U.S.: Texas AG Sues Shein Over Alleged Deceptive Practices and Data Privacy Risks

By Andrew Serwin on February 23, 2026

Posted in AG Enforcement, China, Texas AG

On February 20, 2026, Texas Attorney General Ken Paxton filed suit against Shein US Services, LLC, alleging false, deceptive, and misleading practices in violation of the Texas Deceptive Trade Practices Act. The complaint targets both product safety concerns and alleged misrepresentations regarding consumer data practices.

Shein, founded in China in 2008, is a global fast‑fashion…

EU: EDPB and EDPS publish joint opinion on the European Commission’s Proposal for the Digital Omnibus on AI

By Muhammed Demircan, Ciara Kelly & Rachel de Souza on February 17, 2026

Posted in Artificial Intelligence, EDBP (European Data Protection Board), EU Digital Decade, EU privacy, Privacy Law

Navigating Simplification Without Sacrificing Safeguards: Key Takeaways

As the EU begins the complex task of making the European Artificial Intelligence Act [1] (the “AI Act”) workable in real life, the European Commission’s Proposal for a Regulation amending Regulations (EU) 2024/1689 and (EU) 2018/1139 as regards the simplification of the implementation of harmonised rules…

Australia’s Social Media “Ban” and the eSafety Commissioner’s Social Media Minimum Age Regulatory Guidance

By Sarah Birkett & Clarissa Kwee on February 17, 2026

Posted in ePrivacy, New laws

Australia’s world-first social media “ban” has been in the global spotlight since its introduction in late 2025. As other jurisdictions look to follow suit, parents and tech giants alike continue to grapple with a key question: how will the ban be practically enforced?

Application of the “social media ban”

On 10 December 2025, the Online…

EU Commission looks to strengthen EU Cybersecurity Resilience and Capabilities

By Rachel de Souza & Heidi Waem on February 6, 2026

Posted in Cyber security, Cyber-crime, EU Commission, EU data governance, EU Digital Decade, EU privacy, New laws, Privacy Law

On 20 January 2026, the European Commission proposed a new cybersecurity package, aimed at strengthening the EU’s cybersecurity resilience and capabilities. The package includes a revised Cybersecurity Act (“CSA“) and targeted amendments to the NIS2 Directive (see our blog post for further information on the amendments to the NIS2 Directive). The revised…

UK: Commencement of the data protection provisions in the Data (Use and Access) Act

By David Cook, Linzi Penman & Rachel de Souza on February 6, 2026

Posted in Compliance programs and policies, Cookies, Data subject access and opposition rights, Data transfers, General Data Protection Regulation, Global data transfer management, Lawful basis, Legitimate Interests, New laws, Privacy Law, UK

On 5 February 2026, the main changes to data protection legislation in Part 5 of the Data (Use and Access) Act 2025 (“DUAA“) came into force.

The DUAA was passed and received Royal Assent on 19 June 2025. Although some of the DUUA provisions came into force automatically, many of the reforms…

China: New guidance on data transfer and identification of important data in the automotive sector

By Carolyn Bigg & Amanda Ge on February 4, 2026

Posted in Uncategorized

On 3 February 2026, the Ministry of Industry and Information Technology (MIIT), the sectoral regulator of the automotive sector, and the Cyberspace Administration of China (CAC), the designated data regulator, together with six other government authorities, published the Guidance for the Secure Cross-Border Transfer of Automotive Data (2026 Edition). This new guidance focuses on the…

EU: NIS2 Update – EU Moves to Harmonise Cyber Controls, Refine Scope, and Add New In-Scope Entities

By Heidi Waem, Lorcan Moylan Burke, Henry Kilding & Alanna Grogan on February 3, 2026

Posted in Cyber security, Digital Decade, EU Commission, EU data governance, EU Digital Decade, EU privacy, New laws

The NIS2 Directive continues to evolve – and organisations must keep pace. On 20 January 2026, the Commission unveiled a set of targeted amendments to the NIS2 Directive (“the Proposal“), signalling the next phase of its push to modernise and streamline the EU’s cybersecurity legal framework.

Positioned within a broader legislative package, also…

Supreme Court to Clarify Meaning of “Consumer” Under VPPA

By Andrew Serwin on January 28, 2026

Posted in Privacy Litigation, Uncategorized, Video Privacy

By: Andrew Serwin, Isabelle Ord, Jeffrey DeGroot, Hayley Curry, and Matt Danaher

On January 26, 2026, the U.S. Supreme Court granted certiorari in Salazar v. Paramount Global to clarify the scope of the Video Privacy Protection Act (“VPPA”) and resolve a circuit split on the issue. See Salazar v. Paramount Global, No. 25-459 (S. Ct.).

Australia: Return to Sender ID: Businesses must register “branded identifiers” used in Australian SMS messages

By Sarah Birkett & Clarissa Kwee on January 16, 2026

Posted in Privacy Law

From 1 July 2026, entities that use an alphanumeric sender ID for SMS/MMS messages in Australia must register that ID on the SMS Sender ID Register.

Sender IDs are used to send SMS/MMS messages from a named entity (i.e. a name displayed at the top of a text message to show who the message is…

CHINA: new mandatory reports to regulator on children’s data , initial deadline 31 January 2026

By Carolyn Bigg & Amanda Ge on January 7, 2026

Posted in Children's data, China, New laws, Privacy Law

All data controllers processing personal data under the age of 14 (“minors“) must now submit an annual report to Chinese data regulator, the Cyberspace Administration of China (“CAC“). For 2025, the report must be submitted by 31 January 2026. There is no volume threshold, meaning that any data controller processing any…