Recently, we hosted an intimate dinner in Los Angeles with a group of general counsels and senior executive leaders to discuss the evolving challenges posed by artificial intelligence (AI), data privacy and cybersecurity, particularly as they relate to HR and production environments. The roundtable discussion was dynamic and insightful, reflecting the real-world risks and strategic considerations that organizations are currently navigating.

On June 2, 2026, President Trump signed an executive order, ‘Promoting Advanced Artificial Intelligence Innovation and Security – The White House’, providing for federal government hardening of cybersecurity defenses against AI and prioritizing enforcement of existing cybercrime laws, as well as directing a multiagency effort to develop a voluntary program for covered frontier models to be assessed prerelease for cyber risk to critical infrastructure. This light-touch, security-focused approach is consistent with the federal government’s ongoing prioritization of innovation over regulation, but with a new focus on critical security risk.

Our team has captured key themes and concerns raised by legal thought leaders during our discussions and offers practical perspectives on how companies can prepare for and respond to this rapidly developing landscape in What GCs Should Consider for US AI Deployment in 2026.

Squire Patton Boggs will continue to monitor and report on federal and state regulatory efforts.

Stay Ahead on Consumer Privacy News

Not a subscriber yet? Subscribe here to be among the first to receive timely updates on the fast-moving world of data privacy, security, and innovation—delivered straight to your inbox.

Looking for deeper insights and expert analysis? You can also subscribe here to our privacy attorneys’ marketing communications for thought leadership and rich content when you need a more comprehensive perspective.

The UK’s data protection framework continues to evolve following the enactment of the Data (Use and Access) Act 2025 (DUAA). One of the more operationally significant developments for organisations is the introduction of a new statutory right for individuals to complain to controllers regarding infringements of the UK General Data Protection Regulation (GDPR), as well as a framework governing how controllers must handle those complaints.

The relevant provisions will apply from 19 June 2026, pursuant to the Data (Use and Access) Act 2025 (Commencement No. 6) Regulations 2026. On or before that date, organisations subject to the UK GDPR will need to update their privacy notices, and introduce formal data protection complaint handling processes that meet specific legal requirements.

Continue Reading The Data (Use and Access) Act 2025 and the new right for individuals to complain to controllers: What organisations need to do before 19 June 2026

SPB’s Alan Friel has previously explained here and here how consumer privacy law and online teen safety laws can go too far and be constitutionally suspect.  This issue has heated up in the courts as states rush to regulate. 

In a recent Network Advertising Initiative panel, Alan moderates a discussion between a speaker from NetChoice, an industry advocacy group leading the litigation challenges to overreaching online regulation, and a leading academic, Professor Eric Goldman. A recording of the spirited discussion is available here.

French law requires that where hosting service providers host certain types of health data, they must first obtain certification as “hébergeurs de données de santé” (“HDS”), which translates as “health data hosting service providers”. The relevant HDS certification framework was updated in 2024. This framework notably incorporates the amendments introduced by the law of 21 May 2024 aimed at securing and regulating the digital space, as well as the decree of 24 March 2026, which imposes data sovereignty-related obligations that will take effect in September 2026.

Continue Reading V2.0 Certification of French Health Data Hosting Service Providers (HDS) now Fully Effective

Join the Los Angeles County Bar Association’s (“LACBA”) Privacy & Cybersecurity Section on May 21, 2026 (6:30–8:00 PM) at the Jonathan Club in Downtown Los Angeles for “Protecting Consumers & Promoting Innovation in a Data-Driven Economy.” The program features FTC Bureau of Consumer Protection Director, Chris Mufarrige, who will discuss evolving consumer protection enforcement priorities and how regulators are addressing AI-related risks while supporting innovation.

Earn 1 hour of MCLE credit and connect with leaders shaping the future of privacy and cybersecurity. Register now to be part of the conversation: Register Here

Squire Patton Boggs proudly supports LACBA and LACBA’s Privacy and Cybersecurity Section. Alan Friel, Global Head of the firm’s Data Privacy, Cybersecurity & Digital Assets Practice, has served on the Section’s Executive Committee since its founding, and Gicel Tomimbang, Associate, currently serves as Section Chair.

In case you missed it, below are recent posts from Privacy World covering the latest developments on data privacy, security and innovation. Please reach out to the authors if you are interested in additional information.

How to use Cookie Banners and CMPs to Minimize Rather than Create US Privacy Risks: Free CLE Passes Available

Heading to Chicago next week for iTech’s 2026 World Technology Law Conference?

The Colorado AI Act Hits a Wall: Litigation, Legislative Uncertainty, and an Enforcement Standstill

European Court rules on when first access requests may be excessive

Upcoming Speaking Engagements: Insights on Data Privacy, AI, and Cybersecurity

Here We Go Again – House Republicans Introduce Federal Consumer Privacy Bill

One of our own is helping shape the conversation. Alan Friel, Partner, and contributing author to our blog, will serve as a featured speaker in an upcoming live CLE webinar tackling one of the most rapidly developing areas of digital privacy regulatory enforcement and litigation.

The first hour of the webinar, “Cookie Banner Wiretapping Litigation and Consent Management Platform Failures: CIPA, FSCA, and ECPA Claims Against Malfunctioning and Misleading CMPs in 2026,” will cover the core legal and technical issues driving an explosion in online tracking technology privacy litigation, and discuss the overlap with, but differences from, state consumer privacy law compliance and enforcement. Topics will include an explanation of how web, mobile and other online tracking technologies work, the applicable legal regimes and theories that need to be considered, ways that use of cookie banners and CMPs can either create or reduce risk, privacy policy and notice and terms of use (including arbitration and class‑waiver) drafting strategies, and the growing significance of Global Privacy Control (GPC) signals, as well as how these differ from industry self-regulatory signals and opt-outs and browser “Do Not Track” signals, and the issues with, and limitations of, each. It will wrap up with practical takeaways and an overview of legislative efforts to watch that could change the landscape. The second hour will be a deep dive into the litigation, including learnings from key court decisions.

See further details for this insightful presentation below as well as how to register:

Program Details:

  • Date: May 20, 2026
  • Time: 1:00 p.m. ET
  • Format: Live webinar CLE

Register here:

To receive a FREE pass for this session, please use “CookieBanner26” as the coupon code for the Register for Live option.

The 2026 World Technology Law Conference organized by the International Technology Law Association (ITechLaw), starts next week. Squire Patton Boggs is a proud sponsor of this year’s conference and two PrivacyWorld.blog authors are speaking.

On May 14th at 4:30 pm, Julia Jacobson, Partner (New York), is part of a panel: “Real-Time Insights: The Biggest Late-Breaking Developments in Global Tech Law in Q2 2026”. Moderated by the distinguished Eugene Weitz, the session has a global focus, with co-panelists from Canada, India and Bulgaria. Learn more (including how to submit topic suggestions) here.

On May 15th, Alan Friel, Partner (Los Angeles) is a panelist for “Pixels on Trial: Defending Privacy Claims Over Tracking, Chatbots, and Session Replay.”  This session, which starts at 1:30 pm, will focus on the wave of litigation challenging the lawfulness of online analytics and tracking technologies under various federal and state laws and how litigants are prosecuting and defending these lawsuits.

We hope to see you there. 

The Colorado AI Act (SB24-205) is effectively frozen just weeks before its June 30, 2026 effective date, following a stay in enforcement of the law by a Magistrate Judge in the District of Colorado on April 27, 2026.

Background

By way of background, on April 9, xAI filed suit in federal court seeking to enjoin the law on First Amendment, Dormant Commerce Clause, due process, and equal protection grounds, arguing that the Act’s algorithmic discrimination provisions would compel developers to reengineer model outputs to conform to state-preferred viewpoints. Two weeks later, the Trump DOJ intervened—the first time the federal government has moved to invalidate a state AI law under the President’s December 2025 executive order. xAI and the Colorado Attorney General subsequently filed a Joint Motion to Vacate Scheduling Conference and Suspend Case Deadlines and Stipulation to Temporarily Stay Enforcement (the “Motion”). The magistrate assigned to the case granted the Motion, which has the effect of preventing enforcement of the law by the Colorado Attorney General. The order also requires xAI to submit a motion for preliminary injunction and, if necessary, file an amended complaint, within 28 days after final adoption of rulemaking implementing the AI Act or any legislation that may replace or amend the AI Act.

Legislative Replacement Efforts

Due in part to pressure from the Trump Administration, there is a legislative replacement effort underway. Governor Polis’s AI Policy Work Group released a proposed framework on March 17 that would substantially narrow the Act’s scope to be closer to the CCPA’s automated decision-making technology regulations, add a 90-day cure period, and push the effective date to January 1, 2027. The effort is coming down to the wire. The legislature adjourns May 13, and no bill has been formally introduced. While Colorado can pass a bill in as few as three days, the political dynamics that have stymied reform through two prior legislative cycles and a special session mean that nothing is certain.

AG Weiser’s Non-Enforcement Commitment

Also relevant is AG Philip Weiser’s voluntary commitment not to enforce the AI Act. In the joint court filing, Weiser’s office stated it will neither promulgate implementing rules nor enforce the Act until after the legislative session concludes and any resulting rulemaking is complete. Given that rulemaking hasn’t even begun, this pushes any realistic enforcement timeline well past June 30 regardless of the litigation outcome—meaningful breathing room for companies that have been building compliance programs around the Act’s impact assessment and disclosure requirements.

Stay tuned to Privacy World for more on this and other developments.

Disclaimer: While every effort has been made to ensure that the information contained in this article is accurate, neither its authors nor Squire Patton Boggs accepts responsibility for any errors or omissions. The content of this article is for general information only, and is not intended to constitute or be relied upon as legal advice.

Can a data controller reject a data subject’s first data access request on the basis that it is “excessive”? Until recently, many organisations were cautious and adopted an agnostic view about the intentions behind first access requests. However, the EU Court of Justice (“CJEU”) has clarified in a recent decision that although excessive requests are exceptional, a first request can be excessive where it is made with an abusive intention.

Under Article 15 of the GDPR, individuals have the right to be provided with copies of their personal data and information about the conditions under which the data is processed. Disputes arising from the exercise of this right are not unusual. For example, Ireland’s Data Protection Commission consistently reports that access requests generate the majority of complaints and queries that it receives.

The case background

No right under the GDPR is absolute and Article 12(5)(b) of the GDPR allows a controller to refuse to act on a request where that request is “manifestly unfounded” or “excessive”. However, those terms are not defined in the GDPR and this has led some controllers to be uncertain whether initial or infrequent requests that are brought for other motives can be properly characterised as excessive.

In a welcome decision for controllers, the CJEU ruled in March 2026 in Brillen Rottler (Case C-526/24) that a first request can be “excessive” where a controller can demonstrate that the request was made with an abusive intention. The court’s decision also set down the conditions for damages that may arise under Article 82 where a request is refused or responded to with insufficient information.

The referral to the CJEU concerned a refusal by an optician company in Germany to respond to an access request made by an individual who had subscribed to the optician’s newsletter via a registration form on the optician’s website. Within a fortnight of subscribing, the individual made an access request which the optician company refused because it considered it to be an abusive one.  The individual maintained his request and added a compensation claim for €1,000. The company supported its claim that the request was abusive by relying on publicly available reports that the individual concerned had a practice of subscribing to newsletters of various companies before making an access request to those companies and thereafter a compensation claim. The referring court in Germany that heard the claim asked the CJEU whether the first request made to a controller can be an excessive request from a data subject and whether a controller can refuse a request where a data subject intends to use the request to pave the way for a claim for damages against the controller.

Circumstances where an access request is excessive

The court’s ruling has resulted in a number of significant findings that should allow controllers to more confidently maintain that a request is excessive where it is made for abusive purposes. The CJEU has ruled that an individual’s intention, rather than simply the number of requests, is important to determining whether a request is excessive. On this point, the CJEU ruled that the question whether a request is excessive should be assessed qualitatively and quantitatively, but an individual’s intent is the more decisive factor.

Although the CJEU has clarified that intention may be decisive, the court also stated that a request will be considered excessive only in exceptional circumstances. While data protection authorities have applied a similarly high threshold to reliance on Article 12(5), prior to the CJEU’s decision, it was still unclear to many controllers whether they could take account of motive in determining whether to respond to a request. For example, in Ireland, the Irish DPC has said that there are very few prerequisites regarding access requests and the limitation on the right to access under Article 12(5) is a very high threshold to meet. The DPC’s guidance has also tended to focus on the size and volume of requests in assessing excessiveness. The Brillen Rottler decision is more expressly in line with ICO guidance in the UK which has considered intent and states that a request may be manifestly unfounded if the request is malicious in intent or used to harass an organisation, with no real purpose other than to cause disruption.

As a result of the Brillen Rottler decision, the interplay between abusive intent and the limitation on the right of access is now much clearer. The CJEU decision provides some assistance to controllers in determining whether intent is abusive. Such intent may be found where the requesting individual makes a request for a purpose unrelated to their right to know about the processing of their personal data and to verify the lawfulness of that processing. Circumstances that controllers may take account of include the fact that the data subject provided personal data without being obliged to do so, the aim of providing the data, the time that elapsed between the provision of the data and the request for access, and the conduct of the data subject.

Clarification on compensation claims

The referring court also raised a number of queries about the right to compensation. The CJEU confirmed that an individual may seek compensation under Article 82 of the GDPR even if there is no data processing. The CJEU was asked to consider whether infringement of the right to access on its own constitutes the right to a compensation claim for non-material damage or whether that right to compensation required further damage to the requestor. The CJEU determined that infringement alone does not confer a right to compensation; there must be some causal link between the infringement and damage an individual suffers. The court ruled that the link can be broken where the conduct of the individual bringing a compensation claim contributed to the conditions for the claim and proves to be the determining cause of the damage. Such conduct can be providing personal data to a controller to artificially create the conditions for a compensation claim. 

What practical implications should controllers consider

The decision in Brillen Rottler may impact a growing trend in employment disputes across Europe where access requests are often part of a claimant’s strategy to prepare for an employment-related claim. Leaving to one side the impact of the CJEU’s ruling for particular classes of claimants and defendants, a more general application of the decision shows that it is an important clarification of the circumstances where an access request may be refused. It is also suggestive of a pragmatic approach by the CJEU in recognising that an access request may be considered excessive where it is made solely with a view to seeking compensation for non-material damage. The decision is also in line with GDPR amendments proposed in the European Commission’s draft Digital Omnibus Regulation which include a right for controllers to refuse to respond to an access request where that right is being abused by an individual for a purpose other than protecting their personal data.

Controllers now have clarity that a requestor’s intention is relevant, and the court’s finding may encourage some controllers to routinely refuse to comply with an access request. However, any change in practice should be the subject of a proper review because the standard for refusal remains high. Disproportionate refusals of access requests will likely leave controllers exposed to compensation claims. To deal effectively with changes to the management of access requests, controllers should:

  • Continue to treat refusals of access requests as exceptional rather than routine and avoid broad reliance on public information about a requestor as the sole ground for refusal.
  • Engage in staff training to perform contextual assessments to properly manage refusal decisions.
  • Update assessment processes to identify access requests that may be indicative of abusive intentions rather than for the protection of personal data.
  • Document the evidence and decision-making procedures they rely on before refusing a request.