It’s well-known that China’s data protection laws define sensitive personal information very differently to other jurisdictions. Instead of a closed list of data types, sensitive personal information in China has traditionally been defined by reference to a broad “risk of harm” test. A new national standard, which will come into force on 1 November 2025
Continue Reading CHINA: definition and handling of Sensitive Personal Information helpfully clarified
The Irish Supreme Court, on 24 July 2025, issued a landmark decision offering greater clarity on non-material damages in the context of privacy claims under the General Data Protection Regulation (GDPR). The judgment in Dillon v Irish Life Assurance plc[1] (Dillon) marks a significant development for both individuals seeking compensation
Continue Reading Ireland: GDPR, PIAB, and the Personal Injury Puzzle – The Irish Supreme Court Decides
The Italian Data Protection Authority (Garante) has fined a company EUR 420,000 for violating privacy laws in the workplace. The decision focuses on the employer’s use of content from Facebook, WhatsApp, and Messenger— shared from the employee’s personal accounts—for disciplinary purposes.
This ruling will have serious repercussions for any employer operating in Italy, especially those
Continue Reading Italy: Garante issues fine for use of employee’s private chats in disciplinary actions
While appointing and registering a DPO has been mandatory in China for many years, a portal has now finally been established for organisations to register those DPOs with the China data protection authority. This resolves long-standing uncertainty over how DPOs must be registered, and over relevant qualifications and location of the DPO. The deadline for
Continue Reading CHINA: DPOs must be registered before 29 August 2025
A recent and far-reaching decision by the Italian Data Protection Authority (Garante) has significantly altered the rules governing marketing privacy consent in Italy, introducing a potential obligation to adopt a double opt-in mechanism for collecting consent, that exceeds the requirements in other EU countries.
Why This Case Matters: A Shift in Privacy Consent
Continue Reading Italy: Marketing Privacy Consent – Is Double Opt-In Now Mandatory?
The NIS2 Directive has significantly reshaped the cybersecurity landscape across the EU. Since the implementation deadline in October 2024, EU Member States have been working to incorporate new standards into their national laws, fostering a dynamic and rapidly evolving regulatory environment. Recently, Ireland’s National Cyber Security Centre (NCSC) published the draft NIS2 Risk Management Measures
Continue Reading Ireland: NIS2 revamps Ireland’s cybersecurity landscape: Old regulators, new powers
The Spanish Data Protection Authority (“AEPD“) has published its 2024 annual report, which includes the AEPD’s awareness-raising activities; the collaboration and inspection activities of the Spanish authorities; relevant reports and procedures published during 2024; and an analysis of regulatory trends and key privacy challenges for the coming months. The annual report’s key elements
Continue Reading Spain: Spanish Data Protection Authority Publishes Annual Report
The potential criminalization of activities associated with ransomware cyber attacks, including ransom payments by victims, has long been an unresolved issue. This concern has now led Italy to introduce a ground breaking legislative proposal aimed at enhancing cybersecurity and mitigating threats posed by digital extortionists.
Recognizing ransomware cyberattacks not merely as economic disturbances but as
Continue Reading Italy: Ransomware and Crime – A Proposal to Tackle Cyber Extortion in Italy
On 17th June 2025, the Spanish Data Protection Authority (“AEPD”) published guidance in relation to Royal Decree 933/2021, which regulates document registration and information obligations relating to accommodation and motor vehicle rental activities (“Royal Decree“). In particular, the AEPD has clarified that the Royal Decree does not authorise requests for copies
Continue Reading Spain: AEPD Guidance – Important Update on Royal Decree 933/2021
On 11 June 2025, the UK’s Data (Use and Access) Act 2025 (“DUA Act“) was passed and received Royal Assent on 19th June 2025.
The government first announced plans for the new DUA Act in the King’s speech back in July 2024. The DUA Act introduces reforms to data protection and e-privacy laws
Continue Reading UK: Data (Use and Access) Bill passes through Parliament
