General

The Ministry of Electronics and Information Technology (MeitY) has recently released the much-awaited draft of the Digital Personal Data Protection Rules, 2025 (Rules) for public consultation. These proposed Rules provide important insights into the upcoming implementation of India’s new data protection law, which has been under development for some time.

The enactment of the Digital

Companies in all industries take note: regulators are scrutinizing how companies offer and manage privacy rights requests and looking into the nature of vendor processing in connection with application of those requests. This includes applying the proper verification standards and how cookies are managed. Last month, the California Privacy Protection Agency (“CPPA” or “Agency”) provided

As we have covered, the public comment period closed on February 19th for the California Privacy Protection Agency (CPPA) draft regulations on automated decision-making technology, risk assessments and cybersecurity audits under the California Consumer Privacy Act (the “Draft Regulations”).  One comment that has surfaced (the CPPA has yet to publish the comments), in particular, stands out — a letter penned by 14 Assembly Members and four Senators. These legislators essentially charged the CPPA for being over its skis, calling out “the Board’s incorrect interpretation that CPPA is somehow authorized to regulate AI.” Continue Reading CA Legislators Charge That Privacy Agency AI Rulemaking Is Beyond Its Authority

Join Team SPB’s Alan Friel, Julia Jacobson and Kyle Dull for three informative webinars addressing key topics including AI-driven decision-making technologies, the development of terms of service and privacy policies, and best practices for the responsible use of AI and associated risk management.

A limited number of complimentary passes are available to clients for each webinar. For more details on free passes, please reach out to Julia Jacobson.


Continue Reading Join Team SPB this Spring for Three Engaging Webinars

Since the Trump 2.0 administration commenced, the U.S. federal government has experienced some major policy shifts. Several Biden-Harris administration era regulations are now eliminated or on a 60-day hold while under review. States and other organizations have filed lawsuits to stay implementation of certain Trump 2.0 initiatives (i.e., the funding freezes, deferred resignation offer, and birthright citizenship, among others).Continue Reading A New Era: Trump 2.0 Highlights for Privacy and AI

On January 29, 2025, the Copyright Office (the “Office”) released its second report in a three-part series on artificial intelligence and copyright. Part 1 was released in July 2024 and addressed digital replicas. Part 2 focuses on the copyrightability of AI-generated work – that is, providing greater detail into what level of human interaction is required for a work containing AI-generated works to rise to the level of copyrightability. The report includes eight conclusions to guide copyright applicants and concludes that existing law is sufficient to address copyrighting AI-generated works.Continue Reading Copyright Office: Copyrighting AI-Generated Works Requires “Sufficient Human Control Over the Expressive Elements” – Prompts Are Not Enough

On October 9, 2024, the European Data Protection Board (EDPB) unveiled its much-anticipated Guidelines on using legitimate interest (Article 6.1(f) of the GDPR) as a lawful basis for processing personal data. These guidelines set out clear criteria for data controllers, and will therefore be most welcome.

For years, legitimate interest has been among the go-to option for organizations, with the idea that it offers more flexibility (as long as you comply with the inherent requirements of its use). High-profile cases, like the Court of Justice of the European Union’s (CJEU) decision in Royal Dutch Tennis Association (KNLTB), acknowledged that commercial interests may qualify as legitimate, but also crystalized the tension on its uses from supervisory authorities and privacy advocates.Continue Reading Balancing the Scales: How to Use “Legitimate Interest” to Process Personal Data “Fairly”

SPB’s Julia Jacobson and Kyle Dull are offering insights at three webinars next week. Details are below or please reach out for more information.

The Evolving Role of the Privacy Officer: Challenges and Preparation (PrivacyConnect Live Webinar)

Tuesday, November 12 at 11 a.m. ET

Join Julia Jacobson a discussion with three experienced privacy officers who

Originally posted on Squire Patton Boggs’ The Trade Practitioner blog 


On October 15, 2024, the U.S. Department of Defense (DoD) released its final rule to establish the Cybersecurity Maturity Model Certification (CMMC) Program (Final CMMC Program Rule). The CMMC Program allows the DoD to verify that defense prime contractors and subcontractors (defense contractors) have implemented security safeguards for Federal Contract Information (FCI) and Controlled Unclassified Information (CUI) and are maintaining required safeguards during the contract period of performance. The CMMC requirements apply to defense contractors that process, store or transmit FCI or CUI in the performance of a DoD contract or subcontract.

In a parallel effort, the DoD also has proposed an acquisition rule – 48 C.F.R Part 204 CMMC Acquisition Rule or (DFARS rule) – that will amend the Defense Federal Acquisition Regulation Supplement (DFARS) and contractually implement the CMMC Program (32 C.F.R. part 170) through DoD solicitations and contracts. In September we described the proposed DFARS rule, for which the comment period closed on October 15, 2024. The DoD estimates it will publish the final DFARS rule by mid-2025. The effective date of the final DFARS rule (which is 60 days after it is published in the Federal Register) is a key date since that effective date will initiate the CMMC Program’s phased rollout discussed below.Continue Reading Navigating DoD’s CMMC Program Final Rule