Data Matters Privacy Blog Cybersecurity, Privacy, Data Protection, Internet Law and Policy
- EDPB Adopts Report on GDPR Right of Access Following 2024 Coordinated Enforcement Action, by Francesca Blythe and Eleanor Dodding on February 18, 2025 at 4:13 pm
On January 20, 2025, the European Data Protection Board (EDPB) adopted a report on the implementation of the right of access by controllers under the GDPR (the Report). The right of access was the subject of the EDPB’s third coordinated enforcement action (CEF) in 2024, which involved 1,185 controllers of varying sizes, industries, and sectors. The Report provides useful recommendations for controllers on how to comply with access requests, including guidance on how long access request documentation should be retained, the importance of maintaining internal documentation, and how to avoid a ‘one size fits all’ approach. The Report emphasizes that access requests should be handled on a case-by-case basis, considering the broad scope of the right and the limited exemptions.
- Artificial Intelligence: U.S. Securities and Commodities Guidelines for Responsible Use, by W. Hardy Callcott, Nathan A. Howell, Kate Lashley, Andrew J. Sioson, Lilya Tessler and Alec J. Silvester on February 10, 2025 at 5:28 pm
Despite recent focus on artificial intelligence (AI) by U.S. financial regulators, the Securities and Exchange Commission (SEC), Commodity Futures Trading Commission (CFTC), and Financial Industry Regulatory Authority (FINRA) have not yet issued new regulations specifically addressing the use of AI. Nonetheless, during the Biden administration, guidance from these agencies emphasized the necessity of responsible use of AI within existing regulatory frameworks, urging market participants to exercise additional diligence to navigate compliance risks associated with AI usage.
- U.S. Copyright Office Issues Report on Artificial Intelligence and Copyrightability, by Lauren M. De Lilly, Nima H. Mohebbi, Rollin A. Ransom, Kristina Martinez and Sebastien Wadier on February 7, 2025 at 4:37 pm
On January 29, 2025, the U.S. Copyright Office issued the second part of its Report on Copyright and Artificial Intelligence, following a Notice of Inquiry (NOI) the Office issued in 2023. The first part of the Office’s Report, released in July 2024, addressed digital replicas. This second part addresses copyrightability, an issue that attracted considerable interest from authors, artists, and the media and technology industries — approximately half of the more than 10,000 comments that the Office received in response to the NOI addressed copyrightability questions.
- EU Commission Launches Cybersecurity Action Plan for Hospitals and Healthcare Providers, by Francesca Blythe and Eleanor Dodding on February 6, 2025 at 6:01 pm
On January 15, 2025, the EU Commission published an action plan aimed at supporting cybersecurity in hospitals and healthcare providers in the EU (the Action Plan). The Action Plan is another response by the EU to the increasing cybersecurity threats facing all industries, including the health sector. The Commission notes that this risk has increased due to, amongst other factors, the increased digitisation of healthcare, which has allowed attack surfaces to grow. It also follows a number of high-profile incidents which have impacted healthcare providers in the EU. The Action Plan is intended to build on the new EU cybersecurity legislation, such as the NIS Directive 2 (NISD2) and the Cyber Resilience Act, and feed into the full deployment of the European Health Data Space Regulation, which was adopted on January 21, 2025.
- With New Technologies Come New Risks: FINRA Issues 2025 Regulatory Oversight Report, by Andrew P. Blake, W. Hardy Callcott, Kevin J. Campion, Kenyon Colli Hall, David M. Katz, Corin R. Swift, Lilya Tessler, Lara C. Thyagarajan, Paul M. Tyrrell and Erin N. Kauffman on February 5, 2025 at 4:18 pm
Last week, the Financial Industry Regulatory Authority (FINRA) published its 2025 Annual Regulatory Oversight Report. The 80-page report hits on a number of familiar themes and subjects and includes two new areas of focus: 1) risks arising from the use of third-party vendors, including cybersecurity and data privacy risks, and 2) extended-hours trading services, which have become increasingly common across the industry. FINRA offers new observations regarding registered index-linked annuities (RILAs) in the context of Reg BI obligations. The report also reflects FINRA’s increased scrutiny of risks associated with emerging technologies, with a particular focus on generative artificial intelligence (AI) tools. Additionally, although much of the report repeats items included in prior years, it provides useful, comprehensive checklists reflecting FINRA’s views on the various topics and risk areas covered. Efforts to operationalize some of the items raised can present unique challenges, and we encourage you to reach out to a Sidley contact to talk further about particular concerns raised in the report.
- CMS Seeks Comments on Proposed Guidance Addressing Study Protocols That Use Real-World Data, by Stephanie P. Hales, Meenakshi Datta, Trevor L. Wear and Ellie L. DeGarmo on January 28, 2025 at 10:08 pm
On January 17, 2025, the Centers for Medicare & Medicaid Services (CMS) issued a proposed guidance document on study protocols that use real-world data (RWD). The proposed guidance focuses on studies with RWD sources in the context of Medicare National Coverage Determinations (NCDs) using CMS’s Coverage with Evidence Development (CED) paradigm. It presents a proposed standardized template for manufacturers or other sponsors to use when developing CED study protocols using RWD. The proposed guidance could also have broader implications with respect to RWD studies and coverage considerations. Comments on the proposed guidance are due by March 18, 2025.
- Data Privacy and Cybersecurity Outlook for 2025: What Financial Services Firms Need To Know, by William RM Long, Francesca Blythe, Max Charles Savoie and Eleanor Dodding on January 27, 2025 at 5:28 pm
Last year saw many developments across the worldwide data privacy and cybersecurity landscape, including in the EU/UK, and this momentum shows no sign of slowing in 2025. The EU General Data Protection Regulation (GDPR) enters its seventh year in May 2025. New cybersecurity and operational resilience legislation and related guidance are coming into force to regulate new and challenging technologies, several of which will affect financial services firms.
- European Health Data Space Regulation Adopted: What’s Next for Life Sciences Companies? by Francesca Blythe, Josefine Sommer and Zina Chatzidimitriadou on January 23, 2025 at 6:25 pm
On January 21, 2025, the European Health Data Space Regulation (EHDS) was formally adopted by the Council of the European Union. This marks the near-final step in the adoption process, and the EHDS will enter into force in the coming weeks. Importantly for life sciences companies (pharma, biotech, and medtech), the EHDS’ so-called secondary use provisions will become applicable in 2029, leaving companies four years to consider, adapt to, and implement these wide-ranging requirements.
- U.S. Department of Commerce Finalizes Connected Vehicles Supply Chain Restrictions, by Jen Fernandez and Alex Tritell on January 22, 2025 at 4:27 pm
On January 16, 2025, the U.S. Department of Commerce Bureau of Industry and Security (BIS) Office of Information and Communications Technology and Services (OICTS) published a Final Rule formalizing prohibitions on certain connected vehicles (CVs) transactions involving hardware and software linked to the People’s Republic of China (China) and Russia. The Final Rule is scheduled to take effect on March 17, 2025. However, given that the Final Rule is one of several new regulatory frameworks on trade issued in the final days of the Biden administration, it remains to be seen what will happen with these regulations after January 20.
- New U.S. Export Controls on Advanced Computing Items and Artificial Intelligence Model Weights: Seven Key Takeaways, by Jen Fernandez and Lloyd Lyall on January 21, 2025 at 3:05 pm
On January 15, 2025, the U.S. Department of Commerce Bureau of Industry and Security (BIS) published in the Federal Register updated export controls on advanced computing items (including advanced integrated circuits (ICs) and related equipment, software, and technology) and, for the first time, controls on artificial intelligence (AI) model weights under the Export Administration Regulations (EAR). These new regulations were published as an interim final rule and took effect on January 13, 2025, although compliance is not required until May 15, 2025. BIS also published in the Federal Register a smaller companion rule on January 16, 2025, that expands licensing requirements on foundries and packaging companies seeking to export advanced computing equipment and requires compliance by January 31, 2025.