The Measures outline requirements and procedures for self-initiated and regulator-mandated compliance audits from May 1, 2025.

By Hui Xu and Bianca H. Lee

The Cyberspace Administration of China’s (CAC’s) official release of the Measures for Personal Information Protection Compliance Audits (the Measures) marks the CAC’s commitment to implementing the compliance audit system under the PIPL, which has been in effect since November 1, 2021. There was no formal guidance on or implementation of this requirement prior to the publication of the Measures, aside from a draft version of the Measures. The Measures took effect on May 1, 2025 (an unofficial English translation can be found here). 

Compliance audits are mandatory for personal information processors (PI Processors) subject to PIPL, as stipulated in Articles 54 and 64 of the PIPL and Article 27 of the Regulations on Network Data Security Management (Network Data Regulations).

Close up of a young boy using a tablet computer

The first updates to the COPPA Rule since 2013 impose new obligations for sharing children’s personal information with third parties.

By Jennifer C. Archie, Marissa R. Boynton, Michael H. Rubin, Molly O’Malley Clarke, and Elizabeth Yin

On April 22, 2025, the Federal Trade Commission (FTC or Commission) published the final amendments to the Children’s Online Privacy Protection Rule (COPPA Rule)1 in the Federal Register. The published amendments will become effective on June 23, 2025

Facade Flags Justice Department Building Washington DC

DOJ emphasizes need to come into full compliance with its new rule by July 8.

By Jennifer Archie, Heather B. Deixler, Clayton Northouse, Michael Rubin, Max Mazzelli, Brianna Gordon, and Kiara Vaughn

On April 11, 2025, the US Department of Justice (DOJ) released guidance regarding its final rule, known as the “Data Security Program” (DSP). The DSP, originally issued on December 27, 2024, and effective on April 8, 2025 (with certain diligence, auditing, and

GettyImages-1194981801_Abstract blue

The draft law proposes a data embassy ecosystem and comprehensive framework in Saudi Arabia, promoting its position as a global AI hub.

By Brian Meenagh, Ksenia Koroleva, and Faisal Imam*

On April 14, 2025, Saudi Arabia’s Communications, Space and Technology Commission (CST) issued a consultation draft of a “Global AI Hub Law.” This draft law marks Saudi Arabia as the first G20 nation to publish a draft of a comprehensive legal framework that embraces the

artificial intelligence machine learning big data concept

The EU regulation designed to facilitate secondary use of clinical data for research brings benefits for health research, but also poses challenges for companies.

By Deniz Tschammler, Danielle van der Merwe, Oliver Mobasser

On 5 March 2025, Regulation 2025/327 creating the European Health Data Space (the EHDS Regulation) was published in the Official Journal of the European Union and entered into force on 26 March 2025. The European Commission also published FAQs on the European Health Data Space

Internet Security Concept

The guidelines specify the requirements for data controllers to conduct risk assessments related to the transfer or disclosure of personal data outside the Kingdom.

By Brian Meenagh, Calum Docherty, Faisal Imam,* and Ksenia Koroleva

The Saudi Data & Artificial Intelligence Authority (SDAIA) has released non-binding guidelines for assessing risks when transferring or disclosing personal data outside the Kingdom (the Guidelines). The Guidelines supplement the updated Regulations on Personal Data Transfer Outside the Kingdom (the Regulations), which were

Padlock on laptop

Advocate General Spielmann opines that personal data can be pseudonymous in the hands of one party and anonymous in the hands of another.

By Gail Crawford, Fiona M. Maclean, Myria Saarinen, Tim Wybitul, Isabelle Brams, and Amy Smyth

Advocate General Spielmann (AG) has published his Opinion in the Court of Justice of the European Union (CJEU) case C-413/23 EDPS v. SRB (Opinion), considering various questions on the scope of personal data regulated by the EU

general data protection regulation GDPR

The CJEU has decided that the maximum thresholds for GDPR fines should be calculated using the global turnover of the broader corporate group, not solely the infringing entity.

By Gail Crawford, Fiona M. Maclean, Myria Saarinen, Tim Wybitul, Isabelle Brams, and Amy Smyth

The penalties provisions of the EU General Data Protection Regulation (GDPR) include a framework for the calculation of the fines that may be imposed on infringing organisations by national supervisory authorities and

GettyImages-1194981801_Abstract blue

Proposals grant controllers increased flexibility for automated decision-making, provided suitable safeguards are implemented.

By Fiona Maclean, Gail Crawford, Amy Smyth, and Lorenzo Meusburger

On 23 October 2024, the UK government introduced the Data (Use and Access) Bill (the Bill) to Parliament, marking a significant step in the evolution of the country’s data protection landscape. It follows previous reform attempts that lapsed after the July 2024 government change. The proposed legislation aims to reform various aspects of UK data protection law while also addressing broader initiatives related to data access and digital identity. Among its many provisions (138 Clauses, 16 Schedules and 251 pages to be precise), the Bill outlines notable changes in the realm of automated decision-making.

HongKong_157700245

The Regulations, which took effect on January 1, 2025, reiterate and clarify existing requirements and introduce new ones on privacy and network data security.

By Hui Xu and Bianca H. Lee

On September 30, 2024, the PRC State Council released the finalized Regulations on Network Data Security Management (Regulations), concluding a three-year consultation process since the initial draft in 2021.

The Regulations took effect January 1, 2025, and build upon the Cybersecurity Law (CSL), Data Security Law (DSL), and Personal Information Protection Law (PIPL), which form China’s legal framework for data protection and security. The Regulations integrate common cybersecurity requirements from these laws, applying them to “network data processing activities,” which include all electronic data processed through networks.