Category: Uncategorized

News

Attorney General William Tong of Connecticut recently recommended a strengthening of privacy protections in the state, including additional defenses for data of minors and a data minimization requirement.

Google Analytics has added features to enhance marketing capabilities in light of consumer data privacy settings, specifically around the aggregation of location data, data labeling, and assessment of data quality.

A recent lawsuit against Accor Management alleges the company’s website transferred tracking pixels to Facebook in a manner unauthorized by website visitors.

Just Security has been tracking lawsuits filed against the Trump administration, including alleged violations of the Privacy Act for mishandling of government employee data and matters related to birthright citizenship.

(Compiled by Student Fellow Cooper Aspegren)

News

In a letter dated 31 March 2025, the Federal Trade Commission (FTC) expressed its concerns and interests to the Office of the US Trustee relating to the bankruptcy proceedings involving 23andMe Holding Company. 23andMe came into prominence over the past few years due to its genetic testing services that allowed it to accumulate millions of sensitive personal information of its consumers, including genetic information, health information, ancestry and genealogy information, payment information, among others. The FTC claims that any bankruptcy-related sale or transfer involving 23andMe users’ personal information should be subject to the representations made by the company, including commitments to data privacy and protection, and data security. Further, the purchaser of the data assets should expressly agree to adhere to and be bound by such commitments.

Kenya recently launched its national AI strategy roadmap for 2025-2030 that focuses on several core pillars: AI digital infrastructure, data and AI governance, AI research, innovation and commercialization. Aimed at making Kenya a regional leader in AI research and development, the strategy reflects Kenya’s mission of being “architects of [their] digital destiny” instead of being a mere spectator. In the strategy, Kenya also plans on building infrastructures, such as data centers and semiconductor manufacturing facilities, to support the five-year plan.

As a result of OpenAI’s release of a new image generator, powered by GPT-40, social media platforms have been inundated with images that uses a filter reminiscent of the works of Studio Ghibli, a Japanese animation company co-founded by animator and filmmaker Hayao Miyazaki. Studio Ghibli and Miyazaki have won many accolades for their animated works. The trend is especially controversial given Miyazaki’s apparent abhorrence over generative AI and his passionate belief in the power of art created by humans. In a video uploaded years ago and have been recirculated in response to the social media trend, Miyazaki felt that machine-generated art “is an insult to life itself.”

Immigration and free speech advocates have raised concerns over the proposal by US immigration officials to collect social media handles from people applying for citizenship, green cards and other benefits. The advocates claim that the proposal seeks to cover people already in the US legally and have already been vetted extensively. The immigration officials, on the other hand, argue that the purpose of the proposal is to “strengthen fraud detection, prevent identity theft, and support the enforcement of rigorous screening and vetting measures.” However, the proposal comes on the heels of recent events where the administration is detaining people and revoking student visas for joining and participating in campus protests.

NYU is facing at least 10 class action lawsuits after it has been the subject of a data breach wherein a hacker leaked files claimed to show personal information of past university applicants. The complaints claim that NYU failed to comply with the national standards for cybersecurity which resulted in the mishandling of personal information of the students, which could potentially expose the applicants to risk of identity theft, among others.   

(Compiled by Student Fellow Reeneth B. Santos)

Executive Orders (EO) have become a frequent policy-making tool during President Trump’s terms in office, influencing everything from investment in technology to privacy concerns. On March 12th, PRG Student Fellows—Marco Germanò, Krimul Malhotra, Rebecca Kahn, Carolina Barcelos, Yujia Wu, Naveen Rajan, Lesley Yang, Hugh Ó Laoide Kelly, and Yuting Yu—presented their insights on the tech- and privacy-related implications of several Trump administration EOs issued in 2025. Their analysis focused on:

• Artificial Intelligence: EO 14179 Removing Barriers to American Leadership in Artificial Intelligence
• Content Moderation & Social Media: EO 14149 Restoring Freedom of Speech and Ending Federal Censorship
• Digital Financial Technology: EO 14178 Strengthening American Leadership in Digital Financial Technology
• Deregulation Policies: EO 14192 Unleashing Prosperity Through Deregulation; EO 14219 Ensuring Lawful Governance and Implementing the President’s “Department of Government Efficiency” Deregulatory Initiative; EO 14215 Ensuring Accountability for All Agencies.
• Technology Investment: EO 14177 President’s Council of Advisors on Science and Technology

Attendees heard how each order could affect innovation, civil liberties, and regulatory practices. The ensuing discussion also addressed the broader legal and policy dimensions of these directives, including how EOs interact with the process for rescinding and creating agency rules. Please see the attached presentation and links to the relevant EOs.

News

Google has agreed to acquire cloud security platform Wiz for $32 billion in the largest acquisition of 2025 so far, integrating it into Google Cloud as part of a strategy to become the dominant security player in cloud computing. Following the acquisition, Wiz will continue to support multiple cloud platforms including competitors AWS, Azure, and Oracle Cloud, while gaining access to Google’s AI expertise and resources.

Virginia is poised to become the second U.S. state to regulate high-risk AI applications with a bill requiring companies to implement safeguards against algorithmic discrimination in critical areas like employment, lending, healthcare, and housing. This state-level action comes amid the federal government’s recent withdrawal from stringent AI regulation under the Trump administration, signaling an emerging regulatory patchwork similar to what has developed in data privacy laws across states.

President Trump has fired the two Democratic members of the Federal Trade Commission, Rebecca Kelly Slaughter and Alvaro Bedoya, in a controversial move challenging the agency’s traditional independence, with both commissioners planning to challenge their dismissals in court. This action follows a similar attempt to remove a National Labor Relations Board member and aligns with the administration’s recent executive order asserting greater White House control over independent regulatory agencies.

Apple has removed its Advanced Data Protection encryption feature for 35 million UK iPhone users rather than comply with government demands for a security backdoor, and has appealed the order to the UK Investigatory Powers Tribunal. Privacy experts warn this precedent could embolden other nations, including the U.S., to make similar demands, creating what Johns Hopkins professor Javad Abed calls a “policy earthquake” for global data security.

Marko Elez, a staffer for Elon Musk’s Department of Government Efficiency (DOGE) who was previously fired and then rehired after being linked to controversial social media content, violated Treasury Department policies by emailing a spreadsheet with personal financial information to GSA officials without proper encryption or approval. The incident, revealed in a court filing by a Treasury security officer amid a lawsuit from 19 state attorneys general seeking to block DOGE’s access to sensitive taxpayer information, has reinforced concerns about what the states called the “rushed and chaotic nature” of the DOGE team’s access to government systems.

Hungary’s parliament has passed a law banning Pride events and allowing authorities to use facial recognition to identify attendees, the latest in Prime Minister Viktor Orbán’s ongoing restrictions on LGBTQ rights. The legislation amends Hungary’s assembly law to prohibit events that violate the country’s controversial “child protection” legislation, which bans the “depiction or promotion” of homosexuality to minors, with opposition lawmakers igniting colorful smoke bombs in parliament during the 136-27 vote.

Facial recognition company Clearview AI attempted to purchase 690 million arrest records and 390 million mugshots containing sensitive personal data including social security numbers, addresses, and email addresses from an intelligence firm in 2019, according to newly obtained documents. The deal ultimately fell apart and went to arbitration, with the arbiter ruling in Clearview’s favor in 2024, even as the company continues to face legal challenges worldwide over its collection of billions of facial images from social media without consent.

The EDPB provided recommendations to member states for implementing the PNR (passenger name record) Directive, focusing on limitations to passenger data processing, including restricting data collection for terrorist offenses and serious crimes with an objective link to air travel, limiting intra-EU flight surveillance, requiring independent prior review of data access, and enforcing limited data retention periods.

Democrats are pushing for an update the 1974 Privacy Act in response to the actions taken by Elon Musk’s DOGE. Proposed updates to the Act, which pertains only to government use of personal electronic records, include narrowing the “need to know” exception and strengthening data minimization provisions and the private right of action for individuals whose data is affected.

(Compiled by Student Fellow Lior Polani)

News

California’s Privacy Protection Agency has commenced its first public enforcement action since obtaining such powers in 2023, fining Honda $632,500 for allegedly violating its customers’ privacy rights. The state alleged that Honda required over 100 customers to provide overly-revealing personal information, made it difficult for consumers to opt out of cookies, and failed to produce contracts describing how it shares personal information it collects with advertisers. As part of the settlement, Honda agreed to implement a more simple privacy process for consumers. 

Elon Musk’s DOGE has begun employing an AI-assisted chatbot named GSAi at the General Services Administration (GSA) in order to continue its efforts to automate tasks previously performed by GSA employees. GSAi currently covers general tasks, similarly to everyday chatbots like Anthropic’s Claude, and the GSA eventually aims to employ the chatbot to analyze contract and procurement data.  

A district court in New York ruled that a class action against Springer Nature, the publisher of Scientific American, survived a motion to dismiss. The publisher is accused of violating the Video Privacy Protection Act by sharing, without consent, the confidential personal information of its users with Meta through a tracking pixel. 

(Compiled by Student Fellow Shreyas Iyer)

News

Celebrite is offering AI to law enforcement officials to audit seized devices, including summarizing chat or audio messages. Civil liberty advocates have concerns about the Fourth Amendment, AI’s tendency to hallucinate, and the lack of transparency in AI determinations.

In the continuing saga between Apple and the British Government over privacy, Apple has appealed to the Investigatory Powers Tribunal regarding the Home Office’s order to share encrypted data.

Cornell and Microsoft have worked together to create a “private” version of Co-Pilot to respond to concerns that user data could be used to train future AI models.

After the passage and entry into force of the European Parliament’s AI act, there are still questions on how it will interact with the GDPR.

The European Court of Justice (ECJ) issued a ruling explaining the standards of “meaningful information about the logic involved” under GDPR Art. 15 as well as what should be done if the logic involved necessarily involves trade secrets or 3rd party data protected by the GDPR. Under this ruling, “meaningful information about the logic involved” entails, by means of relevant information and in a concise, transparent, intelligible and easily accessible form, the procedure and principles actually applied in order to use, by automated means, the personal data concerning that person with a view to obtaining a specific result, such as a credit profile. When the company claims that the information to be provided contains trade secrets or 3rd party data, the “controller is required to provide the allegedly protected information to the competent supervisory authority or court, which must balance the rights and interests at issue with a view to determining the extent of the data subject’s right of access provided for in Article 15 of that regulation.”

Events

The NYU Journal of IP and Entertainment Law Symposium is happening at NYU next week on Monday, 3/10. It is about regulating and owning music in the age of AI. You can RSVP here.

(Compiled by Student Fellow Tobit Glenhaber)

News

UK users are losing a key Apple security feature, raising questions about the future of privacy – UK users no longer have access to optional end-to-end encryption through Advanced Data Protection. This change leaves 14 kinds of users’ personal data (i.e. photos, messages) unencrypted. This may have been the result of Apple’s unwillingness to comply with a governmental request for a backdoor. 

DOGE Betrays Foundational Commitments of the Privacy Act of 1974 – The Privacy Act of 1974 seems to be the last line of defense between US citizen data and DOGE data collection. Danielle Citron discusses the limitations of the Act and how it might be used to protect data today. 

Physicists Question Microsoft’s Quantum Claim – Microsoft claimed to have invented a fourth type of matter by creating a “Majorana particle” which they claim is a major breakthrough in quantum computing. Some scientists say that the paper Microsoft published touting this invention does not provide conclusive evidence.

No room for privacy: How Airbnb fails to protect guests from hidden cameras – Airbnb’s internal policies fail to protect guests from hidden cameras by refusing to report complaints to the police and approaching potential privacy violators internally. While Airbnb has taken measures to ban cameras in Airbnb listings, it’s unclear how the company will enforce this ban. Airbnb also pushes most users to turn to arbitration in an effort to resolve these disputes. 

States win preliminary injunction against DOGE access to Treasury payment systems – 19 states brought suit to block DOGE access to Treasury data. A New York federal judge has recently issued an injunction to block DOGE access and will review that injunction based on information on the training, vetting and security clearance of DOGE employees. 

Federal Court Orders Department of Education and Office of Personnel Management to Stop Sharing Private Data with DOGE Affiliates – The US District Court for the District of Maryland issued a temporary restraining order prohibiting the Department of Education and Office of Personnel Management from disclosing sensitive information to DOGE. The Court found that the Privacy Act of 1974 would likely protect plaintiff’s privacy rights. The Court also found that injunctive relief was the only practical remedy; money damages post privacy invasion would prove meaningless. 

Job Opportunities

https://hls.harvard.edu/academics/fellowships-and-prizes/fellowships/postdoctoral-fellowship-in-private-law/

(Compiled by Student Fellow Alice Militaru)

Events

Join The Engelberg Center on Innovation Law & Policy, Library Futures, Theater of the Apes, and the Information Law Institute for a Public Domain Day presentation of Necromancers of the Public Domain. Wednesday, February 12 at 6:30 – 9:30pm EST

Join law school faculty, staff, and students in discussing AI & law news at LunchGPT Live, held online. Friday, February 14 at 4:00-5:00pm EST

News

Elon Musk’s Department of Government Efficiency (DOGE) is currently taking action against the Consumer Financial Protection Bureau (CFPB) at around the same time that X, formerly Twitter, announced that it had struck a deal with Visa to offer a mobile payments service, which would have been overseen by the CFPB. Under acting director Russ Vought, most of the CFPB’s work has been ordered to be stopped, and Vought has made statements that he will not seek any more funding for the bureau.

The American Federation of Teachers is leading a coalition of labor unions in filing a federal suit against the Trump administration and DOGE, alleging that the latter’s access to systems with personal data violates privacy laws. The suit warns that DOGE has access to an Education Department system with information on over 40 million Americans that includes Social Security numbers, driver’s license numbers, and home addresses.

Vice President JD Vance has indicated a departure from the Biden administration’s stance on AI at the 3rd AI Action Summit in Paris. After making a speech in which he expressed that European regulations of technology would be a burden for US companies, the US and the UK refused to sign on to the summit’s declaration for inclusive and sustainable AI practices.

Following Italy’s blocking of DeepSeek over lack of information on its use of personal data, the European Data Protection Board broadened the scope of its AI taskforce, which had previously only focused on ChatGPT. Enforcers in France, the Netherlands, Belgium, Luxembourg, and other countries are also questioning DeepSeek on its data collection practices.

(Compiled by Student Fellow Jerome David)

Events

Join The Engelberg Center on Innovation Law & Policy, Library Futures, Theater of the Apes, and the Information Law Institute for a Public Domain Day presentation of Necromancers of the Public Domain. Wednesday, February 12 · 6:30 – 9:30pm EST

News

Social media trade association NetChoice filed a lawsuit to block a Maryland state law that imposes privacy protections on children using social media and other online platforms.

The European Court of Justice found against the Irish Data Protection Commissioner, in a case about whether the European Data Protection Board can direct national data supervisors to follow a certain course of action.

Italy became the first country to outright ban DeepSeek’s AI model and chatbot, after an investigation into their data collection practices.

Lawmakers in Washington introduced a bill to protect citizen’s personal data from misuse.

FBI agents participated in investigations related to President Donald Trump have sued over Justice Department efforts to develop a list of employees involved in those inquiries that they fear could be a precursor to mass firings. They have raised the complaint that the creation of the list would violate their rights under the 1974 Privacy Act.

(Compiled by Student Fellow Anthony Perrins)

Events

Join The Engelberg Center on Innovation Law & Policy, Library Futures, Theater of the Apes, and the Information Law Institute  Public Domain Day presentation of Necromancers of the Public Domain. Wednesday, February 12 · 6:30 – 9:30pm EST

This week, we highlight Data Privacy Day, an annual awareness event observed on January 28th. Established in 2007 by the Council of Europe, it serves as a vital reminder of the importance of safeguarding personal information in our increasingly digital world. The day aims to raise awareness and promote best practices in data protection across various sectors, encouraging individuals, businesses, and governments to reflect on the progress made in data privacy and to commit to strengthening measures that ensure the security of personal data.

News

On January 23, 2025, President Trump signed an executive order titled “Removing Barriers to American Leadership in Artificial Intelligence.” This directive revokes certain existing AI policies and directives that it describes as “barriers to American AI innovation”, in order to “clear a path for the United States to act decisively to retain global leadership in artificial intelligence”. The order mandates the development of an action plan within 180 days to achieve this policy, involving key advisors and department heads.

President Trump dismissed the three Democratic members of the Privacy and Civil Liberties Oversight Board (PCLOB), an independent agency responsible for ensuring that government counterterrorism measures respect privacy and civil liberties. This action leaves the board with only one active member.

Daniel’s Law, enacted in New Jersey after the tragic 2020 attack on U.S. District Judge’s family resulting in her son’s murder, aims to protect judges, prosecutors, and law enforcement officers by allowing them to request the removal of personal information like home addresses from public databases. Since its enactment, the law has sparked a wave of lawsuits led by Atlas Data Privacy Corporation, which has filed more than 140 lawsuits against data brokers on behalf of approximately 19,000 “covered persons” under the law. These companies challenged the law’s constitutionality, but in the end of November 2024, a federal judge upheld Daniel’s Law, rejecting the defendants’ constitutional challenges.

Last week, the U.S. Copyright Office published the latest part of its report on legal and policy issues related to AI, following its August 2023 Notice of Inquiry. This installment focuses on the copyrightability of works created using generative AI. The first part, released in 2024, addressed digital replicas, while future sections will cover AI model training on copyrighted works, licensing, and liability issues.

The Chinese AI app DeepSeek, with over 2 million downloads since January 2025, has raised significant privacy concerns due to its storage of user data on Chinese servers, making it subject to Chinese cybersecurity laws. The app has also been accused of censoring sensitive topics, sparking fears of propaganda and misinformation. Italy’s data protection authority, Garante, has launched an inquiry into DeepSeek, requesting detailed information on its data collection practices, data storage locations, and the legal basis for processing personal data. The regulator has given DeepSeek 20 days to respond to these inquiries. Additionally, Texas has become the first U.S. state to ban DeepSeek on government-issued devices, citing concerns that Americans’ data could be accessed by foreign entities.

On January 17, 2025, the European Data Protection Board (EDPB) adopted new guidelines on pseudonymisation during its plenary meeting. These guidelines clarify the definition and applicability of pseudonymisation under the General Data Protection Regulation (GDPR), emphasizing that pseudonymised data – data that can be attributed to an individual using additional information – remains personal data and is subject to GDPR provisions. The EDPB highlights that pseudonymisation can mitigate risks and facilitate the use of legitimate interests as a legal basis for data processing, provided all GDPR requirements are met. The guidelines are open for public consultation until February 28, 2025, allowing stakeholders to provide feedback.

Romania – Romanian prosecutors are investigating allegations of election fraud linked to social media campaigns. The investigation centers on accusations of online manipulation, including a TikTok campaign reportedly funded by pro-Russian interests, aimed at rebranding Georgescu as a pro-Western candidate.

India – On January 23, 2025, the National Company Law Appellate Tribunal (NCLAT) suspended the Competition Commission of India’s (CCI) order that restricted WhatsApp from sharing user data with Meta companies for advertising purposes over the next five years.

Israel – Moshe Nussbaum, an reporter who was diagnosed with ALS, a disease that impaired his ability to speak, appeared on television using an AI avatar based on his own voice and mimicked gestures. The AI technology was trained on recordings from his extensive career in journalism, allowing it to recreate his distinctive vocal tone and synchronize his lip movements with the generated speech. This innovative approach enabled Nussbaum to continue delivering news reports and commentary, despite the physical limitations caused by his condition.

(Compiled by Student Fellow Nofar Kadosh)