Data Protection

On October 14, 2025, the European Data Protection Board (“EDPB”) announced that its 2026 coordinated enforcement action (“CEA”) will focus on transparency and information obligations — the rules that require organizations to clearly explain how they collect, use, and share personal data — under Articles 12-14 of the General Data Protection Regulation (“GDPR”).Continue Reading EDPB to Focus on Transparency in 2026 Enforcement

Over the past few months, Chinese regulators have taken steps to update the country’s cybersecurity framework, with a particular focus on artificial intelligence (AI) safety and clarifying incident reporting obligations for onshore infrastructure. These developments reflect a broader trend toward more proactive AI and cyber governance and could signal priorities for the year ahead.Continue Reading China Amends Cybersecurity Law and Incident Reporting Regime to Address AI and Infrastructure Risks

On September 17, 2025, the German Supervisory Authorities (Konferenz der unabhängigen Datenschutzaufsichtsbehörden des Bundes und der Länder, DSK) published new guidelines and recommendations addressing the complex requirements for transferring personal data, particularly health data (including health data contained in biomaterials), to countries outside of the European Economic Area for scientific research purposes under the GDPR. These guidelines may be of particular relevance for pharmaceutical, medical device, and other life sciences companies that conduct clinical research.Continue Reading New German Guidelines on GDPR Requirements for International Transfers of Health Data in Medical Research

In late September, plaintiffs announced details regarding Google LLC’s (“Google”) and women’s health app developer, Flo Health Inc.’s (“Flo”) proposed settlements to resolve a class action lawsuit stemming from the Flo app’s allegedly unlawful sharing of health data with Google and others through online tracking technologies.

As part of the proposed settlements, Google agreed to pay $48 million and Flo agreed to pay $8 million, for a combined $56 million to resolve plaintiffs’ claims against these two entities.Continue Reading Flo Health, Google Settle Class Action Privacy Lawsuit for $56 Million

On September 16, 2025, the European Commission launched a call for evidence to collect feedback and best practices on simplifying several key areas of the EU digital rulebook, ahead of its planned Digital Omnibus package. This initiative targets legislation related to data, cybersecurity, and artificial intelligence, aiming to reduce administrative burdens and compliance costs for businesses while preserving high standards of fairness, security, and privacy online.Continue Reading Commission Collects Feedback to Simplify Rules on Data, Cybersecurity and Artificial Intelligence in Upcoming Digital Omnibus

The EU e-evidence Regulation and Directive, which establish a regime for law enforcement authorities (“LEAs”) in one Member State to issue legally-binding demands for data from certain types of providers established in other Member States, will come into effect on 18 August 2026 (our post on the specific requirements of the Regulation and Directive is available here). On 28 July 2025, the European Commission adopted an Implementing Regulation (“IR”) setting out the technical specifications for the decentralized communications system that LEAs and covered service providers must use when, among other things, issuing and responding to European Production Orders (“EPOs”) and European Preservation Orders (“EPrOs”) under the e-evidence Regulation.Continue Reading European Commission adopts technical standards for the decentralized communication system to be used under the forthcoming e-evidence Regulation

In a new post on the Covington Inside Privacy blog, our colleagues provide an overview of the Federal Trade Commission’s (“FTC”) $45 million settlement with online lead generator MediaAlpha, Inc. and its subsidiary QuoteLab, LLC (collectively, “MediaAlpha”), resolving allegations that the companies, among other things, tricked consumers into sharing sensitive

Continue Reading FTC Takes Aim at Online Lead Generator

On September 4, 2025, the Court of Justice of the EU (“Court”) handed down its judgment in case EDPS v SRB C-413/23 P, setting aside the General Court of the European Union’s (“General Court”) judgment of April 26, 2023 in case SRB v EDPS T‑557/20.  In particular, the Court clarified that whether pseudonymized data can be considered as personal data depends on the specific circumstances of the case, such as whether a third party to whom data is transferred by a data controller can reasonably identify the data subject.

We provide below an overview of the Court’s key findings.Continue Reading EU Court of Justice Clarifies the Concept of Personal Data in the Context of a Transfer of Pseudonymized Data to Third Parties

After last year’s landmark ruling holding that the Massachusetts Wiretap Act does not prohibit businesses’ use of pixels to capture website browsing data, Massachusetts plaintiffs have shifted their focus to the federal Wiretap Act.  The problem: unlike the Massachusetts Wiretap Act, its federal counterpart is a “one-party consent” law, meaning that a business’s consent to the use of the pixels is enough to preclude liability.  Last month, a federal court held that a “crime-tort exception” to this consent exemption does not apply when website browsing data is collected for “commercial purposes or advantages.”  Goulart v. Cape Cod Healthcare, Inc., 2025 WL 1745732 (D. Mass. June 24, 2025).Continue Reading Court Clarifies Federal Wiretap Act’s Crime-Tort Exception: “Commercial Purposes” Are “Not the Stuff of Which a Crime-Tort Is Made”

On July 30, 2025, the Italian Data Protection Authority (“Garante”) released a statement addressing the risks of using AI to interpret medical data.  In this statement, the Garante recognizes the growing trend of individuals uploading medical analyses, X-rays, and other reports onto generative artificial intelligence platforms to obtain interpretations and diagnoses.  It warns users of these AI services to carefully evaluate the implications of sharing health-related data with AI providers and relying on automatically generated responses.Continue Reading Italian Garante Adopts Statement on Health Data and AI