On April 7, 2026, the Alabama legislature unanimously passed House Bill 351, the Alabama Personal Data Protection Act. The bill cleared the House 104-0 and the Senate 34-0, making Alabama the 21st state to enact a comprehensive consumer privacy statute. If signed by Governor Kay Ivey, the law will take effect on May 1
Continue Reading U.S.: Alabama Becomes 21st State to Enact Comprehensive Privacy Law
UK: ICO Report on Automated Decision-Making in Recruitment
Organisations are increasingly turning to AI-enabled tools throughout the recruitment lifecycle, from CV filtering and suitability scoring to online assessments and behavioural analysis. These tools can offer real advantages, including faster hiring processes and the potential to reduce human bias that inevitably exists in traditional recruitment. However, their use often creates a tension with data
Continue Reading UK: ICO Report on Automated Decision-Making in Recruitment
EU: CJEU Rules That a Single DSAR Can Be Refused as Abusive
Summary
On 19 March 2026, the Court of Justice of the European Union (CJEU) handed down its judgment in Case C-526/24, Brillen Rottler, clarifying that a data subject’s first request for access to personal data under Article 15 of the General Data Protection Regulation (GDPR) may be refused as “excessive”.
Continue Reading EU: CJEU Rules That a Single DSAR Can Be Refused as Abusive
Key Takeaways from the S-RM Cyber Incident Insights Report 2026
S‑RM’s 2026 Cyber Incident Insights Report offers one of the clearest indicators yet of how rapidly the global threat landscape is shifting. Drawing on more than 800 incidents handled throughout 2025, the report reveals a ransomware ecosystem that is expanding, fragmenting and becoming less predictable, while AI adoption(on both sides of the divide) introduces new
Continue Reading Key Takeaways from the S-RM Cyber Incident Insights Report 2026
EU: EDPB and EDPS publish joint opinion on the European Commission’s Proposal for the Digital Omnibus on AI
Navigating Simplification Without Sacrificing Safeguards: Key Takeaways
As the EU begins the complex task of making the European Artificial Intelligence Act[1] (the “AI Act”) workable in real life, the European Commission’s Proposal for a Regulation amending Regulations (EU) 2024/1689 and (EU) 2018/1139 as regards the simplification of the implementation of harmonised rules
Continue Reading EU: EDPB and EDPS publish joint opinion on the European Commission’s Proposal for the Digital Omnibus on AI
EU Commission looks to strengthen EU Cybersecurity Resilience and Capabilities
On 20 January 2026, the European Commission proposed a new cybersecurity package, aimed at strengthening the EU’s cybersecurity resilience and capabilities. The package includes a revised Cybersecurity Act (“CSA“) and targeted amendments to the NIS2 Directive (see our blog post for further information on the amendments to the NIS2 Directive). The revised
Continue Reading EU Commission looks to strengthen EU Cybersecurity Resilience and Capabilities
UK: Commencement of the data protection provisions in the Data (Use and Access) Act
On 5 February 2026, the main changes to data protection legislation in Part 5 of the Data (Use and Access) Act 2025 (“DUAA“) came into force.
The DUAA was passed and received Royal Assent on 19 June 2025. Although some of the DUUA provisions came into force automatically, many of the reforms
Continue Reading UK: Commencement of the data protection provisions in the Data (Use and Access) Act
Australia: Return to Sender ID: Businesses must register “branded identifiers” used in Australian SMS messages
From 1 July 2026, entities that use an alphanumeric sender ID for SMS/MMS messages in Australia must register that ID on the SMS Sender ID Register.
Sender IDs are used to send SMS/MMS messages from a named entity (i.e. a name displayed at the top of a text message to show who the message is
Continue Reading Australia: Return to Sender ID: Businesses must register “branded identifiers” used in Australian SMS messages
CHINA: new mandatory reports to regulator on children’s data , initial deadline 31 January 2026
All data controllers processing personal data under the age of 14 (“minors“) must now submit an annual report to Chinese data regulator, the Cyberspace Administration of China (“CAC“). For 2025, the report must be submitted by 31 January 2026. There is no volume threshold, meaning that any data controller processing any
Continue Reading CHINA: new mandatory reports to regulator on children’s data , initial deadline 31 January 2026
Singapore: Key Amendments to the Cybersecurity Act Now in Force
Since the enactment of Singapore’s Cybersecurity Act 2018 (Cybersecurity Act), Singapore’s digital economy has grown rapidly, and cyber threats have evolved at a remarkable pace. To address this shifting landscape, the Cybersecurity (Amendment) Act 2024 (Amendment Act) was passed last year, introducing significant amendments to the Cybersecurity Act to broaden regulatory
Continue Reading Singapore: Key Amendments to the Cybersecurity Act Now in Force