On 19 March 2025, Hong Kong’s Legislative Council enacted the Protection of Critical Infrastructures (Computer Systems) Bill, which was gazetted as the Protection of Critical Infrastructures (Computer Systems) Ordinance (Cap. 653) on 28 March 2025. The Ordinance, which is set to take effect on 1 January 2026, aims to enhance cybersecurity standards in relation to the providers of essential services in eight sectors deemed crucial to the normal functioning of the society, namely energy, information technology, banking and financial services, air transport, land transport, maritime transport, healthcare services, and telecommunications and broadcasting services, as well as critical societal or economic activities (such as those managing major sports and performance venues, as well as research and development parks) in Hong Kong.

Join Us at the 3rd Edition of the Latin America Healthcare and Life Sciences 360 Conference
We are excited to announce we will be joining the 3rd edition of the Latin America Healthcare and Life Sciences 360 Conference on May 6th in São Paulo. This event, organized by Trench Rossi Watanabe brings together key industry leaders and Baker McKenzie speakers to discuss the latest trends and developments in healthcare and life sciences.
The conference agenda promises a day full of insightful discussions on a variety of critical topics, including market expectations, regulatory changes, market access, data privacy, and ethical AI. Our roster of expert speakers will provide valuable insights and share their extensive knowledge on these subjects.

In addition to the stimulating sessions, attendees will have the opportunity to network with industry experts and peers. Don’t miss out on this chance to gain a deeper understanding of the healthcare and life sciences landscape in Latin America.

For more details and to register for the event, please click here. We look forward to seeing you there!

Directive (EU) 2022/2555 on measures for a high common level of cybersecurity across the Union (“NIS2 Directive”) entered into force on 16 January 2023. It had to be transposed into national law by 17 October 2024. Only a small number of member states (among them Hungary, Belgium and Croatia) have transposed the provisions of the NIS2 Directive into national law so far, and it is likely that a significant number of member states will need some time.

In December 2024, privacy concerns were raised after the new Bizfile portal of the Accounting, Corporate and Regulatory Authority of Singapore displayed names and full National Registration Identity Card numbers for free in its search results.
The Personal Data Protection Commission has since clarified the appropriate use and misuse of NRIC numbers.

On 17 December 2024, the Bipartisan House Task Force on Artificial Intelligence released a report on “guiding principles, forward-looking recommendations, and policy proposals to ensure America continues to lead the world in responsible AI innovation.” The report focuses on 15 key areas, including intellectual property, data privacy, healthcare and federal preemption of state law. These principles, recommendations and policy proposals are meant to be a tool rather than the final word on AI. As such, it is anticipated that future AI legislators will use the report to craft AI policy.

Various agencies led by the Department of Trade and Industry (DTI) have signed Joint Administrative Order No. 24-03, Series of 2024 containing the Implementing Rules and Regulations (IRR) of Republic Act No. 11967, or The Internet Transactions Act of 2023 (ITA).
The ITA is intended to regulate e-commerce, protect consumer rights and data privacy, and uphold intellectual property rights.
The IRR clarifies the scope and coverage of the ITA, the enforcement powers of the DTI vis-à-vis other agencies, and the applicable procedure for imposition of fines.

On 27 June 2024, the Personal Information Protection Commission (PPC), Japan’s data protection authority, released the “Interim Report on Considerations for the Triennial Review of the Act on Protection of Personal Information” (“Interim Report”). The Interim Report summarizes discussions within the PPC on issues surrounding the Act on Protection of Personal Information (APPI) from November 2023 to June 2024. The Interim Report is in accordance with amendments made to the APPI in 2020 requiring the PPC to review the provisions of the APPI every three years.

On October 23, 2015, the Portuguese Data Protection Authority issued a statement on transfers of personal data to the US which invalidated the European Commission decision 2000/520 / EC (Safe Harbor Decision),

The Court of Justice of the European Union, following the opinion of the Advocate General, invalidated European Commission Decision 2000/520 dated July 27, 2000, which allowed transfers of personal data to US companies that self-certified under the US/EU Safe Harbor Program.

The Bavarian Data Protection Authority (DPA) in Germany has fined two implicated companies – both seller and purchaser – for unlawfully transferring customer data as part of an asset deal.