New laws

Spain: Government approves the draft Organic Law on the proper use and governance of artificial intelligence

By Paula Gonzalez de Castejón & Elisa Lorenzo Sanchez on May 28, 2026

Posted in Artificial Intelligence, EU data governance, EU privacy, New laws

On 26 May 2026, Spain’s Council of Ministers approved a draft Organic Law on the proper use and governance of artificial intelligence, aligning Spain’s national law with Regulation (EU) 2024/1689 (the “EU AI Act”). The legislation aims to create a framework for trustworthy, human‑centric AI, combining regulatory oversight while supporting innovation.

Governance…

UK: The King’s Speech 2026 – Cybersecurity at the Forefront

By Rachel de Souza on May 18, 2026

Posted in Cyber security, Cyber-crime, Data security and breaches, Digital transformation, New laws, Privacy Law, UK

The UK Government’s legislative agenda, set out in the King’s Speech on 13 May 2026, places cybersecurity and digital resilience firmly at the centre of national policy. Against a backdrop of increasing geopolitical instability and rapidly evolving technological risks, the proposed measures continue the shift towards a more interventionist and systemic approach to safeguarding the…

U.S.: Comprehensive Federal Privacy Legislation Introduced

By Andrew Serwin & Daniel Caprio on April 29, 2026

Posted in FTC, New laws, Privacy Law, SECURE Data Act, Sensitive personal data

The SECURE Data Act 2026 and GUARD Financial Data Act were introduced on April 22, 2026. This legislation would impose major data restrictions and requirements across the U.S. economy. The bill would give the U.S. Department of Commerce and the Federal Trade Commission (FTC) expanded powers to oversee data collection and use.

The SECURE Data…

U.S. Privacy Laws Legislative Update

By Andrew Serwin, Leila Javanshir, Kieran de Terra & Madison Bucci on March 10, 2026

Posted in New laws, Privacy Law

After a legislative lull last year, 2026 has brought a new wave of state privacy lawmaking activity.

A number of states have introduced comprehensive state privacy bills during the legislative cycle, reflecting a continued trend toward expanding individual privacy rights and creating new compliance obligations on businesses that collect and process personal data.

While many…

Australia’s Social Media “Ban” and the eSafety Commissioner’s Social Media Minimum Age Regulatory Guidance

By Sarah Birkett & Clarissa Kwee on February 17, 2026

Posted in ePrivacy, New laws

Australia’s world-first social media “ban” has been in the global spotlight since its introduction in late 2025. As other jurisdictions look to follow suit, parents and tech giants alike continue to grapple with a key question: how will the ban be practically enforced?

Application of the “social media ban”

On 10 December 2025, the Online…

EU Commission looks to strengthen EU Cybersecurity Resilience and Capabilities

By Rachel de Souza & Heidi Waem on February 6, 2026

Posted in Cyber security, Cyber-crime, EU Commission, EU data governance, EU Digital Decade, EU privacy, New laws, Privacy Law

On 20 January 2026, the European Commission proposed a new cybersecurity package, aimed at strengthening the EU’s cybersecurity resilience and capabilities. The package includes a revised Cybersecurity Act (“CSA“) and targeted amendments to the NIS2 Directive (see our blog post for further information on the amendments to the NIS2 Directive). The revised…

UK: Commencement of the data protection provisions in the Data (Use and Access) Act

By David Cook, Linzi Penman & Rachel de Souza on February 6, 2026

Posted in Compliance programs and policies, Cookies, Data subject access and opposition rights, Data transfers, General Data Protection Regulation, Global data transfer management, Lawful basis, Legitimate Interests, New laws, Privacy Law, UK

On 5 February 2026, the main changes to data protection legislation in Part 5 of the Data (Use and Access) Act 2025 (“DUAA“) came into force.

The DUAA was passed and received Royal Assent on 19 June 2025. Although some of the DUUA provisions came into force automatically, many of the reforms…

EU: NIS2 Update – EU Moves to Harmonise Cyber Controls, Refine Scope, and Add New In-Scope Entities

By Heidi Waem, Lorcan Moylan Burke, Henry Kilding & Alanna Grogan on February 3, 2026

Posted in Cyber security, Digital Decade, EU Commission, EU data governance, EU Digital Decade, EU privacy, New laws

The NIS2 Directive continues to evolve – and organisations must keep pace. On 20 January 2026, the Commission unveiled a set of targeted amendments to the NIS2 Directive (“the Proposal“), signalling the next phase of its push to modernise and streamline the EU’s cybersecurity legal framework.

Positioned within a broader legislative package, also…

CHINA: new mandatory reports to regulator on children’s data , initial deadline 31 January 2026

By Carolyn Bigg & Amanda Ge on January 7, 2026

Posted in Children's data, China, New laws, Privacy Law

All data controllers processing personal data under the age of 14 (“minors“) must now submit an annual report to Chinese data regulator, the Cyberspace Administration of China (“CAC“). For 2025, the report must be submitted by 31 January 2026. There is no volume threshold, meaning that any data controller processing any…

Singapore: Key Amendments to the Cybersecurity Act Now in Force

By Carolyn Bigg & Qiuyang Zhao on December 3, 2025

Posted in Cyber security, New laws, Privacy Law

Since the enactment of Singapore’s Cybersecurity Act 2018 (Cybersecurity Act), Singapore’s digital economy has grown rapidly, and cyber threats have evolved at a remarkable pace. To address this shifting landscape, the Cybersecurity  (Amendment)  Act 2024 (Amendment Act) was passed last year, introducing significant amendments to the Cybersecurity Act to broaden regulatory…