October 2025

On October 14, 2025, the European Data Protection Board (“EDPB”) announced that its 2026 coordinated enforcement action (“CEA”) will focus on transparency and information obligations — the rules that require organizations to clearly explain how they collect, use, and share personal data — under Articles 12-14 of the General Data Protection Regulation (“GDPR”).

On October 21, 2025, the New York State Department of Financial Services (“NYDFS”) issued an industry letter (the “Guidance”) highlighting the cybersecurity risks related to Covered Entities’ use of Third-Party Service Providers (“TPSPs”) and providing strategies to address these risks. The Guidance is addressed to all Covered Entities subject to NYDFS’s cybersecurity regulation codified at

On October 27, 2025, the Ninth Circuit affirmed in a memorandum opinion the dismissal of a proposed class action asserting that the owner of a cybersecurity browser extension violated the California Invasion of Privacy Act (“CIPA”) and the Electronic Communications Privacy Act (“ECPA”) by intercepting communications between extension-users and search engines. Karwowski v. Gen Digital,

Over the past few months, Chinese regulators have taken steps to update the country’s cybersecurity framework, with a particular focus on artificial intelligence (AI) safety and clarifying incident reporting obligations for onshore infrastructure. These developments reflect a broader trend toward more proactive AI and cyber governance and could signal priorities for the year ahead.

The Commerce Department today published a Request for Information (RFI) inviting the public to submit comments on U.S. artificial intelligence exports.  The RFI asks stakeholders to weigh in on aspects of the Department’s new “American AI Exports Program,” an initiative intended to “promot[e] the export of full-stack American AI technology packages.”

The RFI follows from

On October 22, 2025, the U.S. government imposed property-blocking sanctions on Russia’s two largest oil companies, Open Joint Stock Company Rosneft Oil Company (“Rosneft”) and Lukoil OAO (“Lukoil”), by designating these entities, as well as 34 Russia-based Rosneft and Lukoil subsidiaries, to the List of Specially Designated Nationals and Blocked Persons (“SDN List”) maintained by

While the Environmental Protection Agency (“EPA”) is proposing to amend the federal Greenhouse Gas Reporting Program (“GHGRP”) to remove reporting requirements for nearly all sources, it remains important for companies to track developments and manage their compliance obligations with existing and emerging state GHG reporting programs.  Several states, such as California, already have some form

On 8 October 2025, the European Commission published its Apply AI Strategy (the “Strategy”), a comprehensive policy framework aimed at accelerating the adoption and integration of artificial intelligence (“AI”) across strategic industrial sectors and the public sector in the EU.

The Strategy is structured around three pillars: (1) introducing sectoral flagships to boost AI use

By December 9, 2026, all EU Member States must update their product liability laws to align with the (new) Product Liability Directive (EU) 2024/2853 (“PLD”). The PLD imposes liability on manufacturers of products (and other relevant parties) for harm caused by defective products, regardless of fault. The PLD modernizes the current EU product liability framework