Organisations doing business in India should note the differences between GDPR and DPDPA requirements, including potential programmes that may need uplift to ensure compliance.
By Gail E. Crawford, Calum Docherty, Fiona M. Maclean, Rhys McWhirter, Esther Franks, Danielle van der Merwe, Bianca H. Lee, and Amy Smyth
The Parliament of India enacted the country’s first comprehensive data protection law, the Digital Personal Data Protection Act 2023 (the DPDPA), on 11 August 2023. The
The executive actions emphasize public-private partnerships, enhanced information sharing, and leveraging commercial cybersecurity capabilities.
By Jennifer C. Archie, Marissa R. Boynton, Antony (Tony) Kim, Clayton Northouse, Michael H. Rubin, and Serrin Turner
On March 6, 2026, President Trump signed an executive order titled “Combating Cybercrime, Fraud, and Predatory Schemes Against American Citizens” (the Order) that directs an interagency coalition to improve existing policy frameworks to address cyber threats and target transnational criminal organizations. The White
The law has extraterritorial reach over digital platforms and internet service providers that operate in, or target users in, the UAE.
By Brian A. Meenagh, Danielle van der Merwe, Ksenia Koroleva, and Fady Saleh
The United Arab Emirates (UAE) has enacted Federal Decree‑Law No. 26 of 2025 on Child Digital Safety (the CDS Federal Law), establishing a comprehensive framework to protect children online with extraterritorial reach over digital platforms and internet service providers that operate in, or
While the case is likely to be mentioned in upcoming non-material damages claims, its unique circumstances mean defence arguments remain robust.
By Tim Wybitul, Isabelle Brams, Timo Hager, and Thies Schmitte
On 1 October 2025, the General Court of the European Union (GCEU) held the EU liable for non‑material damage caused by the unlawful processing of personal data by an EU body. In OC v. Commission (T ‑384/20 RENV),1 which concerned a press release by the
The CJEU rules that personal data can be pseudonymous in the hands of one party and anonymous in the hands of another.
By Myria Saarinen, Tim Wybitul, Wolf-Tassilo Böhm, Isabelle Brams, Gail Crawford, Fiona M. Maclean, Danielle van der Merwe, and Amy Smyth
The Court of Justice of the European Union (CJEU) has delivered its judgment in case C-413/23 EDPS v. SRB, addressing questions on the scope of personal data regulated by
The Act presents a significant overhaul of European data law, affecting most companies that handle digital products and connected services, and data processing services, in the EU.
By Sophie Goossens, Jean-Luc Juhan, Susan Kempe-Müller, Alfonso Lamadrid, Myria Saarinen, Tim Wybitul, Gail E. Crawford, James Lloyd, and Fiona M. Maclean
The EU Data Act, which took effect on September 12, 2025, is a sweeping new law that will affect any company offering connected
The changes are expected to radically alter the market dynamics both between service providers and their customers and among competing service providers.
By Gail E. Crawford, Susan Kempe-Mueller, Fiona M. Maclean, Myria Saarinen, Tim Wybitul, Alain Traill, and Komal Shemar
In the rapidly evolving landscape of European tech regulation, the Data Act introduces changes with the potential to reshape established market dynamics, presenting significant challenges and opportunities for affected organisations. The Data Act is
The DUAA introduces several reforms to UK data protection law, but their implications are relatively limited in practice.
By Gail E. Crawford, Fiona M. Maclean, Danielle van der Merwe, Calum Docherty, and Amy Smyth
The Data (Use and Access) Act 2025 (the DUAA) was enacted on 19 June 2025 and amends rather than replaces the existing UK data protection regime. In particular, it introduces several targeted amendments to the UK GDPR, the Data Protection Act 2018