On April 7, 2025, South Africa’s Information Regulator announced a new requirement for organizations to report data breaches—referred to under local law as “security compromises”—via an online eServices Portal. The announcement marks a significant procedural shift in how companies must comply with the Protection of Personal Information Act, 2013
Continue Reading South Africa Introduces Mandatory e-Portal Reporting for Data BreachesUncategorized
European Health Data Space Published
On March 5, 2025, the Regulation on the European Health Data Space (“EHDS”) was published in the Official Journal (see here). The text enters into force on March 25, 2025, however it only becomes applicable in a staggered manner over several years.
The section on secondary use of the…
Continue Reading European Health Data Space PublishedCalifornia Passes Law to Protect Minors from “Addictive Feeds”
On September 20, 2024, California Governor Newsom signed into law SB 976, the Protecting Our Kids from Social Media Addiction Act (the “Act”). The Act defines and prohibits an “addictive internet-based service or platform” from providing an “addictive feed” to a minor unless the platform has previously obtained verifiable parental consent. The Act will take effect on January 1, 2025, and the California Attorney General will promulgate regulations on age assurance and parental consent by January 1, 2027. This post summarizes the law’s key provisions. The law includes several technical definitions and exceptions, which are explained at the end of this post.Continue Reading California Passes Law to Protect Minors from “Addictive Feeds”
California Enacts Health AI Bill and Protections for Neural Data
On September 28, California’s governor signed a number of bills into law, including to regulate health care facilities’ use of artificial intelligence (“AI”). This included AB 3030, which regulates certain California-licensed health care facilities’ use of AI and SB 1223, which amends the California Consumer Privacy Act (CCPA) to cover “neural data.” We discuss each bill in turn below.
AB 3030Continue Reading California Enacts Health AI Bill and Protections for Neural Data
FTC Reaches Settlement with NGL Labs Over Children’s Privacy & AI
On July 9, 2024, the FTC and California Attorney General settled a case against NGL Labs (“NGL”) and two of its co-founders. NGL Labs’ app, “NGL: ask me anything,” allows users to receive anonymous messages from their friends and social media followers. The complaint alleged violations of the FTC Act, the Restore Online Shoppers’ Confidence Act (ROSCA), the Children’s Online Privacy Protection Act (COPPA), and California laws prohibiting deceptive advertising and prohibiting unfair and deceptive business practices.Continue Reading FTC Reaches Settlement with NGL Labs Over Children’s Privacy & AI
HHS Modifies Privacy Rule to Support Reproductive Health Care Privacy
HHS Modifies Privacy Rule to Support Reproductive Health Care Privacy
On April 26, 2024, the Office for Civil Rights (“OCR”) at the U.S. Department of Health & Human Services (“HHS”) published a final rule that modifies the Standards for Privacy of Individually Identifiable Health Information (“Privacy Rule”) under the Health Insurance Portability and Accountability Act (“HIPAA”) regarding protected health information (“PHI”) concerning reproductive health. We previously covered the proposed rule (hereinafter, “the NPRM”), which was published on April 17, 2023. The final rule aligns closely with the NPRM.Continue Reading HHS Modifies Privacy Rule to Support Reproductive Health Care Privacy
Congress Passes Bill Prohibiting Sharing or Selling Americans’ Sensitive Data to Entities Controlled by Foreign Adversaries
On April 24, 2024, President Biden signed into law H.R. 815, which includes the Protecting Americans’ Data from Foreign Adversaries Act of 2024 (“the Act”), a bill that passed the House 414-0 as H.R. 7520 on March 20. The Act is one of several recent actions by the U.S. government to regulate transfers of U.S. personal data for national security reasons, with a particular focus on China. While the ultimate policy objectives are similar, the Act takes a different approach by comparison to the Biden Administration’s Executive Order on Preventing Access to Americans’ Bulk Sensitive Personal Data and United States Government-Related Data by Countries of Concern (“the EO”), which the U.S. Department of Justice (“DOJ”) is in the process of implementing. We summarize below some key features of the Act, which will go into effect on June 23, 2024.Continue Reading Congress Passes Bill Prohibiting Sharing or Selling Americans’ Sensitive Data to Entities Controlled by Foreign Adversaries
Florida Enacts Social Media Bill Restricting Access for Teens Under the Age of Sixteen
On Monday, March 25, Florida Governor Ron DeSantis signed SB 3 into law. At a high level, the bill requires social media platforms to terminate the accounts of individuals under the age of 14, while seeking parental consent for accounts of those 14 or 15 years of age. The law will become effective January 1, 2025. Continue Reading Florida Enacts Social Media Bill Restricting Access for Teens Under the Age of Sixteen
China Eases Restrictions on Cross-Border Data Flows
After nearly six months since the initial draft was issued for public comments on September 28, 2023 (see here for our previous alert on that development), on March 22, 2024, the Cyberspace Administration of China (“CAC”) issued the final version of the Provisions on Promoting and Standardizing Cross-Border Data Flows (促进和规范数据跨境流动规定) ( “Provisions”) (Chinese version available here). The Provisions take effect immediately.
The newly finalized Provisions introduce significant changes to China’s existing cross-border data transfer regime. These changes primarily involve exemptions from the previously mandated transfer mechanisms outlined in the Personal Information Protection Law (“PIPL”) and its implementing regulations. Such mechanisms included undergoing a government-led security assessment, entering into a standardized contract, or obtaining personal information protection certification. As a result, many companies that previously faced these requirements may now be exempt, easing their compliance burden for cross-border data transfers. Importantly, the Provisions take precedence over any conflicting provisions within PIPL’s implementing regulations, including the Measures on the Standard Contract for Cross-Border Transfer of Personal Information and the Measures for Security Assessment of Cross-Border Data Transfer.Continue Reading China Eases Restrictions on Cross-Border Data Flows
FTC Returns to Bipartisan Commission with Confirmation of Two New Republican Commissioners
On Thursday, March 7, 2024, the U.S. Senate confirmed two nominees for the open seats on the Federal Trade Commission: Andrew N. Ferguson, former solicitor general of the Commonwealth of Virginia; and Melissa Holyoak, former solicitor general with the Utah Attorney General’s Office. With this confirmation of two new Republican Commissioners, the FTC is one step closer to a full slate of five bipartisan Commissioners. The Senate also re-confirmed Commissioner Rebecca Kelly Slaughter for a second term. President Biden had nominated Ferguson and Holyoak on July 11, 2023, and renominated Slaughter on February 13, 2023. Continue Reading FTC Returns to Bipartisan Commission with Confirmation of Two New Republican Commissioners