Data transfers

UK: Commencement of the data protection provisions in the Data (Use and Access) Act

By David Cook, Linzi Penman & Rachel de Souza on February 6, 2026

Posted in Compliance programs and policies, Cookies, Data subject access and opposition rights, Data transfers, General Data Protection Regulation, Global data transfer management, Lawful basis, Legitimate Interests, New laws, Privacy Law, UK

On 5 February 2026, the main changes to data protection legislation in Part 5 of the Data (Use and Access) Act 2025 (“DUAA“) came into force.

The DUAA was passed and received Royal Assent on 19 June 2025. Although some of the DUUA provisions came into force automatically, many of the reforms…

EU-U.S. Data Privacy Framework Survives First Challenge

By John Magee, Rachel de Souza, Alexa Smith, Giulio Coraggio, Tommaso Ricci, Denise Lebeau-Marianna, Heidi Waem, John Gevertz & Daniel Caprio on September 4, 2025

Posted in Data transfers

The EU General Court has dismissed a French MEP’s challenge to the EU-U.S. Data Privacy Framework (“DPF”) for the transfer of personal data between the European Union (“EU”) and the United States (“U.S”). While the decision is welcome news to organisations relying on the DPF for transfers underpinning their…

Uganda: Data protection Regulator Clarifies Compliance Requirements for Offshore Entities

By Paul Mbuga & Ruth Muhawe on August 6, 2025

Posted in Data transfers, Enforcement, Privacy Law

In a decision issued on 18 July 2025 against Google LLC, the Personal Data Protection Office (PDPO) has affirmed that the data protection compliance obligations under Ugandan law apply to all entities that handle the personal data of Ugandan citizens, regardless of where they are based.

The office has also clarified that a…

US: Department of Justice issues final rule restricting the transfer of Sensitive Personal Data and United States Government-Related Data to “countries of concern”

By Morven Henderson, Hayley Curry & Rachel de Souza on April 16, 2025

Posted in Cyber security, Data transfers, New laws, Privacy Law

On April, 8 2025, the Department of Justice’s final rule, implementing the Biden-era Executive Order 14117 restricting the transfer of Americans’ Sensitive Personal Data and United States Government-Related Data to countries of concern (the “Final Rule“), came into force. The Final Rule imposes new requirements on US companies when transferring certain types…

CHINA: Draft Regulation on Certification for Cross-Border Data Transfers Published

By Carolyn Bigg, Amanda Ge & Qiuyang Zhao on January 14, 2025

Posted in China, Data transfers, New laws, Privacy Law

On 3 January 2025, the Cyberspace Administration of China (“CAC“) released for public consultation the draft Measures for Certification of Personal Information Protection for Cross-Border Transfer of Personal Information (“Draft Measures“). This regulation represents the final piece in the CAC’s regulatory framework for the three routes to legitimize cross-border transfers of personal data…

China: Important new guidance on defining sensitive personal information

By Carolyn Bigg, Amanda Ge & Qinyan Jiang on August 6, 2024

Posted in Audits and mapping, Data transfers, Health Data, Privacy Law

While the definition of sensitive personal information in China has always been different to other jurisdictions, with a focus on risk of harm at its heart, new draft guidance should make it easier for organisations to map their processing of China sensitive personal information, which is increasingly important in light of new cross-border data transfer…

Indonesia: prepare now for the new Personal Data Protection Law

By Juliet McNulty on September 15, 2023

Posted in Data transfers, General Data Protection Regulation

Following the passing of the long-awaited Personal Data Protection Law (“PDPL”) in Indonesia, on 31 August 2023, the Ministry of Communications and Information Technology published the draft government regulation (“Draft Regulation”) on the implementation of the PDPL for public consultation. The public consultation will close on 14 September 2023. The Draft…

CHINA: uncertainties helpfully clarified on various key data compliance activities

By Juliet McNulty on August 22, 2023

Posted in Data transfers, New laws

Helpful guidance on some previously uncertain areas of China data protection compliance programmes have been provided by the Administrative Measures for Personal Information Protection Compliance Audit (Draft for Comment) (“Draft Measures”), which were published for public consultation on 3 August 2023 by the Cyberspace Administration of China (“CAC”).

The Draft Measures…

CHINA: only 100 days to file SCCs for cross-border data transfers – practical tips and insights

By Juliet McNulty on August 21, 2023

Posted in Data transfers

Authors: Carolyn Bigg and Amanda Ge

Businesses who must follow the China SCCs route to legitimize their cross-border transfers of personal data must file their signed China SCCs together with the supporting personal information impact assessment (“PIIA”) report with their local CAC branch by no later than 30 November 2023. This requires significant effort, and…

CHINA: New draft proposes more stringent requirements for processing data in the financial services industry

By Juliet McNulty on August 8, 2023

Posted in Data transfers

Authors: Carolyn Bigg, Amanda Ge and Venus Cheung

On July 24, 2023, the People’s Bank of China (“PBOC”) released the Measures for the Management of Data Security in the Business Areas Falling into PBOC’s Jurisdiction (Draft for Comment) (“Draft Measures”) for public consultation, which closes on August 24, 2023.

The Draft…