The differences between non-disclosure, exfiltration and notice – a court’s view

By David Kessler (US) & Susan Ross (US) on March 19, 2025

By David Kessler and Sue Ross

Although there is scant case law on the question, it is generally accepted that it is not a violation of one’s duty not to disclose information if it is stolen from you. Put another…

What do organisations need to disclose to individuals about AI and automated decisions?

By Marcus Evans (UK), Farah Mukaddam (UK) & Rosie Nance on March 10, 2025

Individuals have the right to receive meaningful information about solely automated decisions with significant effects under the General Data Protection Regulation (GDPR). This includes decisions that will impact an individual’s finances or employment. But how much information are…

Prohibited practices under the AI Act: Answered and unanswered questions in the Commission’s guidelines

By Marcus Evans (UK) & Rosie Nance on March 5, 2025

The EU AI Act’s prohibitions came into effect on 2 February 2025 and carry fines of 7% worldwide annual turnover for non-compliance. The prohibitions at Article 5 and accompanying recitals (particularly recitals 28-44) set out a complex set of provisions.

Federal government announces latest National Cyber Security Strategy

By Imran Ahmad (CA), John Cassell (CA) & Travis Walker on February 27, 2025

On February 6, the Government of Canada announced its latest National Cyber Security Strategy (the NCSS), detailing the federal government’s plan to help Canadian organizations prepare for and respond to the rapidly evolving and increasingly sophisticated cyber security threats of…

Happy Information Governance Day

By David Kessler (US) & Andrea D'Ambra (US) on February 20, 2025

Happy February 20^th and Information Governance Day! Today is an opportunity to reflect on the evolution of information governance and, more importantly, its future. In our view, information governance is in its ascendency and is only becoming more and…

New York changes data breach law—in December and February

By Annmarie Giblin (US), Susan Ross (US), Gerar Mazarakis (US) & Phillip Pang (US) on February 19, 2025

New York just finished a series of adjustments to its data breach notification requirements. Effective immediately, organizations must notify impacted individuals of a data breach within 30 days of its discovery instead of “in the most expedient time possible and…

FTC settlement requires disconnection of hardware from all no longer supported software

By David Kessler (US) & Susan Ross (US) on February 18, 2025

On January 16, 2025, the FTC announced a proposed complaint and consent agreement with one of the largest hosting companies in the world: GoDaddy. According to the complaint, the FTC found GoDaddy’s security practices “unreasonable for a company of its…

The Commission’s guidelines on AI systems – what can we infer?

By Rosie Nance, Marcus Evans (UK) & Peter McBurney on February 13, 2025

The EU’s AI Act imposes extensive obligations on the development and use of AI. Most of the obligations in the AI Act look to regulate the impact of the specific use cases on health, safety, or fundamental rights. These sets…

CJEU Advocate General clarifies when pseudonymised data falls outside the definition of personal data

By Marcus Evans (UK), Rosie Nance & Alice Knowles on February 10, 2025

On 5 February 2025, the Advocate General of the Court of Justice of the European Union (CJEU) issued its opinion in the case of C 413/23 P European Data Protection Supervisor (EDPS) v Single Resolution Board…

US Dept of Health proposes Security Rule amendments that includes new deadlines

By Will Daugherty (US), David Kessler (US), Sarah Knight (US), Susan Ross (US) & Megan Kunnel (US) on February 4, 2025

On December 27, 2024, the United States Department of Health and Human Services (HHS), through its Office for Civil Rights (OCR), issued a proposed rule to improve data protection measures in the healthcare sector.

Learn more about the…

Data Protection Report

The differences between non-disclosure, exfiltration and notice – a court’s view

What do organisations need to disclose to individuals about AI and automated decisions?

Prohibited practices under the AI Act: Answered and unanswered questions in the Commission’s guidelines

Federal government announces latest National Cyber Security Strategy

Happy Information Governance Day

New York changes data breach law—in December and February

FTC settlement requires disconnection of hardware from all no longer supported software

The Commission’s guidelines on AI systems – what can we infer?

CJEU Advocate General clarifies when pseudonymised data falls outside the definition of personal data

US Dept of Health proposes Security Rule amendments that includes new deadlines

Employment law changes in April 2025

Published in OJ – MiCA Delegated Regulations on adjustment of own funds requirement, data and remuneration

APPG on Investment Fraud and Fairer Financial Services publishes supplementary report on FCA

FCA publishes voluntary survey for ESG ratings providers

FCA sets out next steps on Consumer Duty rule review

FCA publishes new 5-year strategy for 2025-2030

BoE launches 2025 Bank Capital Stress Test

Commission adopts DORA RTS specifying the elements that a financial entity has to determine when subcontracting ICT services

Trilogue negotiating positions on the CMDI framework

About

Topics

Archives