- The Amendments broaden the scope of overseas activities
China’s Cybersecurity Law Amendments Increase Penalties, Broaden Extraterritorial Enforcement
GCEU Awards €50,000 in Non‑Material Damages for Unlawful OLAF Data Disclosure
While the case is likely to be mentioned in upcoming non-material damages claims, its unique circumstances mean defence arguments remain robust.
By Tim Wybitul, Isabelle Brams, Timo Hager, and Thies Schmitte
On 1 October 2025, the General Court of the European Union (GCEU) held the EU liable for non‑material damage caused by the unlawful processing of personal data by an EU body. In OC v. Commission (T ‑384/20 RENV),1 which concerned a press release by the
Navigating New Obligations Under the CCPA’s Updated Regulations
New privacy regulations provide insights into California’s approach to ADMT, cybersecurity audits, and risk assessments, while amendments impact compliance with consumer rights obligations.
By Michael H. Rubin, Jennifer Howes, Austin Anderson, Eric Gonzalez, and Sherry Tseng
Long-awaited revisions to the California Consumer Privacy Act (CCPA) Regulations were recently approved by the California Office of Administrative Law on September 22, 2025. These revisions come after a year-long process of debate and public comment and will take effect
CJEU Confirms Personal Data as a Relative Concept
The CJEU rules that personal data can be pseudonymous in the hands of one party and anonymous in the hands of another.
By Myria Saarinen, Tim Wybitul, Wolf-Tassilo Böhm, Isabelle Brams, Gail Crawford, Fiona M. Maclean, Danielle van der Merwe, and Amy Smyth
The Court of Justice of the European Union (CJEU) has delivered its judgment in case C-413/23 EDPS v. SRB, addressing questions on the scope of personal data regulated by
EU-US Data Privacy Framework on Personal Data Transfers Survives Legal Challenge
EU General Court confirms United States ensured an adequate level of protection for EU personal data transfers to the US.
By Ian Felstead, Tim Wybitul, Wolf-Tassilo Böhm, Hayley M. Pizzey, Isabelle Brams, and Clarence Cheong
On 3 September 2025, the EU General Court delivered its judgment in Case T-553/23, Latombe v. Commission. The court dismissed Latombe’s action for annulment of the EU-US Data Privacy Framework (DPF) and upheld the European Commission’s Adequacy Decision (Adequacy
FTC Publishes Updates to COPPA Rule
The first updates to the COPPA Rule since 2013 impose new obligations for sharing children’s personal information with third parties.
By Jennifer C. Archie, Marissa R. Boynton, Michael H. Rubin, Molly O’Malley Clarke, and Elizabeth Yin
On April 22, 2025, the Federal Trade Commission (FTC or Commission) published the final amendments to the Children’s Online Privacy Protection Rule (COPPA Rule)1 in the Federal Register. The published amendments will become effective on June 23, 2025
Preparing for the European Health Data Space — Opportunities and Challenges for Europe’s Digital Future
The EU regulation designed to facilitate secondary use of clinical data for research brings benefits for health research, but also poses challenges for companies.
By Deniz Tschammler, Danielle van der Merwe, Oliver Mobasser
On 5 March 2025, Regulation 2025/327 creating the European Health Data Space (the EHDS Regulation) was published in the Official Journal of the European Union and entered into force on 26 March 2025. The European Commission also published FAQs on the European Health Data Space
Kingdom of Saudi Arabia Issues New Data Transfer Risk Assessment Guidelines
The guidelines specify the requirements for data controllers to conduct risk assessments related to the transfer or disclosure of personal data outside the Kingdom.
By Brian Meenagh, Calum Docherty, Faisal Imam,* and Ksenia Koroleva
The Saudi Data & Artificial Intelligence Authority (SDAIA) has released non-binding guidelines for assessing risks when transferring or disclosing personal data outside the Kingdom (the Guidelines). The Guidelines supplement the updated Regulations on Personal Data Transfer Outside the Kingdom (the Regulations), which were
Personal Data: A Relative Concept?
Advocate General Spielmann opines that personal data can be pseudonymous in the hands of one party and anonymous in the hands of another.
By Gail Crawford, Fiona M. Maclean, Myria Saarinen, Tim Wybitul, Isabelle Brams, and Amy Smyth
Advocate General Spielmann (AG) has published his Opinion in the Court of Justice of the European Union (CJEU) case C-413/23 EDPS v. SRB (Opinion), considering various questions on the scope of personal data regulated by the EU
Data (Use and Access) Bill: Automated Decision-Making in the Spotlight
Proposals grant controllers increased flexibility for automated decision-making, provided suitable safeguards are implemented.
By Fiona Maclean, Gail Crawford, Amy Smyth, and Lorenzo Meusburger
On 23 October 2024, the UK government introduced the Data (Use and Access) Bill (the Bill) to Parliament, marking a significant step in the evolution of the country’s data protection landscape. It follows previous reform attempts that lapsed after the July 2024 government change. The proposed legislation aims to reform various aspects of UK data protection law while also addressing broader initiatives related to data access and digital identity. Among its many provisions (138 Clauses, 16 Schedules and 251 pages to be precise), the Bill outlines notable changes in the realm of automated decision-making.