Following the UK government’s earlier proposals to reform the data protection regime, the Data Use and Access Act 2025 (DUAA) received Royal Assent on 19 June 2025. The DUAA amends the existing UK data protection framework—including the UK GDPR, the Data Protection Act 2018, and PECR—and forms part of the government’s wider strategy to create
Data & Cyber Security
Navigating global privacy and AI regulations: Key insights for multinational organizations
Multinational organizations are facing an increasingly complex landscape of global privacy and artificial intelligence (AI) regulations. Recent developments highlight the need for companies to stay informed about evolving legal requirements, particularly as governments introduce new frameworks to address data protection, AI governance, and cross-border data transfers. Organizations must proactively assess their compliance strategies, adapt internal…
Key takeaways on AI governance from the IAPP Global Privacy Summit
AI was a hot topic at this year’s International Association of Privacy Professionals’ (“IAPP”) Global Privacy Summit, ranging from fine-tuning AI and algorithms with real-live data to best practices in AI governance. The IAPP’s Summit offered privacy professionals insights from policy makers, tech companies and start-ups, authors, and entrepreneurs.
As it relates to AI governance…

Direct marketing ad profiling: Recent fines
Data protection authorities across Europe have recently imposed significant fines on companies for violations of data protection laws. We bring to your attention decisions related to breaches of direct marketing and profiling below.
A telecommunications company fined €50 million by the French Supervisory Authority
On 23 January 2025, the French Supervisory Authority (CNIL) fined a…
2025: Upcoming regulations in the EU and Germany for tech and online businesses
The European Union (EU) is introducing new regulations for online and tech businesses to create a consistent legal framework across various sectors. By 2025, several European and German laws will come into effect. Want to know which ones? Keep reading! This alert provides a quick overview of what these 2025 frameworks are about, who they…
Cybersecurity law updates in the UK and the EU
UK NIS and critical national infrastructure updates
The UK government recently created a page on the new Cybersecurity and Resilience Bill updating the Network and Information Systems (NIS) Regulations 2018. There is no draft of the bill available yet, but it is confirmed the Bill will cover five sectors (transport, energy, drinking water, health, and…
Managing GenAI risk: Key takeaways from NIST’s updated guidance
In a rapidly evolving technological landscape, the National Institute of Standards and Technology (NIST) has released crucial guidance on managing risks associated with generative AI (GenAI). Our latest client alert delves into the newly published GenAI Profile (NIST AI 600-1), which outlines 12 potential high-level risks and offers actionable strategies for mitigation by breaking down…
New Target in Sight: FTC Zeroes in on Algorithmic Pricing Models Based on Personal Data
Witnessing the race to harness the power of Artificial Intelligence (“AI”) by markets and businesses, the Federal Trade Commission (“FTC”), recently issued a warning over the emerging technology and its ever-widening use cases. Citing its authority under Section 6(b) of the FTC Act, the Commissioners voted 5-0 on July 19 in favor of issuing investigative…
Germany’s government plans to introduce a statutory ‘right to encryption’ for users of messaging and cloud storage services
The German Federal Ministry for Digital and Transport (Bundesministerium für Digitales und Verkehr – BMDV) has drawn up a new draft bill which shall introduce:
- (i) a statutory obligation for providers of number-independent interpersonal communication services (e.g. instant messaging services) to allow their users to use end-to-end encryption (“E2EE”), and (ii) a statutory transparency obligation for such providers to inform their users accordingly; and
- a statutory transparency obligation for providers of certain cloud services to inform their users about how to use continuous and secure encryption (“Draft Bill”).
The Draft Bill (status 7 February 2024), which does not have any basis in EU law, is available here (German content).Continue Reading Germany’s government plans to introduce a statutory ‘right to encryption’ for users of messaging and cloud storage services
UK & US cybersecurity agencies release new ‘Guidelines for Secure AI System Development’
On 26 November 2023, the US Cybersecurity and Infrastructure Security Agency (CISA), together with the UK’s National Cyber Security Centre (NCSC), published joint ‘Guidelines for Secure AI System Development’ (the Guidelines).
The Guidelines were formulated by CISA and the NCSC, in cooperation with 21 other international agencies and ministries, as well as industry experts.Continue Reading UK & US cybersecurity agencies release new ‘Guidelines for Secure AI System Development’