A recent and far-reaching decision by the Italian Data Protection Authority (Garante) has significantly altered the rules governing marketing privacy consent in Italy, introducing a potential obligation to adopt a double opt-in mechanism for collecting consent, that exceeds the requirements in other EU countries.

Why This Case Matters: A Shift in Privacy Consent

Continue Reading Italy: Marketing Privacy Consent – Is Double Opt-In Now Mandatory?

The NIS2 Directive has significantly reshaped the cybersecurity landscape across the EU. Since the implementation deadline in October 2024, EU Member States have been working to incorporate new standards into their national laws, fostering a dynamic and rapidly evolving regulatory environment. Recently, Ireland’s National Cyber Security Centre (NCSC) published the draft NIS2 Risk Management Measures

Continue Reading Ireland: NIS2 revamps Ireland’s cybersecurity landscape: Old regulators, new powers

The Spanish Data Protection Authority (“AEPD“) has published its 2024 annual report, which includes the AEPD’s awareness-raising activities; the collaboration and inspection activities of the Spanish authorities; relevant reports and procedures published during 2024; and an analysis of regulatory trends and key privacy challenges for the coming months. The annual report’s key elements

Continue Reading Spain: Spanish Data Protection Authority Publishes Annual Report

The potential criminalization of activities associated with ransomware cyber attacks, including ransom payments by victims, has long been an unresolved issue. This concern has now led Italy to introduce a ground breaking legislative proposal aimed at enhancing cybersecurity and mitigating threats posed by digital extortionists.

Recognizing ransomware cyberattacks not merely as economic disturbances but as

Continue Reading Italy: Ransomware and Crime – A Proposal to Tackle Cyber Extortion in Italy

On 17th June 2025, the Spanish Data Protection Authority (“AEPD”) published guidance in relation to Royal Decree 933/2021, which regulates document registration and information obligations relating to accommodation and motor vehicle rental activities (“Royal Decree“). In particular, the AEPD has clarified that the Royal Decree does not authorise requests for copies

Continue Reading Spain: AEPD Guidance – Important Update on Royal Decree 933/2021

On 11 June 2025, the UK’s Data (Use and Access) Act 2025 (“DUA Act“) was passed and received Royal Assent on 19th June 2025.

The government first announced plans for the new DUA Act in the King’s speech back in July 2024. The DUA Act introduces reforms to data protection and e-privacy laws

Continue Reading UK: Data (Use and Access) Bill passes through Parliament

On 14 May 2025, the Brussels Court of Appeal (Market Court) delivered the long-awaited judgement in the case concerning the Transparency & Consent Framework (“TCF”) (case no. 2022/AR/292). The Court largely upheld the findings of the Belgian Data Protection Authority (“Belgian DPA”), concluding that the TCF’s use of the Transparency and Consent

Continue Reading EU: Brussels Court of Appeal rules on IAB Europe and the TC String – Implications for GDPR Compliance

On 20 March 2025, the Nigeria Data Protection Commission (Commission), issued the General Application and Implementation Directive (GAID).  The GAID serves as a regulatory framework for implementing the Nigeria Data Protection Act (NDPA) 2023. It provides practical guidance for organisations handling personal data and aims to ensure uniform compliance

Continue Reading Nigeria: NDPC Issues GAID – Key Compliance Insights

The European Commission has published its proposal for a new regulation simplifying the EU General Data Protection Regulation (“GDPR”) requirements for small mid-cap enterprises (“the Proposal“). The Proposal forms part of the European Commission’s Omnibus IV Simplification Package and comes after the European Data Protection Board (“EDPB”) and the

Continue Reading Europe: European Commission publishes proposal for simplification of the GDPR

Following Malaysia’s introduction of data breach notification and data protection officer (“DPO”) appointment requirements in last year’s significant amendments to the Personal Data Protection Act (“PDPA”) (click here for our summary), the Personal Data Protection Commissioner of Malaysia (“Commissioner”) recently released guidelines that flesh out such requirements, titled the

Continue Reading Malaysia: Guidelines Issued on Data Breach Notification and Data Protection Officer Appointment