On 5 February 2025, the Advocate General of the Court of Justice of the European Union (CJEU) issued its opinion in the case of C-413/23 P European Data Protection Supervisor (EDPS) v Single Resolution Board
Privacy law
Online Safety Act: Protecting Children from Harmful Content Online – Ofcom’s Guidance on Age Assurance for Part 3 Services
Ofcom has published its guidance for implementing age assurance measures for regulated service providers. User-to-user (U2U) services and search services take note: a decision not to implement highly effective age assurance measures means that your service may be deemed by…
New Horizons in Data Protection: Malaysia’s Personal Data Protection (Amendment) Act 2024



On 24 December 2024, Malaysia’s Minister of Digital stipulated the dates on which the provisions of the Malaysian Personal Data Protection (Amendment) Act 2024 (Amendment Act) will come into force. The Amendment Act will take effect in three…
Facial recognition and privacy: Updated OAIC guidance

The Office of the Australian Information Commissioner (OAIC) has issued guidance to private sector organisations who are considering using facial recognition technology (FRT) for identification purposes in commercial or retail settings. The guidance follows a determination of the Privacy Commissioner…
TR v Land Hessen – DPA not obliged to fine under the GDPR

By Shan Nanayakkara
In TR v Land Hessen (C‑768/21) the European Court of Justice (“ECJ”) found that following a personal data breach, a supervisory authority is under no obligation to exercise its corrective powers, specifically the power to…
Bill C-26: Advancing towards cybersecurity governance in Canada



On September 19, the Senate commenced its second reading of Bill C-26: An Act respecting cyber security, amending the Telecommunications Act and making consequential amendments to other Acts, marking a significant step forward in the legislative process since…

Lessons on international transfers to the US to organisations caught by the GDPR
The Dutch data protection authority, the Autoriteit Persoonsgegevens (AP), announced a fine of €290 million on Uber Technologies Inc. (UTI) and Uber B.V. (UBV) (together Uber) with press releases in Dutch and English. The fine relates to the transfer of…

Recent regulatory developments in training AI models under the GDPR



In 2024, many organisations have been eager to look at how they can use the data they hold to debut or build on their artificial intelligence (AI) programme. Many are looking to use that data to train AI models, or…
EDPB opines on the use of facial recognition in airports


Co-written by Swaathi Balajawahar, Trainee Solicitor
Introduction
On 23 May 2024, the European Data Protection Board (EDPB) issued Opinion 11/2024 on the use of facial recognition to streamline airport passengers’ flow (the Opinion). The Opinion considered the use of facial…
Minnesota enacts comprehensive privacy law





On May 24, 2024, the Minnesota Governor signed the Minnesota Consumer Data Privacy Act (“MCDPA”), making Minnesota the eighteenth state to enact a comprehensive privacy law. The new law takes effect on July 31, 2025, for most regulated entities, with…