Spain’s data protection agency, the Agencia Española de Protección de Datos (AEPD), has fined Amadeus IT Group, S.A. (Amadeus) €18 million in relation to a traveller profiling pilot project. The enforcement decision, published in May 2026
Compliance and risk management
UK data protection complaints – new complaints handling obligations for controllers from 19 June

The changes to data controllers’ complaints handling obligations, made via the Data (Use and Access) Act, will come into force on 19 June 2026. These include a new obligation to acknowledge complaints within 30 days, respond without undue delay, and…
Cybersecurity and Personal Data: The CNIL toughens its stance


On 9 February 2026, the Commission Nationale de l’Informatique et des Libertés (CNIL) published its 2025 report on its enforcement action. Beyond the €487 million – in cumulative fines – largely driven (unsurprisingly) by two sanctions related to cookies, another…
Tax authorities’ access to individuals’ banking data: the European Court of Human Rights sets privacy limits in the case of Ferrieri and Bonassisa v. Italy

The 2026 opened with a notable decision by the European Court of Human Rights (ECtHR) in the case of Ferrieri and Bonassisa v. Italy.
The ECtHR found the violation of Article 8 of the Convention for the Protection…
Agentic AI: the ICO’s early thoughts on the data protection implications

The ICO has kicked off 2026 with sharing its early thoughts on the data protection implications of agentic AI in its ICO tech futures: Agentic AI report. The report considers the novel data protection risks presented by agentic AI.
UK Cyber Security and Resilience Bill – new obligations for the data centre sector

This blog post includes headline points on new obligations for the data centre sector proposed under the Cyber Security and Resilience Bill, and existing obligations under the NIS Regulations.
NIS Regulations Keeling Schedule for the Cyber Security and Resilience Bill – changes to the UK’s cyber security law

The Cyber Security and Resilience Bill proposes changes to the UK’s NIS Regulations. Without a ‘Keeling Schedule’ marking up the amendments, these can be difficult to track. We have prepared a mark-up reflecting the proposed changes.
Changes to EU and UK data protection law – a tale of two GDPRs?

The EU Commission recently held a call for evidence on “simplification” of legislation in the data, cybersecurity, and AI space, ahead of a “Digital Omnibus” Act. These changes look to make the EU’s digital rulebook more innovation-friendly, supporting the Commission’s…
Italy’s Law No. 132/2025 on Artificial Intelligence
On September 23, 2025, Italy adopted Law no. 132/2025 on Artificial Intelligence (AI). The law will enter into force on 10 October 2025 and aims, inter alia, to complement the Regulation EU 2024/1689 (EU AI Act).
Can you access your outsourced data?
Financial regulators globally emphasise the importance of financial entities being operationally resilient, which includes the ability to manage and recover from disruptions caused by their service providers. The topic receives significant attention in the financial services sector because the sector…
