Month: March 2025

Executive Orders (EO) have become a frequent policy-making tool during President Trump’s terms in office, influencing everything from investment in technology to privacy concerns. On March 12th, PRG Student Fellows—Marco Germanò, Krimul Malhotra, Rebecca Kahn, Carolina Barcelos, Yujia Wu, Naveen Rajan, Lesley Yang, Hugh Ó Laoide Kelly, and Yuting Yu—presented their insights on the tech- and privacy-related implications of several Trump administration EOs issued in 2025. Their analysis focused on:

• Artificial Intelligence: EO 14179 Removing Barriers to American Leadership in Artificial Intelligence
• Content Moderation & Social Media: EO 14149 Restoring Freedom of Speech and Ending Federal Censorship
• Digital Financial Technology: EO 14178 Strengthening American Leadership in Digital Financial Technology
• Deregulation Policies: EO 14192 Unleashing Prosperity Through Deregulation; EO 14219 Ensuring Lawful Governance and Implementing the President’s “Department of Government Efficiency” Deregulatory Initiative; EO 14215 Ensuring Accountability for All Agencies.
• Technology Investment: EO 14177 President’s Council of Advisors on Science and Technology

Attendees heard how each order could affect innovation, civil liberties, and regulatory practices. The ensuing discussion also addressed the broader legal and policy dimensions of these directives, including how EOs interact with the process for rescinding and creating agency rules. Please see the attached presentation and links to the relevant EOs.

News

Google has agreed to acquire cloud security platform Wiz for $32 billion in the largest acquisition of 2025 so far, integrating it into Google Cloud as part of a strategy to become the dominant security player in cloud computing. Following the acquisition, Wiz will continue to support multiple cloud platforms including competitors AWS, Azure, and Oracle Cloud, while gaining access to Google’s AI expertise and resources.

Virginia is poised to become the second U.S. state to regulate high-risk AI applications with a bill requiring companies to implement safeguards against algorithmic discrimination in critical areas like employment, lending, healthcare, and housing. This state-level action comes amid the federal government’s recent withdrawal from stringent AI regulation under the Trump administration, signaling an emerging regulatory patchwork similar to what has developed in data privacy laws across states.

President Trump has fired the two Democratic members of the Federal Trade Commission, Rebecca Kelly Slaughter and Alvaro Bedoya, in a controversial move challenging the agency’s traditional independence, with both commissioners planning to challenge their dismissals in court. This action follows a similar attempt to remove a National Labor Relations Board member and aligns with the administration’s recent executive order asserting greater White House control over independent regulatory agencies.

Apple has removed its Advanced Data Protection encryption feature for 35 million UK iPhone users rather than comply with government demands for a security backdoor, and has appealed the order to the UK Investigatory Powers Tribunal. Privacy experts warn this precedent could embolden other nations, including the U.S., to make similar demands, creating what Johns Hopkins professor Javad Abed calls a “policy earthquake” for global data security.

Marko Elez, a staffer for Elon Musk’s Department of Government Efficiency (DOGE) who was previously fired and then rehired after being linked to controversial social media content, violated Treasury Department policies by emailing a spreadsheet with personal financial information to GSA officials without proper encryption or approval. The incident, revealed in a court filing by a Treasury security officer amid a lawsuit from 19 state attorneys general seeking to block DOGE’s access to sensitive taxpayer information, has reinforced concerns about what the states called the “rushed and chaotic nature” of the DOGE team’s access to government systems.

Hungary’s parliament has passed a law banning Pride events and allowing authorities to use facial recognition to identify attendees, the latest in Prime Minister Viktor Orbán’s ongoing restrictions on LGBTQ rights. The legislation amends Hungary’s assembly law to prohibit events that violate the country’s controversial “child protection” legislation, which bans the “depiction or promotion” of homosexuality to minors, with opposition lawmakers igniting colorful smoke bombs in parliament during the 136-27 vote.

Facial recognition company Clearview AI attempted to purchase 690 million arrest records and 390 million mugshots containing sensitive personal data including social security numbers, addresses, and email addresses from an intelligence firm in 2019, according to newly obtained documents. The deal ultimately fell apart and went to arbitration, with the arbiter ruling in Clearview’s favor in 2024, even as the company continues to face legal challenges worldwide over its collection of billions of facial images from social media without consent.

The EDPB provided recommendations to member states for implementing the PNR (passenger name record) Directive, focusing on limitations to passenger data processing, including restricting data collection for terrorist offenses and serious crimes with an objective link to air travel, limiting intra-EU flight surveillance, requiring independent prior review of data access, and enforcing limited data retention periods.

Democrats are pushing for an update the 1974 Privacy Act in response to the actions taken by Elon Musk’s DOGE. Proposed updates to the Act, which pertains only to government use of personal electronic records, include narrowing the “need to know” exception and strengthening data minimization provisions and the private right of action for individuals whose data is affected.

(Compiled by Student Fellow Lior Polani)

News

California’s Privacy Protection Agency has commenced its first public enforcement action since obtaining such powers in 2023, fining Honda $632,500 for allegedly violating its customers’ privacy rights. The state alleged that Honda required over 100 customers to provide overly-revealing personal information, made it difficult for consumers to opt out of cookies, and failed to produce contracts describing how it shares personal information it collects with advertisers. As part of the settlement, Honda agreed to implement a more simple privacy process for consumers. 

Elon Musk’s DOGE has begun employing an AI-assisted chatbot named GSAi at the General Services Administration (GSA) in order to continue its efforts to automate tasks previously performed by GSA employees. GSAi currently covers general tasks, similarly to everyday chatbots like Anthropic’s Claude, and the GSA eventually aims to employ the chatbot to analyze contract and procurement data.  

A district court in New York ruled that a class action against Springer Nature, the publisher of Scientific American, survived a motion to dismiss. The publisher is accused of violating the Video Privacy Protection Act by sharing, without consent, the confidential personal information of its users with Meta through a tracking pixel. 

(Compiled by Student Fellow Shreyas Iyer)

News

Celebrite is offering AI to law enforcement officials to audit seized devices, including summarizing chat or audio messages. Civil liberty advocates have concerns about the Fourth Amendment, AI’s tendency to hallucinate, and the lack of transparency in AI determinations.

In the continuing saga between Apple and the British Government over privacy, Apple has appealed to the Investigatory Powers Tribunal regarding the Home Office’s order to share encrypted data.

Cornell and Microsoft have worked together to create a “private” version of Co-Pilot to respond to concerns that user data could be used to train future AI models.

After the passage and entry into force of the European Parliament’s AI act, there are still questions on how it will interact with the GDPR.

The European Court of Justice (ECJ) issued a ruling explaining the standards of “meaningful information about the logic involved” under GDPR Art. 15 as well as what should be done if the logic involved necessarily involves trade secrets or 3rd party data protected by the GDPR. Under this ruling, “meaningful information about the logic involved” entails, by means of relevant information and in a concise, transparent, intelligible and easily accessible form, the procedure and principles actually applied in order to use, by automated means, the personal data concerning that person with a view to obtaining a specific result, such as a credit profile. When the company claims that the information to be provided contains trade secrets or 3rd party data, the “controller is required to provide the allegedly protected information to the competent supervisory authority or court, which must balance the rights and interests at issue with a view to determining the extent of the data subject’s right of access provided for in Article 15 of that regulation.”

Events

The NYU Journal of IP and Entertainment Law Symposium is happening at NYU next week on Monday, 3/10. It is about regulating and owning music in the age of AI. You can RSVP here.

(Compiled by Student Fellow Tobit Glenhaber)