Squire Patton Boggs (US) LLP has continued the growth of its globally recognized Data Privacy, Cybersecurity & Digital Assets and related litigation practices with the promotion of CPW’s Kristin Bryan and Kyle Fath to Partner.

Kristin Bryan is a litigation partner who is part of the firm’s Global Data Review-ranked data disputes practice.  She has deep expertise representing clients in bet-the-company data privacy, cybersecurity and data breach disputes in federal and state courts nationwide.  Kristin has obtained dismissals of multibillion-dollar privacy litigations where plaintiffs alleged that her client’s business practices violated federal and state privacy laws.  She has litigated cases brought under the Electronic Communications Privacy Act (ECPA), the Video Privacy Protection Act (VPPA), the Driver Privacy Protection Act (DPPA), the Fair Credit Reporting Act (FCRA), the Computer Fraud and Abuse Act (CFAA) and the California Consumer Privacy Act (CCPA), as well as class actions asserting deceptive trade practice claims based on privacy practices.  Kristin has also advised clients concerning claims brought under the Illinois Biometric Privacy Act (BIPA).  Kristin is CIPP/US certified and Editor in Chief of Consumer Privacy World.

Kyle Fath is a partner in the firm’s globally preeminent Data Privacy, Cybersecurity & Digital Assets Practice.  Companies across a broad spectrum of industries turn to Kyle for his in-depth and unique blend of experience in privacy compliance, technology transactions, and IP matters.  A considerable portion of Kyle’s practice focuses on product counseling, in which he advises clients on the privacy, advertising, intellectual property, regulatory, and third-party risks associated with the development, operation, licensing, and other exploitation of technology, platforms, data, and other digital assets.  As a go-to resource on emerging and complicated technologies, Kyle is an authority on the digital advertising ecosystem and the regulatory and industry challenges faced by advertisers, publishers, and AdTech companies.  He also advises companies in the web3 and blockchain space, including having counseled dozens of brands, entertainment studios, gaming and e-sports companies, and prominent celebrities on various aspects of non-fungible token (NFT) drops.

Congratulations Kristin and Kyle!

In 2025, India’s approach to AI has shifted significantly from “Will AI change the way business is done?” to “What is the best way to adopt it to enable business expansion?” Guided by the principles of People, Planet, and Progress, “Safe and trusted AI for all” has become the motto governing India’s approach to AI. The evolving digital infrastructure, specific sector-driven regulation, techno-legal philosophy, strength of the powerful Global South, and a strong inclusion narrative are cornerstones of India’s AI journey.

Continue Reading India Issues 2025 AI Governance Guidelines: How It Compares to Other Global AI Acts

The 2025 legislative cycle marked a pivotal year in US privacy law, defined not only by continued nationwide expansion into Artificial Intelligence (AI) governance, children’s and teen privacy and online safety, as well as emerging data categories, but by a major restructuring of California’s privacy enforcement infrastructure. California’s introduction of the Delete Request and Opt-out Platform (DROP) system, the nation’s first centralized, statewide platform for managing consumer deletion requests, combined with sweeping reforms to the Consumer Privacy Fund, will materially increase CalPrivacy and attorney general enforcement capacity on a recurring, self-replenishing basis. These developments accompany completion of a far-reaching rulemaking package that imposes detailed obligations for Data Protection Impact Assessments (DPIAs or risk assessments), cybersecurity governance and Automated Decision-Making Technology (ADMT). At the same time, states beyond California have enacted targeted statutory reforms addressing neurotechnology, data-broker practices and minors’ online safety, underscoring that – absent federal preemption – state-driven models will continue to shape the national privacy compliance landscape in 2026. By January 2026, there will be 20 state consumer privacy laws in effect, several with unique material obligations. We detail what enterprises need to be prepared for in 2026 and explain why we believe next year will be a watershed period for consumer privacy in the US.

Continue Reading 2025 State Privacy Roundup: Key Trends and California Developments to Watch in 2026

The UK’s data protection regime is undergoing its most significant transformation since the adoption of the UK GDPR. With the successful passage through both the House of Lords and the House of Commons on 11 June 2025, the Data (Use and Access) Act 2025 (“DUAA”) received Royal Assent on 19 June 2025. Positioned as introducing incremental change rather than major reform, the DUAA is intended to address the UK government’s aim to recalibrate the balance between privacy, innovation, and regulatory pragmatism with the ultimate goal of promoting economic growth.

Continue Reading The Data (Use and Access) Act 2025: A New Chapter in the UK’s Data Protection Framework

In our earlier blog on recent changes affecting the Competition and Markets Authority (CMA), we anticipated more changes to come. The month of March has lived up to our expectations. On 12 March, the CMA launched a “call for evidence” for the review of its approach to merger remedies as well as a “Mergers Charter” for businesses, stating that:

“Both the merger remedies review and the Mergers Charter are part of the CMA’s programme of work to implement the ‘4Ps’ – pace, predictability, proportionality and process – across all its work, helping to drive growth and enhance business and investor confidence.”[1]

Continue Reading Ch-ch-ch-ch-changes… Part 2

By repeating “ch-ch-ch-ch-changes” in his famous song, David Bowie was reportedly trying to mirror the stuttered steps of growth. January 2025 was a month full of changes for the UK Competition and Markets Authority (CMA). As with any changes, it is difficult to predict their effect precisely; only time will tell. Although we do not have a crystal ball, our longstanding and in-depth experience in UK competition law gives us unique insights into what to expect and, most importantly, how to adapt. In this update, we will cover some of these key changes, including:

  • The entry into force of the Digital Markets, Competition and Consumers Act (DMCCA) and related updated guidance.
  • An anticipated reform of the UK concurrency regime to extend to consumer protection.
  • The exercise by the CMA of its new DMCCA powers to designate companies with Strategic Market Status (SMS).
  • Last but not least, perhaps the changes that grabbed the headlines the most: the CMA has a new interim Chairperson and the UK government’s “steer” to the CMA’s CEO.

Continue Reading Ch-ch-ch-ch-changes… for the UK Competition and Markets Authority

On January 23, 2025, President Trump issued a new Executive Order (EO) titled “Removing Barriers to American Leadership in Artificial Intelligence” (Trump EO). This EO replaces President Biden’s Executive Order 14110 of October 30, 2023, titled “Safe, Secure, and Trustworthy Development and Use of Artificial Intelligence” (Biden EO), which was rescinded on January 20, 2025, by Executive Order 14148.

The Trump EO signals a significant shift away from the Biden administration’s emphasis on oversight, risk mitigation and equity toward a framework centered on deregulation and the promotion of AI innovation as a means of maintaining US global dominance.

Continue Reading Key Insights on President Trump’s New AI Executive Order and Policy & Regulatory Implications

The Data (Use and Access) Bill (“DUA Bill”)[1] had its second reading on 19th November 2024 after being introduced in the House of Lords on 23 October and the Bill is anticipated to enter the Lords’ Committee stage in December. According to the Department for Science, Innovation and Technology, the DUA Bill will harness the power of data to boost the UK economy by an estimated £10 billion, free up thousands of police and NHS staff time and secure the effective use of data for the public interest.[2] The DUA Bill proposes to amend both the UK General Data Protection Regulation (“UK GDPR”) and the Privacy and Electronic Communications (EC Directive) Regulations 2003 (“PECRs”), despite little weight being placed on this in the Government’s initial press release.

Continue Reading Unpacking the Proposed Data (Use and Access) Bill

On July 15, 2024, the Personal Data Protection Commission of Singapore (PDPC) released its Proposed Guide on Synthetic Data Generation (Guide). The Guide is a key resource within the Privacy Enhancing Technology (PET) Sandbox which aims to assist organisations in understanding the techniques and potential applications of Synthetic Data (SD) generation, particularly in the context of artificial intelligence (AI). As highlighted by Minister for Digital Development and Information Josephine Teo during her opening address at Singapore’s Personal Data Protection Week 2024, generating SD is a rapidly evolving PET that enables realistic AI model training without compromising sensitive data.

Understanding SD and Its Benefits

SD is commonly referred to as artificially generated data created using purpose-built mathematical models (including AI and machine learning (ML) models) or algorithms. SD is generated by training a model or algorithm on a source dataset to mimic the characteristics and structure of the source data. Its advantages include:

  • Enhancing AI/ML development – SD can drive AI and ML growth by enabling model training without exposing actual personal data.
  • Addressing data challenges – SD can overcome dataset related challenges in AI model training (e.g. insufficient or biased datasets) by augmenting and diversifying training datasets.
  • Facilitating collaboration and software development – SD can be used for data analytics, collaboration and software development, reducing the risk of data breaches during the development process.

The Role of PETs

The Guide defines PETs as tools and techniques that allow the processing, analysis and extraction of insights from data without revealing the underlying personal or commercially sensitive information.

PETs are generally categorised into three main types:

  1. Data obfuscation
  2. Encrypted data processing
  3. Federated analytics

SD generation is a form of data obfuscation and has applications in privacy-preserving AI/ML, data sharing and software testing.

Use Cases and Good Practices for SD Generation

The Guide outlines several use cases for SD along with recommended best practices:

  1. Generating training datasets for AI/ML models, including data augmentation and increasing data diversity
    • Good practices – Adding noise to, or reducing the granularity of, the SD points in appropriate scenarios.
  2. Data analysis and collaboration, including data sharing and analysis and previewing data for collaborative purposes
    • Good practices – Incorporating data protection measures throughout the SD generation process, such as (i) removing outliers from source data, pseudonymising source data, employing data minimisation and generalising granular data during the data preparation phase, (ii) adding noise before or after SD generation during the SD generation phase and (iii) incorporating technical, contractual and governance measures to mitigate any residual re-identification risks during the post-SD generation phase.
  3. Software testing, including system development to avoid data breaches
    • Good practices – Generating SD that follows the semantics (e.g. format, min/max values and categories) of source data instead of statistical characteristics and properties.

Key Steps in SD generation

While SD is generally fictitious data that may not be considered personal data on its own, it still carries re-identification risks. As such, the Guide provides a five-step approach for organisations to reduce the re-identification risks of SD.

Step 1: Know your data

Organisations should have a clear understanding of the purpose and use cases for the SD and the source data it mimics. Organisations should note that:

  • General trends/insights of source data will be replicated in the SD. Thus, the SD will not offer any protection to sensitive trends/insights.
  • Organisations may have to prioritise data protection over data utility where the SD is to be released publicly.
  • Where relevant, proper contractual obligations should be put in place on recipients of the SD to prevent re-identification attacks on the data.

Organisations should also establish objectives prior to SD generation to determine the acceptable risk threshold of the generated SD and the expected utility of the data. This may allow organisations to ascertain the appropriate benchmarks for assessing any trade-offs between data protection risks and data utility to meet their business objectives.

Step 2: Prepare Your Data

Organisations should consider the key insights and necessary data attributes for the SD to meet its business objectives.

  • In terms of key insights, organisations need to understand and identify the trends, key statistical properties and attribute-relationships in the source data that need to be preserved for analysis. Outliers may be removed if such trends/insights are not necessary.
  • Based on the key insights needed, organisations should apply data minimisation to extract only relevant attributes from source, remove or pseudonymise direct identifiers and add noise or generalise the data as needed to reduce re-identification risks. They should also standardise documentation in a data dictionary to validate the integrity of generated SD and address inconsistencies.

Step 3: Generate SD

Organisations need to consider which method of generating SD is most appropriate based on their use cases, data objectives and types of data. Some examples include sequential tree-based synthesisers, copulas and deep generative models.

After generation of the SD, it is good practice for organisations to perform the following checks on the quality of the generated SD:

  • Data integrity – This ensures the accuracy, completeness, consistency and validity of the SD as compared to the source data. 
  • Data fidelity – This examines if the SD closely follows the characteristics and statistical attributes of the source data.
  • Data utility – This refers to how well the SD can replace or add to source data for the specific data objective of the organisation.

Step 4: Assess Re-identification Risks

After the SD is generated and its utility is assessed to be acceptable, organisations should evaluate re-identification risks based on their internal criteria. This is an attack-based evaluation of how successfully an adversary carrying out re-identification attacks can determine if an individual belongs to the source dataset and/or derive details of an individual from the source dataset.

The Guide offers various approaches to determine and quantify re-identification risks and provides examples of existing industry guidelines and recommendations for de-identified/anonymised data. It is noted that there is no universally accepted numerical threshold value for risk levels.

Step 5: Manage Residual Risks

Organisations should identify all potential residual risks and implement appropriate mitigation controls (technical, governance and contractual) to minimise these risks. These risks and controls should be documented and approved by the management and key stakeholders as part of the organisation’s enterprise risk framework. Such risks may include:

  • New insights derived from SD
  • Potential impact on groups of individuals due to membership disclosure
  • Parties receiving SD
  • Changing environment
  • Model leakage

The Guide offers examples of best practices and security controls for managing these residual risks associated with using SD. These measures include technical, governance and contractual mitigation controls, with specific examples such as access controls, asset management, risk management, legal controls and database security.

Additionally, organisations should plan for incidents involving SD breaches. For example:

  • Where there is a loss of fully synthetic data that is not intended for public release, organisations should investigate the incident to understand the root cause and improve internal safeguards against such occurrences in future. Organisations should also monitor for evidence of actual re-identification and assess if it would be a notifiable data breach to PDPC.
  • Where there is a loss of an SD generator model, parameters and/or SD, organisations should investigate to understand the root cause of the incident and improve their internal safeguards. They should also monitor for a possible successful model inversion attack, which may result in the reconstruction and disclosure of the source data, and, if applicable, assess if such a breach is notifiable.

Concluding Remarks

The Guide offers valuable insights into leveraging SD while balancing data utility and data protection risks in SD generation. It is intended as a living document and will be updated to ensure its recommendations remain relevant. Organisations are encouraged to stay informed of these updates and actively engage with the principles outlined in the Guide to ensure their practices align with both current and future standards of data protection.

Privacy World will continue to monitor Asian data privacy legislative developments and keep you in the loop on new developments related to data privacy, cybersecurity and AI.


Disclaimer: While every effort has been made to ensure that the information contained in this article is accurate, neither its authors nor Squire Patton Boggs accepts responsibility for any errors or omissions. The content of this article is for general information only and is not intended to constitute or be relied upon as legal advice.

In this blog post, we break down the new Vietnamese cybersecurity regulations, which apply to both Vietnamese and foreign organisations. Alongside the ongoing consultation for the Ministry of Public Security’s proposed data law, Vietnam is taking steps to move towards a data protection compliance regime in line with other countries and regions, such as the EU – something of particular relevance in a country with one of the highest internet user growth rates (nearly 80 million internet users).

What Is the CAS Decree?

The Cybersecurity Administrative Sanctions Decree (CAS Decree) is a decree unveiled by the Vietnamese Ministry of Security to the Ministry of Justice in mid-May 2024.

The first draft was published for consultation in September 2021 and has undergone multiple revisions following public consultations.

Continue Reading Summarising the New Vietnamese Cybersecurity Regulations