Vermont recently enacted two privacy bills to regulate health-related information. These include H.639, a genetic privacy bill regulating direct-to-consumer genetic testing companies, and the Vermont Data Privacy and Online Surveillance Act (S.71), a comprehensive privacy law that extends heightened protections to “consumer health data.” You can read our full analysis of S.71 here.
Continue Reading Vermont Enacts Privacy Legislation to Regulate Health-Related InformationPost-Quantum Cryptography: A Practical Guide
By Paul Maynard & Tamzin Bond on
A key benefit of quantum computing is that it may, in the future, enable a very substantial increase in computing power. This could create significant benefits, in the life sciences and financial services sectors (see our prior posts on the potential implications for these sectors here and here). However, it also creates potential risks. In particular, it could lead to the breaking of many of the encryption methods currently used by governments and businesses alike. As commercially-viable quantum computers become an increasing reality, organisations must prioritise “quantum readiness” and specifically migration to post-quantum cryptography (“PQC”).
In this post, we set out a brief overview of the main steps that regulators and industry bodies (including the U.S. National Institute of Standards and Technology (“NIST”), the UK National Cyber Security Centre (“NCSC”), and the EU Agency for Cybersecurity (“ENISA”)) have indicated businesses should take to move towards PQC and protect their data and systems from the risks posed by quantum computing.
Continue Reading Post-Quantum Cryptography: A Practical GuideSingapore Updates Model AI Governance Framework for Agentic AI
By Jadzia Pierce & Sam Jungyun Choi on
Since our prior post on Singapore’s Model AI Governance Framework for Agentic AI, Singapore’s Infocomm Media Development Authority (“IMDA”) has published an updated version (Version 1.5) (the “Updated Framework”), incorporating feedback from over 60 organizations.
The Updated Framework, published on May 20, 2026, retains the same four-pillar structure—(1) assess and bound the risks upfront, (2) make humans meaningfully accountable, (3) implement technical controls and processes, and (4) enable end-user responsibility—but expands the guidance in several notable respects. These include a new discussion of multi-agent systemic risks, more granular guidance on technical controls, and real-world case studies illustrating how the Framework can be applied across sectors. We summarize some of the key updates below.
Continue Reading Singapore Updates Model AI Governance Framework for Agentic AICNIL Updates Two Standards For Health Research (MR-001 and MR-003)
By Kristof Van Quathem & Alix Bertrand on
Posted in Data Protection, Privacy
On May 26, 2026, the French data protection authority (“CNIL”) published updated versions of its Reference Methodology 001 (“MR-001”, available here in French) and Reference Methodology 003 (“MR-003”, available here in French), two key frameworks governing the processing of personal data in the context of health research.
Continue Reading CNIL Updates Two Standards For Health Research (MR-001 and MR-003)Covington Launches Election Year Toolkit
As the election season intensifies, companies face a rapidly evolving landscape of regulatory, compliance, and reputational considerations. With heightened scrutiny on political engagement, lobbying, campaign finance, and communications, organizations must be prepared to navigate complex and fast-moving legal requirements.
Drawing on our deep experience in election and political law, public…
Continue Reading Covington Launches Election Year ToolkitEuropean Commission Seeks Public Input on CSDDD Guidelines: What to Watch
On June 12, 2026, the European Commission (“Commission”) launched its public consultation on guidelines (“Guidelines”) that will significantly shape the implementation of the EU’s Corporate Sustainability Due Diligence Directive (“CSDDD;” more details about the CSDDD available here). The consultation, presented in the form of a detailed questionnaire, is open…
Continue Reading European Commission Seeks Public Input on CSDDD Guidelines: What to WatchAmadeus IT Group Receives GDPR Fine
By Joshua Gray, Nigel Howard & Will Capstick on
On May 26, 2026, the Spanish Data Protection Agency (“AEPD”) published details of its decision to fine Amadeus IT Group, S.A. (“Amadeus”), a Madrid-headquartered technology provider for the global travel and tourism industry, EUR 18 million in connection with GDPR violations involving Amadeus’s Global Distribution System (“GDS”). Amadeus voluntarily paid the fine, less a 20% reduction, on May 29, 2025, thereby terminating the proceedings without admitting liability. The fine, one of the largest the AEPD has imposed, highlights the enforcement risks associated with repurposing personal data such as passenger data without appropriate transparency or a valid legal basis under the GDPR.
Continue Reading Amadeus IT Group Receives GDPR FineOnline Safety in the UK: Social Media Ban for Under 16s and Other Recent Developments
By Jadzia Pierce, Jane Pinho & Madelaine Harrington on
The UK Government today announced that it intends to ban social media platforms from offering services to children under 16, alongside wider restrictions on certain online functionalities that the Government has identified as harmful to children.
The announcement follows the conclusion of the Department for Science, Innovation and Technology’s (“DSIT”) consultation, “Growing up in the online world,” which received more than 116,000 responses (we originally wrote about that consultation here). The Government intends to bring the first regulations to Parliament before the end of the year using powers created by the Children’s Wellbeing and Schools Act 2026 (“CWSA”), with protections expected to come into force in Spring 2027. Today’s announcement is the latest in a series of significant developments reshaping the UK’s online safety framework. We summarize some of these latest developments below.
Continue Reading Online Safety in the UK: Social Media Ban for Under 16s and Other Recent DevelopmentsWashington Anti-Spam Law Decision Addresses Article III Standing in CEMA Cases
By Jehan Patterson & Irene Kim on
A federal court recently addressed whether plaintiffs alleging misleading commercial email practices in violation of Washington’s Commercial Electronic Mail Act (“CEMA”) have Article III standing to pursue claims. The ruling suggests that alleged violations of CEMA, standing alone, could constitute a concrete injury for Article III standing, where the asserted harm aligns with the statute’s purpose.
Continue Reading Washington Anti-Spam Law Decision Addresses Article III Standing in CEMA CasesThe EU Cloud and AI Development Act in Depth
Posted in Artificial Intelligence (AI), Technology
On 3 June 2026, the European Commission (“Commission“) published its proposal for a Regulation establishing a framework of measures for strengthening Europe’s cloud and AI ecosystem—the Cloud and AI Development Act (“CADA Proposal“). The CADA Proposal sits at the heart of the Commission’s broader Tech Sovereignty Package (which we describe at a high level here), and aims to address what the Commission perceives as two critical vulnerabilities in the EU’s digital landscape: a structural deficit in data centre capacity and a dependence on a limited number of non-EU cloud computing service providers.
Continue Reading The EU Cloud and AI Development Act in Depth