International

On 19 November 2025, the European Commission (“Commission”) officially presented its Digital Omnibus Package (see here and here). The initiative represents a comprehensive update to the EU’s digital regulatory landscape, which the Commission frames as a competitiveness and simplification initiative aimed at reducing administrative burdens and enhancing legal certainty for businesses. Although the final text is likely to evolve during negotiations with the European Parliament and the Council of the EU (“Council”), the package, if adopted in its present form, would introduce significant changes to data protection obligations, cookie rules, cybersecurity regulations and the EU AI Act.

The Digital Omnibus Package consists of two proposed regulations: a “Digital Omnibus” that would amend, amongst other legislation, the General Data Protection Regulation (GDPR), ePrivacy Directive, NIS2 Directive and Data Act, and a “Digital Omnibus on AI” that would amend the EU AI Act. We outline below key proposals from the Digital Omnibus that have particular significance for organizations operating in the EU.

A summary of amendments affecting the Data Act and the key proposals in the Digital Omnibus on AI will be addressed in subsequent blog posts.Continue Reading European Commission Proposes Revisions to GDPR and Other Digital Rules Under Digital Omnibus Package

Over the past few months, there have been several notable developments in the cross-border data frameworks of the U.S., EU, UK, Brazil, and several Asia Pacific (“APAC”) countries. These developments reflect evolving regulatory approaches to international data flows, trade agreements, and national security priorities—each with certain nuances and particularities that multinational companies need to understand and be prepared to navigate. 

This blog post provides a brief summary of these developments and key takeaways for companies transferring personal data to or from these jurisdictions. Continue Reading Roundup of Cross-Border Data Transfer Developments

On September 17, 2025, Brazil enacted the Digital Statute of the Child and Adolescent (“Digital ECA”), establishing a pioneering regulatory framework for protecting children (under 12 years of age) and adolescents (between the ages of 12 and 18) online. Brazil’s Congress approved the new law in a matter of just a few days in response to parents’ pressure, after a well-known Brazilian digital influencer published a series of online videos on the “adultization” of children on the internet.Continue Reading Brazil Adopts Law Protecting Minors Online

***Update (January 27, 2026): The EU and Brazil have now formally adopted mutual adequacy decisions, confirming that both jurisdictions ensure comparable levels of data protection and enabling the free and safe flow of personal data between the EU and Brazil without the need for additional transfer mechanisms.***

On September 5, 2025, the European Commission announced the launch of the process to adopt an adequacy decision for Brazil under the General Data Protection Regulation (GDPR), involving an assessment of whether Brazil ensures an adequate level of personal data protection comparable to that in the EU. Once adopted, the decision would permit personal data to flow freely between Brazil and the EU without the need for additional safeguards, covering flows from businesses, public authorities, and research projects.

The Brazilian federal government, through the National Data Protection Authority (ANPD), announced that it is simultaneously considering adopting an equivalent adequacy decision to facilitate the uninterrupted flow of data from Brazil to the EU. The parallel initiatives highlight a mutual commitment to aligning privacy and data protection standards across the Atlantic, and take place in a context of closer bilateral relations and increased U.S. scrutiny of Brazilian and European digital policies.Continue Reading EU and Brazil Adopt Mutual Adequacy Decision

On July 18, 2025, the Cyberspace Administration of China (“CAC”) issued an announcement (“Announcement”) launching a mandatory online registration system and requiring “personal information processing entities” (equivalent to “data controller” under EU’s General Data Protection Rules) that process personal information of one million or more individuals to report the details of their personal information protection officer (“DPO”) through the “Personal Information Protection Business System.”

This development follows the finalization of the Measures for Personal Information Protection Compliance Audits (“Audit Measures”), effective May 1, 2025, which clarified the DPO responsibilities in conducting audits and confirmed the appointment threshold (i.e., 1 million individuals).

The obligation to appoint a DPO has been in place since China’s Personal Information Protection Law (“PIPL”) took effect in 2021.  Under the PIPL, entities processing data that exceeds “a certain volume” are required to appoint a DPO and to report certain information about the DPO — to include name and contact information — to CAC.  However, the specific threshold triggering this requirement was not defined until the release of the Audit Measures in February 2025.  The Announcement now provides further detail on the reporting process.Continue Reading China’s DPO Reporting Requirement Now in Effect

On February 4, 2025, the Japanese Government announced its intention to position Japan as “the most AI-friendly country in the world”, with a lighter regulatory approach than that of the EU and some other nations.  This statement follows: (i) the Japanese government’s recent submission of an AI bill to Japan’s Parliament, and (ii) the Japanese Personal Data Protection Commission’s (“PPC”) proposals to amend the Japanese Act on the Protection of Personal Information (“APPI”) to facilitate the use of personal data for the development of AI.Continue Reading Japan Plans to Adopt AI-Friendly Legislation

On March 14, 2025, the Cyberspace Administration of China (“CAC”) released the final Measures for Labeling Artificial Intelligence-Generated Content and the mandatory national standard GB 45438-2025 Cybersecurity Technology – Labeling Method for Content Generated by Artificial Intelligence (collectively “Labeling Rules”).  The rules will take effect on

Continue Reading China Releases New Labeling Requirements for AI-Generated Content

The UK Government has announced that it intends to introduce the Cyber Security and Resilience Bill (the “Bill”) to Parliament in 2025. Formally proposed as part of the King’s Speech in July, this Bill is intended to strengthen the UK’s cross-sectoral cyber security legislation to better protect the UK’s economy and infrastructure. This Bill will update the existing NIS Regulations, which derive from EU law. Part of the UK Government’s motivation seems to be to keep pace with updates to EU law in this area, specifically relating to the NIS2 Directive that starts to apply this month (see our blog post on this, here).Continue Reading What to expect from the UK’s Cyber Security and Resilience Bill (and when)

On May 30, 2024, the Court of Justice of the EU (“CJEU”) handed down its rulings in several cases (C-665/22Joined Cases C‑664/22 and C‑666/22C‑663/22, and Joined Cases C‑662/22 and C‑667/22) concerning the compatibility with EU law of certain Italian measures imposing obligations on providers of online platforms and search engines.  In doing so, the CJEU upheld the so-called “country-of-origin” principle, established in the EU’s e-Commerce Directive and based on the EU Treaties principle of free movement of services.  The country-of-origin principle gives the Member State where an online service provider is established exclusive authority (“competence”) to regulate access to, and exercise of, the provider’s services and prevents other Member States from imposing additional requirements.

We provide below an overview of Court’s key findings.Continue Reading CJEU Upholds Country-of-Origin Principle for Online Service Providers in the EU

On May 16, 2024, the CNIL launched a public consultation on all of its health data standards.  Interested stakeholders are encouraged to participate by completing a questionnaire (available in French here) by July 12, 2024.

French law has specific requirements for the processing of health data.  In particular, it

Continue Reading CNIL Opens Public Consultation on Its Standards for Processing Health Data