Tech Policy Unit Horizon Scanner
February 2026
Data protection developments lead the way this month. In the EU, the European Data Protection Board (EDPB) and the European Data Protection Supervisor (EDPS) chimed in with comments on the Commission's proposed Digital Omnibus, which proposes changes to a number of laws relating to data, cyber and digital platforms. We have written an article – EDPB and EDPS opine on bold changes to European digital regulation as proposed in Digital Omnibus – outlining ten key areas where we think the regulators’ views may be particularly influential as legislative negotiations progress. In the UK, key provisions of the Data (Use and Access) Act came into force, introducing significant amendments to UK data protection law. We have also written an article – Key aspects of the Data (Use and Access) Act take effect – on this development, setting out the main changes and their implications for organisations operating under UK data protection law. Elsewhere, Singapore updated guidance on identity number use, Saudi Arabia issued new accreditation certificate rules for data controllers and processors, and Japan's data regulator clarified its role under the country's data laws.
It wasn't all data. February also saw heightened cyber risks and escalating concerns over AI misuse. From Australia’s quantum security guidance and Japan’s proposed cybersecurity requirements for crypto asset exchanges, to Senegal’s national ID system shutdown after a ransomware attack, there was a growing focus on the need for higher operational resilience across critical digital infrastructure. Vietnam and the US focussed on the use of AI in financial services, whilst Egypt joined the ever-growing list of countries announcing plans to prevent children from accessing social media.
APAC (Excluding China)
Australia
Australia Issues Guidance on Quantum Computing Cybersecurity Threats
On 19 February 2026, the Australian Cyber Security Centre (ACSC) released guidance on the unique cybersecurity challenges posed by quantum computing. The guidance highlights risks to encrypted data, digital signatures, and secure communications, warning that malicious actors could harvest encrypted data for future decryption. The guidance also addresses potential supply chain vulnerabilities, risks associated with cloud-based quantum services, and a shortage of skilled quantum and post-quantum cryptography experts.
Japan
Japan Updates Business Guide on Personal Information Protection
On 2 February 2026, Japan’s Personal Information Protection Commission (PPC) updated its Business Guide, clarifying its role under the Act on the Protection of Personal Information (APPI). The update covers the APPI’s structure and objectives, the PPC’s organizational framework, oversight of the My Number System, and issues such as cross-border data transfers, artificial intelligence, and global privacy regulations.
Japan FSA Publishes Draft Policy to Strengthen Cybersecurity for Crypto‑Asset Businesses
On 10 February 2026, Japan’s Financial Services Agency (FSA) released its “Draft Policy to Strengthen Cybersecurity in Crypto Asset Exchange Services” for consultation. The draft reflects growing concern over large‑scale, sophisticated, and cross‑border cyber incidents involving crypto asset businesses. Recognising that exchanges now function as financial infrastructure, the FSA warns that cybersecurity failures could undermine user protection, market confidence, and economic security. Although non‑binding, the policy outlines supervisory expectations, signalling that basic compliance no longer suffices. The consultation is open until 11 March 2026, after which the policy is expected to be finalised.
Singapore
Singapore Enhances Public Sector Governance with New Bill
On 13 February 2026, Singapore passed a bill amending the Public Sector (Governance) Act. The bill aims to strengthen governance across public authorities, statutory boards, and key institutions by improving accountability, regulatory oversight, and compliance. It outlines detailed duties for office holders, boards, and employees, emphasizing robust internal controls and regulatory cooperation.
Singapore PDPC to Intensify Enforcement on NRIC Misuse by 2027
On 2 February 2026, the Personal Data Protection Commission (PDPC) of Singapore announced that it will ramp up enforcement against the misuse of National Registration Identity Card (NRIC) numbers by private entities from 1 January 2027. Using NRIC numbers for authentication is flagged as a security risk and a breach of the PDPA. The PDPC and Cyber Security Agency (CSA) had previously issued a joint advisory recommending more secure alternatives, and the PDPC has published guidance on addressing common compliance failures.
Vietnam
Vietnam SBV Launches Consultation on AI in Banking Sector
On 13 February 2026, the State Bank of Vietnam (SBV) launched a consultation on a draft circular regulating AI deployment in the banking sector. The draft outlines requirements for operational safety, data governance, incident management, and risk classification. It mandates human oversight for AI systems and requires impact assessments for high-risk applications, referencing both national AI law and international norms. There is a proposed transitional period for compliance.
Europe
European Union
European Parliament Presents Draft Report on the Digital Omnibus on AI
On 5 February 2026, the European Parliament presented a draft report on the Digital Omnibus on Artificial Intelligence, aimed at simplifying and clarifying the implementation of the EU AI Act. The report responds to practical challenges identified since the adoption of the act, in particular the complexity of compliance and the risk of inconsistent enforcement across Member States. It supports targeted amendments to improve legal certainty, reduce administrative burdens, especially for SMEs, and ensure a more uniform application of the rules. Key elements include adjustments to AI literacy obligations, a clearer legal basis for processing sensitive data for bias detection and streamlined conformity assessment procedures. The draft also addresses governance issues by strengthening coordination between national authorities and the EU AI Office. In addition, it proposes postponing the application of certain high-risk AI obligations to allow time for standards and guidance to be finalized. Overall, the report positions the Digital Omnibus as a pragmatic step to make the AI Act more workable while preserving its core objectives of safety, fundamental rights protection, and innovation support.
EDPB and EDPS issue joint opinion on the Digital Omnibus Proposal
On 11 February 2026, the European Data Protection Board (EDPB) and the European Data Protection Supervisor (EDPS) issued Joint Opinion 2/2026 on the Commission’s Digital Omnibus proposal to simplify the EU digital legislative framework. The Opinion welcomes elements intended to improve coherence, consistency and legal certainty, as well as measures designed to reduce administrative burdens. At the same time, it identifies concerns regarding some proposed amendments, notably those affecting the definition and scope of personal data, which are considered capable of reducing the level of protection for individuals.
Court of Justice confirms admissibility of WhatsApp’s challenge to EDPB decision
On 10 February 2026, the Court of Justice confirmed that an EDPB decision is an act open to challenge before the EU Courts. The ruling arose from the Irish Data Protection Commission’s ex officio investigation into WhatsApp Ireland’s compliance with GDPR transparency obligations. After supervisory authorities failed to agree on a draft decision, the matter was referred to the EDPB, whose Decision 1/2021 identified infringements and required amendments, including to proposed fines. WhatsApp sought annulment before the General Court, which dismissed the action as inadmissible. The Court of Justice set aside that order, finding the decision directly concerned WhatsApp, and referred the case back for a ruling on the merits.
United Kingdom
Further provisions of the Data (Use and Access) Act enter into force
On 5 February 2026, key provisions of the Data (Use and Access) Act came into force, introducing significant amendments to UK data protection law. Changes include narrowing the prohibition on solely automated decision‑making, expanding the circumstances in which cookie consent is not required under the Privacy and Electronic Communications Regulations (PECR), and creating a new ‘recognised legitimate interests’ legal basis for processing. The Act also updates rules for research and statistical purposes, clarifies when personal data may be re‑used for further processing, and raises PECR fines to GDPR‑level penalties. The ICO’s enforcement powers have been expanded, and a new “not materially lower” test now applies to international data transfers.
We have written an article – Key aspects of the Data (Use and Access) Act take effect – setting out the main changes and their implications for organisations operating under UK data protection law.
ICO fines Imgur owner MediaLab over children’s privacy failures
On 5 February 2026, the ICO fined MediaLab.AI, Inc. £247,590 for unlawfully processing children’s personal data through its Imgur platform. The ICO found that MediaLab failed to implement any age‑assurance measures, collected and used the data of children under 13 without parental consent, and did not conduct a data protection impact assessment, exposing children to harmful and inappropriate content. The contraventions occurred between September 2021 and September 2025. The ICO noted MediaLab’s acceptance of its provisional findings and stated that further action may follow if the platform resumes UK operations without the required safeguards.
Americas
The United States of America
U.S. Senate Unanimously Passes DEFIANCE Act Addressing AI‑Generated Non‑Consensual Sexual Deepfakes
On 13 January 2026, the U.S. Senate unanimously passed the Disrupt Explicit Forged Images and Non‑Consensual Edits (DEFIANCE) Act, establishing a federal civil cause of action for victims of AI‑generated non‑consensual intimate imagery, commonly known as sexually explicit deepfakes. The bill would allow identifiable victims to sue creators and distributors of such content for statutory damages and injunctive relief, filling gaps left by inconsistent state laws. The DEFIANCE Act represents one of Congress’s first targeted legislative responses to AI‑specific harms and, if enacted, would have nationwide implications for AI developers, digital platforms, and content moderation practices.
Treasury Unveils Public-Private Initiative to Strengthen AI Cybersecurity in Financial Services
On 18 February 2026, the U.S. Department of the Treasury announced the completion of a significant public-private initiative aimed at enhancing cybersecurity and risk management for artificial intelligence within the financial services sector, in alignment with the President’s AI Action Plan. Throughout February, the Treasury intends to release six resources developed collaboratively with industry stakeholders and federal and state regulators, which aim to support secure and resilient AI adoption across the financial system. The Artificial Intelligence Executive Oversight Group, comprising senior executives from financial institutions and regulatory bodies, focuses on addressing gaps in AI use and creating practical tools to manage AI-specific cybersecurity risks. These resources, particularly for small and mid-sized institutions, are meant to facilitate the secure deployment of AI, improve cyber defenses, and encourage innovation. The initiative seeks to emphasize practical implementation over prescriptive requirements, aiming to strengthen the sector’s resilience while supporting technological advancement.
Middle East
Saudi Arabia
Saudi Data and AI Authority (SDAIA) Issues Rules on Accreditation Certificates for Controllers and Processors
On 17 February 2026, the Saudi Data and AI Authority (SDAIA) issued new rules governing the issuance of accreditation certificates for controllers and processors, effective upon online publication. The framework sets out requirements for Applicants, including registration in the National Register of Controllers, disclosure of prior violations, and maintaining qualified staff. It also establishes a maximum 90‑business‑day assessment period. Successful entities receive accreditation valid for two years, with renewal required 30 business days before expiry. The rules aim to strengthen compliance with the Personal Data Protection Law, its Implementing Regulations, and Transfer Regulations, ensuring that organisations demonstrate robust data‑protection practices.
United Arab Emirates
ADGM Registration Authority Issues Proposed Guidance on Crypto Mining
On 28 January 2026, the Abu Dhabi Global Market (ADGM) Registration Authority released proposed guidance outlining how crypto mining activities will be licensed and supervised in the free zone. While crypto mining remains outside the financial services perimeter, the framework formalises it as a licensable commercial activity requiring an RA Commercial Licence. The guidance sets expectations on governance, corporate transparency, operational resilience, and record keeping, and confirms that lawfully mined digital assets are recognised as property under ADGM law.
Africa
Egypt
House of Representatives announces plan to regulate children’s use of social media
On 25 January 2026, Egypt’s House of Representatives announced its intention to draft legislation regulating children’s use of social media applications and websites to address psychological and behavioural risks. The proposal aims to combat digital addiction and mitigate harmful online environments. The draft will be developed through specialised parliamentary committees, which will seek input from the Ministry of Parliamentary, Legal and Political Communication Affairs, the Ministry of Communications and Information Technology, the National Telecommunications Regulatory Authority, and the National Council for Motherhood and Childhood.
Kenya
Cabinet approves accession to Budapest Convention on Cybercrime
On 3 February 2026, Kenya’s Cabinet approved accession to the Budapest Convention on Cybercrime. According to the National Computer and Cybercrimes Coordination Committee (NC4), accession will modernise and harmonise Kenya’s cybercrime laws with international standards and strengthen procedural powers for investigations. It will also enhance access to rapid cross‑border cooperation mechanisms for evidence preservation and information‑sharing, and provide opportunities for capacity‑building through initiatives such as GLACY‑e and Octopus. The NC4 noted that accession is expected to support data protection, intellectual property enforcement, and confidence in Kenya’s digital economy.
Senegal
Government closes national ID office following ransomware attack
On 5 February 2026, Senegal’s Directorate of File Automation (DAF) announced the temporary suspension of national ID card production after a ransomware attack disrupted its systems. The agency, which also manages passports and biometric services, stated that operations were halted to contain the incident and assess its impact, while assuring citizens that data integrity remained intact. A group calling itself Green Blood Group claimed responsibility, alleging the theft of 139 GB of sensitive data. The latest cyber‑attack on DAF’s infrastructure follows an October 2025 incident in which Senegal’s tax agency was also targeted by hackers.
Key Dates on the Horizon
March 2026
- 1 March 2026 China’s Measures on Classification of Online Information Affecting Minors take effect. CAC link
- 11 March 2026 Deadline for feedback on the EU Digital Fitness Check consultation and call for evidence, which could result in further reform to a wide range of EU digital legislation. Consultation link
- 11 March 2026 Deadline for public comments on Japan FSA Draft Policy on crypto‑asset cybersecurity. Consultation link
- 18 March 2026 Deadline for UK report and economic impact assessment on Copyright and AI. More info
May 2026
- Mid-May 2026 WhatsApp must comply with DSA VLOP obligations. Designation
August 2026
- 2 August 2026
  - Providers of GPAI models that have been placed on the market / put into service before this date need to be compliant with the EU AI Act by this date.* EU AI Act
  - Transparency requirements for certain AI systems under Article 50 of the EU AI Act expected to enter into force, following the development of guidelines and a voluntary code of practice.* EU AI Act
January 2027
- 1 January 2027 China’s mandatory standard on information erasure in electronic products takes effect. More info
- 1 January 2027 Singapore PDPC will increase enforcement on NRIC misuse.
Additional information
This publication does not necessarily deal with every important topic nor cover every aspect of the topics with which it deals. It is not designed to provide legal or other advice. Clifford Chance is not responsible for third party content. Please note that English language translations may not be available for some content.
The content above relating to the PRC is based on our experience as international counsel representing clients in business activities in the PRC and should not be construed as constituting a legal opinion on the application of PRC law. As is the case for all international law firms with offices in the PRC, whilst we are authorised to provide information concerning the effect of the Chinese legal environment, we are not permitted to engage in Chinese legal affairs. Our employees who have PRC legal professional qualification certificates are currently not PRC practising lawyers.