Data Protection

On September 17, 2025, the German Supervisory Authorities (Konferenz der unabhängigen Datenschutzaufsichtsbehörden des Bundes und der Länder, DSK) published new guidelines and recommendations addressing the complex requirements for transferring personal data, particularly health data (including health data contained in biomaterials), to countries outside of the European Economic Area for scientific research purposes under the GDPR. These guidelines may be of particular relevance for pharmaceutical, medical device, and other life sciences companies that conduct clinical research.

Continue Reading New German Guidelines on GDPR Requirements for International Transfers of Health Data in Medical Research

In late September, plaintiffs announced details of the proposed settlements with Google LLC (“Google”) and women’s health app developer Flo Health Inc. (“Flo”) to resolve a class action lawsuit stemming from the Flo app’s allegedly unlawful sharing of health data with Google and others through online tracking technologies.

As part of the proposed settlements, Google agreed to pay $48 million and Flo agreed to pay $8 million, for a combined $56 million to resolve plaintiffs’ claims against these two entities.

Continue Reading Flo Health, Google Settle Class Action Privacy Lawsuit for $56 Million

On September 16, 2025, the European Commission launched a call for evidence to collect feedback and best practices on simplifying several key areas of the EU digital rulebook, ahead of its planned Digital Omnibus package. This initiative targets legislation related to data, cybersecurity, and artificial intelligence, aiming to reduce administrative burdens and compliance costs for businesses while preserving high standards of fairness, security, and privacy online.

Continue Reading Commission Collects Feedback to Simplify Rules on Data, Cybersecurity and Artificial Intelligence in Upcoming Digital Omnibus

The EU e-evidence Regulation and Directive, which establish a regime for law enforcement authorities (“LEAs”) in one Member State to issue legally binding demands for data from certain types of providers established in other Member States, will come into effect on 18 August 2026 (our post on the specific requirements of the Regulation and Directive is available here). On 28 July 2025, the European Commission adopted an Implementing Regulation (“IR”) setting out the technical specifications for the decentralized communications system that LEAs and covered service providers must use when, among other things, issuing and responding to European Production Orders (“EPOs”) and European Preservation Orders (“EPrOs”) under the e-evidence Regulation.

Continue Reading European Commission adopts technical standards for the decentralized communication system to be used under the forthcoming e-evidence Regulation

In a new post on the Covington Inside Privacy blog, our colleagues provide an overview of the Federal Trade Commission’s (“FTC”) $45 million settlement with online lead generator MediaAlpha, Inc. and its subsidiary QuoteLab, LLC (collectively, “MediaAlpha”), resolving allegations that the companies, among other things, tricked consumers into sharing sensitive

Continue Reading FTC Takes Aim at Online Lead Generator

On September 4, 2025, the Court of Justice of the EU (“Court”) handed down its judgment in case EDPS v SRB C-413/23 P, setting aside the General Court of the European Union’s (“General Court”) judgment of April 26, 2023 in case SRB v EDPS T‑557/20. In particular, the Court clarified that whether pseudonymized data can be considered personal data depends on the specific circumstances of the case, such as whether a third party to whom the data is transferred by a data controller can reasonably identify the data subject.

We provide below an overview of the Court’s key findings.

Continue Reading EU Court of Justice Clarifies the Concept of Personal Data in the Context of a Transfer of Pseudonymized Data to Third Parties

After last year’s landmark ruling holding that the Massachusetts Wiretap Act does not prohibit businesses’ use of pixels to capture website browsing data, Massachusetts plaintiffs have shifted their focus to the federal Wiretap Act. The problem: unlike the Massachusetts Wiretap Act, its federal counterpart is a “one-party consent” law, meaning that a business’s consent to the use of the pixels is enough to preclude liability. Last month, a federal court held that the “crime-tort exception” to this consent exemption does not apply when website browsing data is collected for “commercial purposes or advantages.” Goulart v. Cape Cod Healthcare, Inc., 2025 WL 1745732 (D. Mass. June 24, 2025).

Continue Reading Court Clarifies Federal Wiretap Act’s Crime-Tort Exception: “Commercial Purposes” Are “Not the Stuff of Which a Crime-Tort Is Made”

On July 30, 2025, the Italian Data Protection Authority (“Garante”) released a statement addressing the risks of using AI to interpret medical data. In this statement, the Garante recognizes the growing trend of individuals uploading medical analyses, X-rays, and other reports onto generative artificial intelligence platforms to obtain interpretations and diagnoses. It warns users of these AI services to carefully evaluate the implications of sharing health-related data with AI providers and of relying on automatically generated responses.

Continue Reading Italian Garante Adopts Statement on Health Data and AI

On 14 July 2025, the European Commission published its final guidelines on the protection of minors under the Digital Services Act (“DSA”) (the “Guidelines”). The Guidelines are intended to provide guidance to providers of online platforms that are “accessible to minors” on meeting their obligations to “put in place appropriate and proportionate measures to ensure a high level of privacy, safety, and security of minors, on their service” (DSA, Art. 28(1)).

The European Commission published a draft version of the guidelines for consultation on 13 May 2025 (“Draft Guidelines”) (see our blog post here). The final Guidelines include some amendments to the Draft Guidelines on the basis of the feedback received during consultation, clarifying and building out further the recommended measures.

Although the Guidelines are non-binding, the Commission has made clear that it intends to use the Guidelines as a “significant and meaningful” benchmark when assessing in-scope providers’ compliance with Article 28(1) DSA.

Continue Reading European Commission Makes New Announcements on the Protection of Minors Under the Digital Services Act

On July 4, 2025, a non-paper from the Danish government signaled an intention to propose a targeted revision of the GDPR and the ePrivacy Directive to reduce the compliance burden on companies and ensure their competitiveness. Denmark recently assumed the Presidency of the Council of the European Union and will be in a privileged position to shape EU policymaking for the next six months. Amending the GDPR forms part of the Danish presidency program. During this period, the European Commission is also expected to publish a fitness check on EU digital legislation, along with a digital omnibus package (see our previous blog here).

Continue Reading Denmark Proposes GDPR and ePrivacy Directive Revision