Data Protection

EU: CJEU Rules That a Single DSAR Can Be Refused as Abusive

By Ciara Kelly, Rachel de Souza & Benjamin Fellows on March 26, 2026

Posted in CJEU, Data subject access and opposition rights, ECJ; Article 29 Working Party;, EU privacy, General Data Protection Regulation, Privacy Law

Summary

On 19 March 2026, the Court of Justice of the European Union (CJEU) handed down its judgment in Case C-526/24, Brillen Rottler, clarifying that a data subject’s first request for access to personal data under Article 15 of the General Data Protection Regulation (GDPR) may be refused as “excessive”.

Key Takeaways from the S-RM Cyber Incident Insights Report 2026

By Ross McKean & David Cook on March 16, 2026

Posted in Cyber security, Cyber-crime, Data loss prevention, Data security and breaches, Ransomware

S‑RM’s 2026 Cyber Incident Insights Report offers one of the clearest indicators yet of how rapidly the global threat landscape is shifting. Drawing on more than 800 incidents handled throughout 2025, the report reveals a ransomware ecosystem that is expanding, fragmenting and becoming less predictable, while AI adoption(on both sides of the divide) introduces new…

EU: EDPB and EDPS publish joint opinion on the European Commission’s Proposal for the Digital Omnibus on AI

By Muhammed Demircan, Ciara Kelly & Rachel de Souza on February 17, 2026

Posted in Artificial Intelligence, EDBP (European Data Protection Board), EU Digital Decade, EU privacy, Privacy Law

Navigating Simplification Without Sacrificing Safeguards: Key Takeaways

As the EU begins the complex task of making the European Artificial Intelligence Act [1] (the “AI Act”) workable in real life, the European Commission’s Proposal for a Regulation amending Regulations (EU) 2024/1689 and (EU) 2018/1139 as regards the simplification of the implementation of harmonised rules…

EU Commission looks to strengthen EU Cybersecurity Resilience and Capabilities

By Rachel de Souza & Heidi Waem on February 6, 2026

Posted in Cyber security, Cyber-crime, EU Commission, EU data governance, EU Digital Decade, EU privacy, New laws, Privacy Law

On 20 January 2026, the European Commission proposed a new cybersecurity package, aimed at strengthening the EU’s cybersecurity resilience and capabilities. The package includes a revised Cybersecurity Act (“CSA“) and targeted amendments to the NIS2 Directive (see our blog post for further information on the amendments to the NIS2 Directive). The revised…

UK: Commencement of the data protection provisions in the Data (Use and Access) Act

By David Cook, Linzi Penman & Rachel de Souza on February 6, 2026

Posted in Compliance programs and policies, Cookies, Data subject access and opposition rights, Data transfers, General Data Protection Regulation, Global data transfer management, Lawful basis, Legitimate Interests, New laws, Privacy Law, UK

On 5 February 2026, the main changes to data protection legislation in Part 5 of the Data (Use and Access) Act 2025 (“DUAA“) came into force.

The DUAA was passed and received Royal Assent on 19 June 2025. Although some of the DUUA provisions came into force automatically, many of the reforms…

Australia: Return to Sender ID: Businesses must register “branded identifiers” used in Australian SMS messages

By Sarah Birkett & Clarissa Kwee on January 16, 2026

Posted in Privacy Law

From 1 July 2026, entities that use an alphanumeric sender ID for SMS/MMS messages in Australia must register that ID on the SMS Sender ID Register.

Sender IDs are used to send SMS/MMS messages from a named entity (i.e. a name displayed at the top of a text message to show who the message is…

CHINA: new mandatory reports to regulator on children’s data , initial deadline 31 January 2026

By Carolyn Bigg & Amanda Ge on January 7, 2026

Posted in Children's data, China, New laws, Privacy Law

All data controllers processing personal data under the age of 14 (“minors“) must now submit an annual report to Chinese data regulator, the Cyberspace Administration of China (“CAC“). For 2025, the report must be submitted by 31 January 2026. There is no volume threshold, meaning that any data controller processing any…

Singapore: Key Amendments to the Cybersecurity Act Now in Force

By Carolyn Bigg & Qiuyang Zhao on December 3, 2025

Posted in Cyber security, New laws, Privacy Law

Since the enactment of Singapore’s Cybersecurity Act 2018 (Cybersecurity Act), Singapore’s digital economy has grown rapidly, and cyber threats have evolved at a remarkable pace. To address this shifting landscape, the Cybersecurity  (Amendment)  Act 2024 (Amendment Act) was passed last year, introducing significant amendments to the Cybersecurity Act to broaden regulatory…

EU: Digital Autofocus – Will Europe’s Digital Omnibus bring clarity to Regulation?

By Rachel de Souza on November 24, 2025

Posted in Artificial Intelligence, Cyber security, Digital transformation, EU Commission, EU data governance, EU Digital Decade, EU privacy, General Data Protection Regulation, New laws, Privacy Law

Over the last decade, the EU has launched an unprecedented constellation of laws: GDPR, the AI Act, the Data Act, NIS2, the Cyber Resilience Act, DORA, DSA, DMA, eIDAS 2.0 and more. Together – under the ‘Digital Decade’ banner – they aim to form a powerful framework to protect fundamental rights, promote trustworthy technology and…

CHINA: Amendments to Cybersecurity Law Effective 1 January 2026

By Carolyn Bigg, Qiuyang Zhao & Amanda Ge on November 3, 2025

Posted in China, Cyber security, Cyber-crime, New laws, Privacy Law

On 28 October 2025, China passed amendments to the Cybersecurity Law, marking the first update since its enactment in 2016. These amendments reflect China’s heightened focus on cybersecurity and AI governance and are scheduled to take effect on 1 January 2026.

Key Updates

The amendments primarily focus on the law’s enforcement provisions. Key updates include:…