EU General Court confirms United States ensured an adequate level of protection for EU personal data transfers to the US.
By Ian Felstead, Tim Wybitul, Wolf-Tassilo Böhm, Hayley M. Pizzey, Isabelle Brams, and Clarence Cheong
On 3 September 2025, the EU General Court delivered its judgment in Case T-553/23, Latombe v. Commission. The court dismissed Latombe’s action for annulment of the EU-US Data Privacy Framework (DPF) and upheld the European Commission’s Adequacy Decision (Adequacy
The changes are expected to radically alter the market dynamics both between service providers and their customers and among competing service providers.
By Gail E. Crawford, Susan Kempe-Mueller, Fiona M. Maclean, Myria Saarinen, Tim Wybitul, Alain Traill, and Komal Shemar
In the rapidly evolving landscape of European tech regulation, the Data Act introduces changes with the potential to reshape established market dynamics, presenting significant challenges and opportunities for affected organisations. The Data Act is
The DUAA introduces several reforms to UK data protection law, but their implications are relatively limited in practice.
By Gail E. Crawford, Fiona M. Maclean, Danielle van der Merwe, Calum Docherty, and Amy Smyth
The Data (Use and Access) Act 2025 (the DUAA) was enacted on 19 June 2025 and amends rather than replaces the existing UK data protection regime. In particular, it introduces several targeted amendments to the UK GDPR, the Data Protection Act 2018
The administration has signaled a potential softening of cyber regulation for domestic entities, with increasing focus on national security priorities and preparing for the future.
By Antony (Tony) Kim and Michael H. Rubin
The Trump administration’s focus on reshaping the cyber regulatory environment continues with executive order 14306, “Sustaining Select Efforts to Strengthen the Nation’s Cybersecurity and Amending Executive Order 13694 and Executive Order 14144” (EO 14306), which was released on June 6, 2025, and issues sweeping amendments
The Measures outline requirements and procedures for self-initiated and regulator-mandated compliance audits from May 1, 2025.
By Hui Xu and Bianca H. Lee
The Cyberspace Administration of China’s (CAC’s) official release of the Measures for Personal Information Protection Compliance Audits (the Measures) marks the CAC’s commitment to implementing the compliance audit system under the PIPL, which has been in effect since November 1, 2021. There was no formal guidance on or implementation of this requirement prior to the publication of
The first updates to the COPPA Rule since 2013 impose new obligations for sharing children’s personal information with third parties.
By Jennifer C. Archie, Marissa R. Boynton, Michael H. Rubin, Molly O’Malley Clarke, and Elizabeth Yin
On April 22, 2025, the Federal Trade Commission (FTC or Commission) published the final amendments to the Children’s Online Privacy Protection Rule (COPPA Rule)1 in the Federal Register. The published amendments will become effective on June 23, 2025
DOJ emphasizes need to come into full compliance with its new rule by July 8.
By Jennifer Archie, Heather B. Deixler, Clayton Northouse, Michael Rubin, Max Mazzelli, Brianna Gordon, and Kiara Vaughn
On April 11, 2025, the US Department of Justice (DOJ) released guidance regarding its final rule, known as the “Data Security Program” (DSP). The DSP, originally issued on December 27, 2024, and effective on April 8, 2025 (with certain diligence, auditing, and
New DOJ guidance helps companies understand their obligations under the DSP, which
could severely impact investment agreements and ordinary commercial data transactions.
By Jennifer Archie, Heather B. Deixler, Clayton Northouse, Michael Rubin, Max Mazzelli, Brianna Gordon, and Kiara Vaughn
On April 11, 2025, the US Department of Justice (DOJ) released new guidance on its final rule, known as the “Data Security Program” (DSP), which went into effect on April 8, 2025. The DSP
The draft law proposes a data embassy ecosystem and comprehensive framework in Saudi Arabia, promoting its position as a global AI hub.
By Brian Meenagh, Ksenia Koroleva, and Faisal Imam*
On April 14, 2025, Saudi Arabia’s Communications, Space and Technology Commission (CST) issued a consultation draft of a “Global AI Hub Law.” This draft law marks Saudi Arabia as the first G20 nation to publish a draft of a comprehensive legal framework that embraces the
The EU regulation designed to facilitate secondary use of clinical data for research brings benefits for health research, but also poses challenges for companies.
By Deniz Tschammler, Danielle van der Merwe, Oliver Mobasser
On 5 March 2025, Regulation 2025/327 creating the European Health Data Space (the EHDS Regulation) was published in the Official Journal of the European Union and entered into force on 26 March 2025. The European Commission also published FAQs on the European Health Data Space