The Commission has issued a call for evidence in relation to its 2026 evaluation and review of the Audiovisual Media Services Directive (“AVMSD”). 

The AVMSD came into force in 2010 and establishes the EU’s regulatory framework for audiovisual media services.  It governs the EU level coordination of national legislation on all audiovisual media, including traditional TV broadcasts and on-demand services.

The first review of the AVMSD was carried out in 2018 and resulted in the introduction of new provisions governing video sharing platforms.

Under Article 33 of AVMSD, the Commission is required to assess the impact and added value of the AVMSD and present an ex-post evaluation report, accompanied where appropriate by proposals for reviewing the Directive, by 19 December 2026.  This second review of the AVMSD is also part of the Commission’s commitments in the recently announced European Democracy Shield, which aims to foster the EU media sector to achieve stronger and more resilient democracies. Continue Reading The European Commission calls for evidence ahead of its 2026 evaluation and review of the Audiovisual Media Services Directive

Earlier this month, the Federal Communication Commission (“FCC”) released a Second Further Notice of Proposed Rulemaking (“FNPRM”) proposing to eliminate or modify various broadband label rules for Internet Service Providers (“ISPs”).  The FCC’s primary rationale for these proposed changes is that the rules are cumbersome for ISPs to implement and

Continue Reading FCC Seeks Comment on Proposed Changes to Broadband Label Transparency Rules

Last week, the Third Circuit affirmed dismissal of a putative class action asserting that defendant Quest Diagnostics violated the California Invasion of Privacy Act (“CIPA”) and the Confidentiality of Medical Information Act (“CMIA”) by employing a website pixel to track and collect data about their website activity for advertising purposes.

Continue Reading Third Circuit Affirms Dismissal of CIPA and CMIA Claims

On November 19, 2025, the Equal Employment Opportunity Commission (“EEOC”) released a technical assistance document, “Discrimination Against American Workers Is Against The Law,” and updated its landing page on national origin discrimination.  This development reflects EEOC Chair Lucas’s focus on national origin discrimination and Anti-American bias and follows comments she made in January 2025 and February 2025 stating that “protecting American workers from anti-American national origin discrimination” is among the agency’s main priorities for compliance, investigations, and litigation. Continue Reading EEOC Releases New Technical Assistance: “Discrimination Against American Workers Is Against The Law”

On November 20, 2025, the Securities and Exchange Commission (“SEC”) announced that it was voluntarily dismissing the case it brought against SolarWinds Corp. (“SolarWinds”) and its information security officer, Timothy Brown, regarding the company’s security practices and related statements in connection with the “Sunburst” cybersecurity incident. The SEC stated in a brief release that its decision to dismiss with prejudice the case against SolarWinds and Mr. Brown was “in the exercise of its discretion” and “does not necessarily reflect the Commission’s position on any other case.”Continue Reading SEC Voluntarily Dismisses SolarWinds Litigation

On 19 November 2025, the European Commission (“Commission”) officially presented its Digital Omnibus Package (see here and here). The initiative represents a comprehensive update to the EU’s digital regulatory landscape, which the Commission frames as a competitiveness and simplification initiative aimed at reducing administrative burdens and enhancing legal certainty for businesses. Although the final text is likely to evolve during negotiations with the European Parliament and the Council of the EU (“Council”), the package, if adopted in its present form, would introduce significant changes to data protection obligations, cookie rules, cybersecurity regulations and the EU AI Act.

The Digital Omnibus Package consists of two proposed regulations: a “Digital Omnibus” that would amend, amongst other legislation, the General Data Protection Regulation (GDPR), ePrivacy Directive, NIS2 Directive and Data Act, and a “Digital Omnibus on AI” that would amend the EU AI Act. We outline below key proposals from the Digital Omnibus that have particular significance for organizations operating in the EU.

A summary of amendments affecting the Data Act and the key proposals in the Digital Omnibus on AI will be addressed in subsequent blog posts.Continue Reading European Commission Proposes Revisions to GDPR and Other Digital Rules Under Digital Omnibus Package

Continue Reading Practical Advice for Nonprofits and Donors After the Presidential Memorandum on “Countering Domestic Terrorism and Organized Political Violence” and Reported IRS Enforcement Changes

According to reports published on November 19, the White House has prepared a draft Executive Order to preempt state AI regulations in lieu of a uniform national legislative framework, marking a significant escalation in federal efforts to assert control over AI regulation.  The draft Executive Order, titled “Eliminating State

Continue Reading White House Drafts Executive Order to Preempt State AI Laws

As the UK Government has recognized, cyber incidents—such as Jaguar Land Rover, Marks and Spencer, Royal Mail and the British Library—are costing UK businesses billions annually and causing severe disruption. The Government recognizes that cybersecurity is a critical enabler of economic growth (“we cannot have growth without stability”), and that the current laws have “fallen out of date and are insufficient to tackle the cyber threats faced by the UK.” Accordingly the UK Government this week published its long-awaited Cyber Security and Resilience Bill (the “Bill”), which will amend the existing Network and Information Systems Regulations 2018 (the “NIS Regulations”), and grant new powers to regulators and the Government in relation to cybersecurity.

The NIS Regulations are the UK’s pre-Brexit implementation of Directive (EU) 2016/1148 (the “NIS Directive”), which established a “horizontal” cybersecurity regulatory framework covering essential services in five sectors (transport, energy, drinking water, health, and digital infrastructure) and some digital services (online marketplaces, online search engines, and cloud computing services). EU legislators replaced NIS Directive in 2022 with the “NIS2” Directive, which Member States were meant to transpose into national law by October of last year (although many are still late in doing so. See our post on NIS2 here for an overview of the requirements of NIS2).

The Bill is the UK’s effort at modernizing the framework originally set out in the NIS Directive. In its current form, the Bill will:

  • Significantly expand the scope of the NIS Regulations—to cover, among other things, data centers and managed service providers—and impose additional substantive obligations on covered organizations.
  • Increase potential fines—up to GBP 17m or 4% of the worldwide turnover of an undertaking—and extend the powers of competent authorities to share information with one another, issue guidance, and take enforcement action.
  • Establish a framework for future changes to the NIS Regulations, mechanisms for competent authorities to impose specific cybersecurity requirements on covered organizations, and greater Government direction of cybersecurity matters.

Below, we set out further detail on five major changes in UK cybersecurity regulation arising from the Bill.Continue Reading Five major changes to the regulation of cybersecurity in the UK under the Cyber Security and Resilience Bill

On November 4, 2025, Senator Bill Cassidy (R-LA), chair of the Senate Health, Education, Labor, and Pensions (“HELP”) Committee, introduced the Health Information Privacy Reform Act (“HIPRA”). HIPRA seeks to extend protections similar to those provided under the Health Insurance Portability and Accountability Act of 1996, as amended, and its implementing regulations (collectively, “HIPAA”) to certain health information collected by entities not currently regulated by HIPAA. HIPRA also proposes modifications and calls for guidance related to certain existing provisions of HIPAA as well as Part 2 (related to substance use disorder medical history).Continue Reading U.S. Senate Introduces the Health Information Privacy Reform Act