Organisations doing business in India should note the differences between GDPR and DPDPA requirements, including potential programmes that may need uplift to ensure compliance.
By Gail E. Crawford, Calum Docherty, Fiona M. Maclean, Rhys McWhirter, Esther Franks, Danielle van der Merwe, Bianca H. Lee, and Amy Smyth
The Parliament of India enacted the country’s first comprehensive data protection law, the Digital Personal Data Protection Act 2023 (the DPDPA), on 11 August 2023. The
While the case is likely to be mentioned in upcoming non-material damages claims, its unique circumstances mean defence arguments remain robust.
By Tim Wybitul, Isabelle Brams, Timo Hager, and Thies Schmitte
On 1 October 2025, the General Court of the European Union (GCEU) held the EU liable for non‑material damage caused by the unlawful processing of personal data by an EU body. In OC v. Commission (T ‑384/20 RENV),1 which concerned a press release by the
The CJEU rules that personal data can be pseudonymous in the hands of one party and anonymous in the hands of another.
By Myria Saarinen, Tim Wybitul, Wolf-Tassilo Böhm, Isabelle Brams, Gail Crawford, Fiona M. Maclean, Danielle van der Merwe, and Amy Smyth
The Court of Justice of the European Union (CJEU) has delivered its judgment in case C-413/23 EDPS v. SRB, addressing questions on the scope of personal data regulated by
The Act presents a significant overhaul of European data law, affecting most companies that handle digital products and connected services, and data processing services, in the EU.
By Sophie Goossens, Jean-Luc Juhan, Susan Kempe-Müller, Alfonso Lamadrid, Myria Saarinen, Tim Wybitul, Gail E. Crawford, James Lloyd, and Fiona M. Maclean
The EU Data Act, which took effect on September 12, 2025, is a sweeping new law that will affect any company offering connected
Advocate General Spielmann opines that personal data can be pseudonymous in the hands of one party and anonymous in the hands of another.
By Gail Crawford, Fiona M. Maclean, Myria Saarinen, Tim Wybitul, Isabelle Brams, and Amy Smyth
Advocate General Spielmann (AG) has published his Opinion in the Court of Justice of the European Union (CJEU) case C-413/23 EDPS v. SRB (Opinion), considering various questions on the scope of personal data regulated by the EU
The CJEU has decided that the maximum thresholds for GDPR fines should be calculated using the global turnover of the broader corporate group, not solely the infringing entity.
By Gail Crawford, Fiona M. Maclean, Myria Saarinen, Tim Wybitul, Isabelle Brams, and Amy Smyth
The penalties provisions of the EU General Data Protection Regulation (GDPR) include a framework for the calculation of the fines that may be imposed on infringing organisations by national supervisory authorities and
The draft guidelines provide further clarification to the EDPB’s interpretation of legitimate interests, and suggest a potential divergence with the UK ICO.
By Gail Crawford, Fiona Maclean, Myria Saarinen, Tim Wybitul, Alice Brunning, and Calum Docherty
On 8 October 2024, the European Data Protection Board (EDPB) released draft Guidelines 1/2024 (the Guidelines) setting out its approach to processing personal data based on the “legitimate interests” legal basis in Article 6(1)(f) of the GDPR. The Guidelines
Understanding the ICO’s approach to assessing financial penalties should be a key element of an organisation’s data protection strategy and risk profile.
By James Lloyd and Sami Qureshi
In an era when data protection infringements can tarnish business reputations overnight, understanding the financial ramifications is more crucial than ever. The UK’s Information Commissioner’s Office (ICO) recently unveiled its much-anticipated updated guidance on the calculation of fines for data protection infringements under the UK General Data Protection Regulation (UK GDPR) and
The PDPL has broad extraterritorial scope and substantial penalties for non-compliance, with full enforcement expected to start in September.
By Brian A. Meenagh and Lucy Tucker
The Personal Data Protection Law (PDPL) is the first comprehensive data protection law in Saudi Arabia. The Saudi Data and Artificial Intelligence Authority (SDAIA) is expected to start full enforcement of the PDPL from 14 September 2024, after the current compliance transition period ends. SDAIA emphasised that it expects entities to take measures to achieve compliance with the PDPL by the September deadline.