 9,100 to GBP 5,000, effective from April 1, 2025.

Data Protection Fines Table
Fields: Country; Authority Name; Fine imposed on; Reason for Fine Related to Data Protection Failure; Amount of Fine and Penalty

Country: Finland
Authority Name: Data Protection Ombudsman (“Tietosuojavaltuutetun toimisto”) (“Finnish DPA”)
Fine imposed on: Posti Group Oyj, a company providing postal and logistics services.
Reason for Fine: A fine was imposed for:
  • creating an electronic mailbox without the consent of customers and not giving customers the choice to opt out of the electronic mailbox,
  • failing to inform the customers about the purpose of use of personal data,
  • not having a legal ground for processing the personal data of customers who had not separately ordered an electronic mailbox but were assigned one automatically.
Amount of Fine and Penalty: EUR 2.4 million

Country: France
Authority Name: French Data Protection Authority (“CNIL”)
Fine imposed on: Telemaque SAS, a company which provides wireless, IT and digital services. Telemaque has a joint responsibility agreement concerning the processing of personal data with Cosmospace and offers remote clairvoyance services by telephone, chat, and SMS.
Reason for Fine: The fine was imposed for:
  • failing to obtain explicit consent before collecting sensitive personal information,
  • failing to minimize personal data collection and processing,
  • failing to retain data for a period limited to the intended purpose,
  • improper processing of the personal data.
Amount of Fine and Penalty: EUR 150,000

Country: France
Authority Name: French Data Protection Authority (“CNIL”)
Fine imposed on: Cegedim Santé, a subsidiary of Cegedim that provides software solutions and digital services to healthcare professionals and their patients, for the management of their activity and their daily practice.
Reason for Fine: The fine was imposed for the following reasons:
  • processing of personal data in the health sector carried out without the authorization of the CNIL,
  • unlawful processing of the personal data.
Amount of Fine and Penalty: EUR 800,000

Country: France
Authority Name: French Data Protection Authority (“CNIL”)
Fine imposed on: Orange SA, a French company that is a telecommunication operator and IT service provider.
Reason for Fine: The fine was imposed for the following reasons:
  • failure to obtain consent of the individuals to receive advertisements by electronic means (in the form of mails),
  • continued reading of cookies even after withdrawal of consent by the individuals.
Amount of Fine and Penalty: Fine of EUR 50 million. An order was also passed directing the company to make its cookie-related practices compliant with the law within 3 months, with a penalty of EUR 100,000 per day in case of delay.

Country: France
Authority Name: French Data Protection Authority (“CNIL”)
Fine imposed on: KASPR SAS, a subsidiary of Cognism, which provides a platform that integrates with LinkedIn to quickly gather and save contact details, helping businesses to connect with leads, save time, and standardize their outreach.
Reason for Fine: The fine was imposed for the following reasons:
  • unauthorized collection of individuals’ contact information,
  • retaining personal data for a longer period than necessary,
  • failing to clearly explain to individuals how their personal data will be processed and not informing them about their rights.
Amount of Fine and Penalty: EUR 240,000

Country: Ireland
Authority Name: The Data Protection Commission (“DPC”)
Fine imposed on: LinkedIn Ireland Unlimited Company, a company operating a social networking platform, specifically designed for the business community.
Reason for Fine: The Irish Data Protection Commission (“DPC”) initiated an investigation into LinkedIn following a complaint by La Quadrature Du Net in August 2018, alleging the platform used member data for behavioural analysis and targeted advertising without a lawful basis. The DPC imposed a GDPR fine for:
  • Invalid consent for third-party data use, lacking clarity and specificity.
  • Legitimate interests for data processing were outweighed by members’ rights and freedoms.
  • Failure to justify processing as contractually necessary.
  • Breach of transparency by failing to provide clear and sufficient information on data processing and its legal basis.
  • Violation of fairness due to misleading, unexpected, and harmful data processing.
Amount of Fine and Penalty: EUR 310 million

Country: Ireland
Authority Name: The Data Protection Commission (“DPC”)
Fine imposed on: Meta Platforms Ireland Limited (operating as the data controller of the social media platform Facebook, a multinational information technology company).
Reason for Fine: The Irish Data Protection Commission (“DPC”) investigated Facebook for a data breach, exposing sensitive user information like names, emails, and phone numbers. The breach affected global users, including in the EU/EEA, due to unauthorized exploitation of user token/access codes. The reasons for the fine are as follows:
  • Lack of data protection principles in the design of its processing systems.
  • Failure to limit processing to necessary personal data by default.
  • Missing mandatory information in its breach notification under GDPR.
  • Failure to document breach details, mitigation steps, and provide the documentation for verification.
Amount of Fine and Penalty: EUR 251 million

Country: Italy
Authority Name: Italian Data Protection Authority (“Garante”)
Fine imposed on: Postel S.p.A., a company providing software products and management services.
Reason for Fine: The Garante investigated Postel S.p.A. after a ransomware attack in August 2023 that exposed the personal data of around 25,000 individuals, including employees and job applicants, raising concerns about the company’s GDPR compliance and data protection practices. Reasons for the fine are as follows:
  • Insufficient technical and organizational measures to safeguard against processing risks.
  • Failing to address vulnerabilities highlighted by the Microsoft Security Response Center (September 2022) and the National Cybersecurity Agency (November 2022).
  • Failure to include key details about the IT incident in the breach notification.
Amount of Fine and Penalty: EUR 900,000

Country: Italy
Authority Name: Italian Data Protection Authority (“Garante”)
Fine imposed on: Sky Italia S.r.l., a company providing television and radio broadcasting services.
Reason for Fine: The Garante investigated a company following 275 complaints about telemarketing practices, including using outdated consents, providing insufficient user information, and contacting individuals without verifying their registration in the Public Register of Opposition. Fine was imposed under GDPR for:
  • Using pre-GDPR consent to contact users without verifying its validity.
  • Storing unclear consent records in editable Excel files, making it hard to verify user intent.
  • Using mandatory website registration consent for marketing and data sharing without offering users specific choices.
  • Failing to consult the “Do Not Call” registry before starting promotional campaigns.
Amount of Fine and Penalty: EUR 842,062

Country: Italy
Authority Name: Italian Data Protection Authority (“Garante”)
Fine imposed on: Foodinho S.r.l., a company providing online food ordering, food delivery, and other related services.
Reason for Fine: The Garante investigated a data breach on March 20, 2023, that exposed users’ personal data. Several instances of non-compliance in ChatGPT’s management were found, leading to a fine under GDPR for:
  • Processing personal data for training without a valid legal basis, breaching transparency obligations.
  • Lack of age verification, exposing minors under 13 to inappropriate content.
  • Generating false or misleading outputs, violating accuracy principles.
  • Incomplete, hard-to-access privacy policy, missing key details and only available in English.
  • Delayed notification of the breach to the Garante.
Amount of Fine and Penalty: EUR 15 million

Country: Netherlands
Authority Name: The Dutch Data Protection Authority (“Autoriteit Persoonsgegevens”)
Fine imposed on: Netflix International B.V., engaged in the business of video-on-demand service through streaming technology for a subscription fee.
Reason for Fine: A fine was imposed for the following reasons. Netflix’s privacy statement lacked clarity regarding:
  • the purposes and legal basis for collecting and using personal data;
  • which personal data were shared with other parties and the reasons for such sharing;
  • data retention periods; and
  • measures to ensure data security during transfers to countries outside Europe.
Amount of Fine and Penalty: EUR 4.75 million

Country: South Korea
Authority Name: The Personal Information Protection Commission (“PIPC”)
Fine imposed on: Meta Platforms Inc, a company which builds and operates technologies/platforms that help in connecting people and growing businesses, such as Facebook, WhatsApp, Instagram.
Reason for Fine: The fine was imposed for the following reasons:
  • analyzing users’ behavioral data based on the ‘likes’ given by them and providing such sensitive personal information to advertisers without any lawful basis,
  • rejecting the requests made by individuals to access their personal data, without a legitimate reason,
  • failure to implement appropriate safety measures.
Amount of Fine and Penalty: KRW 21.6 billion

Country: South Korea
Authority Name: The Personal Information Protection Commission (“PIPC”)
Fine imposed on: AXA General Insurance Co. Ltd, a global insurance company.
Reason for Fine: The fine was imposed for the following reasons:
  • illegally collected personal information from customers without proper consent for marketing purposes,
  • failed to delete personal data for which the retention purpose or retention period had expired,
  • failed to consult with the company’s Data Protection Officer (“DPO”) before implementing the pop-ups.
Amount of Fine and Penalty: KRW 2.715 billion

Country: South Korea
Authority Name: The Personal Information Protection Commission (“PIPC”)
Fine imposed on: Hyundai Marine & Fire Insurance, a company engaged in general insurance services.
Reason for Fine: The fine was imposed for the following reasons:
  • collected excessive customer data and changed consent settings without obtaining proper consent for the same,
  • failed to delete personal data for which the retention purpose or retention period had expired,
  • failed to consult with the company’s Data Protection Officer (“DPO”) before implementing the pop-ups.
Amount of Fine and Penalty: KRW 6.198 billion

Country: Spain
Authority Name: Spanish Data Protection Authority (“AEPD”)
Fine imposed on: Banco Bilbao Vizcaya Argentaria, S.A. (“BBVA”), a Spanish multinational financial services company.
Reason for Fine: Fine was imposed for deletion of personal data of the complainant without any legal basis. The complainant had acquired a corporate device for personal use after his employment contract with the company ended. When the device became inactive, it needed corporate credentials to be reactivated, resulting in deletion of all personal data of the complainant. The fine was imposed for violations of the following GDPR principles relating to:
  • unlawful deletion of personal data of a claimant who was no longer an employee of the company;
  • not having a legitimate basis for processing of personal data of the complainant as the employment contract ended; and
  • negligence of the company in not following internal policies.
Amount of Fine and Penalty: EUR 120,000

Country: Spain
Authority Name: Spanish Data Protection Authority (“AEPD”)
Fine imposed on: The Phone House, S.L., a telecommunications company providing telecommunication and information services.
Reason for Fine: A cyberattack incident was reported that compromised the personal data of millions of users. The attackers accessed and downloaded a database with the personal data of customers, suppliers and employees containing details such as names, ID, social security numbers, bank accounts, salaries, gender related information, nationality etc. The company was fined for violation of the following principles of GDPR relating to:
  • Failure in implementing adequate technical and organizational measures to safeguard the personal data of the employees;
  • Failure to process data in a manner which will prevent unauthorized access, loss and destruction of the data; and
  • Failure in anticipating the risks/threats and implementing adequate safeguards to prevent the cyberattacks.
Amount of Fine and Penalty: EUR 6,500,000
