Ofcom has published its guidance for implementing age assurance measures for regulated service providers. User-to-user (U2U) services and search services take note: a decision not to implement highly effective age assurance measures means that your service may be deemed by
Regulatory response
TR v Land Hessen – DPA not obliged to fine under the GDPR

By Shan Nanayakkara
In TR v Land Hessen (C‑768/21) the European Court of Justice (“ECJ”) found that following a personal data breach, a supervisory authority is under no obligation to exercise its corrective powers, specifically the power to…

Lessons on international transfers to the US to organisations caught by the GDPR
The Dutch data protection authority, the Autoriteit Persoonsgegevens (AP), announced a fine of €290 million on Uber Technologies Inc. (UTI) and Uber B.V. (UBV) (together Uber) with press releases in Dutch and English. The fine relates to the transfer of…

Recent regulatory developments in training AI models under the GDPR
In 2024, many organisations have been eager to look at how they can use the data they hold to debut or build on their artificial intelligence (AI) programme. Many are looking to use that data to train AI models, or…
UK GDPR Reform: government publishes response to consultation – likely to form basis of forthcoming UK Data Reform Bill
The Department for Culture, Media and Sport (DCMS) has finally published the UK government’s long-awaited response to the consultation on the future of the UK data protection regime.
The government set out very high-level principles for a Data…
The aftermath of an incident – why keeping records of data breaches and privacy incidents matters
As privacy incidents and security breaches involving personal information become increasingly frequent, organizations are more and more aware of the importance of implementing a robust privacy program to mitigate the risks and impacts of such incidents. While this preparation is…
FTC Signals Additional Scrutiny for Data Breaches
On May 20, 2022, the Federal Trade Commission (FTC) stated that failure to disclose a data breach may be a violation of Section 5 of the FTC Act. Historically, the FTC has not been explicit about its notification…
The UK’s ICO issues a monetary penalty notice to professional services firm after ransomware attack
On 10 March 2022, the Information Commissioner’s Office (ICO) issued a monetary penalty notice to a professional services firm (the Firm) to the tune of £98,000 for a breach of Article 5(1)(f) of the General Data Protection…
The UK Government unveils its post-Brexit plans to shake up data protection laws
On 26 August 2021, in a move that puts it on a potential collision course with the EU, the UK Government made a number of announcements relating to the future of the UK’s data protection regime, with the stated intention…
“Am I a CII operator?” – New regulation in China provides more clarity
China’s Cyber Security Law (CSL), enacted in 2016, requires operators of critical information infrastructure (CII) to follow a number of enhanced security obligations, including storing within China all personal information and important data collected or generated…