Blog

Brazil has passed a new child protection law – the ECA Digital. The law requires online services likely to be used by children to build in protections for privacy, safety, and children’s best interests by default, including banning profiling and behavioral advertising targeting kids. It takes effect in March 2026 and includes penalties for non-compliance, such as fines (up to 50 million reais or 10% of revenue in Brazil), suspension or bans, and is being enforced by Brazil’s data protection authority.

Tech Policy published a piece arguing that recent Supreme Court rulings erode longstanding protections by allowing states to impose age-verification mandates online, thereby undermining users’ First Amendment rights and privacy. The piece claims that requiring individuals to submit personal identifiers to access content risks surveillance, data exposure, and chilling effects on online speech for both minors and adults.

The United Kingdom rolled out their proposal for a digital ID. The plans faced criticism from across the political spectrum. The proposal has been pushed by the Tony Blair Institute, who is funded almost exclusively by Oracle. 

Recently, the U.S. Supreme Court granted a stay allowing President Trump’s removal of FTC Commissioner Rebecca Kelly Slaughter and agreed to review the FTC’s structure under the separation-of-powers doctrine. Slaughter, dismissed in March 2025 along with Commissioner Alvaro Bedoya, had been reinstated by the D.C. Circuit based on Humphrey’s Executor v. United States (1935), which upheld “for-cause” protections for FTC commissioners.

The Supreme Court’s stay blocks her return while it considers whether those protections are constitutional and whether Humphrey’s Executor should be overruled.The outcome could significantly alter the FTC’s independence and its role in privacy and consumer protection enforcement. A ruling narrowing removal protections would weaken the agency’s autonomy, while affirming them would preserve its authority. For privacy law, the decision introduces major uncertainty for ongoing and future FTC enforcement actions

(Compiled by Anthony Perrins)

Sen. Cruz introduced a new bill that would provide for a “regulatory sandbox” for AI companies.

A new product, “friend,” raises some privacy concerns.

In a follow-up to the DOGE data access litigation from the spring, it appears that there was a data breach with the DOGE access to social security information.

An ex-meta employee has filed a whistleblower lawsuit against Meta over “systematic cybercecurity failures.” The suit alleges that the whistleblower alerted Meta to security failures, but was rebuffed and retaliated against.

A California law attempting to limit minors’ exposure to “addicting algorithms” was upheld against a First Amendment challenge in the Ninth Circuit. (opinion here)

Anthropic has settled its class action complaint brought against it by a group of authors for $1.5 billion.

Warner Bros has jumped on the bandwagon of suing Midjourney AI for alleged copyright infringement.

The MTA is updating its advertising guidelines.

A growing amount of states are attempting to protect neural data as PII

Apologies for the delayed post this week; was still trying to figure out wordpress

News

Attorney General William Tong of Connecticut recently recommended a strengthening of privacy protections in the state, including additional defenses for data of minors and a data minimization requirement.

Google Analytics has added features to enhance marketing capabilities in light of consumer data privacy settings, specifically around the aggregation of location data, data labeling, and assessment of data quality.

A recent lawsuit against Accor Management alleges the company’s website transferred tracking pixels to Facebook in a manner unauthorized by website visitors.

Just Security has been tracking lawsuits filed against the Trump administration, including alleged violations of the Privacy Act for mishandling of government employee data and matters related to birthright citizenship.

(Compiled by Student Fellow Cooper Aspegren)

News

In a letter dated 31 March 2025, the Federal Trade Commission (FTC) expressed its concerns and interests to the Office of the US Trustee relating to the bankruptcy proceedings involving 23andMe Holding Company. 23andMe came into prominence over the past few years due to its genetic testing services that allowed it to accumulate millions of sensitive personal information of its consumers, including genetic information, health information, ancestry and genealogy information, payment information, among others. The FTC claims that any bankruptcy-related sale or transfer involving 23andMe users’ personal information should be subject to the representations made by the company, including commitments to data privacy and protection, and data security. Further, the purchaser of the data assets should expressly agree to adhere to and be bound by such commitments.

Kenya recently launched its national AI strategy roadmap for 2025-2030 that focuses on several core pillars: AI digital infrastructure, data and AI governance, AI research, innovation and commercialization. Aimed at making Kenya a regional leader in AI research and development, the strategy reflects Kenya’s mission of being “architects of [their] digital destiny” instead of being a mere spectator. In the strategy, Kenya also plans on building infrastructures, such as data centers and semiconductor manufacturing facilities, to support the five-year plan.

As a result of OpenAI’s release of a new image generator, powered by GPT-40, social media platforms have been inundated with images that uses a filter reminiscent of the works of Studio Ghibli, a Japanese animation company co-founded by animator and filmmaker Hayao Miyazaki. Studio Ghibli and Miyazaki have won many accolades for their animated works. The trend is especially controversial given Miyazaki’s apparent abhorrence over generative AI and his passionate belief in the power of art created by humans. In a video uploaded years ago and have been recirculated in response to the social media trend, Miyazaki felt that machine-generated art “is an insult to life itself.”

Immigration and free speech advocates have raised concerns over the proposal by US immigration officials to collect social media handles from people applying for citizenship, green cards and other benefits. The advocates claim that the proposal seeks to cover people already in the US legally and have already been vetted extensively. The immigration officials, on the other hand, argue that the purpose of the proposal is to “strengthen fraud detection, prevent identity theft, and support the enforcement of rigorous screening and vetting measures.” However, the proposal comes on the heels of recent events where the administration is detaining people and revoking student visas for joining and participating in campus protests.

NYU is facing at least 10 class action lawsuits after it has been the subject of a data breach wherein a hacker leaked files claimed to show personal information of past university applicants. The complaints claim that NYU failed to comply with the national standards for cybersecurity which resulted in the mishandling of personal information of the students, which could potentially expose the applicants to risk of identity theft, among others.   

(Compiled by Student Fellow Reeneth B. Santos)

Executive Orders (EO) have become a frequent policy-making tool during President Trump’s terms in office, influencing everything from investment in technology to privacy concerns. On March 12th, PRG Student Fellows—Marco Germanò, Krimul Malhotra, Rebecca Kahn, Carolina Barcelos, Yujia Wu, Naveen Rajan, Lesley Yang, Hugh Ó Laoide Kelly, and Yuting Yu—presented their insights on the tech- and privacy-related implications of several Trump administration EOs issued in 2025. Their analysis focused on:

• Artificial Intelligence: EO 14179 Removing Barriers to American Leadership in Artificial Intelligence
• Content Moderation & Social Media: EO 14149 Restoring Freedom of Speech and Ending Federal Censorship
• Digital Financial Technology: EO 14178 Strengthening American Leadership in Digital Financial Technology
• Deregulation Policies: EO 14192 Unleashing Prosperity Through Deregulation; EO 14219 Ensuring Lawful Governance and Implementing the President’s “Department of Government Efficiency” Deregulatory Initiative; EO 14215 Ensuring Accountability for All Agencies.
• Technology Investment: EO 14177 President’s Council of Advisors on Science and Technology

Attendees heard how each order could affect innovation, civil liberties, and regulatory practices. The ensuing discussion also addressed the broader legal and policy dimensions of these directives, including how EOs interact with the process for rescinding and creating agency rules. Please see the attached presentation and links to the relevant EOs.

News

Google has agreed to acquire cloud security platform Wiz for $32 billion in the largest acquisition of 2025 so far, integrating it into Google Cloud as part of a strategy to become the dominant security player in cloud computing. Following the acquisition, Wiz will continue to support multiple cloud platforms including competitors AWS, Azure, and Oracle Cloud, while gaining access to Google’s AI expertise and resources.

Virginia is poised to become the second U.S. state to regulate high-risk AI applications with a bill requiring companies to implement safeguards against algorithmic discrimination in critical areas like employment, lending, healthcare, and housing. This state-level action comes amid the federal government’s recent withdrawal from stringent AI regulation under the Trump administration, signaling an emerging regulatory patchwork similar to what has developed in data privacy laws across states.

President Trump has fired the two Democratic members of the Federal Trade Commission, Rebecca Kelly Slaughter and Alvaro Bedoya, in a controversial move challenging the agency’s traditional independence, with both commissioners planning to challenge their dismissals in court. This action follows a similar attempt to remove a National Labor Relations Board member and aligns with the administration’s recent executive order asserting greater White House control over independent regulatory agencies.

Apple has removed its Advanced Data Protection encryption feature for 35 million UK iPhone users rather than comply with government demands for a security backdoor, and has appealed the order to the UK Investigatory Powers Tribunal. Privacy experts warn this precedent could embolden other nations, including the U.S., to make similar demands, creating what Johns Hopkins professor Javad Abed calls a “policy earthquake” for global data security.

Marko Elez, a staffer for Elon Musk’s Department of Government Efficiency (DOGE) who was previously fired and then rehired after being linked to controversial social media content, violated Treasury Department policies by emailing a spreadsheet with personal financial information to GSA officials without proper encryption or approval. The incident, revealed in a court filing by a Treasury security officer amid a lawsuit from 19 state attorneys general seeking to block DOGE’s access to sensitive taxpayer information, has reinforced concerns about what the states called the “rushed and chaotic nature” of the DOGE team’s access to government systems.

Hungary’s parliament has passed a law banning Pride events and allowing authorities to use facial recognition to identify attendees, the latest in Prime Minister Viktor Orbán’s ongoing restrictions on LGBTQ rights. The legislation amends Hungary’s assembly law to prohibit events that violate the country’s controversial “child protection” legislation, which bans the “depiction or promotion” of homosexuality to minors, with opposition lawmakers igniting colorful smoke bombs in parliament during the 136-27 vote.

Facial recognition company Clearview AI attempted to purchase 690 million arrest records and 390 million mugshots containing sensitive personal data including social security numbers, addresses, and email addresses from an intelligence firm in 2019, according to newly obtained documents. The deal ultimately fell apart and went to arbitration, with the arbiter ruling in Clearview’s favor in 2024, even as the company continues to face legal challenges worldwide over its collection of billions of facial images from social media without consent.

The EDPB provided recommendations to member states for implementing the PNR (passenger name record) Directive, focusing on limitations to passenger data processing, including restricting data collection for terrorist offenses and serious crimes with an objective link to air travel, limiting intra-EU flight surveillance, requiring independent prior review of data access, and enforcing limited data retention periods.

Democrats are pushing for an update the 1974 Privacy Act in response to the actions taken by Elon Musk’s DOGE. Proposed updates to the Act, which pertains only to government use of personal electronic records, include narrowing the “need to know” exception and strengthening data minimization provisions and the private right of action for individuals whose data is affected.

(Compiled by Student Fellow Lior Polani)

News

California’s Privacy Protection Agency has commenced its first public enforcement action since obtaining such powers in 2023, fining Honda $632,500 for allegedly violating its customers’ privacy rights. The state alleged that Honda required over 100 customers to provide overly-revealing personal information, made it difficult for consumers to opt out of cookies, and failed to produce contracts describing how it shares personal information it collects with advertisers. As part of the settlement, Honda agreed to implement a more simple privacy process for consumers. 

Elon Musk’s DOGE has begun employing an AI-assisted chatbot named GSAi at the General Services Administration (GSA) in order to continue its efforts to automate tasks previously performed by GSA employees. GSAi currently covers general tasks, similarly to everyday chatbots like Anthropic’s Claude, and the GSA eventually aims to employ the chatbot to analyze contract and procurement data.  

A district court in New York ruled that a class action against Springer Nature, the publisher of Scientific American, survived a motion to dismiss. The publisher is accused of violating the Video Privacy Protection Act by sharing, without consent, the confidential personal information of its users with Meta through a tracking pixel. 

(Compiled by Student Fellow Shreyas Iyer)

News

Celebrite is offering AI to law enforcement officials to audit seized devices, including summarizing chat or audio messages. Civil liberty advocates have concerns about the Fourth Amendment, AI’s tendency to hallucinate, and the lack of transparency in AI determinations.

In the continuing saga between Apple and the British Government over privacy, Apple has appealed to the Investigatory Powers Tribunal regarding the Home Office’s order to share encrypted data.

Cornell and Microsoft have worked together to create a “private” version of Co-Pilot to respond to concerns that user data could be used to train future AI models.

After the passage and entry into force of the European Parliament’s AI act, there are still questions on how it will interact with the GDPR.

The European Court of Justice (ECJ) issued a ruling explaining the standards of “meaningful information about the logic involved” under GDPR Art. 15 as well as what should be done if the logic involved necessarily involves trade secrets or 3rd party data protected by the GDPR. Under this ruling, “meaningful information about the logic involved” entails, by means of relevant information and in a concise, transparent, intelligible and easily accessible form, the procedure and principles actually applied in order to use, by automated means, the personal data concerning that person with a view to obtaining a specific result, such as a credit profile. When the company claims that the information to be provided contains trade secrets or 3rd party data, the “controller is required to provide the allegedly protected information to the competent supervisory authority or court, which must balance the rights and interests at issue with a view to determining the extent of the data subject’s right of access provided for in Article 15 of that regulation.”

Events

The NYU Journal of IP and Entertainment Law Symposium is happening at NYU next week on Monday, 3/10. It is about regulating and owning music in the age of AI. You can RSVP here.

(Compiled by Student Fellow Tobit Glenhaber)

News

UK users are losing a key Apple security feature, raising questions about the future of privacy – UK users no longer have access to optional end-to-end encryption through Advanced Data Protection. This change leaves 14 kinds of users’ personal data (i.e. photos, messages) unencrypted. This may have been the result of Apple’s unwillingness to comply with a governmental request for a backdoor. 

DOGE Betrays Foundational Commitments of the Privacy Act of 1974 – The Privacy Act of 1974 seems to be the last line of defense between US citizen data and DOGE data collection. Danielle Citron discusses the limitations of the Act and how it might be used to protect data today. 

Physicists Question Microsoft’s Quantum Claim – Microsoft claimed to have invented a fourth type of matter by creating a “Majorana particle” which they claim is a major breakthrough in quantum computing. Some scientists say that the paper Microsoft published touting this invention does not provide conclusive evidence.

No room for privacy: How Airbnb fails to protect guests from hidden cameras – Airbnb’s internal policies fail to protect guests from hidden cameras by refusing to report complaints to the police and approaching potential privacy violators internally. While Airbnb has taken measures to ban cameras in Airbnb listings, it’s unclear how the company will enforce this ban. Airbnb also pushes most users to turn to arbitration in an effort to resolve these disputes. 

States win preliminary injunction against DOGE access to Treasury payment systems – 19 states brought suit to block DOGE access to Treasury data. A New York federal judge has recently issued an injunction to block DOGE access and will review that injunction based on information on the training, vetting and security clearance of DOGE employees. 

Federal Court Orders Department of Education and Office of Personnel Management to Stop Sharing Private Data with DOGE Affiliates – The US District Court for the District of Maryland issued a temporary restraining order prohibiting the Department of Education and Office of Personnel Management from disclosing sensitive information to DOGE. The Court found that the Privacy Act of 1974 would likely protect plaintiff’s privacy rights. The Court also found that injunctive relief was the only practical remedy; money damages post privacy invasion would prove meaningless. 

Job Opportunities

https://hls.harvard.edu/academics/fellowships-and-prizes/fellowships/postdoctoral-fellowship-in-private-law/

(Compiled by Student Fellow Alice Militaru)

Events

Join The Engelberg Center on Innovation Law & Policy, Library Futures, Theater of the Apes, and the Information Law Institute for a Public Domain Day presentation of Necromancers of the Public Domain. Wednesday, February 12 at 6:30 – 9:30pm EST

Join law school faculty, staff, and students in discussing AI & law news at LunchGPT Live, held online. Friday, February 14 at 4:00-5:00pm EST

News

Elon Musk’s Department of Government Efficiency (DOGE) is currently taking action against the Consumer Financial Protection Bureau (CFPB) at around the same time that X, formerly Twitter, announced that it had struck a deal with Visa to offer a mobile payments service, which would have been overseen by the CFPB. Under acting director Russ Vought, most of the CFPB’s work has been ordered to be stopped, and Vought has made statements that he will not seek any more funding for the bureau.

The American Federation of Teachers is leading a coalition of labor unions in filing a federal suit against the Trump administration and DOGE, alleging that the latter’s access to systems with personal data violates privacy laws. The suit warns that DOGE has access to an Education Department system with information on over 40 million Americans that includes Social Security numbers, driver’s license numbers, and home addresses.

Vice President JD Vance has indicated a departure from the Biden administration’s stance on AI at the 3rd AI Action Summit in Paris. After making a speech in which he expressed that European regulations of technology would be a burden for US companies, the US and the UK refused to sign on to the summit’s declaration for inclusive and sustainable AI practices.

Following Italy’s blocking of DeepSeek over lack of information on its use of personal data, the European Data Protection Board broadened the scope of its AI taskforce, which had previously only focused on ChatGPT. Enforcers in France, the Netherlands, Belgium, Luxembourg, and other countries are also questioning DeepSeek on its data collection practices.

(Compiled by Student Fellow Jerome David)