Organisations doing business in India should note the differences between GDPR and DPDPA requirements, including potential programmes that may need uplift to ensure compliance.
By Gail E. Crawford, Calum Docherty, Fiona M. Maclean, Rhys McWhirter, Esther Franks, Danielle van der Merwe, Bianca H. Lee, and Amy Smyth
The Parliament of India enacted the country’s first comprehensive data protection law, the Digital Personal Data Protection Act 2023 (the DPDPA), on 11 August 2023. The
The executive actions emphasize public-private partnerships, enhanced information sharing, and leveraging commercial cybersecurity capabilities.
By Jennifer C. Archie, Marissa R. Boynton, Antony (Tony) Kim, Clayton Northouse, Michael H. Rubin, and Serrin Turner
On March 6, 2026, President Trump signed an executive order titled “Combating Cybercrime, Fraud, and Predatory Schemes Against American Citizens” (the Order) that directs an interagency coalition to improve existing policy frameworks to address cyber threats and target transnational criminal organizations. The White
The law has extraterritorial reach over digital platforms and internet service providers that operate in, or target users in, the UAE.
By Brian A. Meenagh, Danielle van der Merwe, Ksenia Koroleva, and Fady Saleh
The United Arab Emirates (UAE) has enacted Federal Decree‑Law No. 26 of 2025 on Child Digital Safety (the CDS Federal Law), establishing a comprehensive framework to protect children online with extraterritorial reach over digital platforms and internet service providers that operate in, or
While the case is likely to be mentioned in upcoming non-material damages claims, its unique circumstances mean defence arguments remain robust.
By Tim Wybitul, Isabelle Brams, Timo Hager, and Thies Schmitte
On 1 October 2025, the General Court of the European Union (GCEU) held the EU liable for non‑material damage caused by the unlawful processing of personal data by an EU body. In OC v. Commission (T ‑384/20 RENV),1 which concerned a press release by the
The measures, which take effect on November 1, 2025, position China with one of the more rigorous cybersecurity incident notification regimes in Asia.
By Hui Xu, Rhys McWhirter, and Bianca H. Lee
The Cyberspace Administration of China (CAC) issued the Measures on National Cybersecurity Incident Reporting (the Measures) on September 11, 2025. The Measures will take effect on November 1, 2025, establishing a comprehensive framework for the classification, reporting, and management of cybersecurity incidents within the People’s Republic
New privacy regulations provide insights into California’s approach to ADMT, cybersecurity audits, and risk assessments, while amendments impact compliance with consumer rights obligations.
By Michael H. Rubin, Jennifer Howes, Austin Anderson, Eric Gonzalez, and Sherry Tseng
Long-awaited revisions to the California Consumer Privacy Act (CCPA) Regulations were recently approved by the California Office of Administrative Law on September 22, 2025. These revisions come after a year-long process of debate and public comment and will take effect
The CJEU rules that personal data can be pseudonymous in the hands of one party and anonymous in the hands of another.
By Myria Saarinen, Tim Wybitul, Wolf-Tassilo Böhm, Isabelle Brams, Gail Crawford, Fiona M. Maclean, Danielle van der Merwe, and Amy Smyth
The Court of Justice of the European Union (CJEU) has delivered its judgment in case C-413/23 EDPS v. SRB, addressing questions on the scope of personal data regulated by
The Act presents a significant overhaul of European data law, affecting most companies that handle digital products and connected services, and data processing services, in the EU.
By Sophie Goossens, Jean-Luc Juhan, Susan Kempe-Müller, Alfonso Lamadrid, Myria Saarinen, Tim Wybitul, Gail E. Crawford, James Lloyd, and Fiona M. Maclean
The EU Data Act, which took effect on September 12, 2025, is a sweeping new law that will affect any company offering connected