Three years after its investigation commenced, the Office of the Australian Information Commissioner (OAIC) has found that retail giant Kmart Australia Limited (Kmart) breached the Privacy Act 1988 (Cth) (Privacy Act) through its use of facial recognition technology (FRT) in 28 retail stores between June 2020 and
Continue Reading Australia: Facial Recognition Technology Continues to Breach Australian Privacy Act
The Cyberspace Administration of China (“CAC“) has recently published the Administrative Measures for Network Security Incident Reporting (“Measures“), which provide further guidance on when and how to report network security incidents under existing laws such as the Cybersecurity Law, the Data Security Law and the Personal Information Protection Law. The Measures
Continue Reading CHINA: new stricter and 4-hour data breach reporting requirements for certain incidents
What is data scraping?
Data scraping is an automated process through which computer programs extract vast amounts of data from the internet at a faster rate than manual data collection methods.
Some businesses scrape data for internal purposes, such as generating leads, or to create products and services available for public use, such as price
Continue Reading Australia: Scraping the barrel – when data scraping breaches the Privacy Act
The EU General Court has dismissed a French MEP’s challenge to the EU-U.S. Data Privacy Framework (“DPF”) for the transfer of personal data between the European Union (“EU”) and the United States (“U.S”). While the decision is welcome news to organisations relying on the DPF for transfers underpinning their
Continue Reading EU-U.S. Data Privacy Framework Survives First Challenge
Since the full enforcement of Thailand’s Personal Data Protection Act B.E. 2562 (2019) (“PDPA”) in June 2022, the Personal Data Protection Committee (“PDPC”) has moved decisively from awareness-building to active enforcement. The transition emerged in 2024 when a leading e-commerce company was fined THB 7 million for breaching the law.
In
Continue Reading Thailand: PDPA Crackdown 2025: Are You Next? – Major Fines and Lessons from Thailand’s Latest Enforcement
In its judgment of May 13, 2025 (case number VI ZR 186/22), the German Federal Court of Justice (Bundesgerichtshof – “BGH”) continued its case law on the compensability of non-material damages under Article 82 GDPR, in particular with regard to whether the mere loss of control over personal data was sufficient for a
Continue Reading Germany: Further Judgment on Non-Material Damages for Loss of Control over Personal Data
In response to the UK’s new Data (Use and Access) Act 2025 (DUA Act) coming into force, the UK Information Commissioner (ICO) has launched two public consultations. The consultations, which aim to shape final guidance on amendments introduced by the DUA Act, address the new lawful basis of “recognised legitimate interests”
Continue Reading UK: ICO launches consultations on the new Data (Use and Access) Act 2025
On June 26, 2025, the European Union Agency for Cybersecurity (ENISA) published two sets of guidelines to help businesses ensure their organizational compliance with the NIS2 Directive.
The aim of the guidelines is to support companies in understanding how legal requirements translate into operational activities, particularly regarding (i) roles and skills for professionals within essential
Continue Reading EU: ENISA Guidelines on Compliance with NIS 2 Directive Published
CrowdStrike’s 2025 Threat Hunting Report offers key insights into the current cyber threat landscape. Drawing on data from July 2024 to June 2025, the report showcases how adversaries are becoming more sophisticated, scalable, and business-like in their operations. These “enterprising adversaries” are not only innovating their tactics but also exploiting emerging technologies such as generative
Continue Reading Key Insights from the CrowdStrike 2025 Threat Hunting Report
In a decision issued on 18 July 2025 against Google LLC, the Personal Data Protection Office (PDPO) has affirmed that the data protection compliance obligations under Ugandan law apply to all entities that handle the personal data of Ugandan citizens, regardless of where they are based.
The office has also clarified that a
Continue Reading Uganda: Data protection Regulator Clarifies Compliance Requirements for Offshore Entities
