On January 22, the New York state legislature passed the New York Health Information Privacy Act (S929 / A2141) (“NYHIP”). If signed into law, NYHIP would join Washington and Nevada in a growing trend of states regulating consumer health information. Though NYHIP contains many similarities with laws in Washington and Nevada, there are
Inside Privacy
Updates on developments in data privacy and cybersecurity
CJEU Advocate General Supports Pragmatic Definition of Personal Data
On February 6, 2025, Advocate General Spielmann released his opinion in the EDPS vs. SRB case (Case C‑413/23 P). In this case, the European Data Protection Supervisor appealed a decision from the General Court (see our blog post here).
In essence, the case turns on the question of whether coded (pseudonymized) personal data shared…
CJEU Finds Customers’ Title Is Not Necessary Data For The Purchase Of A Train Ticket
On January 9, 2025, the Court of Justice of the European Union (“CJEU”) issued a decision on the GDPR’s lawfulness and data minimization principles.
The case arose after a French association (“Mousse”) complained to the French Supervisory Authority (“CNIL”) about the fact that France’s main train company SNCF requires customers to indicate their title and…
European Commission Publishes Action Plan on Cybersecurity of Hospitals and Healthcare Providers
On 15 January 2025, the European Commission published an action plan on the cybersecurity of hospitals and healthcare providers (the “Action Plan”). The Action Plan sets out a series of EU-level actions that are intended to better protect the healthcare sector from cyber threats. The publication of the Action Plan follows a number of high-profile…
Three Recent Developments in the EU Cyber Landscape
In the final quarter of 2024, there have been significant developments in the EU cybersecurity legal landscape. Most prominently, the EU institutions adopted the Cyber Resilience Act and mid-October marked the deadline for Member States to transpose the NIS2 Directive into national law. Most Member States failed to meet the NIS2 transposition deadline, which resulted…
FTC Staff Paper Finds Most “Smart” Products Manufacturers Fail to Disclose How Long They Will Provide Software Updates
In late November, the Federal Trade Commission (“FTC”) released a staff perspective paper (“the Paper”) detailing the results of an FTC study that surveyed 184 “smart” devices, ranging from smartphones to hearing aids to door locks, to determine whether manufacturers disclose how long they provide software updates for their products and related apps. Without such…
NYDFS Issues Industry Guidance on Risks Arising from Artificial Intelligence
On October 16, 2024, the New York Department of Financial Services (“NYDFS”) issued an industry letter (the “Guidance”) highlighting the cybersecurity risks arising from the use of artificial intelligence (“AI”) and providing strategies to address these risks. While the Guidance “does not impose any new requirements,” it clarifies how Covered Entities should address AI-related risks…
Five key takeaways from recent EU developments on the GDPR’s “legitimate interests” legal basis
In the past few weeks, there have been significant developments relating to the “legitimate interests” legal basis under Article 6(1)(f) of the GDPR:
- On 4 October 2024, the Court of Justice of the EU (“CJEU”) handed down its judgment in a case relating to the Royal Dutch Lawn Tennis Association (Case C-621/22, KNLTB),
…
California Enacts Health AI Bill and Protections for Neural Data
On September 28, California’s governor signed a number of bills into law, including bills that regulate health care facilities’ use of artificial intelligence (“AI”). These included AB 3030, which regulates certain California-licensed health care facilities’ use of AI, and SB 1223, which amends the California Consumer Privacy Act (CCPA) to cover “neural data.” We…
HHS OCR Settles Ransomware Cybersecurity Investigation for $250,000
On September 26, 2024, the U.S. Department of Health and Human Services, Office for Civil Rights (“HHS OCR”) announced that it had settled its cybersecurity investigation with Cascade Eye and Skin Centers, P.C. (“Cascade”), a privately-owned health care provider in Washington. For background, HHS OCR is responsible for administering and enforcing the Health Insurance Portability…