Current edition
Summer 2025
- The ICO launches consultation on a new approach to low-risk online advertising
- EDPB clarifies rules for data transfers in response to non-EU authority requests
- Italy’s DPA rules double opt-in as critical best practice for valid marketing consent
- Luxembourg’s CNPD publishes guidelines for payment service providers
- Abu Dhabi Global Market’s Registration Authority issues consultation on amendments to the Data Protection Regulations 2021
Previous editions
Spring 2025
- DeepSeek under scrutiny by the Italian Data Protection Authority
- Amazon's fine of €746 million confirmed in Luxembourg
- UK's adequacy decision may be extended until the end of 2025
- Saudi implements transfer risk assessment
- China implements new CCTV regulations
Winter 2025
- The EDPB has adopted its first reports on the review of the EU-U.S. Data Privacy Framework.
- The French Data Protection Authority has issued a EUR 50 million fine against Orange
- The Italian Data Protection Authority has issued a decision against the transfer of personal data contained in newspaper archives to OpenAI.
- The Dutch Data Protection Authority has issued a EUR 4.75 million fine against Netflix for lack of transparency.
- The Protection of Critical Infrastructures (Computer Systems) Bill has been published in Hong Kong.
- Saudi Data & AI Authority has published guidance on the handling personal data breaches.
Autumn 2024
- The European Commission publishes its second report on the enforcement of the GDPR, highlighting a total of €4.2 billion in fines since the GDPR came into effect.
- The ECJ and EDPB provide further insights on what should be considered legitimate interests under Article 6 GDPR
- German law makers publish a draft on a Federal Employee Data Protection Act to supplement the GDPR and the AI Act.
- The Italian Data Protection Authority (Garante) publishes a favourable opinion on the draft Italian bill implementing the EU AI Act.
- The Singapore government announces plans for safety guidelines requiring Generative AI developers to disclose model functionalities and risks, aiming to ensure transparency and trust.
- The Beijing Free Trade Zone publishes a "Negative List" for data export, detailing "Important Data" for specific sectors and requiring security assessments for data transfers out of the PRC, along with adjustments to cross-border personal information transfer protocols.
- The grace period for the KSA Personal Data Protection Law has now ended, making compliance mandatory for organisations, with the Saudi Data & AI Authority (SDAIA) now enforcing the regulations.
- The SDAIA publishes draft guidelines for feedback on managing deepfakes in Saudi Arabia, offering advice on risk assessments, consent, watermarking and consumer protection against technology misuse.
Summer 2024
- In Harrison v Cameron & anr [2024] EWHC 1377 (KB), the court rules on the extent to which data controllers must disclose specific recipients of personal data in response to Data Subject Access Requests (DSARs), considering the rights and freedoms of the recipients.
- Noyb files complaints against Microsoft for GDPR breaches in its “365 Education services””
- The National Commission for Data Protection (CNPD) in Luxembourg issues a warning for GDPR purpose limitation breaches after investigating a complaint about the misuse of video surveillance data for employee dismissal.
- The Kingdom of Saudi Arabia’s National Data Governance Platform has been enhanced ahead of the KSA Personal Data Protection Law (PDPL) enforcement date
- Hong Kong's Privacy Commissioner for Personal Data issues the Artificial Intelligence: Model Personal Data Protection Framework
Spring 2024
- The UK’s ICO continues to build on its consultation series on generative AI
- Singapore’s PDPC has recently published Advisory Guidelines on AI
- The French CNIL has shared its set of recommendations and good practices regarding the use of AI
Winter 2024
- France’s CNIL has fined Amazon for employee monitoring
- The ECJ has confirmed that organisations can limit damages when proving that a fault was not attributable to them whilst making it clear that a fine can only be imposed if some kind of fault is established
- The CJEU has clarified the conditions under which national supervisory authorities may impose an administrative fine.
- China released new guidelines facilitating cross-border personal data flow within Greater Bay Area
- HKMA issued a circular on managing cyber risks on third party service providers; and
- The Monetary Authority of Singapore released responses to proposal on mandatory reference checks.
- Saudi has launched National Data Governance Platform for registration and compliance services under its new Data Protection Law and issued its first official guidance for its new Data Protection Law.
_11zon.jpg?crop=300,495&format=webply&auto=webp)
_11zon.jpg?crop=300,495&format=webply&auto=webp)
_11zon.jpg?crop=300,495&format=webply&auto=webp)
_11zon.jpg?crop=300,495&format=webply&auto=webp)
.jpg?crop=300,495&format=webply&auto=webp)
