Rachel de Souza

Subscribe to Rachel de Souza's Posts

Navigating Simplification Without Sacrificing Safeguards: Key Takeaways

As the EU begins the complex task of making the European Artificial Intelligence Act[1] (the “AI Act”) workable in real life, the European Commission’s Proposal for a Regulation amending Regulations (EU) 2024/1689 and (EU) 2018/1139 as regards the simplification of the implementation of harmonised rules

Continue Reading EU: EDPB and EDPS publish joint opinion on the European Commission’s Proposal for the Digital Omnibus on AI

On 20 January 2026, the European Commission proposed a new cybersecurity package, aimed at strengthening the EU’s cybersecurity resilience and capabilities. The package includes a revised Cybersecurity Act (“CSA“) and targeted amendments to the NIS2 Directive (see our blog post for further information on the amendments to the NIS2 Directive). The revised

Continue Reading EU Commission looks to strengthen EU Cybersecurity Resilience and Capabilities

On 5 February 2026, the main changes to data protection legislation in Part 5 of the Data (Use and Access) Act 2025 (“DUAA) came into force.

The DUAA was passed and received Royal Assent on 19 June 2025. Although some of the DUUA provisions came into force automatically, many of the reforms

Continue Reading UK: Commencement of the data protection provisions in the Data (Use and Access) Act

Over the last decade, the EU has launched an unprecedented constellation of laws: GDPR, the AI Act, the Data Act, NIS2, the Cyber Resilience Act, DORA, DSA, DMA, eIDAS 2.0 and more. Together – under the ‘Digital Decade’ banner – they aim to form a powerful framework to protect fundamental rights, promote trustworthy technology and

Continue Reading EU: Digital Autofocus – Will Europe’s Digital Omnibus bring clarity to Regulation? 

The EU General Court has dismissed a French MEP’s challenge to the EU-U.S. Data Privacy Framework (“DPF”) for the transfer of personal data between the European Union (“EU”) and the United States (“U.S”). While the decision is welcome news to organisations relying on the DPF for transfers underpinning their

Continue Reading EU-U.S. Data Privacy Framework Survives First Challenge

In response to the UK’s new Data (Use and Access) Act 2025 (DUA Act) coming into force, the UK Information Commissioner (ICO) has launched two public consultations. The consultations, which aim to shape final guidance on amendments introduced by the DUA Act, address the new lawful basis of “recognised legitimate interests” 

Continue Reading UK: ICO launches consultations on the new Data (Use and Access) Act 2025

On 11 June 2025, the UK’s Data (Use and Access) Act 2025 (“DUA Act“) was passed and received Royal Assent on 19th June 2025.

The government first announced plans for the new DUA Act in the King’s speech back in July 2024. The DUA Act introduces reforms to data protection and e-privacy laws

Continue Reading UK: Data (Use and Access) Bill passes through Parliament

The European Commission has published its proposal for a new regulation simplifying the EU General Data Protection Regulation (“GDPR”) requirements for small mid-cap enterprises (“the Proposal“). The Proposal forms part of the European Commission’s Omnibus IV Simplification Package and comes after the European Data Protection Board (“EDPB”) and the

Continue Reading Europe: European Commission publishes proposal for simplification of the GDPR

On April, 8 2025, the Department of Justice’s final rule, implementing the Biden-era Executive Order 14117 restricting the transfer of Americans’ Sensitive Personal Data and United States Government-Related Data to countries of concern (the “Final Rule“), came into force. The Final Rule imposes new requirements on US companies when transferring certain types

Continue Reading US: Department of Justice issues final rule restricting the transfer of Sensitive Personal Data and United States Government-Related Data to “countries of concern”