On 14 May 2025, the Brussels Court of Appeal (Market Court) delivered the long-awaited judgement in the case concerning the Transparency & Consent Framework (“TCF”) (case no. 2022/AR/292). The Court largely upheld the findings of the Belgian Data Protection Authority (“Belgian DPA”), concluding that the TCF’s use of the Transparency and Consent

Continue Reading EU: Brussels Court of Appeal rules on IAB Europe and the TC String – Implications for GDPR Compliance

The Italian Data Protection Authority (the Garante) has issued its first GDPR fine for, among other breaches, unlawful retention of metadata from employees’ emails and web browsing activities. The decision applies, for the first time, the Garante’s highly discussed guidelines of 2024 on the use of metadata in workplace email systems.

The Processing

Continue Reading Italy: The Garante Issues First GDPR Fine Over Employees Email Metadata Privacy Breach

On 20 March 2025, the Nigeria Data Protection Commission (Commission), issued the General Application and Implementation Directive (GAID).  The GAID serves as a regulatory framework for implementing the Nigeria Data Protection Act (NDPA) 2023. It provides practical guidance for organisations handling personal data and aims to ensure uniform compliance

Continue Reading Nigeria: NDPC Issues GAID – Key Compliance Insights

The European Commission has published its proposal for a new regulation simplifying the EU General Data Protection Regulation (“GDPR”) requirements for small mid-cap enterprises (“the Proposal“). The Proposal forms part of the European Commission’s Omnibus IV Simplification Package and comes after the European Data Protection Board (“EDPB”) and the

Continue Reading Europe: European Commission publishes proposal for simplification of the GDPR

The Cyberspace Administration of China (CAC) released an important Q&A on cross-border data transfer requirements and policies in early April, providing clarification on a number of issues of concern to companies in China. Key points include:

Data other than important data and personal data can flow freely across borders. The Q&A emphasizes that, in principle

Continue Reading China: CAC publishes official Q&As for cross-border data transfer regulation

Since its announcement during the King’s Speech on 17 July 2024, there has been much anticipation over the contents of the Cyber Security and Resilience Bill (“CS&R Bill“) and in particular the extent to which it will bring the UK into alignment with its European counterpart, the NIS2 directive. Currently, cyber regulation in

Continue Reading UK: Will UK cyber reforms keep step with NIS2?

In a decision on immaterial damages under Article 82 of the EU General Data Protection Regulation (GDPR), the Higher Regional Court of Dresden, Germany (case number 4 U 940/24), set out important monitoring and auditing obligations of controllers with respect to their processors.  

The controller (defendant) operates an online music

Continue Reading Germany: Monitoring and auditing obligations of controllers with respect to their processors

On April, 8 2025, the Department of Justice’s final rule, implementing the Biden-era Executive Order 14117 restricting the transfer of Americans’ Sensitive Personal Data and United States Government-Related Data to countries of concern (the “Final Rule“), came into force. The Final Rule imposes new requirements on US companies when transferring certain types

Continue Reading US: Department of Justice issues final rule restricting the transfer of Sensitive Personal Data and United States Government-Related Data to “countries of concern”

On April 9, 2025, the coalition agreement of the future German Federal Government, consisting of the three German parties CDU, CSU and SPD, was published. The document entitled “Responsibility for Germany” contains several plans, including some that may fundamentally change the German data protection supervisory authority structure and that aim to ease the regulatory burden

Continue Reading Germany: New government plans to centralize data protection supervision and reduce regulation for small and medium-sized companies

Recently, the Cyberspace Administration of China (CAC), which is the primary data regulator in China, published a newsletter about the government authorities’ enforcement of Apps and websites that violated personal data protection and cybersecurity laws during the year 2024.

Based on the official statistics, during 2024, the CAC interviewed 11,159 website platforms, imposed warnings or

Continue Reading CHINA: Recent Enforcement Trends