Healthcare and Privacy News

  • A view from Brussels: Ruling in the deep
    on September 5, 2025 at 9:05 am

    IAPP Managing Director, Europe, Isabelle Roccia, CIPP/E, highlights two noteworthy cases that drew privacy eyes to Luxembourg courts this week. In one case confirming the validity of the EU-U.S. Data Privacy Framework, the European General Court provided “instant relief to thousands of privacy practitioners in the EU and U.S.,” Roccia said. While the judgment “provides welcome legal certainty about the nature of the DPF,” it “does not fully close the door to future challenges,” she noted.

  • Global AI governance law and policy: US
    on September 5, 2025 at 8:23 am

    Jurisdictions worldwide are designing and implementing AI governance laws tailored to their perspectives on risks and opportunities tied to AI-powered technologies. In one part of an 11-part series cosponsored by the IAPP and HCLTech, former IAPP Westin Fellow C. Kibby, AI Governance Research Fellow Richard Sentinella and HCLTech General Manager, Legal, Antony Hilton outline the laws, policies and broader contextual history behind the U.S. approach to AI governance.

  • CJEU clarifies personal data definition in context of pseudonymization
    on September 4, 2025 at 1:55 pm

    The Court of Justice of the European Union issued a decision clarifying the definition of personal data when it is pseudonymized. The ruling was delivered in response to an appeal of a European General Court decision that annulled a 2020 European Data Protection Supervisor action on the transfer of pseudonymized data to a third party. IAPP Staff Writer Alex LaCasse reports on the CJEU’s decision.

  • Salt Typhoon cyberattack potentially breached every US citizens’ data
    on September 4, 2025 at 11:35 am

    Cyberthreat group Salt Typhoon’s extensive yearslong cyberattack on organizations has potentially breached the personal data of millions of people, including most U.S. citizens, raising concerns about the long-lasting impacts, The New York Times reports. Former CIA Digital Innovation Deputy Director Jennifer Ewbank said Salt Typhoon’s attack could mean more “patient, state-backed campaigns burrowed deep into the infrastructure of more than 80 countries, characterized by a high level of technical sophistication, patience and persistence.”

  • Disney agrees to $10M FTC settlement to resolve COPPA violations
    on September 4, 2025 at 9:42 am

    The U.S. Federal Trade Commission announced Disney agreed to pay a USD10 million settlement to resolve claims the company violated the Children’s Online Privacy Protection Act by allowing nonconsensual collection of children’s personal data when they viewed “kid-directed” videos on YouTube. Under the proposed settlement order, Disney will be required to change how it labels children-specific content. A Disney spokesperson told the IAPP the settlement “does not involve Disney owned and operated digital platforms but rather is limited to the distribution of some of our content on YouTube’s platform.”

  • CNIL issues third-party cookie fines totaling 475M euros
    on September 4, 2025 at 9:28 am

    France’s data protection authority, the Commission nationale de l’informatique et des libertés, announced fines of 325 million and 150 million euros to Google and Shein, respectively, over alleged noncompliance with third-party cookie rules. The CNIL claimed in each instance that the companies placed cookies without user consent, a point of emphasis in the regulator’s compliance strategy it outlined in 2020.

  • Google to pay $425M following nonconsensual tracking verdict
    on September 4, 2025 at 9:26 am

    A federal jury found Google’s alleged nonconsensual user tracking over an eight-year span broke privacy laws and the company must pay USD425 million in damages, Reuters reports. The trial at the U.S. District Court for the Northern District of California considered class-action claims regarding allegations Google continued to track and collect data from users’ mobile devices after they opted out. Google issued a statement indicating it will appeal the decision. Editor’s note: The IAPP Research and Insights Team published a series exploring U.S. privacy litigation trends.

  • FTC announces CSAM, children’s privacy enforcement actions
    on September 4, 2025 at 9:25 am

    The U.S. Federal Trade Commission and the state of Utah ordered adult content provider Aylo and its affiliated websites to pay USD5 million and establish a program to prevent the spread of child sexual abuse material and other nonconsensual material. As part of the proposed order, Aylo and its affiliates must adopt age and consent verification mechanisms while implementing “a comprehensive privacy and information security program.” Meanwhile, the FTC announced a proposed order against Chinese toymaker Apitor Technology that included a suspended fine and corrective measures to settle Children’s Online Privacy Protection Act claims.

  • Comment period on AI Act transparency requirements now open
    on September 4, 2025 at 9:24 am

    The European Commission opened a public comment period on transparency requirements for AI systems covered under Article 50 of the EU AI Act. Responses will be taken into account toward the drafting of transparency guidelines or a code of practice. Stakeholder comments are due 2 Oct. Article 50 requirements are applicable 2 Aug. 2026.

  • UK DSIT releases AI assurance road map
    on September 4, 2025 at 9:21 am

    The U.K. Department for Science, Innovation and Technology released a road map detailing its vision for the third-party AI assurance market and how it will support the industry. The document outlines how professionalizing the market, supporting upskilling and ensuring access to best practice guidelines can move the country toward this goal.

  • German state DPAs criticize proposal to transfer high-risk AI monitoring authority
    on September 4, 2025 at 9:20 am

    A joint letter from German state data protection authorities criticized a legislative proposal by the German Federal Ministry for Digital Affairs and State Modernization to move oversight in Germany of high-impact AI under the EU AI Act from them to the Federal Network Agency.

  • Danish presidency of Council of the European Union lists innovative priorities for end of term
    on September 4, 2025 at 9:16 am

    The Danish Presidency of the Council of the European Union briefed the European Parliament on priorities for the remainder of its leadership term. The council will focus on continuing to build children’s data protection efforts while looking to “cut red tape” to spur innovation, though Denmark Digital Affairs Minister Caroline Stage Olsen also suggested potentially giving smaller organizations more time to comply with the EU AI Act.

  • Norway, Spain DPAs discuss EU-US Data Privacy Framework validation
    on September 4, 2025 at 9:11 am

    Norway’s data protection authority, the Datatilsynet, offered its take on the European General Court’s decision to uphold the validity of the EU-U.S. Data Privacy Framework. Datatilsynet Legal Director Erlend Methi welcomed the decision as “good news” for Norwegian businesses, but cautioned “this verdict is unlikely to be the final verdict for several reasons” and companies must “consider preparedness and have a strategy for alternative solutions.” Spain’s data protection authority, the Agencia Española de Protección de Datos, indicated the decision “provides stability and strengthens legal certainty.”

  • Tech companies to introduce mental health safeguards for underage AI users
    on September 4, 2025 at 9:09 am

    Meta and OpenAI will launch additional safeguards for their AI chatbots that aim to better protect children’s mental health and inform underage users’ parents of potentially harmful discussions within the platform, The Hill reports. Meta spokesperson Stephanie Otway said the company will continue to “adapt our approach to help ensure teens have safe, age-appropriate experiences with AI.” Meanwhile, the Guardian reports the safeguards will also allow parents to link themselves to their child’s account to see what conversations they are having and choose how the model reacts to certain topics.

  • US federal courts navigate alleged data security incidents
    on September 4, 2025 at 9:03 am

    The New York Times reports a data breach of the U.S. federal court system earlier this summer was preventable following warnings from the Department of Justice years prior. The DOJ brought forward recommendations for improved cybersecurity measures after the federal courts were breached in 2020. The Administrative Office of the U.S. Courts noted it “has been working steadily to modernize this large and complex case management system” and will continue to make efforts to protect sensitive information.

Copyright © 2025 infosecintel.net