Regulatory response

Subscribe to Regulatory response via RSS

Pseudonymised data could fall outside data protection law – introducing the “means reasonably likely” assessment

By Marcus Evans (UK) & Rosie Nance on September 4, 2025

The Court of Justice of the European Union (CJEU) has delivered its judgment on case C 413/23 P European Data Protection Supervisor (EDPS) v Single Resolution Board (SRB). The CJEU has confirmed that pseudonymised…

Dutch DPA publishes report on personal data breaches

By Naomi Schuitema, Jurriaan Jansen, Alexander McGuire & Tim Jones on September 3, 2025

The Dutch Data Protection Authority (Autoriteit Persoonsgegevens) (Dutch DPA) recently published a report on personal data breaches, which provides valuable insights into the Dutch DPA’s views on incident response. It also contains some helpful statistics.

Increase…

AI and Job Postings: Navigating Ontario’s Upcoming Requirements

By Imran Ahmad (CA), Domenic Presta (CA), Joseph Cohen-Lyons & Humna Shaikh on June 16, 2025

On March 21, the Ontario’s Bill 149, Working for Workers Four Act, 2024 (“Bill 149”) received Royal Assent.

Online Safety Act: Protecting Children from Harmful Content Online – Ofcom’s Guidance on Age Assurance for Part 3 Services

By Farah Mukaddam (UK), Marcus Evans (UK) & Rosie Nance on January 28, 2025

Ofcom has published its guidance for implementing age assurance measures for regulated service providers. User-to-user (U2U) services and search services take note: a decision not to implement highly effective age assurance measures means that your service may be deemed by…

TR v Land Hessen – DPA not obliged to fine under the GDPR

By Shan Nanayakkara on December 3, 2024

By Shan Nanayakkara

In TR v Land Hessen (C‑768/21) the European Court of Justice (“ECJ”) found that following a personal data breach, a supervisory authority is under no obligation to exercise its corrective powers, specifically the power to…

Lessons on international transfers to the US to organisations caught by the GDPR

By Jurriaan Jansen, Naomi Schuitema, Marcus Evans (UK) & Rosie Nance on September 11, 2024

The Dutch data protection authority, the Autoriteit Persoonsgegevens (AP) announced a fine of €290 million on Uber Technologies Inc. (UTI) and Uber B.V.,(UBV) (together Uber) with press releases in Dutch and English. The fine relates to the transfer of…

Recent regulatory developments in training AI models under the GDPR

By Marcus Evans (UK), Rosie Nance & Olivia Wint on August 22, 2024

In 2024, many organisations have been eager to look at how they can use the data they hold to debut or build on their artificial intelligence (AI) programme. Many are looking to use that data to train AI models, or…

UK GDPR Reform: government publishes response to consultation – likely to form basis of forthcoming UK Data Reform Bill

By Marcus Evans (UK), Fiona Bundy-Clarke (UK) & Shiv Daddar (UK) on June 22, 2022

The Department for Culture, Media and Sport (DCMS) has finally published the UK government’s long-awaited response to the consultation on the future of the UK data protection regime.

The government set out very high level principles for a Data…

The aftermath of an incident – why keeping records of data breaches and privacy incidents matters

By Jeremie Wyatt (CA), Imran Ahmad (CA) & Sara A. Levine, QC (CA) on June 14, 2022

As privacy incidents and security breaches involving personal information become increasingly frequent, organizations are more and more aware of the importance of implementing a robust privacy program to mitigate the risks and impacts of such incidents. While this preparation is…

FTC Signals Additional Scrutiny for Data Breaches

By Anna Rudawski (US) & Chris Cwalina (US) on May 25, 2022

On May 20, 2022, the Federal Trade Commission (FTC) stated that failure to disclose a data breach may be a violation of Section 5 of the FTC Act. Historically, the FTC has not been explicit about its notification…

Data Protection Report