UK: Commencement of the data protection provisions in the Data (Use and Access) Act

By David Cook, Linzi Penman & Rachel de Souza on February 6, 2026

Posted in Compliance programs and policies, Cookies, Data subject access and opposition rights, Data transfers, General Data Protection Regulation, Global data transfer management, Lawful basis, Legitimate Interests, New laws, Privacy Law, UK

On 5 February 2026, the main changes to data protection legislation in Part 5 of the Data (Use and Access) Act 2025 (“DUAA“) came into force.

The DUAA was passed and received Royal Assent on 19 June 2025. Although some of the DUUA provisions came into force automatically, many of the reforms…

China: New guidance on data transfer and identification of important data in the automotive sector

By Carolyn Bigg & Amanda Ge on February 4, 2026

Posted in Uncategorized

On 3 February 2026, the Ministry of Industry and Information Technology (MIIT), the sectoral regulator of the automotive sector, and the Cyberspace Administration of China (CAC), the designated data regulator, together with six other government authorities, published the Guidance for the Secure Cross-Border Transfer of Automotive Data (2026 Edition). This new guidance focuses on the…

EU: NIS2 Update – EU Moves to Harmonise Cyber Controls, Refine Scope, and Add New In-Scope Entities

By Heidi Waem, Lorcan Moylan Burke, Henry Kilding & Alanna Grogan on February 3, 2026

Posted in Cyber security, Digital Decade, EU Commission, EU data governance, EU Digital Decade, EU privacy, New laws

The NIS2 Directive continues to evolve – and organisations must keep pace. On 20 January 2026, the Commission unveiled a set of targeted amendments to the NIS2 Directive (“the Proposal“), signalling the next phase of its push to modernise and streamline the EU’s cybersecurity legal framework.

Positioned within a broader legislative package, also…

Supreme Court to Clarify Meaning of “Consumer” Under VPPA

By Andrew Serwin on January 28, 2026

Posted in Privacy Litigation, Uncategorized, Video Privacy

By: Andrew Serwin, Isabelle Ord, Jeffrey DeGroot, Hayley Curry, and Matt Danaher

On January 26, 2026, the U.S. Supreme Court granted certiorari in Salazar v. Paramount Global to clarify the scope of the Video Privacy Protection Act (“VPPA”) and resolve a circuit split on the issue. See Salazar v. Paramount Global, No. 25-459 (S. Ct.).

Australia: Return to Sender ID: Businesses must register “branded identifiers” used in Australian SMS messages

By Sarah Birkett & Clarissa Kwee on January 16, 2026

Posted in Privacy Law

From 1 July 2026, entities that use an alphanumeric sender ID for SMS/MMS messages in Australia must register that ID on the SMS Sender ID Register.

Sender IDs are used to send SMS/MMS messages from a named entity (i.e. a name displayed at the top of a text message to show who the message is…

CHINA: new mandatory reports to regulator on children’s data , initial deadline 31 January 2026

By Carolyn Bigg & Amanda Ge on January 7, 2026

Posted in Children's data, China, New laws, Privacy Law

All data controllers processing personal data under the age of 14 (“minors“) must now submit an annual report to Chinese data regulator, the Cyberspace Administration of China (“CAC“). For 2025, the report must be submitted by 31 January 2026. There is no volume threshold, meaning that any data controller processing any…

Singapore: Key Amendments to the Cybersecurity Act Now in Force

By Carolyn Bigg & Qiuyang Zhao on December 3, 2025

Posted in Cyber security, New laws, Privacy Law

Since the enactment of Singapore’s Cybersecurity Act 2018 (Cybersecurity Act), Singapore’s digital economy has grown rapidly, and cyber threats have evolved at a remarkable pace. To address this shifting landscape, the Cybersecurity  (Amendment)  Act 2024 (Amendment Act) was passed last year, introducing significant amendments to the Cybersecurity Act to broaden regulatory…

EU: Digital Autofocus – Will Europe’s Digital Omnibus bring clarity to Regulation?

By Rachel de Souza on November 24, 2025

Posted in Artificial Intelligence, Cyber security, Digital transformation, EU Commission, EU data governance, EU Digital Decade, EU privacy, General Data Protection Regulation, New laws, Privacy Law

Over the last decade, the EU has launched an unprecedented constellation of laws: GDPR, the AI Act, the Data Act, NIS2, the Cyber Resilience Act, DORA, DSA, DMA, eIDAS 2.0 and more. Together – under the ‘Digital Decade’ banner – they aim to form a powerful framework to protect fundamental rights, promote trustworthy technology and…

CHINA: Amendments to Cybersecurity Law Effective 1 January 2026

By Carolyn Bigg, Qiuyang Zhao & Amanda Ge on November 3, 2025

Posted in China, Cyber security, Cyber-crime, New laws, Privacy Law

On 28 October 2025, China passed amendments to the Cybersecurity Law, marking the first update since its enactment in 2016. These amendments reflect China’s heightened focus on cybersecurity and AI governance and are scheduled to take effect on 1 January 2026.

Key Updates

The amendments primarily focus on the law’s enforcement provisions. Key updates include:…

Insider Threat: Client Considerations and Justifications

By Linzi Penman, Katherine Gibson & Henry Pelling on October 31, 2025

Posted in Cyber security

The Threat

Malware usage by adversaries has reportedly declined. Partly due to sophisticated detection methods commonly deployed by medium to large organisations.

Conversely, insider threats (cybersecurity risks originating from within an organisation) are increasing, posing complex and costly challenges for businesses. CrowdStrike’s 2025 Global Threat Report indicates that insider threat operations accounted for 40% of…

Privacy Matters

EU Commission looks to strengthen EU Cybersecurity Resilience and Capabilities