EU: Brussels Court of Appeal rules on IAB Europe and the TC String – Implications for GDPR Compliance

By Heidi Waem, Verena Grentzenberg & Luca Sawatzki on June 11, 2025

Posted in Adtech, General Data Protection Regulation

On 14 May 2025, the Brussels Court of Appeal (Market Court) delivered the long-awaited judgement in the case concerning the Transparency & Consent Framework (“TCF”) (case no. 2022/AR/292). The Court largely upheld the findings of the Belgian Data Protection Authority (“Belgian DPA”), concluding that the TCF’s use of the Transparency and Consent…

Italy: The Garante Issues First GDPR Fine Over Employees Email Metadata Privacy Breach

By Giulio Coraggio on June 4, 2025

Posted in Data retention, Enforcement, EU privacy, General Data Protection Regulation, Privacy Law

The Italian Data Protection Authority (the Garante) has issued its first GDPR fine for, among other breaches, unlawful retention of metadata from employees’ emails and web browsing activities. The decision applies, for the first time, the Garante’s highly discussed guidelines of 2024 on the use of metadata in workplace email systems.

The Processing…

Nigeria: NDPC Issues GAID – Key Compliance Insights

By Adewumi Salami & Caleb Nmeribe on June 3, 2025

Posted in Africa, New laws, Privacy Law

On 20 March 2025, the Nigeria Data Protection Commission (Commission), issued the General Application and Implementation Directive (GAID). The GAID serves as a regulatory framework for implementing the Nigeria Data Protection Act (NDPA) 2023. It provides practical guidance for organisations handling personal data and aims to ensure uniform compliance…

Europe: European Commission publishes proposal for simplification of the GDPR

By Rachel de Souza & Heidi Waem on May 28, 2025

Posted in EU Commission, EU privacy, General Data Protection Regulation

The European Commission has published its proposal for a new regulation simplifying the EU General Data Protection Regulation (“GDPR”) requirements for small mid-cap enterprises (“the Proposal“). The Proposal forms part of the European Commission’s Omnibus IV Simplification Package and comes after the European Data Protection Board (“EDPB”) and the…

China: CAC publishes official Q&As for cross-border data transfer regulation

By Amanda Ge on April 22, 2025

Posted in Uncategorized

The Cyberspace Administration of China (CAC) released an important Q&A on cross-border data transfer requirements and policies in early April, providing clarification on a number of issues of concern to companies in China. Key points include:

Data other than important data and personal data can flow freely across borders. The Q&A emphasizes that, in principle…

UK: Will UK cyber reforms keep step with NIS2?

By Nicholas De Lacy-Brown, Josh Turner & James McGachie on April 17, 2025

Posted in Cyber security, New laws, UK

Since its announcement during the King’s Speech on 17 July 2024, there has been much anticipation over the contents of the Cyber Security and Resilience Bill (“CS&R Bill“) and in particular the extent to which it will bring the UK into alignment with its European counterpart, the NIS2 directive. Currently, cyber regulation in…

Germany: Monitoring and auditing obligations of controllers with respect to their processors

By Verena Grentzenberg & Ali Umutlu on April 16, 2025

Posted in EU privacy, General Data Protection Regulation, Privacy Law, Processors

In a decision on immaterial damages under Article 82 of the EU General Data Protection Regulation (GDPR), the Higher Regional Court of Dresden, Germany (case number 4 U 940/24), set out important monitoring and auditing obligations of controllers with respect to their processors.

The controller (defendant) operates an online music…

US: Department of Justice issues final rule restricting the transfer of Sensitive Personal Data and United States Government-Related Data to “countries of concern”

By Morven Henderson, Hayley Curry & Rachel de Souza on April 16, 2025

Posted in Cyber security, Data transfers, New laws, Privacy Law

On April, 8 2025, the Department of Justice’s final rule, implementing the Biden-era Executive Order 14117 restricting the transfer of Americans’ Sensitive Personal Data and United States Government-Related Data to countries of concern (the “Final Rule“), came into force. The Final Rule imposes new requirements on US companies when transferring certain types…

Germany: New government plans to centralize data protection supervision and reduce regulation for small and medium-sized companies

By Verena Grentzenberg, Lucas Blum & Luca Sawatzki on April 14, 2025

Posted in General Data Protection Regulation, Supervisory authority relations

On April 9, 2025, the coalition agreement of the future German Federal Government, consisting of the three German parties CDU, CSU and SPD, was published. The document entitled “Responsibility for Germany” contains several plans, including some that may fundamentally change the German data protection supervisory authority structure and that aim to ease the regulatory burden…

CHINA: Recent Enforcement Trends

By Carolyn Bigg & Amanda Ge on March 12, 2025

Posted in App Privacy, Cyber security, Enforcement, Privacy Law, Tracking technologies, Transparency

Recently, the Cyberspace Administration of China (CAC), which is the primary data regulator in China, published a newsletter about the government authorities’ enforcement of Apps and websites that violated personal data protection and cybersecurity laws during the year 2024.

Based on the official statistics, during 2024, the CAC interviewed 11,159 website platforms, imposed warnings or…

Privacy Matters

UK: Data (Use and Access) Bill passes through Parliament