Healthcare and Privacy News

The EU Cybersecurity Act is up for periodic review and the European Commission is approaching it as a simplification exercise, but not only, writes IAPP Managing Director, Europe, Isabelle Roccia, CIPP/E. The review coincides with a simplification in digital policy, Roccia said, and the Commission is seeking stakeholders’ views. “A consistent drumbeat indicates the European Commission will look to simplify notification and documentation requirements across digital policy instruments, including the EU General Data Protection Regulation and NIS2 Directive, most likely.”Full story

The U.S. District Court for the Eastern District of Virginia ruled Google acted as a monopoly with its advertising technology practices, The New York Times reports. Judge Leonie Brinkema claimed Google’s “exclusionary conduct substantially harmed Google’s publisher customers, the competitive process, and, ultimately, consumers of information on the open web.”Full story

The global economy is continuing to trend toward increasing data adequacy decisions that enable data free flow across jurisdictions. IAPP Research Director Joe Jones and IAPP Westin Research Fellow Kayla Bushey, CIPP/US, discuss how the increase in the number of countries that have adopted overlapping criteria to evaluate adequacy decisions is a major step toward interoperability of varying data protection regimes. Additionally, the IAPP updated its Global Adequacy Capabilities infographic to reflect the latest countries to add legislative provisions allowing for the issuing of adequacy decisions.Full story

Eight U.S. state regulators formed the bipartisan Consortium of Privacy Regulators, comprising state attorneys general and the California Privacy Protection Agency. The agencies entered into a memorandum of understanding focusing on consumer protection across jurisdictions, discussing privacy law developments, and sharing priorities and common goals. Joining the CPPA in the consortium are state attorneys general from California, Colorado, Connecticut, Delaware, Indiana, New Jersey and Oregon.Full story

Companies developing or implementing immersive technologies “need to … pursue compliance, particularly with those laws concerning privacy, cybersecurity and artificial intelligence” through a “compliance-by-design” approach, Mercedes-Benz Managing Counsel Michael Cole, AIGP, CIPP/C, CIPP/E, CIPP/US, CIPM, CIPT, FIP, PLS, and Eversheds Sutherland Partner Michael Bahar write. They outline potential privacy practices and internal policy considerations for companies to address jurisdictional requirements around emerging technologies.Full story

Hamburg’s Commissioner for Data Protection and Freedom of Information provided information on how Meta product users can opt out of having their data used to train AI models. The agency noted those who do not want to do so should make their objections now, as it will take time for it to register with the company.Full story

CEN-CENELEC, consisting of the 34 national standardization organizations for European countries, announced it is behind schedule developing the technical standards companies would adhere to for demonstrating compliance with the AI Act, Euronews reports. CEN-CENELEC indicated work developing the AI Act standards will now extend into 2026, after they were supposed to be completed by August.Full story

The European Commission opened a public consultation for possible revisions of the 2019 Cybersecurity Act. The review will first focus on the mandate of the EU’s cyber agency, the ENISA, as well as the European Cybersecurity Certification Framework and ICT supply chain security issues. The Commission intends to use the consultation as an opportunity to streamline cybersecurity rules to promote innovation. The consultation closes 20 June.Full story

Apple released software updates to fix zero-day security vulnerabilities hackers allegedly used to target consumers using Apple’s iOS software, TechCrunch reports. One of the vulnerabilities was found by Google’s Threat Analysis Group, which “may indicate that the attacks targeting Apple customers were launched or coordinated by a nation state or government agency.”Full story

Thirteen EU member states allegedly did not meet the cybersecurity obligations necessary to comply with the NIS2 Directive, while only seven countries are considered to have reached full compliance, Euractiv reports. Member of the European Parliament Bart Groothuis claimed EU countries’ alleged lack of compliance with the directive is “incomprehensible and irresponsible.”Full story

The U.S. District Court for the Southern District of Ohio blocked Ohio’s age verification law, siding with technology association NetChoice’s argument that the law’s requirements violate the First Amendment. The decision marks the second time a NetChoice challenge fully blocked a state-level age verification law. Meanwhile, the Arkansas State Legislature passed House Bill 1717, a children’s privacy bill modeled after U.S. Congress’ proposed Children and Teens’ Online Privacy Protection Act, and sent it for governor approval.Full story

France’s data protection authority, the Commission nationale de l’informatique et des libertés, will hold an event 20 May to examine the economic effects of the EU General Data Protection Regulation. The gathering will include broad perspective from economists and European regulators on the regulation’s impact on economic well-being and compliance costs.Full story

South Korea’s Personal Information Protection Commission signed a business agreement with six local governments and the regional pseudonymized information utilization support agency to create a stronger process to deidentify personal information at the support center. The commission will oversee the center and coordinate action between different localities.Full story

An unauthorized third party targeting vehicle rental service company Hertz allegedly breached consumers’ personally identifiable information, including drivers’ license numbers, Bloomberg reports. Hertz said the breach occurred after a malicious actor gained access to its software vendor Cleo Communications.Full story

The market for agentic AI solutions is growing as more industries look to streamline customer-based services through the power of AI. While these solutions raise significant benefits and promise, IAPP Staff Writer Caitlin Andrews reports their autonomy and decision-making capabilities also amplify AI’s risks.Full story