The Cybersecurity Information Sharing Act of 2015 (“CISA 2015”), which provides protections for sharing cybersecurity threat information with the federal government and others, was reauthorized under the funding bill to reopen the federal government, which was enacted on November 12, 2025.  The information sharing mechanisms and protections under CISA 2015, which had previously sunset on September 30, 2025, will now extend through January 30, 2026.Continue Reading Cybersecurity Information Sharing Act of 2015 Reauthorized Through January 2026

On October 30, 2025, California Attorney General Bonta announced a $530,000 settlement related to allegations that Sling TV, an internet-based live TV service, violated the California Consumer Privacy Act (“CCPA”) and the California Unfair Competition Law. This is the first enforcement action arising from the California Department of Justice’s (“DOJ”) investigative sweep of streaming services and connected TVs, which was announced in January 2024.Continue Reading California Attorney General Announces $530,000 CCPA Settlement with Sling TV

Last week, the Global Privacy Enforcement Network (“GPEN”)—a global network of over 30 national data protection authorities—announced the launch of its annual privacy sweep. The purpose of the sweep is to examine how websites and mobile applications commonly used by children handle minors’ personal information. Members of GPEN include regulators who have long prioritized protections for children and teens, such as the Federal Trade Commission (“FTC”), the California Attorney General, the California Privacy Protection Agency, the UK Information Commissioner’s Office, the French Commission Nationale de l’Informatique et des Libertés (“CNIL”), and the Irish Data Protection Commission.Continue Reading Global Privacy Regulators Launch Enforcement Sweep Focused on Children’s Data Protection

Over the past few months, there have been several notable developments in the cross-border data frameworks of the U.S., EU, UK, Brazil, and several Asia Pacific (“APAC”) countries. These developments reflect evolving regulatory approaches to international data flows, trade agreements, and national security priorities—each with certain nuances and particularities that multinational companies need to understand and be prepared to navigate. 

This blog post provides a brief summary of these developments and key takeaways for companies transferring personal data to or from these jurisdictions. Continue Reading Roundup of Cross-Border Data Transfer Developments

On September 23, 2025, the California Privacy Protection Agency announced that the state’s Office of Administrative Law approved regulations that update existing California Consumer Privacy Act (“CCPA”) regulations and introduce new regulations covering cybersecurity audits, risk assessments, and automated decision-making technology.  The updates to the existing regulations—which take effect on January 1, 2026—expand business obligations under the CCPA and give consumers more control over their personal information.  This blog post highlights key updates to the existing regulations. Continue Reading California Finalizes Updates to Existing CCPA Regulations

In a new post on Inside Global Tech, we discuss the European Commission’s call for evidence on the best approach to addressing structural problems in the areas of research, industrial capacity, and supply chain resilience. This call for evidence will feed into the European Commission’s broader Quantum Strategy.

Continue Reading European Commission launches a call for evidence on the impact assessment for the forthcoming EU Quantum Act

On October 14, 2025, the European Data Protection Board (“EDPB”) announced that its 2026 coordinated enforcement action (“CEA”) will focus on transparency and information obligations — the rules that require organizations to clearly explain how they collect, use, and share personal data — under Articles 12-14 of the General Data Protection Regulation (“GDPR”).Continue Reading EDPB to Focus on Transparency in 2026 Enforcement

On October 21, 2025, the New York State Department of Financial Services (“NYDFS”) issued an industry letter (the “Guidance”) highlighting the cybersecurity risks related to Covered Entities’ use of Third-Party Service Providers (“TPSPs”) and providing strategies to address these risks. The Guidance is addressed to all Covered Entities subject to NYDFS’s cybersecurity regulation codified at 23 NYCRR Part 500 (“Cybersecurity Regulation”), which requires Covered Entities to implement a comprehensive cybersecurity program that includes written policies addressing TPSP risks as well as due diligence, contractual requirements, and periodic assessments for TPSPs. While the Guidance is explicit that it “does not impose any new requirements” beyond those already included in the Cybersecurity Regulation, it provides significant additional detail to clarify how to comply with existing requirements and offers industry best practices to mitigate TPSP-related cyber risks. As the Guidance suggests that NYDFS will continue to focus on TPSP-related cyber risks, Covered Entities should consider reviewing their TPSP oversight and management against the specific recommendations from the Guidance and adjusting their practices where appropriate. Alongside a review of TPSP oversight and management, Covered Entities may also consider reviewing their implementation of the provisions of the Cybersecurity Regulation requiring multifactor authentication, asset management, and data retention, which take effect on November 1, 2025.Continue Reading NYDFS Publishes Industry Guidance on Managing Cyber Risks Related to Third-Party Service Providers

Over the past few months, Chinese regulators have taken steps to update the country’s cybersecurity framework, with a particular focus on artificial intelligence (AI) safety and clarifying incident reporting obligations for onshore infrastructure. These developments reflect a broader trend toward more proactive AI and cyber governance and could signal priorities for the year ahead.Continue Reading China Amends Cybersecurity Law and Incident Reporting Regime to Address AI and Infrastructure Risks

On 8 October 2025, the European Commission published its Apply AI Strategy (the “Strategy”), a comprehensive policy framework aimed at accelerating the adoption and integration of artificial intelligence (“AI”) across strategic industrial sectors and the public sector in the EU.

The Strategy is structured around three pillars: (1) introducing sectoral flagships to boost AI use in key industrial sectors; (2) addressing cross-cutting challenges; and (3) establishing a single governance mechanism to provide sectoral stakeholders a way to participate in AI policymaking.

The Apply AI Strategy is accompanied by the AI in Science Strategy, and it will be complemented by the Data Union Strategy (which is anticipated later this year).Continue Reading European Commission Publishes Apply AI Strategy to Accelerate Sectoral AI Adoption Across the EU