Latham & Watkins LLP

Subscribe to Latham & Watkins LLP's Posts
Abstract Blue Globe With Glowing Networks - Europe

The Act presents a significant overhaul of European data law, affecting most companies that handle digital products and connected services, and data processing services, in the EU.

By Sophie Goossens, Jean-Luc Juhan, Susan Kempe-Müller, Alfonso Lamadrid, Myria Saarinen, Tim Wybitul, Gail E. Crawford, James Lloyd, and Fiona M. Maclean

The EU Data Act, which took effect on September 12, 2025, is a sweeping new law that will affect any company offering connected

The changes are expected to radically alter the market dynamics both between service providers and their customers and among competing service providers.

By Gail E. Crawford, Susan Kempe-Mueller, Fiona M. Maclean, Myria Saarinen, Tim Wybitul, Alain Traill, and Komal Shemar

In the rapidly evolving landscape of European tech regulation, the Data Act introduces changes with the potential to reshape established market dynamics, presenting significant challenges and opportunities for affected organisations. The Data Act is

iStock_000038860070_Large-669x669

The DUAA introduces several reforms to UK data protection law, but their implications are relatively limited in practice.

By Gail E. Crawford, Fiona M. Maclean, Danielle van der Merwe, Calum Docherty, and Amy Smyth

The Data (Use and Access) Act 2025 (the DUAA) was enacted on 19 June 2025 and amends rather than replaces the existing UK data protection regime. In particular, it introduces several targeted amendments to the UK GDPR, the Data Protection Act 2018

The administration has signaled a potential softening of cyber regulation for domestic entities, with increasing focus on national security priorities and preparing for the future.

By Antony (Tony) Kim and Michael H. Rubin

The Trump administration’s focus on reshaping the cyber regulatory environment continues with executive order 14306, “Sustaining Select Efforts to Strengthen the Nation’s Cybersecurity and Amending Executive Order 13694 and Executive Order 14144” (EO 14306), which was released on June 6, 2025, and issues sweeping amendments

Close up of a young boy using a tablet computer

The first updates to the COPPA Rule since 2013 impose new obligations for sharing children’s personal information with third parties.

By Jennifer C. Archie, Marissa R. Boynton, Michael H. Rubin, Molly O’Malley Clarke, and Elizabeth Yin

On April 22, 2025, the Federal Trade Commission (FTC or Commission) published the final amendments to the Children’s Online Privacy Protection Rule (COPPA Rule)1 in the Federal Register. The published amendments will become effective on June 23, 2025

Facade Flags Justice Department Building Washington DC

New DOJ guidance helps companies understand their obligations under the DSP, which
could severely impact investment agreements and ordinary commercial data transactions.

By Jennifer ArchieHeather B. DeixlerClayton NorthouseMichael RubinMax MazzelliBrianna Gordon, and Kiara Vaughn

On April 11, 2025, the US Department of Justice (DOJ) released new guidance on its final rule, known as the “Data Security Program” (DSP), which went into effect on April 8, 2025. The DSP

GettyImages-1194981801_Abstract blue

The draft law proposes a data embassy ecosystem and comprehensive framework in Saudi Arabia, promoting its position as a global AI hub.

By Brian Meenagh, Ksenia Koroleva, and Faisal Imam*

On April 14, 2025, Saudi Arabia’s Communications, Space and Technology Commission (CST) issued a consultation draft of a “Global AI Hub Law.” This draft law marks Saudi Arabia as the first G20 nation to publish a draft of a comprehensive legal framework that embraces the

general data protection regulation GDPR

The CJEU has decided that the maximum thresholds for GDPR fines should be calculated using the global turnover of the broader corporate group, not solely the infringing entity.

By Gail Crawford, Fiona M. Maclean, Myria Saarinen, Tim Wybitul, Isabelle Brams, and Amy Smyth

The penalties provisions of the EU General Data Protection Regulation (GDPR) include a framework for the calculation of the fines that may be imposed on infringing organisations by national supervisory authorities and

general data protection regulation GDPR

Companies subject to India’s new data protection law should assess practical implications.

By Gail Crawford, Fiona Maclean, Danielle van der Merwe, Kate Burrell, Bianca H. Lee, Alex Park, Irina Vasile, and Amy Smyth

The Indian parliament enacted India’s first comprehensive data protection law on 11 August 2023, namely the Digital Personal Data Protection Act 2023 (the DPDPA). The DPDPA will replace India’s existing patchwork of data protection rules[i] and is expected to trigger significant changes in how companies subject to Indian data protection laws process personal data. However, the law is not yet operational; no effective date has been established and there is no official timeline for the overall implementation. Stakeholders expect the law to come into force in a phased manner in the next six to 12 months, after:

  1. an independent agency responsible for enforcing the DPDPA — the Data Protection Board of India (the Data Protection Board) — is established; and
  2. the Indian government has framed the subordinate rules (which are expected to provide interpretative guidance on procedural steps and enforcement methodology).

The DPDPA is “umbrella” legislation, as it sets out only a high-level framework for India’s new data protection regime, with supplementary rules expected in due course. Though the new law is not yet operational, companies subject to the new law are advised to begin assessing potential practical implications at an early stage.