Privacy & Information Security Law Blog

On January 16, 2025, the non-profit organization None Of Your Business filed six complaints against organizations with five European data protection authorities for the unlawful transfer of personal data to China.

On January 17, 2025, the Supreme Court of the United States unanimously upheld the Protecting Americans from Foreign Adversary Controlled Applications Act, which restricts companies from making foreign adversary controlled applications available (i.e., on an app store) and from providing hosting services with respect to such apps.

On January 17, 2025, Regulation (EU) 2022/2554 of the European Parliament and of the Council of 14 December 2022 on digital operational resilience for the financial sector (“DORA”) becomes applicable in the EU.

On January 7, 2025, the Biden White House announced that a new “Cyber Trust Mark” will begin appearing on products in the U.S. in 2025. The Cyber Trust Mark will denote products that are “cyber secure.”

On January 16, 2025, the FTC announced the issuance of updates to the FTC’s Children’s Online Privacy Protection Rule (the “Rule”), which implements the federal Children's Online Privacy Protection Act of 1998 (“COPPA”).

On January 8, 2025, the U.S. Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency published finalized Security Requirements for Restricted Transactions as designated by the Department of Justice in the DOJ’s final rulemaking, each pursuant to Executive Order 14117 (Preventing Access to Americans’ Bulk Sensitive Personal Data and United States Government-Related Data by Countries of Concern). The Requirements and DOJ rule will go into effect on April 8, 2025.

On January 8, 2025, the General Court of the Court of Justice of the European Union issued its judgment in the case of Bindl v Commission (Case T-354/22), ruling that the European Commission must pay damages to a German citizen whose personal data was transferred to the U.S. without adequate safeguards.

During the week of January 6, 2025, the U.S. Department of Health and Human Services’ Office for Civil Rights entered into resolution agreements and corrective action plans with Elgon Information Systems, Virtual Private Network Solutions, LLC and USR Holdings, LLC for violations of the Health Insurance Portability and Accountability Act of 1996 Security Rule.

The New York Department of Financial Services (“NYDFS”) recently cautioned regulated entities to be aware of individuals applying for remote technology-related positions due to an increase in reported threats from North Korea. Threat actors have repeatedly attempted to access company systems and illegally generate revenue for North Korea under the guise of seeking remote Information Technology jobs at U.S. companies.

On December 24, 2024, the Oregon Attorney General published AI guidance, “What you should know about how Oregon’s laws may affect your company’s use of Artificial Intelligence,” (the “Guidance”) that clarifies how existing Oregon consumer protection, privacy and anti-discrimination laws apply to AI tools. Through various examples, the Guidance highlights key themes such as privacy, accountability and transparency, and provides insight into “core concerns,” including bias and discrimination.