The United States’ Cybersecurity and Infrastructure Security Agency (CISA) and Federal Bureau of Investigation (FBI), in collaboration with the United Kingdom’s National Cyber Security Centre and other international partners,...more
11/4/2025
/ Critical Infrastructure Sectors ,
Cybersecurity ,
EU ,
Government Agencies ,
Industrial Sector ,
Information Technology ,
Infrastructure ,
International Harmonization ,
Network Security ,
New Guidance ,
Popular ,
Regulatory Requirements ,
Risk Management ,
Supply Chain ,
Third-Party Risk ,
UK ,
United States
The Court of Justice of the European Union (ECJ) has issued a landmark decision in European Data Protection Supervisor v Single Resolution Board (C-413/23 P), narrowing the circumstances in which pseudonymised data is...more
11/3/2025
/ Data Management ,
Data Privacy ,
Data Protection ,
Data Protection Authority ,
Data Transfers ,
Data-Sharing ,
EU ,
European Court of Justice (ECJ) ,
General Data Protection Regulation (GDPR) ,
Personal Data ,
Popular ,
Privacy Laws ,
Regulatory Requirements ,
Transparency
On 22 August 2025, the UK Court of Appeal issued its judgment in Farley v Paymaster. The case related to the Sussex Police, whose pension scheme members’ “annual benefit statements” were posted to out-of-date addresses. The...more
11/3/2025
/ Class Action ,
Collective Actions ,
Corporate Counsel ,
Court of Justice of the European Union (CJEU) ,
Damages ,
Data Breach ,
Data Protection ,
EU ,
EU Directive ,
General Data Protection Regulation (GDPR) ,
Personal Data ,
Privacy Laws ,
Private Right of Action ,
UK ,
UK GDPR
On 12 September 2025, the European Data Protection Board (EDPB) issued draft guidelines (Guidance) on the interplay between the EU General Data Protection Regulation (GDPR) and the Digital Services Act (DSA), the latter of...more
10/31/2025
/ Algorithms ,
Automated Decision Systems (ADS) ,
Cybersecurity ,
Data Protection ,
Digital Platforms ,
Digital Services ,
European Data Protection Board (EDPB) ,
General Data Protection Regulation (GDPR) ,
Online Platforms ,
Personal Data ,
Privacy Laws
On September 23 2025, the California Office of Administrative Law approved the California Privacy Protection Agency’s (CPPA’s) regulations under the California Consumer Privacy Act (CCPA). The final regulations create three...more
10/3/2025
/ Automated Decision Systems (ADS) ,
California ,
California Consumer Privacy Act (CCPA) ,
California Privacy Protection Agency (CPPA) ,
Consumer Privacy Rights ,
Cybersecurity ,
Data Privacy ,
New Regulations ,
Popular ,
Risk Assessment ,
State Privacy Laws
This coordinated enforcement sweep builds on the “Consortium of Privacy Regulators” announcement earlier this year, which, as we have written, marked a shift toward joint, multistate privacy enforcement. The Consortium of...more
10/3/2025
/ California ,
California Privacy Protection Agency (CPPA) ,
California Privacy Rights Act (CPRA) ,
Colorado ,
Connecticut ,
Consumer Privacy Rights ,
Data Privacy ,
Data Protection ,
Enforcement Actions ,
Opt-Outs ,
Privacy Laws ,
State Attorneys General ,
State Privacy Laws
On September 29, 2025, California Governor Gavin Newsom signed into law Senate Bill 53 (SB 53), known as the Transparency in Frontier Artificial Intelligence Act (TFAIA). This landmark legislation establishes the nation’s...more
10/3/2025
/ Artificial Intelligence ,
California ,
Compliance ,
Cybersecurity ,
Disclosure Requirements ,
New Legislation ,
Popular ,
Regulatory Requirements ,
Reporting Requirements ,
Risk Management ,
State and Local Government ,
Whistleblowers
On September 10, 2025, the U.S. Department of Defense (DoD) published its final rule implementing the contractual requirements under the Cybersecurity Maturity Model Certification (CMMC) Program. The rule (CMMC DFARS Rule),...more
9/19/2025
/ Corporate Counsel ,
Cybersecurity ,
Cybersecurity Maturity Model Certification (CMMC) ,
Defense Contracts ,
Department of Defense (DOD) ,
False Claims Act (FCA) ,
Federal Acquisition Regulations (FAR) ,
Federal Contractors ,
Final Rules ,
Subcontractors ,
Supply Chain
Under the EU General Data Protection Regulation (GDPR), the European Commission can issue “adequacy” decisions allowing data to be transferred from the EU to a non-EEA country without additional security measures such as...more
9/10/2025
/ Adequacy Requirement ,
Appeals ,
Corporate Counsel ,
Court of Justice of the European Union (CJEU) ,
Data Privacy ,
Data Protection ,
EU ,
European Commission ,
European Court of Justice (ECJ) ,
General Court of the European Union (GCEU) ,
General Data Protection Regulation (GDPR) ,
International Data Transfers ,
Personal Data ,
Privacy Laws
The FTC’s letters highlight the commission’s concern that tech companies may adopt content moderation or data security policies that, while designed to meet foreign legal requirements, could impermissibly infringe upon U.S....more
9/5/2025
/ Censorship ,
Consumer Privacy Rights ,
Data Security ,
Digital Services ,
Encryption ,
EU ,
Federal Trade Commission (FTC) ,
FTC Act ,
Online Platforms ,
Regulatory Requirements ,
Section 5 ,
UK ,
Unfair or Deceptive Trade Practices
During the Biden administration, boards of directors needed to be mindful of the potential for AI regulations that could constrain widespread AI adoption. This has now changed with the Trump administration, which has adopted...more
9/5/2025
/ Artificial Intelligence ,
Data Centers ,
Executive Orders ,
Federal Funding ,
Government Agencies ,
Infrastructure ,
Innovative Technology ,
Machine Learning ,
Regulatory Agenda ,
Regulatory Reform ,
Request For Information ,
Semiconductors ,
Tax Credits ,
Trump Administration
- What is new: On 26 June 2025, the EU Agency for Cybersecurity (ENISA) published guidance documents setting out security measures that regulated organisations should have in place to comply with the EU’s critical...more
- What is new: The EU AI Act’s obligations on general-purpose AI providers have now come into force alongside the publication of guidance, a code of practice and a disclosure template that flesh out GPAI model providers’...more
- What is new: DOJ announced a $9.8 million FCA settlement with Illumina Inc. to resolve claims arising out of alleged cybersecurity deficiencies in DNA sequencing systems Illumina sold to government agencies.
- Why it...more
8/8/2025
/ Compliance ,
Cybersecurity ,
Department of Justice (DOJ) ,
False Claims Act (FCA) ,
Food and Drug Administration (FDA) ,
Government Agencies ,
Life Sciences ,
Medical Devices ,
Medical Technology Companies ,
Popular ,
Whistleblowers
- What is new: The ICO is proposing to relax its enforcement of cookie consent requirements, meaning user consent would not be required for lower-risk advertising cookies.
- Why it matters: The proposals aim to address...more
8/6/2025
/ Advertising ,
Consent ,
Cookies ,
Corporate Counsel ,
Data Privacy ,
Data Protection ,
Information Commissioner's Office (ICO) ,
New Guidance ,
Privacy Laws ,
UK ,
Web Tracking
- What is new: The Trump administration’s AI Action Plan reflects a striking shift in approach, with the federal government driving development, expansion and regulation, focusing on deregulation, permitting, procurement and...more
7/30/2025
/ Artificial Intelligence ,
Deregulation ,
Export Controls ,
Federal Contractors ,
Government Agencies ,
Infrastructure ,
Innovation ,
National Security ,
Popular ,
Regulatory Reform ,
Technology ,
Trump Administration
- What is new: The EU’s Delegated Regulation on Subcontracting has come into force, completing the legal framework of the Digital Operational Resilience Act (DORA). Attention will now turn to enforcement.
- Why it matters:...more
As federal privacy enforcement shows signs of slowing, states are aggressively stepping in to fill the void.
On July 1, 2025, the California attorney general (AG) announced a $1.55 million settlement with Healthline Media,...more
7/22/2025
/ California ,
California Consumer Privacy Act (CCPA) ,
Connecticut ,
Consumer Privacy Rights ,
Data Privacy ,
Data Protection ,
Enforcement Actions ,
Opt-Outs ,
Privacy Acts ,
Privacy Laws ,
Sensitive Personal Information ,
State Attorneys General ,
State Privacy Laws
In recent weeks, the EU and UK have both introduced changes to their respective versions of Europe’s landmark privacy legislation, the General Data Protection Regulation (GDPR). These reforms mark the first substantial...more
7/11/2025
/ Compliance ,
Cookies ,
Data Privacy ,
Data Protection ,
EU ,
General Data Protection Regulation (GDPR) ,
Member State ,
New Legislation ,
Personal Data ,
Regulatory Agenda ,
Regulatory Reform ,
Regulatory Requirements ,
UK
On 25 June 2025, the European Commission announced its proposal for a “Space Act” that would introduce a new regulatory framework for EU space activities. The proposed framework includes cyber-resilience obligations for EU...more
7/9/2025
/ Compliance ,
Cybersecurity ,
Data Privacy ,
Enforcement ,
EU ,
National Security ,
Outer Space ,
Privacy Laws ,
Proposed Legislation ,
Regulatory Requirements ,
Reporting Requirements ,
Risk Management
- On 26 March 2025, the European Health Data Space (EHDS) Regulation entered into force. The regulation establishes a comprehensive framework for health-data sharing and access in the EU, with the dual aim of supporting the...more
6/26/2025
/ Compliance ,
Data Privacy ,
Data Security ,
Data-Sharing ,
Electronic Protected Health Information (ePHI) ,
EU ,
Health Care Providers ,
Healthcare ,
Healthcare Reform ,
Intellectual Property Protection ,
Life Sciences ,
Noncompliance ,
Personal Data ,
Regulatory Agenda ,
Regulatory Requirements ,
Shareholders
Executive Summary -
The EU Data Act, whose requirements apply from 12 September 2025, establishes new rights for businesses and consumers to access data they generated using “connected devices,” limiting the exclusive...more
6/24/2025
/ Cloud Computing ,
Competition ,
Contract Terms ,
DATA Act ,
Data Privacy ,
Data Protection ,
Data-Sharing ,
Enforcement ,
EU ,
General Data Protection Regulation (GDPR) ,
New Legislation ,
Regulatory Requirements ,
UK
On April 23 and 24, 2025, regulators, industry leaders and data privacy leaders from across the globe convened in Washington, D.C. for the 2025 International Association of Privacy Professionals (IAPP) Global Privacy Summit....more
5/5/2025
/ Artificial Intelligence ,
California Consumer Privacy Act (CCPA) ,
Corporate Counsel ,
Cybersecurity ,
Data Privacy ,
Data Protection ,
Enforcement Actions ,
EU ,
General Data Protection Regulation (GDPR) ,
Machine Learning ,
Privacy Laws ,
Regulatory Agenda ,
Regulatory Requirements ,
State Privacy Laws ,
Technology ,
UK
In its first major initiative, on March 21, 2025, the Federal Communications Commission’s (FCC’s) newly formed Council on National Security (Council) launched an investigation into the “ongoing U.S. operations” of businesses...more
On March 26, 2025, the Department of Justice (DOJ) entered into a settlement agreement with MORSECORP, Inc. (MORSE), resolving False Claims Act (FCA) allegations that MORSE submitted false claims for payment under Department...more