The CJEU’s March 19, 2026, judgment in Case C-526/24 marks a significant development in GDPR enforcement, holding for the first time that even a single data access request may be refused as “excessive” under Article 12(5) GDPR if made in bad faith, while also confirming that an unjustified refusal to comply with such a request can itself give rise to damages liability under Article 82(1) GDPR.
Continue Reading CJEU: First Request for Access May Be Rejected as Abusive Under GDPR
The Federal Trade Commission remains focused on children’s privacy and the Children’s Online Privacy Protection Act.
Continue Reading FTC Signals Relaxed COPPA Enforcement for Age-Verification Technologies
The amended Cybersecurity Law of China (CSL) entered into force on Jan. 1, 2026. These amendments, officially approved by China’s top legislature in October 2025, mark the first major changes to the law since it took effect in 2017.
Continue Reading China’s Amended Cybersecurity Law Takes Effect
With its Russmedia judgment (C-492/23, Grand Chamber, 2 December 2025), the Court of Justice of the European Union (CJEU or Court) fundamentally reshapes how online marketplaces and other platforms hosting user-generated content must approach data protection compliance.
Continue Reading CJEU’s Russmedia Decision Expands Platform Controller Duties Under GDPR
Cybersecurity incidents pose a fundamental challenge: How do you reassure stakeholders while acknowledging that many facts remain unknown early in forensic investigations?
Continue Reading How to Reassure Stakeholders When Facts Are Still Unknown During Cyber Incidents
On Dec. 5, 2025, the German act implementing the EU NIS 2 Directive was published.
Continue Reading NIS2 in Germany: The New BSI Act Makes Cybersecurity a Board-Level Issue
The last remaining provisions of the amendments to the New York Department of Financial Services’ (DFS) cybersecurity regulation called Part 500 came into effect Nov. 1, 2025.
Continue Reading NYDFS Final Cybersecurity Rules – MFA, Asset Inventory, and Third-Party Risk
The German data protection supervisory authorities have released their take on international data transfers in medical research.
Continue Reading New DSK Guidelines Aim to Set the Standard for International Research Collaborations
In September, DoD finalized the CMMC Program, along with the accompanying contract clauses, with an effective date of Nov. 10, 2025.
Continue Reading Preparing for a CMMC Audit: The System Security Plan
On Sept. 10, 2025, the Department Defense (DoD) issued a final rule amending the Defense Acquisition Regulation Supplement (DFARS) to implement the Cybersecurity Maturity Model Certification (CMMC) program for government contractors.
Continue Reading Recapping CMMC Level 3: Considerations for Government Contractors