Organisations doing business in India should note the differences between GDPR and DPDPA requirements, including potential programmes that may need uplift to ensure compliance.
By Gail E. Crawford, Calum Docherty, Fiona M. Maclean, Rhys McWhirter, Esther Franks, Danielle van der Merwe, Bianca H. Lee, and Amy Smyth
The Parliament of India enacted the country’s first comprehensive data protection law, the Digital Personal Data Protection Act 2023 (the DPDPA), on 11 August 2023. The
The DUAA introduces several reforms to UK data protection law, but their implications are relatively limited in practice.
By Gail E. Crawford, Fiona M. Maclean, Danielle van der Merwe, Calum Docherty, and Amy Smyth
The Data (Use and Access) Act 2025 (the DUAA) was enacted on 19 June 2025 and amends rather than replaces the existing UK data protection regime. In particular, it introduces several targeted amendments to the UK GDPR, the Data Protection Act 2018
The CJEU has decided that the maximum thresholds for GDPR fines should be calculated using the global turnover of the broader corporate group, not solely the infringing entity.
By Gail Crawford, Fiona M. Maclean, Myria Saarinen, Tim Wybitul, Isabelle Brams, and Amy Smyth
The penalties provisions of the EU General Data Protection Regulation (GDPR) include a framework for the calculation of the fines that may be imposed on infringing organisations by national supervisory authorities and
Proposals grant controllers increased flexibility for automated decision-making, provided suitable safeguards are implemented.
By Fiona Maclean, Gail Crawford, Amy Smyth, and Lorenzo Meusburger
On 23 October 2024, the UK government introduced the Data (Use and Access) Bill (the Bill) to Parliament, marking a significant step in the evolution of the country’s data protection landscape. It follows previous reform attempts that lapsed after the July 2024 government change. The proposed legislation aims to reform various aspects of UK data protection law while also addressing broader initiatives related to data access and digital identity. Among its many provisions (138 Clauses, 16 Schedules and 251 pages to be precise), the Bill outlines notable changes in the realm of automated decision-making.
The Regulations, which took effect on January 1, 2025, reiterate and clarify existing requirements and introduce new ones on privacy and network data security.
By Hui Xu and Bianca H. Lee
On September 30, 2024, the PRC State Council released the finalized Regulations on Network Data Security Management (Regulations), concluding a three-year consultation process since the initial draft in 2021.
The Regulations took effect January 1, 2025, and build upon the Cybersecurity Law (CSL), Data Security Law (DSL), and Personal Information Protection Law (PIPL), which form China’s legal framework for data protection and security. The Regulations integrate common cybersecurity requirements from these laws, applying them to “network data processing activities,” which include all electronic data processed through networks.
The PDPL has broad extraterritorial scope and substantial penalties for non-compliance, with full enforcement expected to start in September.
By Brian A. Meenagh and Lucy Tucker
The Personal Data Protection Law (PDPL) is the first comprehensive data protection law in Saudi Arabia. The Saudi Data and Artificial Intelligence Authority (SDAIA) is expected to start full enforcement of the PDPL from 14 September 2024, after the current compliance transition period ends. SDAIA emphasised that it expects entities to take measures to achieve compliance with the PDPL by the September deadline.
Companies subject to India’s new data protection law should assess practical implications.
By Gail Crawford, Fiona Maclean, Danielle van der Merwe, Kate Burrell, Bianca H. Lee, Alex Park, Irina Vasile, and Amy Smyth
The Indian parliament enacted India’s first comprehensive data protection law on 11 August 2023, namely the Digital Personal Data Protection Act 2023 (the DPDPA). The DPDPA will replace India’s existing patchwork of data protection rules[i] and is expected to trigger significant changes in how companies subject to Indian data protection laws process personal data. However, the law is not yet operational; no effective date has been established and there is no official timeline for the overall implementation. Stakeholders expect the law to come into force in a phased manner in the next six to 12 months, after:
The DPDPA is “umbrella” legislation, as it sets out only a high-level framework for India’s new data protection regime, with supplementary rules expected in due course. Though the new law is not yet operational, companies subject to the new law are advised to begin assessing potential practical implications at an early stage.
The final Implementing Regulations are generally business-friendly and bring the law closer to the EU GDPR.
By Brian A. Meenagh and Lucy Tucker
The Saudi Data & AI Authority (SDAIA) recently issued the final Implementing and Transfer Regulations for the upcoming Personal Data Protection Law (PDPL), the first comprehensive data protection law in Saudi Arabia. This follows the publication of consultation drafts of the Implementing and Transfer Regulations in April 2023 (the Consultation Draft). The PDPL was issued under Royal
The updated reform legislation provides welcome guidance and clarifications on aspects such as legitimate interests and accountability, without substantially shifting the approach proposed under the existing reform bill.
By Gail E. Crawford, Fiona M. Maclean, Timothy Neo, Irina Vasile, and Amy Smyth
On 8 March 2023, the UK government introduced the second draft of its UK data protection reform legislation, the Data Protection and Digital Information (No.2) Bill (the No. 2 Bill). The No. 2 Bill supersedes the original Data Protection and Digital Information Bill (the Original Bill), which the government first introduced last summer, following the consultation “Data: a new direction” (the Consultation). (For more information on the Consultation, see this Latham blog post; for more details on the proposed changes in the first version of the Bill, see this Latham overview and deep dive.)
The No. 2 Bill details how the government proposes to reform the current UK data protection regime, which consists primarily of the UK Data Protection Act 2018 (DPA 2018), the UK General Data Protection Regulation (UK GDPR), and the Privacy and Electronic Communications (EC Directive) Regulations 2003 (PECR).
UK government sets out ambitious proposal for reforming the UK data protection landscape.
By Gail E. Crawford, Ian Felstead, Fiona M. Maclean, Irina Vasile, Timothy Neo, and Amy Smyth
On 17 June 2022, the Department for Culture, Media and Sport (DCMS) published its response to its consultation “Data: a new direction” (the Consultation), setting out the government’s plans to reform the UK data protection regime.
These reforms are part of the UK’s National Data Strategy, which seeks to shift focus from prescriptive requirements to a risk-based approach, thereby making data protection less burdensome for businesses and enabling them to protect personal data in a proportionate and appropriate way. The DCMS has indicated, in comments at a recent conference, that the intention and direction of travel is to build on, improve, and clarify the approach that the UK will take with the UK GDPR in a way that benefits businesses whilst maintaining the same level of data protection for individuals.
This blog post scrutinises some of the Consultation’s key takeaways. For a full list of proposals that are being taken forward pursuant to the Consultation, see this response Annex.