Data Protection

Does a plaintiff’s use of a website constitute consent to a privacy policy linked in the website’s footer?  A Pennsylvania federal court answered yes in Popa v. Harriet Carter Gifts, Inc., 2025 WL 896938 (W.D. Pa. Mar. 24, 2025), granting summary judgment in favor of an online retailer (Harriet

Continue Reading Implied Consent to Privacy Policy in Webpage Footer Forecloses Website Wiretapping Claim

Many businesses use customer support software that may include call recording features to help ensure a better customer service experience.  A California federal court dismissed a wiretapping lawsuit filed against a software company offering this software tool (TalkDesk), holding that TalkDesk’s alleged recording of customers’ conversations with clothing retailers “is

Continue Reading Recording of Customer Service Call “Not Private or Personal Enough” to Confer Article III Standing

Executive Summary

  • Artificial intelligence (AI), social media, and instant messaging regulation will be a hot topic in Brazil in 2025, with substantial activity in Congress and the Supreme Court.
  • Cloud, cybersecurity, data centers, and data privacy are topics that could also see legislative or regulatory action throughout the year at different policymaking stages.
  • Technology companies will also be affected by horizontal and sector-specific tax policy-related measures, and Brazil’s digital policy might be impacted by U.S.-Brazil relations under the new Trump administration.

Analysis

2025 is shaping up to be a key year for digital policymaking in Brazil.  It is the last year for President Luiz Inácio Lula da Silva’s administration to pursue substantial policy change before the 2026 general elections.  It is also the first year for the new congressional leadership, in particular the new Speaker of the House and President of the Senate, to put their stamp on key legislation before their own reelection campaigns next year.

Existing Legal Framework: LGT, MCI and LGPD

Brazil’s current approach to digital policy is based on three key federal statutes.  The first one is the General Telecommunications Act of 1997 (“LGT”).  LGT established the rules for the country’s transition from a state-owned monopoly to a competitive, private sector-led telecommunications market.  It is the bedrock of Brazil’s digital economy infrastructure regulation as, among other aspects, it sets rules for radio spectrum and orbit uses.

The second key statute is the Civil Rights Framework for the Internet Act of 2014 (“MCI”).  MCI sets the principles, rights and obligations for internet use, including the net neutrality principle and a safe harbor clause protecting internet service providers from liability for user-generated content absent a court order to remove the content.  The statute also established the first layer of data privacy provisions as well as rules for the federal, state, and local governments’ internet-related policies and actions.

The third key federal statute is the General Personal Data Protection Act of 2018 (“LGPD”).  LGPD sets rules for the treatment of personal data by individuals, companies, state-owned and state-supported enterprises, and governments.  It slightly amends MCI and adds a more robust layer of data privacy protection.

Each statute has its own regulator, respectively the National Telecommunications Agency (“ANATEL”), Brazil’s Internet Management Committee (“CGI.br”), and the National Data Protection Authority (“ANPD”).

Hot Topics in 2025: AI, Social Media, and Instant Messaging

Two agenda items will likely dominate the policy debate in Brazil in 2025.  The first one is the creation of a new legal framework for AI.  After years of intense debate, the Senate approved its AI bill in December 2024.  The bill sets rights and obligations for developers, deployers, and distributors of AI systems, and takes a human rights, risk management, and transparency approach to regulating AI-related activity.  It also contains contentious provisions establishing AI-related copyright obligations.  In 2025, the House will likely debate and try to approve the bill, which is also a priority for the Lula administration.

Continue Reading Brazil’s Digital Policy in 2025: AI, Cloud, Cyber, Data Centers, and Social Media

The UK Information Commissioner’s Office (“ICO”) recently announced a new online tracking strategy, which aims to ensure a “fair and transparent online world where people are given meaningful control over how they are tracked online.”

Online advertising is one of the ICO’s current areas of strategic focus

Continue Reading ICO announces its online tracking strategy for 2025

A California federal judge has largely granted summary judgment in a data privacy lawsuit against Yodlee, Inc., finding that two of the five plaintiffs lacked Article III standing for all remaining claims and that the three other plaintiffs lacked Article III standing for—and failed to create genuine disputes of fact

Continue Reading California Federal Court Grants Summary Judgment on Most Claims in Data Privacy Case

On 16 January 2025, the European Data Protection Board (“EDPB”) published a position paper, as it had announced last year, on the “interplay between data protection and competition law” (“Position Paper”).

In this blogpost, we outline the EDPB’s position on cooperation between EU data protection authorities (“DPAs”) and competition authorities (“CAs”) in the context of certain key issues at the intersection of data protection and competition law.

Key takeaways

  1. In the interest of coherent regulatory outcomes, the EDPB advocates for increased cooperation between DPAs and CAs.
  2. The Position Paper offers practical suggestions to that end, such as fostering closer personal relationships, mutual understanding, and a shared sense of purpose, as well as more structured mechanisms for regulatory cooperation.
  3. The EDPB is mindful of the Digital Markets Act’s (“DMA”) significance in addressing data protection and competition law risks.

Summary of the Position Paper

The EDPB first outlines certain overlaps between data protection and competition law (e.g., data serving as a parameter of competition). The EDPB argues that as both legal regimes seek to protect individuals and their choices, albeit in different ways, “strengthening the link” between data protection and competition law can “contribute to the protection of individuals and the well-being of consumers”.

The EDPB takes the view that closer cooperation between DPAs and CAs would therefore benefit individuals (and businesses) by improving the consistency and effectiveness of regulatory actions. Moreover, the EDPB emphasises that, based on the EU principle of “sincere cooperation” between regulatory authorities and pursuant to the European Court of Justice’s ruling in Meta v Bundeskartellamt (2023), cooperation between DPAs and CAs would be “in some cases, mandatory and not optional”.

Continue Reading EDPB highlights the importance of cooperation between data protection and competition authorities

A Pennsylvania court recently dismissed a wiretapping complaint filed against a trio of defendants for lack of Article III standing, lack of personal jurisdiction, and failure to state a claim in Ingrao v. Addshoppers, Inc., 2024 WL 4892514 (E.D. Pa. Nov. 25, 2024).

The two plaintiffs in this case

Continue Reading Pennsylvania Court Dismisses A Trio of Defendants in Website Wiretapping Suit Challenging Email Marketing Program

Introduction

On December 27, 2024, the U.S. Department of Justice (“DOJ”) issued the Final Rule implementing President Biden’s February 28, 2024 Executive Order on “Preventing Access to Americans’ Bulk Sensitive Personal Data and United States Government-Related Data by Countries of Concern” (the “EO”). The Final Rule solidifies a new national security regulatory regime focused on protecting bulk U.S. sensitive personal data and government-related data from countries of concern, including the People’s Republic of China (“PRC” or “China”), and represents the latest step in the U.S. government’s whole-of-government effort to “de-risk” with respect to China. The Final Rule marks the first time that U.S. persons will be categorically prohibited from engaging in certain transactions that may result in foreign access to bulk U.S. sensitive personal data and government-related data. It also provides that certain other transactions will be “restricted,” meaning they are prohibited unless the U.S. business first implements a range of security requirements, which in some cases will be onerous or costly. The Final Rule accordingly could have wide-ranging implications for U.S. companies across various industries. The Final Rule takes effect 90 days after publication in the Federal Register, which is set for January 8, 2025, although certain compliance requirements will not take effect until 270 days following publication.

In parallel with the release of the Final Rule, on January 3, 2025, the U.S. Cybersecurity and Infrastructure Security Agency (“CISA”), which is part of the U.S. Department of Homeland Security (“DHS”), released the final security requirements (the “Security Requirements”). The Security Requirements set forth the measures that U.S. persons must satisfy in order to engage in restricted transactions, and are incorporated by reference into the Final Rule.

Importantly, as we discussed in our analysis of the Advance Notice of Proposed Rulemaking (“ANPRM”) and our analysis of the Notice of Proposed Rulemaking (“NPRM”), the Final Rule is a national security regulation designed to address identified risks to U.S. national security—not a privacy regulation designed to protect privacy or other individual interests. Consequently, while the Final Rule regulates transactions involving personal data, many of the concepts and definitions diverge materially from those in existing privacy regimes. The Final Rule stems from the U.S. government’s increasing unwillingness to tolerate foreign adversary access to U.S. personal data. As DOJ explained in the preamble to the Final Rule, “[t]his rule will prevent . . . foreign adversaries from legally obtaining [bulk U.S. sensitive personal data or government-related data] through commercial transactions with U.S. persons, thereby stemming data flows and directly addressing the national security risks identified in the [EO].” DOJ cited examples that demonstrate the U.S. national security risks associated with foreign adversary access to commercially available data, such as (1) the ability of journalists to track the movements of U.S. President Joe Biden, U.S. Vice President Kamala Harris, and now President-Elect Donald Trump through their bodyguards’ use of a fitness app; and (2) the ability to track U.S. government personnel movement through the purchase of location information and digital advertising data. Finally, DOJ made a particular point of explaining that certain data that is anonymized or depersonalized presents U.S. national security risks, especially with respect to the ability of adversaries to use “bulk human genomic data[] to enhance military capabilities that include facilitating the development of bioweapons.”

Continue Reading Department of Justice Issues Final Rule to Implement Bulk U.S. Sensitive Personal Data and Government-Related Data Executive Order

On December 24, 2024, New York Governor Kathy Hochul signed into law an amendment to New York General Business Law § 899-aa modifying the state’s data breach notification requirements.  The amended law, which is effective immediately, imposes new requirements businesses must follow when providing notifications following a data breach

Continue Reading New York Adopts Amendment to the State Data Breach Notification Law

On November 6, 2024, the UK Information Commissioner’s Office (ICO) released its AI Tools in recruitment audit outcomes report (“Report”). This Report documents the ICO’s findings from a series of consensual audit engagements conducted with AI tool developers and providers. The goal of this process was to assess compliance with data protection law, identify any risks or room for improvement, and provide recommendations for AI providers and recruiters. The audits ran across sourcing, screening, and selection processes in recruitment, but did not include AI tools used to process biometric data, or generative AI. This work follows the publication of the Responsible AI in Recruitment guide by the Department for Science, Innovation, and Technology (DSIT) in March 2024.

Background

The ICO conducted a series of voluntary audits from August 2023 to May 2024. During the audits, the ICO made 296 recommendations, all of which were accepted or partially accepted by the organisations involved. These recommendations address areas such as:

  • Fair processing of personal data,
  • Data minimisation and lawful retention of data, and
  • Transparency in explaining AI logic.

Areas for Improvement

Based on its findings during the audits, the ICO identified several areas for improvement for both AI recruiters and AI providers. The key areas for improvement across both were:

Continue Reading ICO Audit on AI Recruitment Tools