Cybersecurity

French law requires that where hosting services providers host certain types of health data, they must first obtain certification as “hébergeurs de données de santé” (“HDS”) which translates as “health data hosting service providers”. The relevant HDS certification framework was updated in 2024. This framework notably incorporates the amendments introduced by the law of 21 May 2024 aimed at securing and regulating the digital space, as well the decree of 24 March 2026, which imposes data sovereignty-related obligations that will take effect in September 2026.

Continue Reading V2.0 Certification of French Health Data Hosting Service Providers (HDS) now Fully Effective

PrivacyWorld’s Alan Friel and Kyle Fath broke down what companies need to consider in 2026 to meet new and ongoing data laws and regulations in a Stafford / Barbri presentation on January 7, 2026. The PowerPoint is available here and includes appendices that break down details of, and compare and contrast, consumer privacy laws. Coverage

With the official enactment of the NIS-2 Implementation Act, Germany has taken a major step toward modernizing its cybersecurity framework. Starting from 6 December 2025, stricter requirements will apply to both federal administration and thousands of private companies. This law revises the BSI Act (BSIG) and introduces comprehensive obligations for IT security and risk management. The NIS2 Directive  is the EU’s updated cybersecurity framework. It requires organizations to implement risk management measures, ensure incident reporting within an initial 24-hour timeline, strengthens supply chain security while introducing management accountability, including personal liability for non-compliance.

Continue Reading Germany Implements NIS2: Registration portal will open on January 6, 2026

With the entry into force of the AI Act (Regulation 2024/1689) in August 2024, a pioneering framework of AI was established.

On February 2, 2025, the first provisions of the AI Act became applicable, including the AI system definition, AI literacy and a limited number of prohibited AI practices. In line with article 96 of the AI Act, the European Commission released detailed guidelines on the application of the definition of an AI system on February 6, 2025.

Continue Reading Understanding the Scope of “Artificial Intelligence (AI) System” Definition: Key Insights From The European Commission’s Guidelines

The rulemaking process on California’s Proposed “Regulations on CCPA Updates, Cybersecurity Audits, Risk Assessments, Automated Decisionmaking Technology, and Insurance Companies” (2025 CCPA Regulations) has been ongoing since November 2024.  With the one-year statutory period to complete the rulemaking or be forced to start anew on the horizon, the California Privacy Protection Agency (CPPA) voted unanimously to move a revised set of draft regulations forward to public comment on May 1, which began May 9 and closes at 5 pm Pacific June 2, 2025.  The revisions cut back on the regulation of Automated Decision-making Technology (ADMT), eliminate the regulation of AI, address potential Constitutional deficiencies with regard to risk assessment requirements and somewhat ease cybersecurity audit obligations.  This substantially revised draft is projected by the CPPA to save California businesses approximately 2.25 billion dollars in the first year of implementation, a 64% savings from the projected cost of the prior draft.

Continue Reading Revised Draft California Privacy Regulations Lessen Impact on Business

On April 14, 2025, the European Data Protection Board (EDPB) released guidelines detailing how to process personal data using blockchain technologies in compliance with the General Data Protection Regulation (GDPR) (Guidelines 02/2025 on processing of personal data through blockchain technologies). These guidelines highlight certain privacy challenges and provide practical recommendations.

Continue Reading From Blocks to Rights: Privacy and Blockchain in the Eyes of the EU data Protection Authorities

(Updated May 12, 2025)

Since January, the federal government has moved away from comprehensive legislation on artificial intelligence (AI) and adopted a more muted approach to federal privacy legislation (as compared to 2024’s tabled federal legislation). Meanwhile, state legislatures forge ahead – albeit more cautiously than in preceding years.

As we previously reported, the Colorado AI Act (COAIA) will go into effect on February 1, 2026. In signing the COAIA into law last year, Colorado Governor Jared Polis (D) issued a letter urging Congress to develop a “cohesive” national approach to AI regulation preempting the growing patchwork of state laws. Absent a federal AI law, Governor Polis encouraged the Colorado General Assembly to amend the COAIA to address his concerns that the COAIA’s complex regulatory regime may drive technology innovators away from Colorado. Eight months later, the Trump Administration announced its deregulatory approach to AI regulation making federal AI legislation unlikely. At that time, the Trump Administration seemed to consider existing laws – such as Title VI and Title VII of the Civil Rights Act and the Americans with Disabilities Act which prohibit unlawful discrimination – as sufficient to protect against AI harms. Three months later, a March 28 Memorandum issued by the federal Office of Management and Budget directs federal agencies to implement risk management programs designed for “managing risks from the use of AI, especially for safety-impacting and rights impacting AI.”

Continue Reading States Shifting Focus on AI and Automated Decision-Making

SPB’s Tokyo/Shanghai Partner Scott Warren, along with New York Partner Julia Jacobson, will be speaking on and moderating panels at the Society for the Policing of Cyberspace (POLCYB) Global Cybercrime Management Executive Roundtable in Vancouver, Canada on May 30 as well as the LegalPlus 8th Annual Shanghai International Arbitration & Corporate Fraud Summit.

Continue Reading Join Us This Summer in Vancouver and Shanghai for Insights on Cybercrime and Cross Border Data Transfers

The Ministry of Electronics and Information Technology (MeitY) has recently released the much-awaited draft of the Digital Personal Data Protection Rules, 2025 (Rules) for public consultation. These proposed Rules provide important insights into the upcoming implementation of India’s new data protection law, which has been under development for some time.

The enactment of the Digital Personal Data Protection Act, 2023 (DPDP Act) marks a significant shift in India’s data privacy landscape, laying the foundation for a comprehensive framework governing the collection, use and management of personal data.

Continue Reading The Impact of India’s New Digital Personal Data Protection Rules

In case you missed it, below are recent posts from Privacy World covering the latest developments on data privacy, security and innovation. Please reach out to the authors if you are interested in additional information.

State Privacy Enforcement Updates: CPPA Extracts Civil Penalties in Landmark Case; State Regulators Form Consortium for Privacy Enforcement Collaboration |