DOJ emphasizes need to come into full compliance with its new rule by July 8.

By Jennifer Archie, Heather B. Deixler, Clayton Northouse, Michael Rubin, Max Mazzelli, Brianna Gordon, and Kiara Vaughn

On April 11, 2025, the US Department of Justice (DOJ) released guidance regarding its final rule, known as the “Data Security Program” (DSP). The DSP, originally issued on December 27, 2024, and effective on April 8, 2025 (with certain diligence, auditing, and

The EU regulation designed to facilitate secondary use of clinical data for research brings benefits for health research, but also poses challenges for companies.

By Deniz Tschammler, Danielle van der Merwe, and Oliver Mobasser

On 5 March 2025, Regulation 2025/327 creating the European Health Data Space (the EHDS Regulation) was published in the Official Journal of the European Union and entered into force on 26 March 2025. The European Commission also published FAQs on the European Health Data Space

The guidelines specify the requirements for data controllers to conduct risk assessments related to the transfer or disclosure of personal data outside the Kingdom.

By Brian Meenagh, Calum Docherty, Faisal Imam,* and Ksenia Koroleva

The Saudi Data & Artificial Intelligence Authority (SDAIA) has released non-binding guidelines for assessing risks when transferring or disclosing personal data outside the Kingdom (the Guidelines). The Guidelines supplement the updated Regulations on Personal Data Transfer Outside the Kingdom (the Regulations), which were

Advocate General Spielmann opines that personal data can be pseudonymous in the hands of one party and anonymous in the hands of another.

By Gail Crawford, Fiona M. Maclean, Myria Saarinen, Tim Wybitul, Isabelle Brams, and Amy Smyth

Advocate General Spielmann (AG) has published his Opinion in the Court of Justice of the European Union (CJEU) case C-413/23 EDPS v. SRB (Opinion), considering various questions on the scope of personal data regulated by the EU

The draft guidelines provide further clarification to the EDPB’s interpretation of legitimate interests, and suggest a potential divergence with the UK ICO.

By Gail Crawford, Fiona Maclean, Myria Saarinen, Tim Wybitul, Alice Brunning, and Calum Docherty

On 8 October 2024, the European Data Protection Board (EDPB) released draft Guidelines 1/2024 (the Guidelines) setting out its approach to processing personal data based on the “legitimate interests” legal basis in Article 6(1)(f) of the GDPR. The Guidelines

Considerations for UK and US companies that already rely, or are considering relying, on the UK-US Data Bridge for personal data transfers.

By Fiona M. Maclean and Clayton Northouse

Latham & Watkins and Privacy Laws & Business recently co-hosted a webinar looking back on the first eight months since the UK-US Data Bridge entered into force. Speakers from the UK Information Commissioner’s Office (ICO) and the US Privacy and Civil Liberties Oversight Board joined the panel for a broad discussion on the practical implementation and future outlook of the UK-US Data Bridge.

Below are key takeaways from the discussion and practical tips for UK and US organisations relying on the UK-US Data Bridge to facilitate personal data transfers to the US from the UK (and Gibraltar) while ensuring data is protected consistent with the standard imposed by UK law.

The Act establishes the world’s first comprehensive regulatory framework for AI, and is expected to shape the future of AI regulation and governance both within and beyond the EU.

By Elisabetta Righini, Hanno F. Kaiser, Tim Wybitul, Fiona M. Maclean, and Michael H. Rubin

After three years of legislative debate, the Council of the European Union cast its final vote on the European Union (EU) Artificial Intelligence (AI) Act on 21 May 2024. Once published in

Understanding the ICO’s approach to assessing financial penalties should be a key element of an organisation’s data protection strategy and risk profile.

By James Lloyd and Sami Qureshi

In an era when data protection infringements can tarnish business reputations overnight, understanding the financial ramifications is more crucial than ever. The UK’s Information Commissioner’s Office (ICO) recently unveiled its much-anticipated updated guidance on the calculation of fines for data protection infringements under the UK General Data Protection Regulation (UK GDPR) and

The amended rules follow the Biden Administration’s “whole of government” approach to maximizing notifications to executive agencies of cybersecurity events.

By Jennifer C. Archie, Matthew A. Brill, Gabriela Aroca Montaner, Chad Kenney, and Molly Whitman

On December 21, 2023, a divided Federal Communications Commission (FCC or the Commission) released a Report and Order updating its data breach reporting rules for certain telecommunications providers. The updated rules require that providers of telecommunications services, interconnected Voice over Internet