The first wave of the EU AI Act’s requirements came into force on 2 February 2025, namely: Prohibited AI: the ban on the use and distribution of prohibited AI systems, and AI Literacy: the requirement to ensure staff using and operating AI possess sufficient AI literacy. All businesses caught by the EU AI Act’s jurisdictional scope – which is potentially…

Introduction

On December 20, 2024, the Federal Trade Commission (the “FTC”) finalized a consent agreement (“Consent Order”) with Marriott International, Inc. and its subsidiary Starwood Hotels & Resorts Worldwide LLC (collectively, “Marriott”) to settle allegations that Marriott failed to implement reasonable data security measures, resulting in three large data breaches from 2014 to 2020 and affecting more than 344 million customers…

On December 19, 2024, the U.S. Department of Treasury (“Treasury”) released a report on The Uses, Opportunities, and Risks of Artificial Intelligence in the Financial Services Sector (the “Report”). The Report summarizes key themes from comments from a variety of industry stakeholders (“respondents”) in response to Treasury’s June 2024 Request for Information (“RFI”), and recommends several next steps for financial…

Our top-eleven European data protection developments for the end of 2024 are: EU Cyber Resilience Act: The Council of the European Union approved the Cyber Resilience Act, introducing cybersecurity requirements for digital products sold in the EU. Businesses may wish to start applying the requirements to products and processes ahead of the Act becoming fully enforceable on 11 December 2027.…

DOJ Issues Landmark Rules on Sensitive Data

On December 27, 2024, the U.S. Department of Justice (“DOJ”) issued the “Final Rule on Preventing Access to Sensitive Data,” creating a comprehensive export control regime to restrict the transfer of bulk sensitive personal and government-related data to foreign adversaries deemed threats to U.S. national security.[1] The rule focuses on protecting critical datasets,…