New laws

U.S. Privacy Laws Legislative Update

By Andrew Serwin, Leila Javanshir, Kieran de Terra & Madison Bucci on March 10, 2026

After a legislative lull last year, 2026 has brought a new wave of state privacy lawmaking activity.

A number of states have introduced comprehensive state privacy bills during the legislative cycle, reflecting a continued trend toward expanding individual privacy rights and creating new compliance obligations on businesses that collect and process personal data.

While many…

Australia’s Social Media “Ban” and the eSafety Commissioner’s Social Media Minimum Age Regulatory Guidance

By Sarah Birkett & Clarissa Kwee on February 17, 2026

Posted in ePrivacy, New laws

Australia’s world-first social media “ban” has been in the global spotlight since its introduction in late 2025. As other jurisdictions look to follow suit, parents and tech giants alike continue to grapple with a key question: how will the ban be practically enforced?

Application of the “social media ban”

On 10 December 2025, the Online…

EU Commission looks to strengthen EU Cybersecurity Resilience and Capabilities

By Rachel de Souza & Heidi Waem on February 6, 2026

Posted in Cyber security, Cyber-crime, EU Commission, EU data governance, EU Digital Decade, EU privacy, New laws, Privacy Law

On 20 January 2026, the European Commission proposed a new cybersecurity package, aimed at strengthening the EU’s cybersecurity resilience and capabilities. The package includes a revised Cybersecurity Act (“CSA“) and targeted amendments to the NIS2 Directive (see our blog post for further information on the amendments to the NIS2 Directive). The revised…

UK: Commencement of the data protection provisions in the Data (Use and Access) Act

By David Cook, Linzi Penman & Rachel de Souza on February 6, 2026

Posted in Compliance programs and policies, Cookies, Data subject access and opposition rights, Data transfers, General Data Protection Regulation, Global data transfer management, Lawful basis, Legitimate Interests, New laws, Privacy Law, UK

On 5 February 2026, the main changes to data protection legislation in Part 5 of the Data (Use and Access) Act 2025 (“DUAA“) came into force.

The DUAA was passed and received Royal Assent on 19 June 2025. Although some of the DUUA provisions came into force automatically, many of the reforms…

EU: NIS2 Update – EU Moves to Harmonise Cyber Controls, Refine Scope, and Add New In-Scope Entities

By Heidi Waem, Lorcan Moylan Burke, Henry Kilding & Alanna Grogan on February 3, 2026

Posted in Cyber security, Digital Decade, EU Commission, EU data governance, EU Digital Decade, EU privacy, New laws

The NIS2 Directive continues to evolve – and organisations must keep pace. On 20 January 2026, the Commission unveiled a set of targeted amendments to the NIS2 Directive (“the Proposal“), signalling the next phase of its push to modernise and streamline the EU’s cybersecurity legal framework.

Positioned within a broader legislative package, also…

CHINA: new mandatory reports to regulator on children’s data , initial deadline 31 January 2026

By Carolyn Bigg & Amanda Ge on January 7, 2026

Posted in Children's data, China, New laws, Privacy Law

All data controllers processing personal data under the age of 14 (“minors“) must now submit an annual report to Chinese data regulator, the Cyberspace Administration of China (“CAC“). For 2025, the report must be submitted by 31 January 2026. There is no volume threshold, meaning that any data controller processing any…

Singapore: Key Amendments to the Cybersecurity Act Now in Force

By Carolyn Bigg & Qiuyang Zhao on December 3, 2025

Posted in Cyber security, New laws, Privacy Law

Since the enactment of Singapore’s Cybersecurity Act 2018 (Cybersecurity Act), Singapore’s digital economy has grown rapidly, and cyber threats have evolved at a remarkable pace. To address this shifting landscape, the Cybersecurity  (Amendment)  Act 2024 (Amendment Act) was passed last year, introducing significant amendments to the Cybersecurity Act to broaden regulatory…

EU: Digital Autofocus – Will Europe’s Digital Omnibus bring clarity to Regulation?

By Rachel de Souza on November 24, 2025

Posted in Artificial Intelligence, Cyber security, Digital transformation, EU Commission, EU data governance, EU Digital Decade, EU privacy, General Data Protection Regulation, New laws, Privacy Law

Over the last decade, the EU has launched an unprecedented constellation of laws: GDPR, the AI Act, the Data Act, NIS2, the Cyber Resilience Act, DORA, DSA, DMA, eIDAS 2.0 and more. Together – under the ‘Digital Decade’ banner – they aim to form a powerful framework to protect fundamental rights, promote trustworthy technology and…

CHINA: Amendments to Cybersecurity Law Effective 1 January 2026

By Carolyn Bigg, Qiuyang Zhao & Amanda Ge on November 3, 2025

Posted in China, Cyber security, Cyber-crime, New laws, Privacy Law

On 28 October 2025, China passed amendments to the Cybersecurity Law, marking the first update since its enactment in 2016. These amendments reflect China’s heightened focus on cybersecurity and AI governance and are scheduled to take effect on 1 January 2026.

Key Updates

The amendments primarily focus on the law’s enforcement provisions. Key updates include:…

UK: ICO launches consultations on the new Data (Use and Access) Act 2025

By Rachel de Souza on August 26, 2025

Posted in Lawful basis, Legitimate Interests, New laws, Privacy Law, UK

In response to the UK’s new Data (Use and Access) Act 2025 (DUA Act) coming into force, the UK Information Commissioner (ICO) has launched two public consultations. The consultations, which aim to shape final guidance on amendments introduced by the DUA Act, address the new lawful basis of “recognised legitimate interests” …