On June 26, 2025, the European Union Agency for Cybersecurity (ENISA) published two sets of guidelines to help businesses ensure their organizational compliance with the NIS2 Directive.

The aim of the guidelines is to support companies in understanding how legal requirements translate into operational activities, particularly regarding (i) roles and skills for professionals within essential

Continue Reading EU: ENISA Guidelines on Compliance with NIS 2 Directive Published

CrowdStrike’s 2025 Threat Hunting Report offers key insights into the current cyber threat landscape. Drawing on data from July 2024 to June 2025, the report showcases how adversaries are becoming more sophisticated, scalable, and business-like in their operations. These “enterprising adversaries” are not only innovating their tactics but also exploiting emerging technologies such as generative

Continue Reading Key Insights from the CrowdStrike 2025 Threat Hunting Report

In a decision issued on 18 July 2025 against Google LLC, the Personal Data Protection Office (PDPO) has affirmed that the data protection compliance obligations under Ugandan law apply to all entities that handle the personal data of Ugandan citizens, regardless of where they are based.

The office has also clarified that a

Continue Reading Uganda: Data protection Regulator Clarifies Compliance Requirements for Offshore Entities

The Italian Data Protection Authority’s recent decision provided guidance on the true meaning of personal data anonymization and on the crucial distinction that the DPO is a monitor, not an executor. In a world driven by AI and public surveillance, both concepts are more relevant than ever.

On April 10, 2025, the Garante issued a

Continue Reading ITALY: Personal data anonymization and the risk of the DPO being an executor

On 8 July 2025, the DIFC Data Protection Law No. 5 of 2020 (DIFC Data Protection Law) was amended to introduce several substantive changes, including the landmark creation of a private right of action for data subjects, clarifications to the extraterritorial scope, and increased financial penalties for non-compliance.

The changes broadly reflect those

Continue Reading Dubai International Financial Centre: Updates to the DIFC Protection Laws

It’s well-known that China’s data protection laws define sensitive personal information very differently to other jurisdictions. Instead of a closed list of data types, sensitive personal information in China has traditionally been defined by reference to a broad “risk of harm” test. A new national standard, which will come into force on 1 November 2025

Continue Reading CHINA: definition and handling of Sensitive Personal Information helpfully clarified

The Irish Supreme Court, on 24 July 2025, issued a landmark decision offering greater clarity on non-material damages in the context of privacy claims under the General Data Protection Regulation (GDPR). The judgment in Dillon v Irish Life Assurance plc[1] (Dillon) marks a significant development for both individuals seeking compensation

Continue Reading Ireland: GDPR, PIAB, and the Personal Injury Puzzle – The Irish Supreme Court Decides

The Italian Data Protection Authority (Garante) has fined a company EUR 420,000 for violating privacy laws in the workplace. The decision focuses on the employer’s use of content from Facebook, WhatsApp, and Messenger (shared from the employee’s personal accounts) for disciplinary purposes.

This ruling will have serious repercussions for any employer operating in Italy, especially those

Continue Reading Italy: Garante issues fine for use of employee’s private chats in disciplinary actions

While appointing and registering a DPO has been mandatory in China for many years, a portal has now finally been established for organisations to register those DPOs with the China data protection authority. This resolves long-standing uncertainty over how DPOs must be registered, and over relevant qualifications and location of the DPO. The deadline for

Continue Reading CHINA: DPOs must be registered before 29 August 2025

A recent and far-reaching decision by the Italian Data Protection Authority (Garante) has significantly altered the rules governing marketing privacy consent in Italy, introducing a potential obligation to adopt a double opt-in mechanism for collecting consent that exceeds the requirements in other EU countries.

Why This Case Matters: A Shift in Privacy Consent

Continue Reading Italy: Marketing Privacy Consent – Is Double Opt-In Now Mandatory?