Latham & Watkins

Subscribe to Latham & Watkins's Posts

The Measures outline requirements and procedures for self-initiated and regulator-mandated compliance audits from May 1, 2025.

By Hui Xu and Bianca H. Lee

The Cyberspace Administration of China’s (CAC’s) official release of the Measures for Personal Information Protection Compliance Audits (the Measures) marks the CAC’s commitment to implementing the compliance audit system under the PIPL, which has been in effect since November 1, 2021. There was no formal guidance on or implementation of this requirement prior to the publication of the Measures, aside from a draft version of the Measures. The Measures took effect on May 1, 2025 (an unofficial English translation can be found here). 

Compliance audits are mandatory for personal information processors (PI Processors) subject to PIPL, as stipulated in Articles 54 and 64 of the PIPL and Article 27 of the Regulations on Network Data Security Management (Network Data Regulations).

GettyImages-1194981801_Abstract blue

Proposals grant controllers increased flexibility for automated decision-making, provided suitable safeguards are implemented.

By Fiona Maclean, Gail Crawford, Amy Smyth, and Lorenzo Meusburger

On 23 October 2024, the UK government introduced the Data (Use and Access) Bill (the Bill) to Parliament, marking a significant step in the evolution of the country’s data protection landscape. It follows previous reform attempts that lapsed after the July 2024 government change. The proposed legislation aims to reform various aspects of UK data protection law while also addressing broader initiatives related to data access and digital identity. Among its many provisions (138 Clauses, 16 Schedules and 251 pages to be precise), the Bill outlines notable changes in the realm of automated decision-making.

HongKong_157700245

The Regulations, which took effect on January 1, 2025, reiterate and clarify existing requirements and introduce new ones on privacy and network data security.

By Hui Xu and Bianca H. Lee

On September 30, 2024, the PRC State Council released the finalized Regulations on Network Data Security Management (Regulations), concluding a three-year consultation process since the initial draft in 2021.

The Regulations took effect January 1, 2025, and build upon the Cybersecurity Law (CSL), Data Security Law (DSL), and Personal Information Protection Law (PIPL), which form China’s legal framework for data protection and security. The Regulations integrate common cybersecurity requirements from these laws, applying them to “network data processing activities,” which include all electronic data processed through networks.

GettyImages-1194981801_Abstract blue

The deadline is fast approaching for in-scope financial entities and their ICT service providers to conform to the EU’s new digital operational resilience regulation.

By Christian F. McDermott and Alain Traill

With effect from 17 January 2025, a broad range of EU financial entities will be subject to the new EU regulation on digital operational resilience for the financial sector (DORA), with significant impact for firms and their third-party ICT service providers. As the new landscape takes shape, below is an overview of some of the key changes and steps that impacted financial entities and providers should be taking ahead of the deadline.

Covered institutions will need to review their cybersecurity and incident response policies and procedures ahead of the applicable compliance deadline.

By Robert Blamires, Laura Ferrell, Daniel Filstrup, Jennifer Howes, and Sarah Zahedi

The Securities and Exchange Commission (SEC) recently1 adopted amendments to Regulation S-P that expand the scope of requirements applicable to brokers, dealers, investment companies, SEC-registered investment advisers, and foreign (non-resident) SEC-registered brokers, dealers, investment companies, and investment advisers (together, Covered Institutions) in order

iStock_000038860070_Large-669x669

Businesses need to be proactive in updating their compliance measures to meet the ever-evolving set of privacy laws and regulatory expectations in 2024 and beyond.

By Michael H. Rubin, Robert W. Brown, Max G. Mazzelli, Jennifer Howes, and Sarah Zahedi

Following the notable uptick in state-level privacy laws in 2023, a wave of new comprehensive state privacy laws and state laws seeking to regulate health privacy, youth privacy, online platforms, and data brokers are set to take effect this year. While a draft federal comprehensive privacy law — the American Privacy Rights Act — aimed at harmonizing this patchwork of state laws was introduced last month, until such a law actually passes, the quickly evolving state regulatory landscape will continue to set the standards for how most businesses must handle personal information in the US.

Privacy concept: Home on digital background

The PDPL has broad extraterritorial scope and substantial penalties for non-compliance, with full enforcement expected to start in September.

By Brian A. Meenagh and Lucy Tucker

The Personal Data Protection Law (PDPL) is the first comprehensive data protection law in Saudi Arabia. The Saudi Data and Artificial Intelligence Authority (SDAIA) is expected to start full enforcement of the PDPL from 14 September 2024, after the current compliance transition period ends. SDAIA emphasised that it expects entities to take measures to achieve compliance with the PDPL by the September deadline.  

The Advocate General opined that data subjects must prove that they suffered damage from a GDPR breach in order to claim compensation.

By Tim Wybitul, Isabelle Brams, Lara Nonninger, and Hayley Pizzey

Article 82 of the General Data Protection Regulation (GDPR) states that any person who has suffered material or non-material damage as a result of a GDPR infringement has the right to receive compensation. The meaning of non-material damage, in particular, has been debated for some time. Some European courts have been generous in assessing non-material damages to claimants. A number of German courts, for example, have found that loss of control of personal data can amount to damage.[1] A series of cases before the Court of Justice of the European Union (CJEU) also question, among other things, whether damage — or proof of damage — is required at all under Article 82 GDPR.[2]

UK government sets out ambitious proposal for reforming the UK data protection landscape.

By Gail E. Crawford, Ian Felstead, Fiona M. Maclean, Irina Vasile, Timothy Neo, and Amy Smyth

On 17 June 2022, the Department for Culture, Media and Sport (DCMS) published its response to its consultation “Data: a new direction” (the Consultation), setting out the government’s plans to reform the UK data protection regime.

These reforms are part of the UK’s National Data Strategy, which seeks to shift focus from prescriptive requirements to a risk-based approach, thereby making data protection less burdensome for businesses and enabling them to protect personal data in a proportionate and appropriate way. The DCMS has indicated, in comments at a recent conference, that the intention and direction of travel is to build on, improve, and clarify the approach that the UK will take with the UK GDPR in a way that benefits businesses whilst maintaining the same level of data protection for individuals.

This blog post scrutinises some of the Consultation’s key takeaways. For a full list of proposals that are being taken forward pursuant to the Consultation, see this response Annex.

The Advocate General argues that organisations should provide individuals with information on the specific recipients of their personal data.

By Tim Wybitul, James Lloyd, Isabelle Brams, Irina Vasile, and Amy Smyth

Advocate General Giovanni Pitruzzella (AG) of the Court of Justice of the European Union (CJEU) recently delivered an opinion (the Opinion) regarding the interpretation of an individual’s right of access to their data under Article 15 GDPR (often known as a data subject access request, or DSAR/SAR). Specifically, the Opinion addresses an individual’s right to access information about “the recipients or categories of recipient to whom the personal data have been or will be disclosed […]”, pursuant to Article 15(1)(c) GDPR. The AG delivered the Opinion in the context of Case C-154/21 (the Case), which is currently pending before the CJEU.