Since its announcement during the King’s Speech on 17 July 2024, there has been much anticipation over the contents of the Cyber Security and Resilience Bill (“CS&R Bill”) and in particular the extent to which it will bring the UK into alignment with its European counterpart, the NIS2 directive. Currently, cyber regulation in

Continue Reading UK: Will UK cyber reforms keep step with NIS2?

In a decision on immaterial damages under Article 82 of the EU General Data Protection Regulation (GDPR), the Higher Regional Court of Dresden, Germany (case number 4 U 940/24), set out important monitoring and auditing obligations of controllers with respect to their processors.  

The controller (defendant) operates an online music

Continue Reading Germany: Monitoring and auditing obligations of controllers with respect to their processors

On April 8, 2025, the Department of Justice’s final rule, implementing the Biden-era Executive Order 14117 restricting the transfer of Americans’ Sensitive Personal Data and United States Government-Related Data to countries of concern (the “Final Rule”), came into force. The Final Rule imposes new requirements on US companies when transferring certain types

Continue Reading US: Department of Justice issues final rule restricting the transfer of Sensitive Personal Data and United States Government-Related Data to “countries of concern”

On April 9, 2025, the coalition agreement of the future German Federal Government, consisting of the three German parties CDU, CSU and SPD, was published. The document entitled “Responsibility for Germany” contains several plans, including some that may fundamentally change the German data protection supervisory authority structure and that aim to ease the regulatory burden

Continue Reading Germany: New government plans to centralize data protection supervision and reduce regulation for small and medium-sized companies

Recently, the Cyberspace Administration of China (CAC), which is the primary data regulator in China, published a newsletter about the government authorities’ enforcement against apps and websites that violated personal data protection and cybersecurity laws during the year 2024.

Based on the official statistics, during 2024, the CAC interviewed 11,159 website platforms, imposed warnings or

Continue Reading CHINA: Recent Enforcement Trends

Following Malaysia’s introduction of data breach notification and data protection officer (“DPO”) appointment requirements in last year’s significant amendments to the Personal Data Protection Act (“PDPA”), the Personal Data Protection Commissioner of Malaysia (“Commissioner”) recently released guidelines that flesh out such requirements, titled the

Continue Reading Malaysia: Guidelines Issued on Data Breach Notification and Data Protection Officer Appointment

Chinese data regulators are intensifying their focus on the data protection compliance audit obligations under the Personal Information Protection Law (“PIPL”), with the release of the Administrative Measures for Personal Information Protection Compliance Audits (“Measures”), effective 1 May 2025.

The Measures outline the requirements and procedures for both self-initiated and regulator-requested

Continue Reading CHINA: Mandatory Data Protection Compliance Audits from 1 May 2025

Since the full implementation of Thailand’s Personal Data Protection Act (PDPA) in June 2022, the Personal Data Protection Committee (PDPC) has been instrumental in shaping the nation’s data protection framework. Recently, the PDPC provided detailed clarifications on data breach notification requirements by responding to the public consultation, offering essential guidance for

Continue Reading Thailand: PDPC’s Clarification on Personal Data Breach Notification

In December, the Information Commissioner’s Office (ICO) responded to Google’s decision to lift a prohibition on device fingerprinting (which involves collecting and combining information about a device’s software and hardware, for the purpose of identifying the device) for organisations using its advertising products, effective from 16 February 2025 (see an overview of

Continue Reading UK: Google’s U-Turn on Device Fingerprinting: ICO’s Response and Subsequent Guidance