Topics

Adtech

EU: Brussels Court of Appeal rules on IAB Europe and the TC String – Implications for GDPR ComplianceUK: Data protection authority issues reprimand to gambling operator for unlawfully processing personal data

Africa

Nigeria: NDPC Issues GAID – Key Compliance Insights

App Privacy

CHINA: Recent Enforcement Trends

Artificial Intelligence

Spain: Spanish Data Protection Authority Publishes Annual ReportEU: EDPB Opinion on AI Provides Important Guidance though Many Questions RemainIreland: Increased regulatory convergence of AI and data protection: X suspends training of AI chatbot with EU user data after Irish regulator issues High Court proceedings

Audits and mapping

CHINA: Mandatory Data Protection Compliance Audits from 1 May 2025CHINA: Mandatory data protection compliance (self) audits on their wayChina: Important new guidance on defining sensitive personal information

China

CHINA: Amendments to Cybersecurity Law Effective 1 January 2026CHINA: new stricter and 4-hour data breach reporting requirements for certain incidentsCHINA: definition and handling of Sensitive Personal Information helpfully clarified

CJEU

EU: CJEU Insight EU: ECJ rules that competitors are entitled to bring an injunction claim based on an infringement of the GDPR.EU: CJEU Confirms that Legitimate Interests can cover purely commercial interests

Class actions

Europe/Germany:  Right to bring collective action for violations of information obligations under GDPR

Compliance programs and policies

CHINA: Mandatory Data Protection Compliance Audits from 1 May 2025VIETNAM, MALAYSIA AND INDONESIA: what you need to know about the new SE Asia data protection lawsCHINA: Enhanced and clarified data compliance obligations on handlers of "network data", covering personal information and important data, and operators of online platforms from 1 January 2025

Cookies

UK: Google’s U-Turn on Device Fingerprinting: ICO’s Response and Subsequent GuidanceUK: Data protection authority issues reprimand to gambling operator for unlawfully processing personal data

Cyber security

CHINA: Amendments to Cybersecurity Law Effective 1 January 2026Insider Threat: Client Considerations and JustificationsAustralian Clinical Labs ordered to pay AUD5.8 million following cyber incident

Cyber-crime

CHINA: Amendments to Cybersecurity Law Effective 1 January 2026Thailand: PDPA Crackdown 2025: Are You Next? - Major Fines and Lessons from Thailand’s Latest EnforcementKey Insights from the CrowdStrike 2025 Threat Hunting Report

Data analythics

Italy: Marketing Privacy Consent – Is Double Opt-In Now Mandatory?China: new rules on use of algorithms for digital business, data analytics and decision-making

Data Protection Officers

ITALY: Personal data anonymization and the risk of the DPO being an executorCHINA: DPOs must be registered before 29 August 2025Malaysia: Guidelines Issued on Data Breach Notification and Data Protection Officer Appointment

Data retention

Italy: The Garante Issues First GDPR Fine Over Employees Email Metadata Privacy Breach

Data security and breaches

Australian Clinical Labs ordered to pay AUD5.8 million following cyber incidentCHINA: new stricter and 4-hour data breach reporting requirements for certain incidentsThailand: PDPA Crackdown 2025: Are You Next? - Major Fines and Lessons from Thailand’s Latest Enforcement

Data Sharing

EU/UK: Data-Sharing Frameworks - A State of Play in the EU and the UK

Data transfers

EU-U.S. Data Privacy Framework Survives First ChallengeUganda: Data protection Regulator Clarifies Compliance Requirements for Offshore EntitiesUS: Department of Justice issues final rule restricting the transfer of Sensitive Personal Data and United States Government-Related Data to "countries of concern"

Digital Decade

EU: ENISA Guidelines on Compliance with NIS 2 Directive PublishedSpain: Spanish Data Protection Authority Publishes Annual ReportEU: Cyber Resilience Act published in EU Official Journal

Digital transformation

EU: Cyber Resilience Act published in EU Official JournalEU/UK: Data-Sharing Frameworks - A State of Play in the EU and the UK

Direct marketing

Italy: Marketing Privacy Consent – Is Double Opt-In Now Mandatory?UK: Google’s U-Turn on Device Fingerprinting: ICO’s Response and Subsequent GuidanceCalifornia Attorney General Settles with DoorDash over Alleged Sale of Personal Information

e-health

EU: ECJ rules that competitors are entitled to bring an injunction claim based on an infringement of the GDPR.UK: New National Strategy for Health Data

ECJ; Article 29 Working Party;

EU: ECJ rules that competitors are entitled to bring an injunction claim based on an infringement of the GDPR.Europe/Germany:  Right to bring collective action for violations of information obligations under GDPR

EDBP (European Data Protection Board)

EU: EDPB Opinion on AI Provides Important Guidance though Many Questions RemainEU: Engaging vendors in the financial sector: EDPB clarifications mean more mapping and managementEurope: EDPB issues Opinion on ‘consent or pay’ models deployed by large online platforms

Employment

Italy: Garante issues fine for use of employee's private chats in disciplinary actions

Enforcement

Dutch DPA fines Experian €2.7m for breaches of the GDPRICO v Clearview – a test of the ICO's reach?CHINA: new stricter and 4-hour data breach reporting requirements for certain incidents

ePrivacy

Italy: Marketing Privacy Consent – Is Double Opt-In Now Mandatory?UK: Google’s U-Turn on Device Fingerprinting: ICO’s Response and Subsequent GuidanceCJEU ruling clarifies data protection and e-privacy issues in the ad-tech space

EU Commission

Europe: European Commission publishes proposal for simplification of the GDPREU: Data Act Frequently Asked Questions answered by the EU CommissionEU/UK: Data-Sharing Frameworks - A State of Play in the EU and the UK

EU data governance

EU: ENISA Guidelines on Compliance with NIS 2 Directive PublishedIreland: NIS2 revamps Ireland's cybersecurity landscape: Old regulators, new powersSpain: Spanish Data Protection Authority Publishes Annual Report

EU Digital Decade

EU: ENISA Guidelines on Compliance with NIS 2 Directive PublishedIreland: NIS2 revamps Ireland's cybersecurity landscape: Old regulators, new powersSpain: Spanish Data Protection Authority Publishes Annual Report

EU privacy

EU: ENISA Guidelines on Compliance with NIS 2 Directive PublishedITALY: Personal data anonymization and the risk of the DPO being an executorItaly: Garante issues fine for use of employee's private chats in disciplinary actions

FTC

US: Executive Order on federal agenciesFTC Reiterates that Hashed and Pseudonymized Data is Still Identifiable DataUS: The FTC Cracks Down on Sensitive Personal Information Disclosures

General Data Protection Regulation

Dutch DPA fines Experian €2.7m for breaches of the GDPRICO v Clearview – a test of the ICO's reach?Germany: Further Judgment on Non-Material Damages for Loss of Control over Personal Data

geolocation

US: Google to pay $29.5 million to Indiana and District of Columbia to settle location privacy suits

Global data transfer management

CHINA: Draft SCCs Released – Time to Focus on Overseas Data Transfers

Health Data

EU: EHDS – Access to health data for secondary use under the European Health Data SpaceEU: ECJ rules that competitors are entitled to bring an injunction claim based on an infringement of the GDPR.China: Important new guidance on defining sensitive personal information

Internet of Things

EU Regulatory Data Protection: A first appraisal of the European Commission's proposal for a 'Data Act'

Lawful basis

Dutch DPA fines Experian €2.7m for breaches of the GDPRUK: ICO launches consultations on the new Data (Use and Access) Act 2025EU: CJEU Confirms that Legitimate Interests can cover purely commercial interests

Legitimate Interests

Dutch DPA fines Experian €2.7m for breaches of the GDPRUK: ICO launches consultations on the new Data (Use and Access) Act 2025Italy: Garante issues fine for use of employee's private chats in disciplinary actions

Network and Information Security Directive

EU: ENISA Guidelines on Compliance with NIS 2 Directive PublishedIreland: NIS2 revamps Ireland's cybersecurity landscape: Old regulators, new powersEU: NIS2 Member State implementation deadline has arrived

New laws

CHINA: Amendments to Cybersecurity Law Effective 1 January 2026UK: ICO launches consultations on the new Data (Use and Access) Act 2025Dubai International Financial Centre: Updates to the DIFC Protection Laws

Privacy Law

Dutch DPA fines Experian €2.7m for breaches of the GDPRCHINA: Amendments to Cybersecurity Law Effective 1 January 2026ICO v Clearview – a test of the ICO's reach?

Processors

Germany: Monitoring and auditing obligations of controllers with respect to their processors

Ransomware

UK: Consultation on Ransomware payments

SEC

US: Executive Order on federal agenciesUS: Understanding Governance--A Path for Privacy and Security Governance

Sensitive personal data

CHINA: definition and handling of Sensitive Personal Information helpfully clarified

Supervisory authority relations

Germany: New government plans to centralize data protection supervision and reduce regulation for small and medium-sized companies

Tracking technologies

CHINA: Recent Enforcement TrendsUK: Google’s U-Turn on Device Fingerprinting: ICO’s Response and Subsequent Guidance

Transparency

Dutch DPA fines Experian €2.7m for breaches of the GDPRCHINA: Recent Enforcement TrendsEurope/Germany:  Right to bring collective action for violations of information obligations under GDPR

UK

ICO v Clearview – a test of the ICO's reach?UK: ICO launches consultations on the new Data (Use and Access) Act 2025UK: Data (Use and Access) Bill passes through Parliament

Uncategorized

China: CAC publishes official Q&As for cross-border data transfer regulationUS: Executive Order on federal agenciesHong Kong: A Practical Guide to the Proposed Critical Infrastructure Cybersecurity Legislation