Skyscrapers and highways of downtown Dubai, United Arab Emirates, at sunset

The law has extraterritorial reach over digital platforms and internet service providers that operate in, or target users in, the UAE.

By Brian A. Meenagh, Danielle van der Merwe, Ksenia Koroleva, and Fady Saleh

The United Arab Emirates (UAE) has enacted Federal Decree‑Law No. 26 of 2025 on Child Digital Safety (the CDS Federal Law), establishing a comprehensive framework to protect children online with extraterritorial reach over digital platforms and internet service providers that operate in, or

2to1 - EU Flag_185165281.jpg_13770

While the case is likely to be mentioned in upcoming non-material damages claims, its unique circumstances mean defence arguments remain robust.

By Tim Wybitul, Isabelle Brams, Timo Hager, and Thies Schmitte

On 1 October 2025, the General Court of the European Union (GCEU) held the EU liable for non‑material damage caused by the unlawful processing of personal data by an EU body. In OC v. Commission (T ‑384/20 RENV),1 which concerned a press release by the

Hong Kong in the springtime

The measures, which take effect on November 1, 2025, position China with one of the more rigorous cybersecurity incident notification regimes in Asia.

By Hui Xu, Rhys McWhirter, and Bianca H. Lee

The Cyberspace Administration of China (CAC) issued the Measures on National Cybersecurity Incident Reporting (the Measures) on September 11, 2025. The Measures will take effect on November 1, 2025, establishing a comprehensive framework for the classification, reporting, and management of cybersecurity incidents within the People’s Republic

Binary 3D Tunnel

New privacy regulations provide insights into California’s approach to ADMT, cybersecurity audits, and risk assessments, while amendments impact compliance with consumer rights obligations.

By Michael H. Rubin, Jennifer Howes, Austin Anderson, Eric Gonzalez, and Sherry Tseng

Long-awaited revisions to the California Consumer Privacy Act (CCPA) Regulations were recently approved by the California Office of Administrative Law on September 22, 2025. These revisions come after a year-long process of debate and public comment and will take effect

The CJEU rules that personal data can be pseudonymous in the hands of one party and anonymous in the hands of another.

By Myria Saarinen, Tim Wybitul, Wolf-Tassilo Böhm, Isabelle Brams, Gail Crawford, Fiona M. Maclean, Danielle van der Merwe, and Amy Smyth

The Court of Justice of the European Union (CJEU) has delivered its judgment in case C-413/23 EDPS v. SRB, addressing questions on the scope of personal data regulated by

Abstract Blue Globe With Glowing Networks - Europe

The Act presents a significant overhaul of European data law, affecting most companies that handle digital products and connected services, and data processing services, in the EU.

By Sophie Goossens, Jean-Luc Juhan, Susan Kempe-Müller, Alfonso Lamadrid, Myria Saarinen, Tim Wybitul, Gail E. Crawford, James Lloyd, and Fiona M. Maclean

The EU Data Act, which took effect on September 12, 2025, is a sweeping new law that will affect any company offering connected

Digital fingerprint scanning verification process

EU General Court confirms United States ensured an adequate level of protection for EU personal data transfers to the US.

By Ian Felstead, Tim Wybitul, Wolf-Tassilo Böhm, Hayley M. Pizzey, Isabelle Brams, and Clarence Cheong

On 3 September 2025, the EU General Court delivered its judgment in Case T-553/23, Latombe v. Commission. The court dismissed Latombe’s action for annulment of the EU-US Data Privacy Framework (DPF) and upheld the European Commission’s Adequacy Decision (Adequacy

The changes are expected to radically alter the market dynamics both between service providers and their customers and among competing service providers.

By Gail E. Crawford, Susan Kempe-Mueller, Fiona M. Maclean, Myria Saarinen, Tim Wybitul, Alain Traill, and Komal Shemar

In the rapidly evolving landscape of European tech regulation, the Data Act introduces changes with the potential to reshape established market dynamics, presenting significant challenges and opportunities for affected organisations. The Data Act is