The Italian Data Protection Authority (the Garante) has issued its first GDPR fine for unlawful retention of metadata from employees’ emails and web browsing activities. The decision applies the Garante’s highly discussed guidelines of 2024 on the use of metadata in workplace email systems.

The Processing of Metadata in the Employment Relations

Metadata

Continue Reading Italy: The Garante Issues First GDPR Fine Over Employees Email Metadata Privacy Breach

On 20 March 2025, the Nigeria Data Protection Commission (Commission), issued the General Application and Implementation Directive (GAID).  The GAID serves as a regulatory framework for implementing the Nigeria Data Protection Act (NDPA) 2023. It provides practical guidance for organisations handling personal data and aims to ensure uniform compliance

Continue Reading Nigeria: NDPC Issues GAID – Key Compliance Insights

The European Commission has published its proposal for a new regulation simplifying the EU General Data Protection Regulation (“GDPR”) requirements for small mid-cap enterprises (“the Proposal“). The Proposal forms part of the European Commission’s Omnibus IV Simplification Package and comes after the European Data Protection Board (“EDPB”) and the

Continue Reading Europe: European Commission publishes proposal for simplification of the GDPR

The Cyberspace Administration of China (CAC) released an important Q&A on cross-border data transfer requirements and policies in early April, providing clarification on a number of issues of concern to companies in China. Key points include:

Data other than important data and personal data can flow freely across borders. The Q&A emphasizes that, in principle

Continue Reading China: CAC publishes official Q&As for cross-border data transfer regulation

Since its announcement during the King’s Speech on 17 July 2024, there has been much anticipation over the contents of the Cyber Security and Resilience Bill (“CS&R Bill“) and in particular the extent to which it will bring the UK into alignment with its European counterpart, the NIS2 directive. Currently, cyber regulation in

Continue Reading UK: Will UK cyber reforms keep step with NIS2?

In a decision on immaterial damages under Article 82 of the EU General Data Protection Regulation (GDPR), the Higher Regional Court of Dresden, Germany (case number 4 U 940/24), set out important monitoring and auditing obligations of controllers with respect to their processors.  

The controller (defendant) operates an online music

Continue Reading Germany: Monitoring and auditing obligations of controllers with respect to their processors

On April, 8 2025, the Department of Justice’s final rule, implementing the Biden-era Executive Order 14117 restricting the transfer of Americans’ Sensitive Personal Data and United States Government-Related Data to countries of concern (the “Final Rule“), came into force. The Final Rule imposes new requirements on US companies when transferring certain types

Continue Reading US: Department of Justice issues final rule restricting the transfer of Sensitive Personal Data and United States Government-Related Data to “countries of concern”

On April 9, 2025, the coalition agreement of the future German Federal Government, consisting of the three German parties CDU, CSU and SPD, was published. The document entitled “Responsibility for Germany” contains several plans, including some that may fundamentally change the German data protection supervisory authority structure and that aim to ease the regulatory burden

Continue Reading Germany: New government plans to centralize data protection supervision and reduce regulation for small and medium-sized companies

Recently, the Cyberspace Administration of China (CAC), which is the primary data regulator in China, published a newsletter about the government authorities’ enforcement of Apps and websites that violated personal data protection and cybersecurity laws during the year 2024.

Based on the official statistics, during 2024, the CAC interviewed 11,159 website platforms, imposed warnings or

Continue Reading CHINA: Recent Enforcement Trends

Following Malaysia’s introduction of data breach notification and data protection officer (“DPO”) appointment requirements in last year’s significant amendments to the Personal Data Protection Act (“PDPA”) (click here for our summary), the Personal Data Protection Commissioner of Malaysia (“Commissioner”) recently released guidelines that flesh out such requirements, titled the

Continue Reading Malaysia: Guidelines Issued on Data Breach Notification and Data Protection Officer Appointment