Privacy & Information Security Law Blog

Last week President Biden issued Executive Order 14144, titled “Strengthening and Promoting Innovation in the Nation’s Cybersecurity,” which aims to strengthen software supply chain security, impose more stringent cybersecurity requirements on federal contractors, combat cybercrime, and encourage the development of identity verification technologies.

On January 3, 2025, the Cyberspace Administration of China issued the draft Measures for Personal Information Protection Certification for Cross-Border Transfers of Personal Information (“Draft Measures”) for public consultation.  The Draft Measures will make available a certification which can be used as a mechanism for lawfully transferring personal information outside of China.

On January 13, 2025, Texas Attorney General Ken Paxton announced lawsuits against Allstate and its subsidiary, Arity (together, “Allstate”), for the unlawful collection, use and sale of precise geolocation data collected through Allstate’s mobile apps, in violation of Texas’s comprehensive data privacy law. The AG’s office alleges that Allstate then used this covertly obtained data to justify raising insurance rates.

On January 13, 2025, California Attorney General Rob Bonta issued two legal advisories on the use of AI, including in the healthcare context. The first legal advisory (“AI Advisory”) advises consumers and entities about their rights and obligations under the state’s consumer protection, civil rights, competition, and data privacy laws with respect to the use of AI, while the second (“Healthcare AI Advisory”) provides guidance specific to healthcare entities about their obligations under California law regarding the use of AI.

On January 9, 2025, the Court of Justice of the European Union issued its judgment in the case Österreichische Datenschutzbehörde.

On January 16, 2025, the non-profit organization None Of Your Business filed six complaints against organizations with five European data protection authorities for the unlawful transfer of personal data to China.

On January 17, 2025, the Supreme Court of the United States unanimously upheld the Protecting Americans from Foreign Adversary Controlled Applications Act, which restricts companies from making foreign adversary controlled applications available (i.e., on an app store) and from providing hosting services with respect to such apps.

On January 17, 2025, Regulation (EU) 2022/2554 of the European Parliament and of the Council of 14 December 2022 on digital operational resilience for the financial sector (“DORA”) becomes applicable in the EU.

On January 15, 2025, the U.S. Department of Health and Human Services’ Office for Civil Rights  announced a settlement with a Florida health system, Memorial Healthcare System, for a violation of the HIPAA Privacy Rule.

On January 7, 2025, the Biden White House announced that a new “Cyber Trust Mark” will begin appearing on products in the U.S. in 2025. The Cyber Trust Mark will denote products that are “cyber secure.”