On April 7, 2026, the Alabama legislature unanimously passed House Bill 351, the Alabama Personal Data Protection Act. The bill cleared the House 104-0 and the Senate 34-0, making Alabama the 21st state to enact a comprehensive consumer privacy statute. If signed by Governor Kay Ivey, the law will take effect on May 1
Continue Reading U.S.: Alabama Becomes 21st State to Enact Comprehensive Privacy Law
UK: ICO Report on Automated Decision-Making in Recruitment
Organisations are increasingly turning to AI-enabled tools throughout the recruitment lifecycle, from CV filtering and suitability scoring to online assessments and behavioural analysis. These tools can offer real advantages, including faster hiring processes and the potential to reduce human bias that inevitably exists in traditional recruitment. However, their use often creates a tension with data
Continue Reading UK: ICO Report on Automated Decision-Making in Recruitment
Australia: Exposure draft of Children’s Online Privacy Code signals tougher standards
The Office of the Australian Information Commissioner (OAIC) has published an exposure draft of the landmark Privacy (Children’s Online Privacy) Code 2026 (Code), which crystallises expectations around how personal information of children must be collected and handled under the Privacy Act 1988 (Cth) (Privacy Act).
The Code applies on
Continue Reading Australia: Exposure draft of Children’s Online Privacy Code signals tougher standards
EU: CJEU Rules That a Single DSAR Can Be Refused as Abusive
Summary
On 19 March 2026, the Court of Justice of the European Union (CJEU) handed down its judgment in Case C-526/24, Brillen Rottler, clarifying that a data subject’s first request for access to personal data under Article 15 of the General Data Protection Regulation (GDPR) may be refused as “excessive”.
Continue Reading EU: CJEU Rules That a Single DSAR Can Be Refused as Abusive
U.S.: CalPrivacy Continues Enforcement Momentum: Settlement Over Opt-Out of Sale/Sharing Violations
On March 5, 2026, the California Privacy Protection Agency (CalPrivacy or the Agency) announced a $375,703 settlement with Ford Motor Company (Ford), stemming from its long-running investigation into the privacy practices of connected vehicle manufacturers, an inquiry the Agency has been pursuing since 2023.
The Ford matter was announced just days after CalPrivacy’s settlement with
Continue Reading U.S.: CalPrivacy Continues Enforcement Momentum: Settlement Over Opt-Out of Sale/Sharing Violations
U.S. Privacy Laws Legislative Update
After a legislative lull last year, 2026 has brought a new wave of state privacy lawmaking activity.
A number of states have introduced comprehensive state privacy bills during the legislative cycle, reflecting a continued trend toward expanding individual privacy rights and creating new compliance obligations on businesses that collect and process personal data.
While many
Continue Reading U.S. Privacy Laws Legislative Update
U.S.: Ninth Circuit Expands Personal Jurisdiction Over Foreign Tech Platforms in Data Breach Cases
On March 2, 2026, the U.S. Court of Appeals for the Ninth Circuit issued a significant decision, in Freeman v. 3Commas Technologies OÜ, reversing a district court’s dismissal of a class action against an Estonian software company for lack of personal jurisdiction.[1] The ruling provides valuable guidance on when foreign technology companies can
Continue Reading U.S.: Ninth Circuit Expands Personal Jurisdiction Over Foreign Tech Platforms in Data Breach Cases
EU: EDPB and EDPS publish joint opinion on the European Commission’s Proposal for the Digital Omnibus on AI
Navigating Simplification Without Sacrificing Safeguards: Key Takeaways
As the EU begins the complex task of making the European Artificial Intelligence Act[1] (the “AI Act”) workable in real life, the European Commission’s Proposal for a Regulation amending Regulations (EU) 2024/1689 and (EU) 2018/1139 as regards the simplification of the implementation of harmonised rules
Continue Reading EU: EDPB and EDPS publish joint opinion on the European Commission’s Proposal for the Digital Omnibus on AI
EU Commission looks to strengthen EU Cybersecurity Resilience and Capabilities
On 20 January 2026, the European Commission proposed a new cybersecurity package, aimed at strengthening the EU’s cybersecurity resilience and capabilities. The package includes a revised Cybersecurity Act (“CSA“) and targeted amendments to the NIS2 Directive (see our blog post for further information on the amendments to the NIS2 Directive). The revised
Continue Reading EU Commission looks to strengthen EU Cybersecurity Resilience and Capabilities
UK: Commencement of the data protection provisions in the Data (Use and Access) Act
On 5 February 2026, the main changes to data protection legislation in Part 5 of the Data (Use and Access) Act 2025 (“DUAA“) came into force.
The DUAA was passed and received Royal Assent on 19 June 2025. Although some of the DUUA provisions came into force automatically, many of the reforms
Continue Reading UK: Commencement of the data protection provisions in the Data (Use and Access) Act