Data protection

UK data protection reform – what you need to know and do

By Marcus Evans (UK), Fiona Bundy-Clarke (UK) & Rosie Nance on July 23, 2025

The Data (Use and Access) Act (DUAA) received Royal Assent on 19 June 2025. The DUAA enacts the changes to the UK’s data protection regime that have been contemplated since the Data: a new direction consultation in…

Do your technology and outsourcing contracts properly address liability for cyber incidents?

By James Russell & Kerri Gevers (SG) on July 2, 2025

Most incidents handled by our Norton Rose Fulbright cyber team originate from the customer’s service provider. In many cases it is the service provider’s systems, infrastructure and environment which proves to be the most vulnerable to cyber breaches and security…

AI and Job Postings: Navigating Ontario’s Upcoming Requirements

By Imran Ahmad (CA), Domenic Presta (CA), Joseph Cohen-Lyons & Humna Shaikh on June 16, 2025

On March 21, the Ontario’s Bill 149, Working for Workers Four Act, 2024 (“Bill 149”) received Royal Assent.

Navigating regulatory challenges in data centres

By Marcus Evans (UK) on May 1, 2025

Businesses investing in, financing or operating data centres face a complex matrix of laws and regulatory requirements. Ensuring compliance is important for lender and investor due diligence and is crucial to avoiding fines, penalties and contractual or regulatory breaches that…

What do organisations need to disclose to individuals about AI and automated decisions?

By Marcus Evans (UK), Farah Mukaddam (UK) & Rosie Nance on March 10, 2025

Individuals have the right to receive meaningful information about solely automated decisions with significant effects under the General Data Protection Regulation (GDPR). This includes decisions that will impact an individual’s finances or employment. But how much information are…

CJEU Advocate General clarifies when pseudonymised data falls outside the definition of personal data

By Marcus Evans (UK), Rosie Nance & Alice Knowles on February 10, 2025

On 5 February 2025, the Advocate General of the Court of Justice of the European Union (CJEU) issued its opinion in the case of C 413/23 P European Data Protection Supervisor (EDPS) v Single Resolution Board…

US Dept of Health proposes Security Rule amendments that includes new deadlines

By Will Daugherty (US), David Kessler (US), Sarah Knight (US), Susan Ross (US) & Megan Kunnel (US) on February 4, 2025

On December 27, 2024, the United States Department of Health and Human Services (HHS), through its Office for Civil Rights (OCR), issued a proposed rule to improve data protection measures in the healthcare sector.

Learn more about the…

New Horizons in Data Protection: Malaysia’s Personal Data Protection (Amendment) Act 2024

By Wilson Ang, Jeremy Lua & Terence De Silva on January 17, 2025

On 24 December 2024, Malaysia’s Minister of Digital stipulated the dates on which the provisions of the Malaysian Personal Data Protection (Amendment) Act 2024 (Amendment Act) will come into force. The Amendment Act will take effect in three…

TR v Land Hessen – DPA not obliged to fine under the GDPR

By Shan Nanayakkara on December 3, 2024

By Shan Nanayakkara

In TR v Land Hessen (C‑768/21) the European Court of Justice (“ECJ”) found that following a personal data breach, a supervisory authority is under no obligation to exercise its corrective powers, specifically the power to…

Lessons on international transfers to the US to organisations caught by the GDPR

By Jurriaan Jansen, Naomi Schuitema, Marcus Evans (UK) & Rosie Nance on September 11, 2024

The Dutch data protection authority, the Autoriteit Persoonsgegevens (AP) announced a fine of €290 million on Uber Technologies Inc. (UTI) and Uber B.V.,(UBV) (together Uber) with press releases in Dutch and English. The fine relates to the transfer of…

Data Protection Report