Privacy & Data Security

In June 2025, the Court of Justice of the European Union (CJEU) delivered important rulings clarifying the application of the EU Unfair Contract Terms Directive (UCTD), which protects consumers from unfair standard contract terms that have not been individually negotiated. The UCTD ensures such terms are transparent, clear, and balanced; unfair terms are not binding

On June 26, 2025, the Council and the European Parliament reached a provisional agreement on modernizing the EU’s framework for alternative dispute resolution (ADR) in consumer matters.

The current ADR framework—established in Directive 2013/11/EU (ADR Directive)—has not been amended since its adoption in 2013. As noted in our previous blog, the European Commission recognized

On July 4, 2025, a non-paper from the Danish government signaled an intention to propose a targeted revision of the GDPR and the ePrivacy Directive to reduce the compliance burden on companies and ensure their competitiveness.  Denmark recently assumed the Presidency of the Council of the European Union and will be in a privileged position

On June 19, 2025, the U.S. District Court for the Northern District of Texas vacated the majority of the Biden Administration rule (the “2024 Rule”) modifying the Standards for Privacy of Individually Identifiable Health Information (“Privacy Rule”) under the Health Insurance Portability and Accountability Act (“HIPAA”) regarding protected health information (“PHI”) concerning reproductive health.  As

The U.S. Federal Energy Regulatory Commission (“FERC”) recently issued Order No. 907 (the “Order”), approving a new Critical Infrastructure Protection (“CIP”) Reliability Standard, CIP-015-1.  The new standard will require covered entities that maintain certain bulk electric systems (“BES”) to implement Internal Network Security Monitoring (“INSM”) for network traffic within their “electronic security perimeter,” i.e.,

Following the approach taken by the Kentucky and Connecticut legislatures this spring, Oregon has amended its comprehensive privacy statute to implement changes to the law.  Specifically, the amendment extends the statutory cure period to July 1, 2026, but this extension is limited to certain controllers.  Beginning on January 1, 2026, the statute’s cure provision will

On June 30, 2025, the Cybersecurity and Infrastructure Agency (CISA), the Federal Bureau of Investigation (FBI), the Department of Defense Cyber Crime Center (DC3), and the National Security Agency (NSA) warned U.S. critical infrastructure organizations and other companies that the threat of cyber attacks from Iran-affiliated cyber actors is heightened in the wake of the

This blog was prepared in collaboration with, and was originally published by, the UK BioIndustry Association, here. We are grateful to the UK BioIndustry Association for collaborating on this blog, and for the opportunity to post it here.

What are the UK’s plans to reform data protection law?

After an extended period of legislative