Uncategorized

Subscribe to Uncategorized via RSS

On 3 February 2026, the Ministry of Industry and Information Technology (MIIT), the sectoral regulator of the automotive sector, and the Cyberspace Administration of China (CAC), the designated data regulator, together with six other government authorities, published the Guidance for the Secure Cross-Border Transfer of Automotive Data (2026 Edition). This new guidance focuses on the

Continue Reading China: New guidance on data transfer and identification of important data in the automotive sector

By: Andrew Serwin, Isabelle Ord, Jeffrey DeGroot, Hayley Curry, and Matt Danaher

On January 26, 2026, the U.S. Supreme Court granted certiorari in Salazar v. Paramount Global to clarify the scope of the Video Privacy Protection Act (“VPPA”) and resolve a circuit split on the issue. See Salazar v. Paramount Global, No. 25-459 (S. Ct.).

Continue Reading Supreme Court to Clarify Meaning of “Consumer” Under VPPA

The Cyberspace Administration of China (CAC) released an important Q&A on cross-border data transfer requirements and policies in early April, providing clarification on a number of issues of concern to companies in China. Key points include:

Data other than important data and personal data can flow freely across borders. The Q&A emphasizes that, in principle

Continue Reading China: CAC publishes official Q&As for cross-border data transfer regulation

Hong Kong is following other jurisdictions, including Mainland China, Singapore and the UK, in proposing to enhance cybersecurity obligations on IT systems of those operating critical infrastructure (“CI“). While the proposed new law, tentatively entitled the Protection of Critical Infrastructure (Computer System) Bill (the“proposed legislation”), is still at an early stage

Continue Reading Hong Kong: A Practical Guide to the Proposed Critical Infrastructure Cybersecurity Legislation

On 18th July, the European Supervisory Authorities (“ESAs“) published the final versions of the second batch of their draft regulatory technical standards (RTS) and implementing technical standards (ITS), developed under the Digital Operational Resilience Act (DORA), as well as two sets of Guidelines.

Summary of draft

Continue Reading EU: European Supervisory Authorities issue second batch of technical standards under DORA

The UK has made several consequential amendments to its primary electronic surveillance law, the Investigatory Powers Act (“IPA”). These changes have the potential to impact the development of certain privacy-enhancing services by technology companies, whilst also widening the scope of the government’s access to certain electronic datasets. There is also the possibility of

Continue Reading UK: Changes to UK surveillance and communications law: the Investigatory Powers (Amendment) Act 2024.

On 7 March 2024, the Court of Justice of the European Union (CJEU) issued its judgment in the Endemol Shine case (C-740/22), holding that the concept of ‘processing’ under the GDPR includes the oral disclosure of personal data.

In its judgment, the CJEU not only provided clarity on the definition of “processing”

Continue Reading EU: CJEU confirms oral disclosures are considered ‘processing’ under the GDPR

In the evolving legal landscape of data protection, several decisions by data protection regulators and courts across the EU and UK underscore the importance of proactive GDPR compliance from a contractual perspective. These issues are being scrutinised more closely in corporate due diligence transactions and by regulators in the event of a data breach or

Continue Reading EU and UK: The importance of data processing agreements