While the case is likely to be mentioned in upcoming non-material damages claims, its unique circumstances mean defence arguments remain robust.

By Tim Wybitul, Isabelle Brams, Timo Hager, and Thies Schmitte

On 1 October 2025, the General Court of the European Union (GCEU) held the EU liable for non‑material damage caused by the unlawful processing of personal…

The measures, which take effect on November 1, 2025, position China with one of the more rigorous cybersecurity incident notification regimes in Asia.

By Hui Xu, Rhys McWhirter, and Bianca H. Lee

The Cyberspace Administration of China (CAC) issued the Measures on National Cybersecurity Incident Reporting (the Measures) on September 11, 2025. The Measures will take effect on…

New privacy regulations provide insights into California’s approach to ADMT, cybersecurity audits, and risk assessments, while amendments impact compliance with consumer rights obligations.

By Michael H. Rubin, Jennifer Howes, Austin Anderson, Eric Gonzalez, and Sherry Tseng

Long-awaited revisions to the California Consumer Privacy Act (CCPA) Regulations were recently approved by the California Office of Administrative Law…

The CJEU rules that personal data can be pseudonymous in the hands of one party and anonymous in the hands of another.

By Myria Saarinen, Tim Wybitul, Wolf-Tassilo Böhm, Isabelle Brams, Gail Crawford, Fiona M. Maclean, Danielle van der Merwe, and Amy Smyth

The Court of Justice of the European Union (CJEU) has…

The Act presents a significant overhaul of European data law, affecting most companies that handle digital products and connected services, and data processing services, in the EU.

By Sophie Goossens, Jean-Luc Juhan, Susan Kempe-Müller, Alfonso Lamadrid, Myria Saarinen, Tim Wybitul, Gail E. Crawford, James Lloyd, and Fiona M. Maclean

The EU Data…

EU General Court confirms United States ensured an adequate level of protection for EU personal data transfers to the US.

By Ian Felstead, Tim Wybitul, Wolf-Tassilo Böhm, Hayley M. Pizzey, Isabelle Brams, and Clarence Cheong

On 3 September 2025, the EU General Court delivered its judgment in Case T-553/23, Latombe v. Commission. The court…

The changes are expected to radically alter the market dynamics both between service providers and their customers and among competing service providers.

By Gail E. Crawford, Susan Kempe-Mueller, Fiona M. Maclean, Myria Saarinen, Tim Wybitul, Alain Traill, and Komal Shemar

In the rapidly evolving landscape of European tech regulation, the Data Act introduces changes…

The DUAA introduces several reforms to UK data protection law, but their implications are relatively limited in practice.

By Gail E. Crawford, Fiona M. Maclean, Danielle van der Merwe, Calum Docherty, and Amy Smyth

The Data (Use and Access) Act 2025 (the DUAA) was enacted on 19 June 2025 and amends rather than replaces the existing…

The administration has signaled a potential softening of cyber regulation for domestic entities, with increasing focus on national security priorities and preparing for the future.

By Antony (Tony) Kim and Michael H. Rubin

The Trump administration’s focus on reshaping the cyber regulatory environment continues with executive order 14306, “Sustaining Select Efforts to Strengthen the Nation’s Cybersecurity and Amending Executive Order…

The Measures outline requirements and procedures for self-initiated and regulator-mandated compliance audits from May 1, 2025.

By Hui Xu and Bianca H. Lee

The Cyberspace Administration of China’s (CAC’s) official release of the Measures for Personal Information Protection Compliance Audits (the Measures) marks the CAC’s commitment to implementing the compliance audit system under the PIPL, which has been in effect…

The first updates to the COPPA Rule since 2013 impose new obligations for sharing children’s personal information with third parties.

By Jennifer C. Archie, Marissa R. Boynton, Michael H. Rubin, Molly O’Malley Clarke, and Elizabeth Yin

On April 22, 2025, the Federal Trade Commission (FTC or Commission) published the final amendments to the Children’s Online Privacy…

DOJ emphasizes need to come into full compliance with its new rule by July 8.

By Jennifer Archie, Heather B. Deixler, Clayton Northouse, Michael Rubin, Max Mazzelli, Brianna Gordon, and Kiara Vaughn

On April 11, 2025, the US Department of Justice (DOJ) released guidance regarding its final rule, known as the “Data Security Program”…