Privacy & Information Security Law Blog

On June 4, 2025, the European Data Protection Board published the final version of Guidelines 02/2024 on Article 48 of the GDPR regarding data transfers to third country authorities. In addition, during its June plenary meeting, the EDPB presented two new Support Pool of Experts projects to provide training materials on AI and data protection.

On May 27, 2025, and June 3, 2025, Oregon Governor Tina Kotek signed into law H.B. 3875 and H.B. 2008, each of which amends the Oregon Consumer Privacy Act.

On May 27, 2025, Texas Governor Greg Abbott signed the Texas App Store Accountability Act into law, which will require app stores to verify the age of users and comply with certain requirements and restrictions with respect to minor users under the age of 18. The Act takes effect on January 1, 2026.

On April 11, 2025, the North Dakota governor signed H.B. 1127, which establishes new data security measures and breach notification obligations for financial corporations.

On May 19, 2025, President Trump signed into law the Take It Down Act, which bans the nonconsensual online publication of sexually explicit images and videos that are both authentic and computer-generated, and includes notice and takedown obligations for covered online platforms.

On May 7, 2025, the European Commission published a Q&A addressing AI literacy obligations under the EU AI Act. The Q&A provides further detail on Article 4 of the EU AI Act, clarifying the measures that entities in scope are required to employ to ensure AI literacy.

On May 21, 2025, the U.S. District Court for the District of Columbia ruled that two Democrat members of the United States Privacy and Civil Liberties Oversight Board were unlawfully terminated by President Trump.

The U.S. Department of Defense is moving towards implementing the Cybersecurity Maturity Model Certification program. When finally launched, the CMMC program will require many companies in the DOD supply chain with Controlled Unclassified Information to obtain a third-party certification confirming that they are compliant with applicable cybersecurity controls.

On May 21, 2025, the European Commission published a proposal for a new regulation simplifying certain regulatory requirements for small mid-caps, which will be companies with fewer than 750 employees and either up to €150 million in turnover or up to €129 million in balance sheet.

On May 15, 2025, the U.S. Department of Health and Human Services’ Office for Civil Rights announced a settlement with Vision Upright MRI, a small California-based radiology provider, over alleged violations of the HIPAA Security and Breach Notification Rules.