Privacy & Information Security Law Blog

On May 7, 2025, the European Commission published a Q&A addressing AI literacy obligations under the EU AI Act. The Q&A provides further detail on Article 4 of the EU AI Act, clarifying the measures that entities in scope are required to employ to ensure AI literacy.

On May 21, 2025, the U.S. District Court for the District of Columbia ruled that two Democrat members of the United States Privacy and Civil Liberties Oversight Board were unlawfully terminated by President Trump.

The U.S. Department of Defense is moving towards implementing the Cybersecurity Maturity Model Certification program. When finally launched, the CMMC program will require many companies in the DOD supply chain with Controlled Unclassified Information to obtain a third-party certification confirming that they are compliant with applicable cybersecurity controls.

On May 21, 2025, the European Commission published a proposal for a new regulation simplifying certain regulatory requirements for small mid-caps, which will be companies with fewer than 750 employees and either up to €150 million in turnover or up to €129 million in balance sheet.

On May 15, 2025, the U.S. Department of Health and Human Services’ Office for Civil Rights announced a settlement with Vision Upright MRI, a small California-based radiology provider, over alleged violations of the HIPAA Security and Breach Notification Rules.

On May 8, 2025, the European Data Protection Board and the European Data Protection Supervisor adopted a joint letter addressed to the European Commission regarding the upcoming proposal to simplify record-keeping obligations under the EU General Data Protection Regulation.

As the UK Data (Use and Access) Bill reaches its final stages, the House of Commons and the House of Lords are still debating several key issues. This blog provides a summary of the outstanding issues.

On May 9, 2025, the California Privacy Protection Agency opened a formal public comment period for modifications to the text of proposed California Consumer Privacy Act regulations addressing cybersecurity audits, risk assessments, automated decisionmaking technology, insurance companies, and updates to existing CCPA regulations. The comment period will remain open until June 2, 2025.

On May 7, 2025, the Colorado legislature passed a bill that would amend the Colorado Privacy Act’s provisions regarding the processing of precise geolocation data if signed into law by Colorado Governor Jared Polis.

On May 9, 2025, Texas Attorney General Ken Paxton announced a $1.375 billion agreement in principle to settle cases it filed against Google in 2022 alleging that Google unlawfully collected, stored and used certain personal data of Texans without consent, including location information, biometric identifiers and web browsing activity.