On February 6, 2025, Advocate General Spielmann released his opinion in the EDPS vs. SRB case (Case C‑413/23 P).  In this case, the European Data Protection Supervisor appealed a decision from the General Court (see our blog post here).

In essence, the case turns on the question of whether

Continue Reading CJEU Advocate General Supports Pragmatic Definition of Personal Data

On January 9, 2025, the Court of Justice of the European Union (“CJEU”) issued a decision on the GDPR’s lawfulness and data minimization principles.

The case arose after a French association (“Mousse”) complained to the French Supervisory Authority (“CNIL”) about the fact that France’s main train company SNCF requires customers to indicate their title and gender identity by ticking either “Sir” or “Madam” when purchasing a train ticket online.  Mousse considered that such a mandatory requirement could not be justified under the “contractual performance” or “legitimate interests” legal bases set out in Article 6 GDPR, and infringed the GDPR’s principles of lawfulness, data minimization and transparency. 

The CNIL dismissed the complaint, and Mousse appealed the CNIL’s decision before the French Administrative Supreme Court (“Conseil d’Etat”), which stayed the proceedings to refer some questions to the CJEU.

Continue Reading CJEU Finds Customers’ Title Is Not Necessary Data For The Purchase Of A Train Ticket

On 15 January 2025, the European Commission published an action plan on the cybersecurity of hospitals and healthcare providers (the “Action Plan”). The Action Plan sets out a series of EU-level actions that are intended to better protect the healthcare sector from cyber threats. The publication of the Action Plan follows a number of high-profile incidents in recent years where healthcare providers across the European Union have been the target of cyber attacks.

Continue Reading European Commission Publishes Action Plan on Cybersecurity of Hospitals and Healthcare Providers

With the 119th Congress now assembled, Republicans control both the House and Senate, and will control the White House starting on January 20th. If history is any guide, this change in party control of the White House, plus unified control of Congress by the president’s party, will pave the way for Republicans to deploy the Congressional Review Act (CRA) to overturn a number of regulations issued by the Biden Administration. When President Trump first took office in 2017, congressional Republicans used the CRA to overturn more than a dozen rules promulgated by the Obama Administration.

Continue Reading Biden Administration Rulemakings at Risk for Congressional Review Act Cancellation in New Congress

On December 24, 2024, New York Governor Kathy Hochul signed into law an amendment to New York General Business Law § 899-aa modifying the state’s data breach notification requirements. The amended law, which is effective immediately, imposes new requirements businesses must follow when providing notifications following a data breach affecting New York residents. Specifically, businesses now must disclose data breaches affecting New York residents within thirty days from the discovery of a breach. Additionally, the amendment adds the New York Department of Financial Services (“NYDFS”) to the list of state regulators that must be notified whenever a breach requiring notification to New York residents occurs.

Continue Reading New York Adopts Amendment to the State Data Breach Notification Law

On January 6, 2025, the U.S. Department of Health and Human Services Office for Civil Rights (OCR) issued a notice of proposed rulemaking (the “proposed rule”), which proposes a number of significant updates to the HIPAA Security Rule.  According to OCR’s announcement, the proposed rule seeks to “improve cybersecurity and better protect the U.S. health care system from a growing number of cyberattacks” and “better align the Security Rule with modern best practices in cybersecurity.” The preamble states that the proposed rule seeks to address common areas of non-compliance with the Security Rule identified by OCR in its recent investigations, as well as build on recommendations from the National Committee on Vital Health Statistics and guidelines and best practices recommended by other parts of the government, such as the Cybersecurity and Infrastructure Security Agency (CISA) and the National Institute of Standards and Technology (NIST).

Below, we provide a brief summary of the proposed changes. The proposed rule is open for comment until March 7, 2025.
Continue Reading HHS Issues Notice of Proposed Rulemaking to Update the HIPAA Security Rule

Attorneys General in Oregon and Connecticut issued guidance over the holiday interpreting their authority under their state comprehensive privacy statutes and related authorities. Specifically, the Oregon Attorney General’s guidance focuses on laws relevant for artificial intelligence (“AI”), and the Connecticut Attorney General’s guidance focuses on opt-out preference signals that go into effect on January 1, 2025 in the state.

Continue Reading State Attorneys General Issue Guidance On Privacy & Artificial Intelligence

On November 6, 2024, the UK Information Commissioner’s Office (ICO) released its AI Tools in recruitment audit outcomes report (“Report”). This Report documents the ICO’s findings from a series of consensual audit engagements conducted with AI tool developers and providers. The goal of this process was to assess compliance with data protection law, identify any risks or room for improvement, and provide recommendations for AI providers and recruiters. The audits ran across sourcing, screening, and selection processes in recruitment, but did not include AI tools used to process biometric data, or generative AI. This work follows the publication of the Responsible AI in Recruitment guide by the Department for Science, Innovation, and Technology (DSIT) in March 2024.

Continue Reading ICO Audit on AI Recruitment Tools

In the final quarter of 2024, there have been significant developments in the EU cybersecurity legal landscape. Most prominently, the EU institutions adopted the Cyber Resilience Act and mid-October marked the deadline for Member States to transpose the NIS2 Directive into national law. Most Member States failed to meet the NIS2 transposition deadline, which resulted in the European Commission sending a formal notice to 23 Member States, urging them to transpose the Directive. These 23 Member States have been given two months to respond. (For more information on the Cyber Resilience Act and NIS2 Directive, see our blog posts here and here.)

Continue Reading Three Recent Developments in the EU Cyber Landscape

2024 was an incredibly busy year for health privacy. As the year draws to a close and we look ahead to 2025, we share several areas that we are watching in the coming year, which we expect to be similarly busy with federal- and state-level activity:

Continue Reading Health Privacy Developments to Watch in 2025