Foley Automotive Update- June 11, 2025
Trump Administration Trade and Tariff Policies
Foley & Lardner provided an update on the current Trump tariff proposals, as well as the implications of recent court decisions striking down tariffs issued under the International Emergency Economic Powers Act (IEEPA).
President Trump on June 11 stated a trade agreement with China is “done, subject to final approval with President Xi and me.” The deal is said to include a framework for China to supply “any necessary magnets and rare earths.” [This breaking news story has frequent updates.]
MEMA and a number of major automakers urged immediate action to address the risk of parts shortages and production disruptions resulting from policies in China that have restricted or delayed export licenses for certain rare earths, minerals and magnets.
The European Association of Automotive Suppliers (CLEPA) on June 4 stated that “approximately one-quarter” of the rare earths export license applications submitted to Chinese authorities since April have been approved. Chinese exports of rare earths rose 23% in May from the previous month, according to customs data published June 9.
President Trump signed an executive order to double Section 232 steel and aluminum tariffs to 50%, effective June 4. The governments of Canada, Mexico and Brazil are reported to be seeking exemptions to the steel import tariffs. Aluminum prices are projected to increase more than 20% to reach over $3,000 a ton by the end of 2026 due to the expectation of supply constraints and the effects of higher U.S. demand from Trump administration trade policies.
The Office of the U.S. Trade Representative extended Section 301 tariff exclusions for certain products from China to August 31, 2025, from a previous expiration of May 31, 2025. The duties were originally implemented in 2018 and target products that include certain batteries, critical minerals, and semiconductors. The exemptions could be further extended or modified, per the notice.
Automotive Key Developments
S&P Global Mobility and Automotive News provided overviews of the potential effects of higher steel and aluminum tariffs on automakers and suppliers. S&P noted the effects of various tariffs could cause U.S. new light-vehicle inventory to fall to 2 million units industrywide by this December, from current levels of roughly 2.7 million units.
During a presentation at AutoTech 2025, S&P Global Mobility estimated automakers and suppliers are losing up to eighteen months of product planning due to the volatility of tariff policies.
Predictions in Bank of America’s annual “Car Wars” report include ongoing multi-billion-dollar write-downs for EVs, an emphasis on “core” products to generate cash, and the potential for “mass consolidation” of the automotive industry in China resulting from extreme price wars and excess capacity. Automakers are expected to launch 159 models over the next four years, down from typical levels of over 200, and the report noted the “next four+ years will be the most uncertain and volatile time in product strategy ever.”
The Federal Communications Commission extended the public comment period by 18 days to June 27, 2025 on a proposal that could expand the list of vehicle connectivity technologies banned from Russian and Chinese manufacturers.
The White House budget office instructed the Department of Transportation to disregard a Government Accountability Office decision that the DOT violated the Impoundment Control Act (ICA) by suspending the National Electric Vehicle Infrastructure (NEVI) Formula Program created by the 2021 Bipartisan Infrastructure Law. The ICA limits a president’s ability to hold back funds appropriated by Congress.
Last week, sixteen states and the District of Columbia urged a Washington federal judge to grant their request for a preliminary injunction to stop the federal government from withholding NEVI funds.
The DOT’s National Highway Traffic Safety Administration on June 6 published a final rule, Resetting the Corporate Average Fuel Economy Program, describing the agency’s legal foundation for its authority to revise CAFE and medium- and heavy-duty vehicle (MDHD) standards. An upcoming separate rule will revise the standards. This follows a proposal in the Senate’s pending tax and budget bill to eliminate fines for failures to meet CAFE rules.
U.S. new light-vehicle sales in May increased 1.4% year-over-year to a SAAR of 15.6 million units.
OEMs/Suppliers
As part of a $4 billion plan to increase U.S. manufacturing over the next two years, GM will expand finished vehicle production at Orion Assembly in Michigan, Fairfax Assembly in Kansas, and Spring Hill Manufacturing in Tennessee. This investment will support the ability to assemble up to two million vehicles annually in the U.S.
Automakers shipped 72% fewer vehicles to the U.S. in May 2025 compared to the same period last year, according to maritime import data from Descartes Datamyne.
Canadian exports of motor vehicles and parts fell 17% in April, according to data from Statistics Canada published on June 5.
Aftermarket auto parts dealer Detroit Axle stated it could go out of business “within weeks” due to a Trump administration policy that ended the “de minimis” tariff exemption for small-value packages from China.
A number of global suppliers are exploring opportunities to support Chinese automakers’ overseas expansions.
The Chinese government is reported to have told the nation’s automakers to “self-regulate,” amid rising concerns the ongoing price wars among domestic EV makers could result in diminished profitability and significant industry consolidation.
Market Trends and Regulatory
Kelley Blue Book estimated the average new-vehicle transaction price (ATP) in May 2025 was $48,799, largely flat with the April ATP but up 1% YOY. The average manufacturer’s suggested retail price (MSRP) in May rose 2% YOY to $50,968.
The auto industry is the most likely sector to experience financial distress this year, according to two-thirds of respondents in AlixPartners’ 20th Annual Turnaround and Transformation Survey.
The National Association of Manufacturers Q2 2025 Manufacturers’ Outlook Survey found 55.4% of respondents reported a positive outlook for their companies, representing a nearly 15 percentage point drop from Q1 and the lowest level since Q2 of 2020.
Eighty-three percent of CEOs across all industries expect a recession in the next 12 to 18 months, according to the Conference Board’s CEO confidence index.
The fire on the car carrier Morning Midas started on a deck containing electric vehicles. However, the cause of the incident has not been confirmed. This marked the third serious fire in 2025 and the thirteenth in the past decade on “large ro-ro type ships.”
Autonomous Technologies and Vehicle Software
Tesla could debut robotaxi rides in limited parts of Austin, Texas in the coming weeks.
Alphabet unit Waymo has achieved 10 million paid driverless rides on a cumulative basis, and it books an average of over 250,000 weekly rides. The autonomous driving company offers paid rides in parts of San Francisco, Los Angeles, and Phoenix, and the company recently expanded to Austin and Atlanta in partnership with Uber.
Uber Technologies, Inc. and self-driving startup Wayve plan to launch public-road trials of Level 4 (L4) autonomous vehicles in London in spring 2026.
Autonomous truck-driving software company Plus Automation plans to go public in the U.S. through a $1.2 billion merger with special-purpose acquisition company Churchill Capital Corp. The combined entity will operate as PlusAI.
China is developing national safety requirements for driver-assistance systems.
Electric Vehicles and Low-Emissions Technology
Ford stated its plan to produce EV batteries at a new plant in Marshall, Michigan would be at risk if Congress eliminates federal tax credits for clean energy.
Automotive Energy Supply Corp. (AESC) halted construction of an EV battery plant in South Carolina due to “policy and market uncertainty.”
The majority of workers at a Stellantis – Samsung SDI battery joint venture plant in Indiana signed cards to join the UAW.
Lucid Group signed its third agreement for U.S.-processed graphite, in an effort to strengthen its domestic supply chain for EV batteries.
The advertised ranges of many EVs can vary significantly from the number of miles covered during Consumer Reports’ tests of 30 EVs driven at a constant highway speed of 70 mph. Over half of the tested vehicles missed targets in the advertised range, by anywhere from one mile to up to 50 miles. However, some models exceeded range by two miles to 67 miles. Unlike gas-powered cars, EVs are typically less efficient on highways than in cities.
A recent AAA survey of 1,128 consumers found only 16% of respondents were “very likely” or “likely” to purchase a fully electric vehicle as their next car, representing the lowest level since 2019.
Fourth Circuit Reverses Class Certification of Data Breach Claims
The recent Fourth Circuit decision denying class certification in the protracted Marriott data breach litigation underscores the enforceability of class action waiver provisions in customer contracts.
Background
In 2018, Marriott announced that hackers had accessed the guest reservation database of its Starwood hotel chain. The breach affected 133.7 million guest records, including members of the Starwood Preferred Guest Program (SPG Program). Putative class actions were filed around the country by plaintiffs who asserted myriad contract, tort, and statutory claims against Marriott for failing to adequately safeguard their personal information. These cases were consolidated into a multi-district litigation (MDL) proceeding in Maryland federal court.[1]
Procedural History
One of the key issues on appeal was whether the district court properly certified various classes in the litigation. Marriott opposed class certification by relying in part on a class action waiver provision in the SPG Contracts requiring that disputes “arising out of or related to” the SPG Program or Contract “be handled individually without any class action.”
Denial of Class Certification
The district court initially declined to consider the class action waiver provision in the SPG Contracts on the basis that this issue should be addressed at the merits stage of the litigation. The district court further indicated, in a footnote, that Marriott might have waived this defense by merely raising it as a boilerplate affirmative defense as opposed to a separate motion. The district court proceeded to certify multiple state-specific damages classes against Marriott on the plaintiffs’ contract and consumer protection claims.
Initial Appeal and Remand (Marriott I)
In an initial appeal in the Marriott MDL proceeding, the Fourth Circuit held that the district court erred by failing to consider the impact of the class action waiver provision in the SPG Contracts prior to certifying class action claims against Marriott.[2][3] The Fourth Circuit also questioned the district court’s suggestion that Marriott had waived this defense. Accordingly, the Fourth Circuit remanded the case to the district court to reconsider its ruling on class certification.
On remand, the district court concluded that Marriott had waived the class action waiver defense in the SPG Contracts by agreeing to the pre-trial consolidation of the data breach cases in an MDL proceeding in Maryland. The district court also opined that Marriott acted in a manner inconsistent with the SPG Contract terms, which included New York choice of law and venue provisions. Separately, the district court suggested that class action waiver provisions conflict with Federal Rule of Civil Procedure 23 (Rule 23) governing class actions. As such, the district court recertified the class claims against Marriott, which Marriott appealed.
Second Appeal Denying Class Certification (Marriott II)
On June 3, 2025, the Fourth Circuit issued a published decision reversing the district court’s ruling and decertifying the claims against Marriott. In so ruling, the Fourth Circuit made the following key findings.
First, the Fourth Circuit rejected the district court’s decision that Marriott had “waived” its defense based on the class action waiver provisions in the SPG Contracts. As a procedural matter, the Fourth Circuit observed that Marriott properly invoked its class waiver defense in its motion to dismiss, in its answer, and in opposing class certification.
Second, the Fourth Circuit disagreed with the district court’s ruling that Marriott had somehow waived the defense simply by agreeing to participate in an MDL proceeding. The Fourth Circuit noted that “[p]arties in an MDL do not act in a representative capacity, and pretrial MDL consolidation does not strip cases of their ‘individual’ nature.”[4] The Fourth Circuit also observed that it was not aware of any other court holding that a defendant participating in an MDL proceeding automatically waived its right to rely on a contractual class action waiver defense.[5]
Third, the Fourth Circuit rejected the district court’s position that by agreeing to an MDL proceeding in Maryland, Marriott acted inconsistently with the New York choice of law and venue provisions in the SPG Contracts. The Fourth Circuit pointed out that venue questions are typically resolved after the conclusion of pretrial MDL proceedings. Moreover, Marriott and the other parties “jointly and expressly reserved all choice-of-law arguments.”[6]
Fourth, the Fourth Circuit disagreed with the district court’s suggestion that the class action waiver provision in the SPG Contracts was invalid and unenforceable because it conflicted with Rule 23’s class action provision. “The Supreme Court made clear in 2013 that parties may indeed waive class-action litigation by contract.”[7] Accordingly, “[c]ourts now routinely enforce contractual class-action waivers.”[8]
Finally, the Fourth Circuit opined that the broad language of the class action waiver provision in the SPG Contracts was not limited to plaintiffs’ contract claims – but also applied to plaintiffs’ consumer protection and negligence claims. The waiver language applied to “[a]ny disputes arising out of or related to the SPG Program.”
The Fourth Circuit noted that the SPG Program was at the crux of all of plaintiffs’ claims:
That is the program under which the plaintiffs provided the information at the heart of all of their claims; the personal data that Marriott … allegedly failed to properly safeguard comes from the plaintiffs’ SPG Program accounts. It is also the program under which the plaintiffs – to obtain the benefits of program membership – made the hotel reservations for which they allege they overpaid. We think that is enough to bring their claims under the broad umbrella of the class waiver’s ‘arising under or related to’ clause.
In summary, the Fourth Circuit held that the waiver of class litigation provision in the SPG Contracts was valid and enforceable, it broadly applied to all of plaintiffs’ claims, and Marriott did not waive this defense.
Conclusion
As more companies become victims of sophisticated cyber-attacks, it is common for them to be extorted twice – first by the cybercriminals and second by the plaintiffs’ class action bar, which routinely files data breach class actions with the expectation of receiving sizeable fee awards. The Fourth Circuit’s recent decision in Marriott II underscores the enforceability of class action waiver provisions in contracts as a strong defense to discourage plaintiffs from filing putative class actions on the heels of a data breach.
[1] Maldini, et al. v. Marriott International, Inc., Docket No. 24-1064 in the U.S. Court of Appeals for the Fourth Circuit (Marriott II) (decided June 3, 2025).
[2] See In re Marriott Int’l, Inc. Customer Data Sec. Breach Litig., 78 F.4th 677 (4th Cir. 2023) (Marriott I).
[3] See Marriott II, p. 15 (internal citations omitted).
[4] Id. at pp. 15-16.
[5] Id. at p. 17.
[6] Id. at pp. 18-19.
[7] Id. at p. 19.
[8] Id. at p. 23.
PART 3: Data Categories and Surveillance Pricing: Ferguson’s Nuanced Approach to Privacy Innovation
As FTC Chair Andrew Ferguson establishes his enforcement priorities, his positions on data categorization and surveillance pricing reveal a consistent philosophy that balances privacy protection with innovation. This is the third post in our series on what to expect from the FTC under Ferguson as chair.
Our previous posts examined Ferguson’s broad regulatory philosophy of “staying in our lane” and his priority enforcement areas in children’s privacy and location data. This post explores Ferguson’s approach to emerging privacy issues that don’t fit neatly into established legal frameworks.
Skepticism of “Sensitive Categories” Designation
Ferguson has expressed significant skepticism about the FTC designating certain categories of data as inherently “sensitive” without clear statutory basis. In his September 2024 statement on the Social Media and Video Streaming Services Report, Ferguson criticized this approach:
“I am skeptical that this is the kind of injury the law should try to address… I doubt it could. Any such line would tend toward arbitrariness and is not a stable system on which to decide whether advertisements are illegal.”
Ferguson’s critique reflects his broader concern that creating subjective lists of “sensitive” data categories raises several problems:
Arbitrary line-drawing – Determining which categories qualify as “sensitive” is inherently subjective and potentially politicized.
Lack of statutory basis – Section 5 does not provide clear guidance on which categories of data should receive special protection.
Inconsistent application – When regulators decide which categories deserve protection, the resulting lists may reflect the decision-makers’ preferences rather than objective criteria.
Ferguson’s December 2024 concurrence in the Mobilewalla case provides the clearest view of his position on sensitive data categorization, where he wrote: “The FTC Act does not limit how someone who lawfully acquired those data might choose to analyze those data, or the conclusions that one might draw from them.” This reveals a fundamental distinction in his approach: While he believes the initial collection of sensitive data without consent may violate Section 5, he is skeptical that the FTC can regulate how lawfully obtained data is subsequently categorized or analyzed.
Ferguson’s analogy to private investigators is particularly telling: Just as investigators may legally observe someone entering a church and conclude they practice that religion, Ferguson believes that drawing conclusions from lawfully collected data is not, in itself, a Section 5 violation.
Surveillance Pricing: Fact-Finding Over Speculation
Ferguson has demonstrated a measured approach to emerging data practices like surveillance pricing — the use of consumer data to set personalized prices. In July 2024, he supported the FTC’s 6(b) study into these practices, explaining:
“One of the most important duties with which Congress has entrusted us is studying markets and industries and reporting to the public and Congress what we learn… These studies may inform future Commission enforcement actions, but they need not.”
His statement emphasized the importance of thorough fact-finding before developing policy positions, noting:
“Congress and the American people should be made aware of whether and how consumers’ private data may be used to affect their pocketbooks.”
However, in January 2025, Ferguson joined Commissioner Melissa Holyoak in dissenting from the release of preliminary “research summaries” on surveillance pricing. His dissent criticized the rushed release of early findings:
“Issuing these research summaries degrades the Commission’s Section 6(b) process. The Commission should not be releasing staff’s early impressions that ‘can be outdated with new information’ because the fact gathering process on the very issues being presented to the public is still underway.”
This suggests a commitment by Ferguson to thorough investigation of privacy issues before regulation, particularly with emerging practices that implicate consumer data.
Balancing Evidence and Action
Ferguson’s approach to both sensitive data categories and surveillance pricing illustrates his broader privacy philosophy:
Demand robust evidence – Before taking regulatory action on privacy practices, Ferguson wants complete factual records that demonstrate actual harm.
Favor established laws over novel theories – His skepticism of “sensitive categories” shows preference for established legal frameworks rather than expanding statutory interpretations.
Emphasize procedural integrity – His objection to preliminary research summaries reveals concern with fair, thorough processes before reaching conclusions about data practices.
Ferguson appears to maintain a genuine openness to evidence that might show consumer benefits from practices such as data categorization or personalized pricing. His insistence on completing thorough market studies reflects not just procedural formalism but a substantive commitment to evidence-based regulation that considers both potential harms and benefits.
What This Means for Businesses
Based on Ferguson’s positions, here are some considerations for businesses:
For Data Categorization:
Focus on consent mechanisms for data collection rather than worrying about how lawfully collected data is analyzed.
Document legitimate business purposes for data analysis.
Keep watch for potential future legislation that might specifically designate certain data categories for special protection.
Distinguish clearly between initial data collection practices (which face greater scrutiny) and subsequent analysis of lawfully collected data (which faces less scrutiny).
For Surveillance Pricing and Similar Practices:
Expect continued scrutiny of personalized pricing practices, but through careful study rather than immediate regulation.
Maintain transparency about how customer data influences pricing.
Document how pricing algorithms use personal data.
Consider implementing clear opt-out mechanisms for data-based pricing.
Document instances where personalized pricing benefits consumers through lower prices or increased access, as Ferguson’s evidence-based approach may be receptive to such benefits.
Evolution Rather Than Revolution
Ferguson’s approach suggests the FTC under his leadership will maintain strong privacy enforcement but with a focus on clear statutory violations rather than expanding interpretations of unfairness. For data categorization and surveillance pricing, this means:
Continued fact-finding – The commission will likely invest in thorough market studies before developing policy positions.
Focus on deception over unfairness – Companies making false or misleading claims about data practices will face scrutiny, while novel “unfairness” theories will receive more skepticism.
Emphasis on consent and transparency – Proper notice, consent, and transparency will remain central to the FTC’s privacy enforcement.
This approach represents evolution rather than revolution in the commission’s privacy work, with a measured path that balances consumer protection with business certainty and technological innovation.
Behavioral Health Law Ledger | June 2025
The June 2025 issue of Greenberg Traurig’s quarterly Behavioral Health Law Ledger explores two behavioral health legal developments: the Trump administration’s pause on enforcement of a Final Rule intended to strengthen equitable coverage between mental and physical health benefits; and a partnership between the NIH and CMS aimed at researching and providing data on the root causes of autism.
Trump Administration Pauses Enforcement of Mental Health Parity Final Rule
As previously reported in the Ledger, in September 2024, the U.S. Departments of Labor, Treasury, and Health and Human Services (the Departments) sought to strengthen the requirements under the 2008 Mental Health Parity and Addiction Equity Act (MHPAEA), which mandates equitable coverage by health benefit plans between mental health benefits and physical health benefits. The Departments co-released the Final Rule on the Requirements Related to the Mental Health Parity and Addiction Equity Act (the Final Rule), which required health plans and health insurers to reevaluate the impact of nonquantitative treatment limitations (NQTLs) on access to mental health or substance use disorder (MH/SUD) benefits relative to comparable availabilities of medical and surgical benefits, effective Jan. 1, 2025. NQTLs are non-numerical limits of benefits and include mechanisms such as medical management techniques and prior authorization requirements. On an operational level, the Final Rule intended to close loopholes in MHPAEA that health insurers and health plans have used to deny patients’ covered MH/SUD treatments.
However, the Trump administration recently stated in a court filing that it does not intend to enforce a key regulation on mental health parity while it considers next steps, which could include modifying or rescinding the Final Rule in its entirety.
In January 2025, the ERISA Industry Committee (ERIC), an organization that represents large employers that provide benefits, including health plan benefits, filed a lawsuit in the U.S. District Court for the District of Columbia against the Departments challenging the Final Rule on several grounds, including that the Departments exceeded their authorities in enacting the Final Rule, and asserting that the Final Rule’s provisions are arbitrary and capricious and contrary to law.
Rather than defend the Departments’ rulemaking authority, the Department of Justice (DOJ) filed a Motion for Abeyance, seeking to stay the litigation while the Departments “reconsider the [Final] Rule at issue in this litigation, including whether to issue a notice of proposed rulemaking rescinding or modifying the regulation.” The DOJ’s motion goes on to state that “the Departments do not intend to enforce parts of the [Final Rule],” thereby deeming abeyance of the litigation pending the Departments’ reconsideration process appropriate. The court granted the DOJ’s motion and ordered the parties to the litigation to file a joint status report Aug. 7, 2025, and every 90 days thereafter to report on the Departments’ reconsideration of the Final Rule at issue in the pending litigation. The Departments subsequently issued a non-enforcement policy statement May 15, 2025, further stating that “[t]he Departments will not enforce the 2024 Final Rule or otherwise pursue enforcement actions, based on a failure to comply that occurs prior to a final decision in the [ERIC] litigation, plus an additional 18 months.”
CMS Announces Data Bank Dedicated to Researching Autism
On May 7, 2025, the Centers for Medicare & Medicaid Services (CMS) announced a new partnership with the National Institutes of Health (NIH) to build a data bank aimed at researching the root causes of autism and providing public transparency.
Although much of the specifics are yet to be unveiled, this pilot research program will begin with CMS and NIH establishing a data use agreement under CMS’ Research Data Disclosure Program focused on Medicare and Medicaid beneficiaries with autism spectrum disorder (ASD) diagnoses. Researchers then intend to study ASD diagnosis trends over time, as well as studying health outcomes connected to specific medical and behavioral intervention strategies and techniques. The database will also be used to study access to care and care disparities demographically and geographically, as well as ASD’s “economic burden on families and health care systems.”
NIH Director Dr. Jay Bhattacharya said in the announcement of the initiative that “[l]inking CMS claims data with a secure real-world NIH data platform…will unlock landmark research into the complex factors that drive autism and chronic disease—ultimately delivering superior health outcomes to the Americans we serve.” CMS Administrator Dr. Mehmet Oz added, “This joint effort aligns with our shared goal of fostering innovation to improve Americans’ lives while safeguarding patient privacy.”
Different Country, Same Challenges: Lessons from a Breach That Could Have Been Prevented
A recent breach involving Indian fintech company KiranaPro serves as a reminder to organizations worldwide: even the most sophisticated cybersecurity technology cannot make up for poor administrative data security hygiene.
According to a June 7 article in India Today, KiranaPro suffered a massive data wipe affecting critical business information and customer data. The company’s CEO believes the incident was likely the result of a disgruntled former employee, though he has not ruled out the possibility of an external hack, according to reporting. TechCrunch explained:
The company confirmed it did not remove the employee’s access to its data and GitHub account following his departure. “Employee offboarding was not being handled properly because there was no full-time HR,” KiranaPro’s chief technology officer, Saurav Kumar, confirmed to TechCrunch.
Unfortunately, this is not a uniquely Indian problem. Globally, organizations invest heavily in technical safeguards—firewalls, multi-factor authentication, encryption, endpoint detection, and more. These tools are essential, but not sufficient.
The Silent Risk of Inactive Accounts
One of the most common (and preventable) vectors for insider incidents or credential abuse is failure to promptly deactivate system access when an employee departs. Whether the separation is amicable or not, if a former employee retains credentials to email, cloud storage, source control, or enterprise software, the organization is exposed. Those credentials may be used intentionally (as suspected in the KiranaPro case) or unintentionally, if they are later stolen or phished; a live account nobody is watching is exactly the kind an attacker can use without tripping a “new user” alert.
Some organizations assume their IT department is deactivating accounts automatically. Others rely on inconsistent handoffs between HR, legal, and IT teams. Either way, failure to follow a formal offboarding checklist, and to verify that deactivation actually happened in every system, is a systemic weakness, not a fluke.
It’s Not Just About Tech—It’s About Governance
This breach illustrates the point that information security is as much about governance and process as it is about technology. Managing who has access to what systems, when, and why is a core component of security frameworks such as the NIST Cybersecurity Framework, ISO 27001, and the CIS Controls. In fact, user access management, including timely revocation of access upon employee separation, is a foundational expectation in every major cybersecurity risk assessment.
Organizations should implement the following best practices:
Establish a formal offboarding procedure. Involve HR, IT, and Legal to ensure immediate deactivation of all accounts upon separation.
Automate user provisioning and deprovisioning where possible, using identity and access management (IAM) tools.
Maintain a system of record for all access rights. Periodically audit active accounts in every system that grants access (identity provider, source control, cloud consoles, SaaS tools) and reconcile them against the current list of employees and vendors, treating any account with no living owner as a finding.
Train supervisors and HR personnel to notify IT or security teams immediately upon termination or resignation. There also may be cases where monitoring an employee’s system activity in anticipation of termination may be prudent.
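The reconciliation step in the checklist above is the one that would have caught the KiranaPro gap, so here is an added example of it in Python. This is not code from the original post or from KiranaPro; it assumes an HR roster export and per-system account exports can be obtained as lists of dictionaries (the `HR_ROSTER`, `ACCOUNT_EXPORTS`, `SERVICE_ACCOUNTS` and `AS_OF` values below are constructed for illustration). It reports enabled accounts that belong to terminated employees (with days overdue), accounts with no owner in HR at all (orphans), and accounts whose owner has an end date coming up, which is the case where the post suggests closer monitoring.

```python
"""Offboarding reconciliation: find accounts that should already be gone.

Added example, not from the original post or from KiranaPro. Assumes an HR
export (the system of record) and one export per access-granting system; all
sample rows here are constructed.
"""
from dataclasses import dataclass
from datetime import date

# Constructed HR roster. end_date is the last working day; None means active.
HR_ROSTER = [
    {"employee_id": "E100", "email": "asha@example.com", "end_date": None},
    {"employee_id": "E101", "email": "ravi@example.com", "end_date": "2025-05-20"},
    {"employee_id": "E102", "email": "mira@example.com", "end_date": None},
    {"employee_id": "E103", "email": "noor@example.com", "end_date": "2025-06-20"},
]

# Constructed account exports. Systems without an e-mail field use the login.
ACCOUNT_EXPORTS = {
    "okta": [
        {"login": "asha@example.com", "enabled": True},
        {"login": "ravi@example.com", "enabled": True},   # left 2025-05-20, still on
        {"login": "mira@example.com", "enabled": True},
        {"login": "noor@example.com", "enabled": True},   # leaving 2025-06-20
    ],
    "github": [
        {"login": "asha-dev", "email": "asha@example.com", "enabled": True},
        {"login": "ravi-k", "email": "ravi@example.com", "enabled": True},    # repo access kept
        {"login": "old-intern", "email": "intern@example.com", "enabled": False},  # done right
        {"login": "ci-bot", "email": None, "enabled": True},                  # documented bot
    ],
    "aws_iam": [
        {"login": "asha", "email": "asha@example.com", "enabled": True},
        {"login": "deploy-legacy", "email": "ops@partner.example", "enabled": True},  # nobody's
    ],
}

# Service accounts that have a documented owner; anything else without an HR match is an orphan.
SERVICE_ACCOUNTS = {"github": {"ci-bot"}}
AS_OF = date(2025, 6, 11)


@dataclass(frozen=True)
class Finding:
    system: str
    login: str
    reason: str   # "terminated", "orphan" or "pending_termination"
    days: int     # days since the end date (terminated) or until it (pending); 0 for orphans


def reconcile(roster, exports, as_of, service_accounts=None):
    """Compare every enabled account with the HR system of record.

    Returns findings ordered for triage: longest-overdue terminated users first,
    then orphans, then upcoming departures with the soonest first.
    """
    service_accounts = service_accounts or {}
    by_email = {r["email"].lower(): r for r in roster}
    findings = []
    for system, accounts in exports.items():
        for acct in accounts:
            if not acct.get("enabled", True):
                continue                                   # already deprovisioned
            if acct["login"] in service_accounts.get(system, set()):
                continue                                   # known, owned service account
            key = (acct.get("email") or acct["login"]).lower()
            record = by_email.get(key)
            if record is None:
                findings.append(Finding(system, acct["login"], "orphan", 0))
            elif record["end_date"] is not None:
                delta = (as_of - date.fromisoformat(record["end_date"])).days
                if delta >= 0:
                    findings.append(Finding(system, acct["login"], "terminated", delta))
                else:
                    findings.append(Finding(system, acct["login"], "pending_termination", -delta))
    rank = {"terminated": 0, "orphan": 1, "pending_termination": 2}
    return sorted(findings, key=lambda f: (rank[f.reason], -f.days if f.reason == "terminated" else f.days))


def report_lines(findings):
    """Render findings as one line each, suitable for a ticket or a nightly e-mail."""
    return [f"{f.reason:<20} {f.system:<8} {f.login:<20} {f.days:>3} days" for f in findings]


def run_sample():
    """Run the reconciliation over the constructed data; returns the findings."""
    return reconcile(HR_ROSTER, ACCOUNT_EXPORTS, AS_OF, SERVICE_ACCOUNTS)


if __name__ == "__main__":
    for line in report_lines(run_sample()):
        print(line)
```

Run nightly against real exports, the `terminated` findings are the ones to act on immediately (and, since the report lists every system separately, it shows exactly where the HR-to-IT handoff broke); the `orphan` list is the place to discover forgotten vendor and deploy credentials such as the one in the sample; and `pending_termination` gives security a heads-up before the last working day rather than after.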
The Takeaway
Wherever your company does business and regardless of industry, the fundamentals are the same: a lapse in basic access control can cause as much damage as a ransomware attack. The KiranaPro incident is a timely cautionary tale. Organizations must view cybersecurity not only as a technical discipline but as an enterprise-wide responsibility.
House Unveils CLARITY Act
On May 29, 2025, a bipartisan group of members in the House of Representatives from the Financial Services and Agriculture Committees introduced the Digital Asset Market Clarity (CLARITY) Act. The bill seeks to establish a comprehensive regulatory framework for digital assets in the United States, with regulatory jurisdiction primarily split between the Securities and Exchange Commission (SEC) and Commodity Futures Trading Commission (CFTC).
Central to the bill is the definition of “digital commodity,” which includes “a digital asset that is intrinsically linked to a blockchain system, and the value of which is derived from or is reasonably expected to be derived from the use of the blockchain system.” Under the bill, digital commodities would be excluded from the definition of a security under the federal securities laws, and the CFTC would be primarily responsible for spot markets in digital commodities as well as the registration and oversight of various categories of intermediaries transacting in digital commodities. Digital commodities sold pursuant to an investment contract would also not be deemed investment contracts themselves under the Howey test. Additionally, the bill creates a detailed mechanism for the offering of an investment contract that includes a digital commodity, which would be overseen by the SEC.
The bill covers a number of other topics relating to digital commodities, including facilitating secondary trading of digital commodities on mature blockchains, operation of alternative trading systems involving digital commodities, transactions in certain payment stablecoins, and custody of digital commodities. Certain decentralized finance activities involving digital commodities (such as providing user interfaces for a blockchain network, publishing and updating software, and developing blockchain wallets) would be exempted from regulation. The bill further authorizes the SEC and CFTC to engage in rulemaking to implement certain provisions of the legislation, and instructs various federal agencies (including the CFTC and SEC) to produce various studies involving digital commodities.
A detailed section-by-section summary of the bill is here.
New Serious Invasion of Privacy Tort in Australia Comes Into Effect
In late 2024, the Australian Government enacted a series of reforms to the Privacy Act 1988 (Cth). The new statutory tort for serious invasion of privacy was introduced and passed under the Privacy and Other Legislation Amendment Act 2024 (the Act). On June 10, 2025, the statutory tort for serious invasion of privacy took effect.
The Act, as introduced, outlined a range of measures to protect the privacy of individuals with respect to their personal information, including expanding the Information Commissioner’s powers, facilitating information sharing in emergency situations or following eligible data breaches, requiring the development of a Children’s Online Privacy Code, providing protections for overseas disclosures of personal information, introducing new civil penalties, and increasing transparency about automated decisions that use personal information.
Under the Act, individuals can now sue for intentional or reckless invasions of privacy that are “serious” and breach a reasonable expectation of privacy, where the public interest in the individual’s privacy outweighs any countervailing public interest. Individuals are not required to show damages. The Act includes a broad exemption for news publications, current affairs or documentaries, as well as commentary or opinion on those topics. Furthermore, the statutory tort does not apply where public interest in freedom of expression outweighs the interest in privacy.
The Act was introduced in response to increasing public concern over the misuse of personal information in an increasingly digital era, and it is the most significant development to date in protecting the personal information of Australians.
Organizations will need to assess current and future data processing activities and assess litigation risk associated with business activities that may give rise to serious invasions of privacy.
Maine Gambling Control Unit Issues Warning on Illegal Online Gaming Including Certain Sweepstakes Models
Maine’s Gambling Control Unit (GCU) has issued a formal warning regarding the proliferation of illegal interactive gaming (“iGaming”) platforms operating within the state. The warning emphasized that while certain forms of online gambling—such as advance deposit wagering, fantasy contests, and sports betting—are legally permitted and regulated in Maine, online casino-style games remain strictly prohibited. This includes games like slots, blackjack, and roulette when played for real money. The warning goes on to state: “Of particular concern are so-called “sweepstakes” or “social casino” sites that may offer real-money payouts, dual-currency systems, or prizes such as gift cards. These platforms are not licensed or overseen by the GCU.”
The warning further notes that numerous unregulated entities continue to target Maine residents, offering illicit iGaming opportunities and that these operations, often based out of state or out of the country, include sites that may appear legitimate but lack any regulatory oversight in Maine. The GCU further warns that no online casino, iGaming, or sweepstakes site is licensed by the GCU. It encourages people to avoid these websites and cautions that patrons who choose to engage with these unlicensed platforms do so at their own risk.
This is the latest in a string of state actions focusing on social casino sweepstakes and related sites. We recently posted about recent actions taken against social casino sweepstakes by the NY AG.
Trump’s New Cybersecurity Executive Order: What Contractors Need to Know
On June 6, 2025, the Trump Administration released a new Executive Order (“EO”) on cybersecurity, Sustaining Select Efforts to Strengthen the Nation’s Cybersecurity and Amending Executive Order 13694 and Executive Order 14144.[1] The Executive Order itself will not impose new obligations on agencies; instead, it strikes, amends, and updates certain provisions in prior Executive Orders from the Obama and Biden Administrations that have not been rescinded.
Overview
The Executive Order includes a new policy statement (replacing Section 1 in EO 14144) setting forth the Government’s current priorities, which include defending digital infrastructure, securing services and capabilities vital to the digital domain, and building capability to address key threats. China continues to be identified as the greatest cyber threat to the United States, with Russia, Iran, and North Korea also named.
New language incorporated into EO 14144 via amendments relates to software supply chain security, artificial intelligence, quantum computing, Internet-of-Things products, and updates to key federal guidance documents. With respect to EO 13694, the lone update is to specify that sanctions will apply to “any foreign person” rather than “any person.” Per the Fact Sheet accompanying the new Executive Order, this change “limits the application of cyber sanctions only to foreign malicious actors, preventing misuse against domestic political opponents and clarifying that sanctions do not apply to election-related activities.”
While the Executive Order strikes language in nearly every section of EO 14144, sections on improving cybersecurity of federal systems, securing federal communications, and National Security Systems are largely untouched. The Executive Order strikes completely the section in EO 14144 on “Solutions to Combat Cybercrime and Fraud” (former Section 5), which included considerations for Federal grant funding to assist States in developing and issuing mobile driver’s licenses, and developing digital identity verification.
Software Supply Chain Security
The Executive Order strikes certain provisions regarding the Biden Administration’s approach to secure software development requirements, including provisions directing updates to the Federal Acquisition Regulation (“FAR”) to require software providers to submit secure software attestations, artifacts, and other information to Cybersecurity and Infrastructure Security Agency (“CISA”). While these and several other changes seem to be aimed at limiting CISA’s role in this area (not surprising given recent events and debate about the proper role of CISA), it appears the current administration will continue to rely heavily on the National Institute of Standards and Technology (“NIST”) and its guidance with respect to secure software development.
Relating to third-party software supply chain security, the amendments call for several updates from NIST:
Establish a consortium with industry at the National Cybersecurity Center of Excellence to develop guidance relating to NIST’s Publication 800-218, Secure Software Development Framework (SSDF) (by August 1, 2025).
Update NIST Publication 800-53, Security and Privacy Controls for Information Systems and Organizations, with guidance on “how to securely and reliably deploy patches and updates” (by September 2, 2025).
Develop a preliminary update to NIST Publication 800-218, Secure Software Development Framework (SSDF), with practices, procedures, and examples on secure development and delivery of software (preliminary update by December 1, 2025; final update by March 31, 2026).
Those of you who have been following along know there is still an open FAR case on supply chain software security (Case No. 2023-002). This FAR Case stems from a different Biden Administration Executive Order (EO 14028, Improving the Nation’s Cybersecurity; not rescinded) and calls for FAR updates to require suppliers of software to agencies to comply, and provide attestations of compliance, with secure software development requirements. Presumably, these requirements will align with NIST Publication 800-218 (the Secure Software Development Framework), but attestations may no longer be collected and managed by CISA. As a reminder, there are two other cyber-related open FAR cases from EO 14028, both in the post-comment stage: (1) Cyber Threat and Incident Reporting and Information Sharing (Case No. 2021-017); and (2) Standardizing Cybersecurity Requirements for Unclassified Federal Information Systems (Case No. 2021-019) (we wrote about these here).
Trending in Telehealth: May 2025
Trending in Telehealth highlights monthly state legislative and regulatory developments that impact the healthcare providers, telehealth and digital health companies, pharmacists and technology companies that deliver and facilitate the delivery of virtual care.
Trending in May:
• Controlled substances
• Mental and behavioral health
• Payment parity
A CLOSER LOOK
Proposed Legislation & Rulemaking:
Alaska SB 83, which passed the Alaska Senate, would require health insurers to reimburse healthcare providers for healthcare services provided through telehealth on the same basis and at least at the same rate as for comparable healthcare services provided in-person.
California AB 260, which passed the California State Assembly, would establish protections around access to medication abortion. The bill would require the Department of Health Care Services to update Medi-Cal provider enrollment procedures to allow remote service providers who offer reproductive healthcare services exclusively through telehealth modalities to enroll as Medi-Cal providers using an “administrative location” as their service address. The bill would exempt these administrative locations from certain requirements applicable to in-person locations. It would also permit the use of a cellular telephone as the primary business phone for reproductive healthcare providers. Further, the bill would expand the Medi-Cal definition of asynchronous store and forward to include asynchronous electronic transmissions initiated directly by patients, including through mobile telephone applications, and would authorize Medi-Cal providers to establish a new patient relationship using asynchronous store and forward if the visit is related to reproductive healthcare services. The bill has been referred to the California Senate.
Colorado SB 48 passed both chambers of the Colorado General Assembly. If signed by the governor, the bill would require large group health benefit plans to offer policyholders the option to purchase coverage for US Food and Drug Administration (FDA)-approved anti-obesity medications, including at least one FDA-approved GLP-1 medication. The bill would also require such plans to provide coverage for intensive behavioral or lifestyle therapy and medical nutrition therapy, which may be provided by telehealth as a means of delivery.
Louisiana HB 137 passed both chambers of the Louisiana State Legislature. If signed by the governor, the bill would authorize psychologists and medical psychologists to evaluate a patient via telehealth to execute an emergency certificate. Under an emergency certificate, a person who has a mental illness or a person who is suffering from a substance-related or addictive disorder may be admitted and detained at a treatment facility for observation, diagnosis, and treatment for a period not to exceed 15 days.
New York A 949, which passed the New York State Assembly, would permit the use of telemedicine services for mental and behavioral health issues under the workers’ compensation system. The bill would require in-person visits within 12 months of the first telehealth visit and within six months of the first audio-only telehealth visit, unless the provider determined that an in-person visit was likely to cause disruption or create undue hardship on the patient or family. The bill has been referred to the New York Senate.
Oregon HB 3727, which passed the Oregon House of Representatives, would allow licensed Oregon physicians and physician associates to use telemedicine to treat patients with whom they have an established provider-patient relationship and who are temporarily outside the state if the situation is urgent or emergent, or in order to ensure continuity of care. The bill acknowledges that the treating provider will be subject to the laws regulating the practice of medicine in the jurisdiction where the patient is located at the time of treatment. The exception will satisfy Oregon law, but the practice may not necessarily be permitted in the state in which the patient is located at the time of treatment. The bill has been referred to the Oregon Senate.
South Carolina H 3223, which passed the South Carolina House of Representatives, would provide definitions and requirements concerning the use of telehealth for veterinary services. The bill provides that a veterinarian-client-patient relationship only may be established by an in-person physical exam. It also provides that a veterinarian-client-patient relationship may extend to other licensed veterinarians working out of the same physical practice location as the veterinarian who established the relationship if the other licensed veterinarians have access to and have reviewed the patient’s medical records and the condition is related to a prior medical condition. The bill has been referred to the South Carolina Senate.
Finalized Legislation & Rulemaking Activity:
Georgia HB 567 was signed into law and goes into effect January 1, 2026. The law specifies that a dentist must have a physical office in the state, maintain relationships with in-person referral dentists, and ensure that teledentistry services adhere to existing standards for patient care, including privacy and consent requirements.
Hawaii HB 951 was signed into law and went into effect May 16, 2025. The law allows a physician to prescribe a three-day supply of opiates via telehealth to a patient who has been seen in person by a healthcare provider within the same medical group.
Indiana SB 473 was signed into law and enables prescription of agonist opioids through telehealth services, without an in-person visit, for the treatment or management of opioid dependence. This provision becomes effective July 1, 2025.
Maine LD 239 was signed into law and will go into effect 90 days after the Maine State Legislature adjourns. The law permits retail pharmacies to operate licensed remote dispensing sites and directs the Maine Board of Pharmacy to adopt rules to establish the criteria that a remote dispensing site must meet to qualify for licensure. These rules must meet certain minimum statutory requirements. With regard to telehealth, the rules must authorize a licensed pharmacist to provide supervision, drug regimen review, and patient counseling through telehealth services.
Maryland HB 869 and SB 372 were signed into law and went into effect June 1, 2025. The companion laws amend the definition of “telehealth” to permanently include certain audio-only telephone conversations. They also alter the circumstances under which healthcare practitioners are authorized to prescribe certain controlled dangerous substances for the treatment of pain through telehealth.
Maryland HB 553 and SB 94 were signed into law and go into effect July 1, 2025. Beginning January 1, 2026, the Maryland Medical Assistance Program must provide coverage for self-measured blood pressure monitoring for certain eligible program recipients.
Michigan issued several rules establishing procedures for the practice of telehealth for the following licensed professionals: chiropractors (R. 338.12021 through R. 338.12042), podiatrists (R. 338.8101 through R. 338.8153), speech language pathologists (R. 338.601 through R. 338.645), and doctors of osteopathic medicine (R. 338.111 through 338.143). The rules went into effect in May 2025.
Nevada AB 183 was signed into law and goes into effect October 1, 2025. The law clarifies that the practice of optometry includes optometric telemedicine and that an assistant is authorized to perform the same activities under the direct supervision of a licensed optometrist in any setting where optometric telemedicine is practiced.
Vermont S 30 was signed into law and goes into effect September 1, 2025. Health insurance plans must provide coverage for healthcare services and dental services delivered through telemedicine to the same extent the plan would cover the services if they were provided through in-person consultation. Health insurance plans also must provide the same reimbursement rate for services billed using equivalent procedure codes and modifiers, subject to the terms of the health insurance plan and provider contract, regardless of whether the service was provided in person or through telemedicine.
Compact Activity:
The following states introduced bills to enact licensure compacts:
Dietitian Licensure Compact: Louisiana, Wisconsin.
Occupational Therapy Licensure Compact: Alaska, Michigan, Texas.
Physical Therapy Licensure Compact: Florida.
Physician Assistant Licensure Compact: Connecticut.
Social Work Licensure Compact: Delaware.
The following states issued laws enacting licensure compacts:
Audiology and Speech-Language Compact: Arizona.
Dietitian Licensure Compact: Iowa, Oklahoma.
Social Work Interstate Compact: South Carolina.
Social Work Licensure Compact: New Jersey, Oklahoma.
Why it matters:
States’ focus on payment parity facilitates greater telehealth access. Multiple states, including Alaska and Vermont, are advancing legislation to ensure telehealth services are reimbursed at parity with in-person care. This trend supports broader access to virtual care by incentivizing provider participation and reducing financial barriers for patients.
Telehealth Integration Across Diverse Health Domains. From mental healthcare services under workers’ compensation in New York to veterinary services in South Carolina and teledentistry in Georgia, states continue to embed telehealth into a wide range of health services. This diversification continues the shift toward normalizing virtual care across the entire healthcare ecosystem, including rural and emergency contexts.
States are increasingly allowing practitioners to provide telehealth services beyond state borders. By expanding interstate licensure agreements, access to skilled practitioners is improved, particularly in rural and underserved areas. These agreements also boost career prospects and streamline the licensing process across multiple states.
TEXTS AREN’T CALLS!: State Appellate Court Holds Text Messages Are Not Telephone Calls for Purposes of Criminal Statute
Since 2009, courts have been applying FCC rulings suggesting that text messages are calls subject to the TCPA, even though text messages did not exist at the time the TCPA was passed and the statute does not mention text messages in its primary restrictions.
With the death of Chevron deference a renewed focus has been put on the issue. Courts have now been freed up to evaluate anew whether text messages really qualify as a “call” under the TCPA.
Well, an appellate court in New Mexico just held last week that text messages are not calls, at least for the purpose of interpreting a criminal statute banning harassing telephone calls.
In State of New Mexico v. Valerio 2025 WL 1621551 (Appls N.M. June 6, 2025) the defendant had been convicted under a statute making it illegal to “telephone another” for harassment when he had sent a series of threatening text messages to an ex-girlfriend.
On appeal, however, the appellate court noted the language of the statute repeatedly referenced telephone calls and not text messages. It determined the language of the statute simply could not be read to include text messages, even though texts are a common way of using a telephone:
The State argues that a plain language construction will lead to absurd results in a time when “text messaging is considered the prevalent form of communication in the United States.” According to the State, “[t]o conclude that the primary form of cell phone communication does not qualify as “use of a telephone” would render the telephone harassment statute partially useless” and “might permit violent, threatening text messages to be sent in New Mexico with no legal consequences.” Even if text messaging is more prevalent than telephone calls, we are not persuaded that a plain language reading would either render the telephone statute useless or preclude legal consequences for the type of harassment that occurred here.
Wow.
So there you go. At least one court agrees that statutes regulating the use of a telephone and telephone calls do not cover text messages.
We’ll keep an eye on this.
Navigating Change: The Impact of the UK’s Data (Use and Access) Bill on Businesses
The UK Data (Use and Access) Bill (the “DUA Bill”) has been subject to a surprisingly prolonged legislative journey, oscillating between the House of Commons and the House of Lords as it approaches the final stages. This back-and-forth reflects the complexity and controversy surrounding certain of its provisions. Once the DUA Bill is agreed, it is estimated that it will come into effect within approximately 12 months. This article summarises certain of the key changes to UK data protection and privacy legislation proposed by the DUA Bill, considers the impact of such changes on the UK’s existing EU Commission adequacy decision and discusses how businesses should approach compliance.
How the DUA Bill Amends Data Protection and Privacy Legislation
The DUA Bill proposes fundamental changes to the UK’s data protection and privacy legislation, including the UK General Data Protection Regulation (“UK GDPR”). The focus of the UK government is to modernise and streamline existing legislation as part of an effort to bolster data governance in the UK. It addresses key areas of data protection and privacy, such as legitimate interests, international data transfers and automated decision-making (“ADM”), while also covering other data-related areas, including smart data and public registers. It seeks to balance the need for flexibility in data processing with robust safeguards for personal data, reflecting the evolving digital landscape and the increasing importance of data-driven technologies. The UK government believes that the proposed legislative amendments will foster innovation and enhance public trust, while remaining aligned with international standards and the EU General Data Protection Regulation.
AI Models
The key topic which remains under debate between the House of Lords and the House of Commons is whether to include provisions related to AI models. The House of Lords argued for the inclusion of transparency requirements for business data used in relation to AI models and inserted provisions requiring developers of AI models to publish all information used in the pre-training, training, fine-tuning and retrieval-augmented generation of the AI model, and to provide a mechanism for copyright owners to identify any individual works they own that may have been used during such processes. These provisions emerged as the most contentious aspect of the DUA Bill, contributing significantly to its ongoing back-and-forth between the House of Commons and the House of Lords. The House of Commons is of the view that transparency requirements for AI models warrant separate legislative action, arguing that their inclusion in the DUA Bill would complicate the overarching framework and would require additional public funds. As of the time of writing, the transparency provisions for AI models have been removed from the DUA Bill and replaced with provisions requiring the Secretary of State to introduce, amongst other things, draft legislation containing proposals to provide transparency to copyright owners regarding the use of their copyright works as data inputs for AI models. We now wait to see whether this approach will be agreed to between the House of Lords and House of Commons.
Recognised Legitimate Interests and Legitimate Interests
The DUA Bill introduces “recognised legitimate interests” as a new, lawful basis for processing personal data. Building on the existing lawful basis of legitimate interests, this new basis allows businesses to process data for specific purposes defined under the DUA Bill without conducting a traditional legitimate interests assessment (“LIA”). The listed processing activities include national security and defence, and responding to emergencies and safeguarding vulnerable people.
Additionally, the DUA Bill outlines a further list of processing activities which “may” be processed under the existing legitimate interests lawful basis. While such activities are not “recognised legitimate interests” and therefore still require an LIA, the legislative footing allows businesses more surety when seeking to rely on legitimate interests for the activity. The activities include direct marketing, sharing data intra-group for internal administrative purposes, and ensuring security of network and information systems.
International Data Transfers
The DUA Bill amends the adequacy decision framework in several ways. The amendments re-work Article 45 of the UK GDPR so the framework comprises “transfers approved by regulations,” as opposed to “transfers on the basis of an adequacy decision.” To approve a country by regulations, the UK Secretary of State must be of the view that the “data protection test” is met, i.e., the standard of protection in the third country is “not materially lower” than that of the UK. Similar to the UK GDPR, the DUA Bill sets out considerations which the UK Secretary of State should take into account when assessing whether the data protection test is met for a third country, including, for example, whether the third country has respect for the rule of law and human rights, and whether the third country has an authority for enforcing data protection. While the amendments initially appear as fairly substantial, they are unlikely to significantly affect international data transfers from the UK as they do not radically reform the existing framework.
Data Subject Access Requests
The DUA Bill seeks to address certain challenges posed by data subject access requests (“DSARs”). The amendments clarify that data subjects are only entitled to information resulting from a “reasonable and proportionate” search by the business, the intention being to reduce the cost and administrative burden on businesses of fulfilling DSARs. The DUA Bill also amends the time limit for responding to a DSAR, enabling businesses to extend the initial one-month period for responding by a further two months where it is deemed necessary by reason of the “complexity” or “number” of requests by a data subject.
Automated Decision-Making
The DUA Bill relaxes restrictions on the use of ADM, enabling ADM without the existing restrictions under Article 22 of the UK GDPR (e.g., procuring consent of the individual) where special category data is not to be processed. Where ADM is conducted without special category data, the DUA Bill still requires safeguards be implemented such as transparency regarding the ADM and allowing individuals to contest decisions and seek human review.
Scientific Research Provisions
The DUA Bill broadens the definition of scientific research to encompass any research “reasonably described as scientific, whether publicly or privately funded and whether carried out as a commercial or non-commercial activity,” expanding the exemptions for processing of special category data under the UK GDPR to include privately funded and commercial research. The definition also removes the need for a public interest assessment with respect to the processing of scientific research data. Under the new definition, data subjects will be able to consent to the use of their data for scientific research purposes even if such purposes are not yet “possible to identify.”
Purpose Limitation
The DUA Bill clarifies the concept of “further processing.” Amongst other things, it outlines criteria to help assess whether further processing is compatible with the original purpose, such as the link between the new and original purposes, the context in which the data was originally collected and the possible consequences for data subjects of the further processing being contemplated. It also sets out instances when processing for a new purpose would be deemed compatible with the original purpose, for example where the data subject consents or where the processing meets a condition set out in the new Annex 2, for example, where the processing is necessary for the purposes of complying with an obligation of the controller under an enactment, a rule of law or a court order or tribunal.
Children’s Data
Emphasising the protection of children’s data, the DUA Bill introduces the concept of “children’s higher protection matters” to the principle of data protection by design and default in the context of providing an information society service which is likely accessible by a child. This places additional duties on businesses and the Information Commissioner’s Office (the “ICO”) to consider the vulnerability of children when carrying out responsibilities under data protection law in an effort to ensure enhanced safeguards for young individuals.
Cookie Requirements and PECR Fines
The DUA Bill introduces key changes to the rules governing the use of cookies and similar tracking technologies under the Privacy and Electronic Communications Regulations (“PECR”), most notably regarding the need for consent. The DUA Bill provides exemptions from the requirement to seek consent for certain non-essential cookies and similar tracking technologies used solely to collect statistical data with a view to improving the appearance or performance of a website, adapting a website to a user’s preferences, or making improvements to services or a website. It also includes an exhaustive list of purposes for using cookies and similar tracking technologies which can be considered strictly necessary, such as security and fraud detection. The effect is that consent is not required to use such cookies and similar tracking technologies, nor are businesses required to offer the ability to opt out. Additionally, the DUA Bill aligns fines for non-compliance with PECR with the UK GDPR, setting sanctions at up to 4 percent of global turnover or £17.5 million, whichever is higher.
Information Commission
The DUA Bill provides for significant organisational changes to the ICO. For example, the DUA Bill abolishes the ICO, replaces it with the Information Commission, and replaces the lead Information Commissioner role with a Chair and executive/non-executive members. It also reforms the process by which data subjects can submit complaints by requiring that complaints be addressed by the relevant business first. A complaint can only be escalated to the regulator when it has not been dealt with satisfactorily, thereby reducing the number of complaints reaching the regulator.
Other Provisions
Beyond the amendments to data protection regulations, the DUA Bill introduces other provisions that, according to the UK government, seek to promote the growth of the UK economy, improve UK public services and make people’s lives easier, such as:
Smart Data: The DUA Bill introduces provisions enabling Smart Data Schemes, whereby the Secretary of State can issue regulations governing access to customer and business data. Open Banking is an example of a Smart Data Scheme already existing in the UK. Government consultations will define which businesses can access data and what safeguards apply.
Digital Verification Services: The DUA Bill establishes a framework for “trusted” providers of digital verification services (“DVS”). Providers will be able to apply for entry on a DVS register once certified against a DVS Trust Framework, which will be prepared by the Secretary of State in consultation with the ICO. The initiative aims to enhance trust and security in digital identity and verification processes.
Healthcare Data: To facilitate data sharing across platforms, the DUA Bill mandates that IT systems in the healthcare system must meet common standards. The Secretary of State will be given the power to publish an information standard on IT services in the healthcare setting, including on technical provisions such as functionality, connectivity, interoperability, portability, storage and data security.
Conclusion
The DUA Bill represents a comprehensive effort to modernise data protection laws in the UK, balancing the need for economic growth and innovation with the imperative to safeguard individual privacy and data security.
The UK government is optimistic that these changes will be well-received by the European Commission when considering the UK’s adequacy decisions. The European Commission recently granted a six-month extension to the UK’s two adequacy decisions to allow the UK additional time to finalise the DUA Bill, after which the European Commission intends to reassess the adequacy of data protection in the UK (see here for more information on the extensions).
As implementation approaches, businesses affected by the DUA Bill should proactively review their data processing practices against the new requirements. This preparation involves not only ensuring compliance with the new obligations but also taking advantage of the opportunities the legislation offers to improve data management and security and to streamline certain processing activities, such as the use of ADM and cookies.