- The Amendments broaden the scope of overseas activities
China’s Cybersecurity Law Amendments Increase Penalties, Broaden Extraterritorial Enforcement
UAE’s Child Digital Safety Law: What Every Digital Platform and ISP Should Know
The law has extraterritorial reach over digital platforms and internet service providers that operate in, or target users in, the UAE.
By Brian A. Meenagh, Danielle van der Merwe, Ksenia Koroleva, and Fady Saleh
The United Arab Emirates (UAE) has enacted Federal Decree‑Law No. 26 of 2025 on Child Digital Safety (the CDS Federal Law), establishing a comprehensive framework to protect children online with extraterritorial reach over digital platforms and internet service providers that operate in, or
Digital Omnibus: EU Commission Proposes to Streamline GDPR and EU AI Act
- Seeking a more practical and flexible EU digital regulation landscape: The European Commission seeks to consolidate overlapping aspects of the GDPR, the EU AI Act, and other EU
GCEU Awards €50,000 in Non‑Material Damages for Unlawful OLAF Data Disclosure
While the case is likely to be mentioned in upcoming non-material damages claims, its unique circumstances mean defence arguments remain robust.
By Tim Wybitul, Isabelle Brams, Timo Hager, and Thies Schmitte
On 1 October 2025, the General Court of the European Union (GCEU) held the EU liable for non‑material damage caused by the unlawful processing of personal data by an EU body. In OC v. Commission (T ‑384/20 RENV),1 which concerned a press release by the
CJEU Confirms Personal Data as a Relative Concept
The CJEU rules that personal data can be pseudonymous in the hands of one party and anonymous in the hands of another.
By Myria Saarinen, Tim Wybitul, Wolf-Tassilo Böhm, Isabelle Brams, Gail Crawford, Fiona M. Maclean, Danielle van der Merwe, and Amy Smyth
The Court of Justice of the European Union (CJEU) has delivered its judgment in case C-413/23 EDPS v. SRB, addressing questions on the scope of personal data regulated by
EU Data Act — What Businesses Need to Know
The Act presents a significant overhaul of European data law, affecting most companies that handle digital products and connected services, and data processing services, in the EU.
By Sophie Goossens, Jean-Luc Juhan, Susan Kempe-Müller, Alfonso Lamadrid, Myria Saarinen, Tim Wybitul, Gail E. Crawford, James Lloyd, and Fiona M. Maclean
The EU Data Act, which took effect on September 12, 2025, is a sweeping new law that will affect any company offering connected
EU Data Act: Significant New Switching Requirements Due to Take Effect for Data Processing Services
The changes are expected to radically alter the market dynamics both between service providers and their customers and among competing service providers.
By Gail E. Crawford, Susan Kempe-Mueller, Fiona M. Maclean, Myria Saarinen, Tim Wybitul, Alain Traill, and Komal Shemar
In the rapidly evolving landscape of European tech regulation, the Data Act introduces changes with the potential to reshape established market dynamics, presenting significant challenges and opportunities for affected organisations. The Data Act is
UK Adequacy Holds Firm Under New Data (Use and Access) Act 2025
The DUAA introduces several reforms to UK data protection law, but their implications are relatively limited in practice.
By Gail E. Crawford, Fiona M. Maclean, Danielle van der Merwe, Calum Docherty, and Amy Smyth
The Data (Use and Access) Act 2025 (the DUAA) was enacted on 19 June 2025 and amends rather than replaces the existing UK data protection regime. In particular, it introduces several targeted amendments to the UK GDPR, the Data Protection Act 2018
Cybersecurity Regulation in Flux as Trump Administration Focuses on Evolving Foreign and Tech Threats
The administration has signaled a potential softening of cyber regulation for domestic entities, with increasing focus on national security priorities and preparing for the future.
By Antony (Tony) Kim and Michael H. Rubin
The Trump administration’s focus on reshaping the cyber regulatory environment continues with executive order 14306, “Sustaining Select Efforts to Strengthen the Nation’s Cybersecurity and Amending Executive Order 13694 and Executive Order 14144” (EO 14306), which was released on June 6, 2025, and issues sweeping amendments
Data Protection Compliance Audits to Take Effect in China in 2025
The Measures outline requirements and procedures for self-initiated and regulator-mandated compliance audits from May 1, 2025.
By Hui Xu and Bianca H. Lee
The Cyberspace Administration of China’s (CAC’s) official release of the Measures for Personal Information Protection Compliance Audits (the Measures) marks the CAC’s commitment to implementing the compliance audit system under the PIPL, which has been in effect since November 1, 2021. There was no formal guidance on or implementation of this requirement prior to the publication of the Measures, aside from a draft version of the Measures. The Measures took effect on May 1, 2025 (an unofficial English translation can be found here).
Compliance audits are mandatory for personal information processors (PI Processors) subject to PIPL, as stipulated in Articles 54 and 64 of the PIPL and Article 27 of the Regulations on Network Data Security Management (Network Data Regulations).