Proposals grant controllers increased flexibility for automated decision-making, provided suitable safeguards are implemented.

By Fiona Maclean, Gail Crawford, Amy Smyth, and Lorenzo Meusburger

On 23 October 2024, the UK government introduced the Data (Use and Access) Bill (the Bill) to Parliament, marking a significant step in the evolution of the country’s data protection landscape. It follows previous reform attempts that lapsed after the July 2024 government change. The proposed legislation aims to reform various aspects of UK data protection law while also addressing broader initiatives related to data access and digital identity. Among its many provisions (138 Clauses, 16 Schedules and 251 pages to be precise), the Bill outlines notable changes in the realm of automated decision-making.

The Regulations, which took effect on January 1, 2025, reiterate and clarify existing requirements and introduce new ones on privacy and network data security.

By Hui Xu and Bianca H. Lee

On September 30, 2024, the PRC State Council released the finalized Regulations on Network Data Security Management (Regulations), concluding a three-year consultation process since the initial draft in 2021.

The Regulations took effect January 1, 2025, and build upon the Cybersecurity Law (CSL), Data Security Law (DSL), and Personal Information Protection Law (PIPL), which form China’s legal framework for data protection and security. The Regulations integrate common cybersecurity requirements from these laws, applying them to “network data processing activities,” which include all electronic data processed through networks.

The draft guidelines provide further clarification to the EDPB’s interpretation of legitimate interests, and suggest a potential divergence with the UK ICO.

By Gail Crawford, Fiona Maclean, Myria Saarinen, Tim Wybitul, Alice Brunning, and Calum Docherty

On 8 October 2024, the European Data Protection Board (EDPB) released draft Guidelines 1/2024 (the Guidelines) setting out its approach to processing personal data based on the “legitimate interests” legal basis in Article 6(1)(f) of the GDPR. The Guidelines

Considerations for UK and US companies that are already or considering relying on the UK-US Data Bridge for personal data transfers.

By Fiona M. Maclean and Clayton Northouse

Latham & Watkins and Privacy Laws & Business recently co-hosted a webinar looking back on the first eight months since the UK-US Data Bridge entered into force. Speakers from the UK Information Commissioner’s Office (ICO) and the US Privacy and Civil Liberties Oversight Board joined the panel for a broad discussion on the practical implementation and future outlook of the UK-US Data Bridge.

Below are key takeaways from the discussion and practical tips for UK and US organisations relying on the UK-US Data Bridge to facilitate personal data transfers to the US from the UK (and Gibraltar) while ensuring data is protected consistent with the standard imposed by UK law.

Businesses need to be proactive in updating their compliance measures to meet the ever-evolving set of privacy laws and regulatory expectations in 2024 and beyond.

By Michael H. Rubin, Robert W. Brown, Max G. Mazzelli, Jennifer Howes, and Sarah Zahedi

Following the notable uptick in state-level privacy laws in 2023, a wave of new comprehensive state privacy laws and state laws seeking to regulate health privacy, youth privacy, online platforms, and data brokers are set to take effect this year. While a draft federal comprehensive privacy law — the American Privacy Rights Act — aimed at harmonizing this patchwork of state laws was introduced last month, until such a law actually passes, the quickly evolving state regulatory landscape will continue to set the standards for how most businesses must handle personal information in the US.

Understanding the ICO’s approach to assessing financial penalties should be a key element of an organisation’s data protection strategy and risk profile.

By James Lloyd and Sami Qureshi

In an era when data protection infringements can tarnish business reputations overnight, understanding the financial ramifications is more crucial than ever. The UK’s Information Commissioner’s Office (ICO) recently unveiled its much-anticipated updated guidance on the calculation of fines for data protection infringements under the UK General Data Protection Regulation (UK GDPR) and

The PDPL has broad extraterritorial scope and substantial penalties for non-compliance, with full enforcement expected to start in September.

By Brian A. Meenagh and Lucy Tucker

The Personal Data Protection Law (PDPL) is the first comprehensive data protection law in Saudi Arabia. The Saudi Data and Artificial Intelligence Authority (SDAIA) is expected to start full enforcement of the PDPL from 14 September 2024, after the current compliance transition period ends. SDAIA emphasised that it expects entities to take measures to achieve compliance with the PDPL by the September deadline.  

The proposed amendments are expansive and would significantly affect how companies comply with the Children’s Online Privacy Protection Act.

By Jennifer C. Archie, Marissa R. Boynton, Michael H. Rubin, Gabriela Aroca Montaner, Samantha M. Laufer, and Molly Whitman

Key Points:

  • The proposed amendments, which clarify or expand many of the COPPA Rule’s existing provisions, would be the first updates to the Rule in over a decade and would formalize recent FTC guidance and enforcement in

Covered financial institutions now face heightened expectations in relation to cybersecurity governance, risk assessment, and incident reporting.

By Jenny Cieplak, Tony Kim, Arthur Long, Clayton Northouse, Serrin Turner, Yvette D. Valdez, Deric Behar, and Molly Whitman

The New York State Department of Financial Services’ (DFS) amendments (the Amendments) to its cybersecurity regulations, which were adopted last month with the first implementation deadline of December 1, 2023, impose new and enhanced requirements on covered entities.

On November 1, 2023, the DFS announced the Amendments to its regulations that were initially published in 2017 (23 NYCRR part 500). The changes impose more demanding requirements for larger entities, new obligations to report ransomware incidents and payments, and expanded oversight responsibilities for board and senior management. Requirements related to business continuity and disaster recovery have also been included for the first time.

The new general data privacy laws in Oregon and Delaware expand on existing requirements under other state privacy laws.*

By Robert Blamires, Clayton Northouse, Austin L. Anderson, and Jennifer Howes

Key Takeaways:

  • On July 20, 2023, Oregon’s governor signed the Oregon Consumer Privacy Act into law. The law will take effect on July 1, 2024.
  • On September 11, 2023, Delaware’s governor signed the Delaware Personal Data Privacy Act into law. The law will take effect on January 1, 2025.
  • The Oregon law expands individuals’ right of access to their data to now include a list of names of the third parties to which a business has disclosed an individual’s personal data.[i]
  • Unlike most of the other new state general data privacy laws (and several other existing data privacy regimes), both laws apply to nonprofit entities, with some limited exceptions. Oregon gives nonprofit entities a one-year grace period beyond the law’s effective date.
  • Delaware requires covered businesses to obtain consent of individuals between the ages of 13 and 18 prior to processing their personal data for purposes of selling, targeted advertising, or certain profiling activities.