The changes are expected to radically alter the market dynamics both between service providers and their customers and among competing service providers.

By Gail E. Crawford, Susan Kempe-Mueller, Fiona M. Maclean, Myria Saarinen, Tim Wybitul, Alain Traill, and Komal Shemar

In the rapidly evolving landscape of European tech regulation, the Data Act introduces changes…

The DUAA introduces several reforms to UK data protection law, but their implications are relatively limited in practice.

By Gail E. Crawford, Fiona M. Maclean, Danielle van der Merwe, Calum Docherty, and Amy Smyth

The Data (Use and Access) Act 2025 (the DUAA) was enacted on 19 June 2025 and amends rather than replaces the existing…

The administration has signaled a potential softening of cyber regulation for domestic entities, with increasing focus on national security priorities and preparing for the future.

By Antony (Tony) Kim and Michael H. Rubin

The Trump administration’s focus on reshaping the cyber regulatory environment continues with executive order 14306, “Sustaining Select Efforts to Strengthen the Nation’s Cybersecurity and Amending Executive Order…

The Measures outline requirements and procedures for self-initiated and regulator-mandated compliance audits from May 1, 2025.

By Hui Xu and Bianca H. Lee

The Cyberspace Administration of China’s (CAC’s) official release of the Measures for Personal Information Protection Compliance Audits (the Measures) marks the CAC’s commitment to implementing the compliance audit system under the PIPL, which has been in effect…

The first updates to the COPPA Rule since 2013 impose new obligations for sharing children’s personal information with third parties.

By Jennifer C. Archie, Marissa R. Boynton, Michael H. Rubin, Molly O’Malley Clarke, and Elizabeth Yin

On April 22, 2025, the Federal Trade Commission (FTC or Commission) published the final amendments to the Children’s Online Privacy…

DOJ emphasizes need to come into full compliance with its new rule by July 8.

By Jennifer Archie, Heather B. Deixler, Clayton Northouse, Michael Rubin, Max Mazzelli, Brianna Gordon, and Kiara Vaughn

On April 11, 2025, the US Department of Justice (DOJ) released guidance regarding its final rule, known as the “Data Security Program”…

New DOJ guidance helps companies understand their obligations under the DSP, which
could severely impact investment agreements and ordinary commercial data transactions.

By Jennifer Archie, Heather B. Deixler, Clayton Northouse, Michael Rubin, Max Mazzelli, Brianna Gordon, and Kiara Vaughn

On April 11, 2025, the US Department of Justice (DOJ) released new guidance on its…

The draft law proposes a data embassy ecosystem and comprehensive framework in Saudi Arabia, promoting its position as a global AI hub.

By Brian Meenagh, Ksenia Koroleva, and Faisal Imam*

On April 14, 2025, Saudi Arabia’s Communications, Space and Technology Commission (CST) issued a consultation draft of a “Global AI Hub Law.” This draft law…

The EU regulation designed to facilitate secondary use of clinical data for research brings benefits for health research, but also poses challenges for companies.

By Deniz Tschammler, Danielle van der Merwe, Oliver Mobasser

On 5 March 2025, Regulation 2025/327 creating the European Health Data Space (the EHDS Regulation) was published in the Official Journal of the European Union…

The guidelines specify the requirements for data controllers to conduct risk assessments related to the transfer or disclosure of personal data outside the Kingdom.

By Brian Meenagh, Calum Docherty, Faisal Imam,* and Ksenia Koroleva

The Saudi Data & Artificial Intelligence Authority (SDAIA) has released non-binding guidelines for assessing risks when transferring or disclosing personal data outside the…

Advocate General Spielmann opines that personal data can be pseudonymous in the hands of one party and anonymous in the hands of another.

By Gail Crawford, Fiona M. Maclean, Myria Saarinen, Tim Wybitul, Isabelle Brams, and Amy Smyth

Advocate General Spielmann (AG) has published his Opinion in the Court of Justice of the European Union…

The CJEU has decided that the maximum thresholds for GDPR fines should be calculated using the global turnover of the broader corporate group, not solely the infringing entity.

By Gail Crawford, Fiona M. Maclean, Myria Saarinen, Tim Wybitul, Isabelle Brams, and Amy Smyth

The penalties provisions of the EU General Data Protection Regulation (GDPR) include…