Data in the Balance: Political Influence on EU-U.S. Data Transfers
In politically uncertain times, is your organisation’s data transfer compliance unquestionable?
The EU-U.S. Data Privacy Framework (DPF) serves as a useful mechanism for transatlantic data transfers, and it can assist organisations in meeting the compliance requirements of the European Union’s General Data Protection Regulation (GDPR). However, recent actions by the Trump administration have raised concerns about the framework’s stability and triggered doubts regarding the DPF adequacy decision by the European Commission and its future.
Quick Hits
Staying up to date with regulatory change will remain key; currently, more than 2,800 U.S. companies rely on the EU-U.S. Data Privacy Framework.
Operating on an invalid or outdated mechanism may cause significant operational interruptions for organisations.
Organisations that fail to protect personal data being internally transferred are being actively penalised by European (and UK) regulators.
The DPF, which was developed collaboratively by the Biden administration and the European Commission (EC), addresses the requirements under GDPR Articles 44–49 regarding data transfers to the United States, allowing participating organisations to rely on this as a valid transfer mechanism without the need to identify and implement additional safeguards to protect data. Key to the DPF’s functionality, and its EC adequacy status, is the involvement of independent oversight agencies and their respective powers, including advisory and audit rights, regarding actions of the U.S. government and how these impact individuals’ rights.
Although to date, none of the current administration’s decisions have directly referred to the DPF, there are increasing concerns that U.S. actions might lead to a situation in which the Court of Justice of the European Union (CJEU) invalidates the EC’s DPF adequacy decision, mirroring the fate of the DPF’s predecessors.
One such action was taken on February 18, 2025, when the Trump administration issued Executive Order 14215, “Ensuring Accountability for All Agencies,” an order that aims to harmonise regulatory practices across federal agencies, including the Federal Trade Commission (FTC), an agency that plays a crucial role in enforcing the DPF. A key provision of this order is that there will be presidential review of all significant regulatory actions proposed by federal agencies, including the FTC. Concerns have been raised that the requirements of this order could potentially compromise the FTC’s independence, which is integral to the operation of the DPF.
In addition, in January 2025, the administration terminated all Democratic members of another independent agency, the U.S. Privacy and Civil Liberties Oversight Board (PCLOB). Again, the DPF agreement requires the PCLOB to operate independently when providing privacy-related oversight of U.S. counterterrorism activities, including how those activities are balanced against the privacy rights of individuals, and when conducting annual reviews of the DPF’s redress mechanism. Both the independent nature and the functionality of the PCLOB are being called into question, raising concerns for the future of the DPF.
The evolving political landscape means that organisations will likely want to carefully and continuously monitor for potential changes and possibly adapt their approach when transferring personal data internationally. The CJEU’s previous invalidation of international data transfer mechanisms, such as the EU-U.S. Privacy Shield, highlights the potential risks and the severity of the actions taken by the CJEU to ensure the safeguarding of EU data.
In the event that the DPF were invalidated, all transfers taking place by way of the DPF would be required to cease with immediate effect, and any subsequent transfers operating under an invalid DPF would be found to be illegal. It would be necessary for organisations to identify, and implement, alternative transfer mechanisms, such as EU-approved Standard Contractual Clauses (SCCs) (and UK Addendum or International Data Transfer Agreements) for all international transfers, even if a transfer occurs between different entities of the same organisation.
When relying on SCCs, organisations are legally required to carry out transfer impact assessments (TIAs), which assess the laws and practices of the country where the EU data will be transferred. Organisations may want to stay informed of regulatory developments and undertake periodic reassessments of potential risks. More information on international data transfers and identifying the most appropriate international transfer mechanisms can be found in our previous article.
Organisations may want to assess the scope and types of data transfers that they carry out in the course of their business operations and identify which transfer mechanism is most sensible from a commercial and business continuity perspective.
Failure to comply with up-to-date data protection laws and data transfer rules can lead to commercial and reputational damage. If appropriate measures are not taken, corrective sanctions can be enforced, such as orders to cease transfers of personal data and significant financial penalties.
Lorraine Matthews contributed to this article
Privacy Tip #438 – FTC Chairman Shares Concerns Over 23andMe Data
In the ongoing saga of the 23andMe bankruptcy, Federal Trade Commission Chairman Andrew N. Ferguson recently sent a letter to the Trustee overseeing the 23andMe bankruptcy proceeding stating, “As Chairman of the Federal Trade Commission, I write to express the FTC’s interests and concerns relating to the potential sale or transfer of millions of American consumers’ sensitive personal information.”
The letter further outlined the promises 23andMe made to consumers about protecting the sensitive information it collected and maintained and that it had “made direct representations to its users about how it uses, discloses, and protects their personal information, including how personal information will be safeguarded in the event of bankruptcy.” It outlined additional promises 23andMe made to consumers and that “these types of promises to consumers must be kept.” Importantly, the letter states:
This means that any bankruptcy-related sale or transfer involving 23andMe users’ personal information and biological samples will be subject to the representations the Company has made to users about both privacy and data security, and which users relied upon in providing their sensitive data to the Company. Moreover, as promised by 23andMe, any purchaser should expressly agree to be bound by and adhere to the terms of 23andMe’s privacy policies and applicable law, including as to any changes it subsequently makes to those policies.
For 23andMe customers, now is the time to request the deletion of their data. Hopefully, the letter from the FTC will also escalate the concern over the potential sale of genetic information.
The BR Privacy & Security Download: April 2025
STATE & LOCAL LAWS & REGULATIONS
Virginia Governor Vetoes AI Bill: Virginia Governor Glenn Youngkin vetoed the Virginia High-Risk Artificial Intelligence Developer and Deployer Act (the “Act”). The Act was similar to the Colorado AI Act and would have required developers to use reasonable care to prevent algorithmic discrimination and to provide detailed documentation on an AI system’s purpose, limitations, and risk mitigation measures. Deployers of AI systems would have been required to implement risk management policies, conduct impact assessments before deploying high-risk AI systems, disclose AI system use to consumers, and provide opportunities for correction and appeal. The governor stated that the Act’s “rigid framework fails to account for the rapidly evolving and fast-moving nature of the AI industry and puts an especially onerous burden on smaller firms and startups that lack large legal compliance departments” and that the Act “would harm the creation of new jobs, the attraction of new business investment, and the availability of innovative technology” in the state. The governor also noted that existing state laws “protect consumers and place responsibilities on companies relating to discriminatory practices, privacy, data use, libel, and more” and that an executive order issued by the governor in 2024 established safeguards and oversight for AI use.
CPPA Advances Regulations for Data Broker Deletion Mechanism: The California Privacy Protection Agency (“CPPA”) advanced proposed California Delete Act regulations through the establishment of the Delete Request and Opt-Out Platform (“DROP”). These regulations would create an accessible mechanism for consumers to request the deletion of all their non-exempt personal information held by registered data brokers via a single request to the CPPA. The proposed rules also clarify the definition of a “direct relationship” with a consumer, specifying that simply collecting personal information directly from a consumer does not constitute a direct relationship unless the consumer intends to interact with the business. This revision could bring more businesses, such as third-party cookie providers, under the definition of data brokers. Consumers will likely be able to access DROP by January 1, 2026, and data brokers will be required to access it by August 1, 2026.
Virginia Enacts Reproductive Privacy Law: Virginia enacted amendments to the Virginia Consumer Data Protection Act to prohibit the collection, disclosure, sale, or dissemination of consumers’ reproductive or sexual health data without consent. “Reproductive or sexual health information” is defined under the law as “information relating to the past, present, or future reproductive or sexual health of an individual,” including: (1) efforts to research or obtain reproductive or sexual health information services or supplies, including location information that may indicate an attempt to acquire such services or supplies; (2) reproductive or sexual health conditions, status, diseases, or diagnoses, including pregnancy, menstruation, ovulation, ability to conceive a pregnancy, whether an individual is sexually active, and whether an individual is engaging in unprotected sex; (3) reproductive and sexual health-related surgeries and procedures, including termination of a pregnancy; (4) use or purchase of contraceptives, birth control, or other medication related to reproductive health, including abortifacients; (5) bodily functions, vital signs, measurements, or symptoms related to menstruation or pregnancy, including basal temperature, cramps, bodily discharge, or hormone levels; (6) any information about diagnoses or diagnostic testing, treatment, or medications, or the use of any product or service relating to the matters described in 1 through 5; and (7) any information described in 1 through 6 that is derived or extrapolated from non-health-related information such as proxy, derivative, inferred, emergent, or algorithmic data. “Reproductive or sexual health information” does not include protected health information as defined by HIPAA.
Oregon Attorney General Releases Enforcement Report on Oregon’s Consumer Privacy Act: The Oregon Attorney General released a six-month report on the enforcement of Oregon’s comprehensive privacy law, the Consumer Privacy Act (“OCPA”), which took effect on July 1, 2024. The report provides that, as of the beginning of 2025, the Privacy Unit within the Civil Enforcement Division at Oregon’s Department of Justice (“Privacy Unit”) received 110 complaints. Most of these complaints were about online data brokers. In the last six months, the Privacy Unit initiated and closed 21 matters after sending cure notices (the OCPA provides for a 30-day cure period, which sunsets on January 1, 2026) and broader information requests. Some of the most common deficiencies identified were the lack of requisite disclosures or confusing privacy notices (e.g., not listing the OCPA rights or not naming Oregon in “your state rights” section), and lacking or burdensome rights mechanisms (e.g., the lack of a webpage link for consumers to submit opt-out requests).
Utah Becomes First State to Enact Legislation Requiring App Stores to Verify Users’ Ages:Utah has enacted the App Store Accountability Act, which mandates that major app store providers must verify the age of every user in the state. For users under 18, the law requires verifiable parental consent before any app can be downloaded, including free apps, or any in-app purchases can be made. App stores must also confirm a user’s age category (adult, older teen (16-17), younger teen (13-15), or child (under 13)). When a minor creates an account, it must be linked to a parent’s account. App store providers are responsible for building systems to verify ages, obtain parental consent, and share this data with app developers. They must also provide sufficient disclosure to parents about app ratings and content and notify them of significant changes to apps their children use, requiring renewed consent. Violations of the law will be considered deceptive trade practices, and the act creates a private right of action for harmed minors or their parents. The core requirements for age verification and parental consent are set to take effect on May 6, 2026.
Michigan Legislative Committee Advances Judicial Privacy Bill: The Michigan Senate Committee on Civil Rights, Judiciary, and Public Safety provided a favorable recommendation for a judicial privacy bill that would allow state and federal judges to request the deletion of their personal information from public listings. The Michigan bill would create a private right of action with mandatory recovery of legal fees for any entity that fails to respond to a valid deletion request. The purpose of the bill is to protect against a significant uptick in threats against judicial officers and their families. The bill is based on Jersey’s Daniel’s Law, which has sparked a wave of class action lawsuits against data brokers and online listing companies. If passed, businesses that receive a valid request from a member of the judiciary or their immediate family members under the proposed bill would have to remove from publication any covered information pertaining to the requestor.
Virginia Legislature Passes Consumer Data Protection Act Amendments Restricting Minors’ Use of Social Media; Governor Declines to Sign: The Virginia Legislature unanimously passed a bill to amend the Virginia Consumer Data Protection Act to limit minors’ use of social media to one hour per day. Specifically, the bill would require that any social media platform operator to (1) use commercially reasonable methods, such as a neutral age screen mechanism, to determine whether a user is a minor younger than 16 years of age and (2) limit any such minor’s use of such social media platform to one hour per day, per service or application, and allow a parent to give verifiable parental consent to increase or decrease the daily time limit. Virginia Governor Glenn Youngkin declined to sign the bill as passed, recommending several changes to strengthen the bill. These recommendations include raising the age of covered users from 16 to 18 and requiring social media platform operators to disable infinite scroll features and auto-playing videos unless the operator has obtained verifiable parental consent.
FEDERAL LAWS & REGULATIONS
Lawmakers Reintroduce COPPA 2.0 to Strengthen Children and Teens’ Online Privacy:U.S. Senators Bill Cassidy (R-LA) and Edward Markey (D-MA) have reintroduced the Children and Teens’ Online Privacy Protection Act (“COPPA 2.0”), aiming to update online data privacy rules to better protect children and teenagers. The bill seeks to address the youth mental health crisis by stopping data practices that contribute to it. COPPA 2.0 proposes several key measures, including a ban on targeted advertising to children and teens and the creation of an “Eraser Button,” allowing users to delete personal information. It also establishes data minimization rules to limit the excessive collection of young people’s data and revises the “actual knowledge” standard to prevent platforms from ignoring children on their sites. Furthermore, the legislation would require internet companies to obtain consent before collecting personal information from users aged 13 to 16. Previous versions of COPPA 2.0 have advanced in Congress, passing the Senate and a House committee in the past.
White House Seeks Stakeholder Input for Trump Administration’s AI Action Plan:The White House Office of Science and Technology Policy issued a Request for Information to gather public input on the administration’s AI Action Plan. This AI Action Plan intends to define priority policy actions to enhance America’s position as an AI powerhouse and prevent unnecessary regulations from hindering private sector innovation. The focus is on promoting U.S. competitiveness in AI, limiting regulatory burdens, and developing safeguards that support responsible AI advancement. Stakeholders, including academia, industry groups, and private sector organizations, were encouraged to share their policy ideas on topics such as model development, cybersecurity, data privacy, regulation, national security, innovation, and international collaboration. The submitted comments will be used to inform future regulatory proposals.
Congresswoman Issues RFI for Input on U.S. Privacy Act Reform: Congresswoman Lori Trahan (D-MA) announced her effort to reform the Privacy Act of 1974, aiming to protect Americans’ data from government abuse. The proposed reforms seek to address outdated provisions in the act and enhance privacy protections for individuals in the digital age. Trahan emphasized the importance of updating the act to reflect modern technological advancements and the increasing amount of personal data collected by government agencies. The initiative includes measures to ensure greater transparency, accountability, and oversight of data collection practices. Trahan highlights the urgency of the issue as a result of access by the Department of Government Efficiency staff to personal data held by several agencies and calls for legislative action to protect citizens’ privacy rights and prevent government overreach.
U.S. LITIGATION
Court Blocks Enforcement of California Age-Appropriate Design Code: Industry group NetChoice scored yet another victory over the California Age-Appropriate Design Code Act, obtaining a second preliminary injunction temporarily blocking its enforcement. The act was passed unanimously by the California legislature in 2022 and—if enforced—would place extensive new requirements on websites and online services that are “likely to be accessed by children” under the age of 18. NetChoice won its first preliminary injunction in September 2023 on the grounds that the act would likely violate the First Amendment. In August 2024, the Ninth Circuit partially upheld this injunction, finding that NetChoice was likely to succeed in demonstrating that the act’s data protection impact assessment provisions violated the First Amendment. However, the Ninth Circuit remanded the case for determination of the constitutionality of the remaining provisions as well as whether any unconstitutional provisions could be severed from the remainder of the act. On remand, Judge Beth Labson Freeman again granted NetChoice’s motion for preliminary injunction finding that the act regulates protected speech, triggering a strict scrutiny review. Judge Freeman concluded that although California has a compelling interest in protecting the privacy and well-being of children, this interest alone is not sufficient to satisfy a strict scrutiny standard. This ruling is likely to strengthen NetChoice’s opposition of similar acts, such as the Maryland Age-Appropriate Design Code Act.
Court Rejects Allegheny Health Network’s Attempt to Force Arbitration over Meta Pixel Tracking:The U.S. District Court for the Western District of Pennsylvania ruled that Allegheny Health Network (“AHN”) cannot compel arbitration in a class action lawsuit filed by a patient under a pseudonym. The patient alleged that AHN unlawfully collected and disclosed his confidential health information to Meta Platforms. AHN initially sought to compel arbitration based on an arbitration provision within their website’s Terms of Service. However, the court denied this motion, finding that the patient did not have actual or constructive notice of the arbitration agreement. The court found that the link to the AHN’s Terms of Service, a “browsewrap” agreement, was not sufficiently conspicuous, as it was located at the bottom of the homepage among numerous other links and in a less visible footer on its “Find a Doctor” page. Additionally, the court found AHN failed to prove the patient had seen the specific Terms of Service containing the arbitration provision that was added to the website.
Supreme Court Declines Review of Sandhills Medical Data Breach Suit:The U.S. Supreme Court has declined to review a Fourth Circuit decision that ruled Sandhills Medical Foundation Inc. (“Sandhills Medical”), a federally funded health center, cannot use federal immunity to shield itself from a data breach lawsuit. The lawsuit was brought by Joann Ford following a data breach at Sandhills Medical. Sandhills Medical argued it was entitled to federal immunity under 42 U.S.C. § 233(a), which protects federally funded health centers from lawsuits related to the performance of medical, surgical, dental, or related functions. The Fourth Circuit, however, interpreted “related functions” narrowly, stating it did not cover data protection. Sandhills Medical, in its petition to the Supreme Court, contended that this ruling created a circuit split with the Ninth and Second Circuits, which have taken a broader view of the immunity. Sandhills Medical warned that the Fourth Circuit’s “unnaturally cramped” reading of the statute needed correction. Despite these arguments, the Supreme Court denied Sandhills Medical’s petition, meaning the health center will now face the lawsuit in South Carolina District Court.
Utah Attorney General Seeks Reinstatement of Utah Minor Protection in Social Media Act: Utah has requested a federal appeals court to reinstate a law that imposes restrictions on social media platforms. The Utah Minor Protection in Social Media Act (the “Act”), passed in 2024, was previously blocked by a lower court. The act aims to protect minors from harmful content and requires social media companies to verify the age of users and obtain parental consent for minors. Utah’s Attorney General argues that the law is necessary to safeguard children from online dangers and prevent exploitation. Previously, tech industry group NetChoice successfully sued to block the law, arguing it infringes on First Amendment rights and imposes undue burdens on businesses.
Court Holds Sharing of IP Address Insufficient to Prove Harm in CIPA Case: Judge Edgardo Ramos of the Southern District of New York granted defendant Insider, Inc.’s (“Insider”) motion to dismiss claims that its use of Audiencerate’s website analytics tools constituted an unlawful ‘pen register’ in violation of California’s Invasion of Privacy Act (“CIPA”). Plaintiffs argued that Insider invaded their privacy when it installed a tracker on their browsers, sending their IP addresses to a third party, Audiencerate, without their consent. However, Judge Ramos found that this collection and disclosure of IP addresses was insufficient to establish harm for purposes of Article III standing. He found that unlike a Facebook ID, which can be used to track or identify specific individuals, an IP address cannot be used to identify an individual and can only provide geographic information “as granular as a zip code.” Therefore, disclosure of an IP address would not be highly offensive to a reasonable person. Judge Ramos further emphasized that this “conclusion is consistent with the general understanding that in the Fourth Amendment context a person has no reasonable expectation of privacy in an IP address.” Despite this ruling, CIPA class actions and demands are likely to remain a constant threat to business with California-facing websites.
Periodical Publisher Unable to Dismiss VPPA Class Action: Judge Lewis J. Liman of the Southern District of New York denied defendant Springer Nature America’s (“Nature”) motion to dismiss claims that its use of Meta Pixel violated the Video Privacy Protection Act (“VPPA”). The VPPA prohibits videotape service providers from knowingly disclosing personally identifiable information about their renters, purchasers, or subscribers. Despite being drafted to address information collected through physical video stores, the VPPA has become a potent tool in the hands of the plaintiffs’ bar to challenge websites containing video content. Although Nature is primarily a research journal publication, Judge Lewis found that it could qualify as a videotape service provider as defined under the VPPA in part because of the video content on its website and its subscription-based business model. Relying on the recent Second Circuit decision in Salazar v. National Basketball Association, Judge Liman also found that the plaintiff had alleged a concrete injury sufficient to confer standing because the disclosure of information about videos viewed was adequately similar to the public disclosure of private facts. This ruling should remind companies whose websites contain significant video content to carefully review their cookie usage and consent management capabilities.
U.S. ENFORCEMENT
CPPA Requires Data Broker to Shut Down: As part of its public investigative sweep of data broker registration compliance, the CPPA reached a settlement agreement with Background Alert, Inc. (“Background Alert”) for failing to register and pay an annual fee as required by California’s Delete Act. The Delete Act requires data brokers to register and pay an annual fee that funds the California Data Broker Registry. As part of the settlement, Background Alert must shut down its operations for three years for failing to register between February 1 and October 8, 2024. If Background Alert violates any term of the settlement, including the requirement to shut down its operations, it must pay a $50,000 fine to the CPPA.
New York Attorney General Settles with App Developer for Failure to Protect Students’ Privacy: The New York Attorney General settled with Saturn Technologies, the developer of the Saturn app, for failing to protect students’ privacy. Saturn allows high school students to create a personal calendar, interact with other users, share social media accounts, and know where other users are located based on their calendars. The New York Attorney General’s investigation found that unlike what Saturn Technologies represented, the company failed to verify users’ school email and age to ensure only high school students from the same high school interacted. The investigation also found that Saturn Technologies used copies of users’ contact books even when the user changed their phone settings to deny Saturn’s access to their contact book. Under the settlement, Saturn Technologies must pay $650,000 in penalties and change its verification process, provide enhanced privacy options for students under 18, and prompt users under 18 to review their privacy settings every six months.
New York Attorney General Sues Insurance Companies for Back-to-Back Data Breaches: The New York Attorney General sued insurance companies National General and Allstate Insurance Company for back-to-back data breaches, which exposed the driver’s license numbers of more than 165,000 New Yorkers. In 2020, attackers took advantage of a flaw on two of National General’s auto insurance quoting websites, which displayed consumers’ full driver’s license numbers in plain text. The complaint alleges that National General failed to detect the breach for two months and failed to notify consumers and the appropriate state agencies. The complaint also alleges that National General continued to leave driver’s license numbers exposed on a different quoting website for independent insurance agents, resulting in another data breach in 2021. This action is the New York Attorney General’s latest effort to hold auto insurance companies accountable for failing to protect consumers’ personal information against an industry-wide campaign by attackers targeting online auto insurance quoting applications.
California Attorney General Announces Investigative Sweep of Location Data Industry: The California Attorney General announced an ongoing investigative sweep into the location data industry. The California Attorney General sent letters to advertising networks, mobile app providers, and data brokers that appear to be in violation of the California Consumer Privacy Act, as amended by the California Privacy Rights Act (“CCPA”). The enforcement sweep is intended to ensure that businesses comply with their obligations under the CCPA with respect to consumers’ rights to opt out of the sale and sharing of personal information and limit the use of sensitive personal information, which includes precise geolocation data. The letters sent by the California Attorney General notify recipients of potential violations of the CCPA and request additional information regarding how the recipients offer and effectuate such CCPA rights. Location data has become an enforcement priority for the California Attorney General given the federal landscape affecting California’s immigrant communities and reproductive and gender-affirming healthcare.
CPPA Settles with Auto Manufacturer for CCPA Violations: The CPPA settled with American Honda Motor Co. (“Honda”) for its alleged CCPA violations. The CPPA alleged that Honda (1) required consumers to verify themselves and provide excessive personal information to exercise their rights to opt out and limit; (2) used an online privacy management tool that failed to offer consumers their CCPA rights in a symmetrical way; (3) made it difficult for consumers to authorize agents to exercise their CCPA rights on their behalf; and (4) shared personal information with ad tech companies without contracts containing CCPA-required language. As part of the settlement, Honda must pay $632,500, implement new and simpler methods for submitting CCPA requests, and consult a user experience designer to evaluate its methods, train its employees, and ensure the requisite contracts are in place with third parties with whom it shares personal information. This action is a part of the CPPA’s investigative sweep of connected vehicle manufacturers and related technologies.
OCR Settles with Healthcare Provider for HIPAA Violations: The U.S. Department of Health and Human Services Office for Civil Rights (“OCR”) settled with Oregon Health & Science University (“OHSU”) over potential violations of the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”) Privacy Rule’s right of access provisions. The HIPAA Privacy Rule requires covered entities to provide individuals or their personal representatives access to their protected health information within thirty days of a request (with the possibility of a 30-day extension) for a reasonable, cost-based fee. OCR initiated an investigation against OHSU for a second complaint OCR received in January 2021 from the individual’s personal representative. OCR resolved the first complaint in September 2020, when OCR notified OHSU of its potential noncompliance with the Privacy Rule for only providing part of the requested records. However, OHSU did not provide all of the requested records until August 2021. As part of the settlement, OHSU must pay $200,000 in penalties.
Democratic FTC Commissioners Fired by Trump Administration: The Trump administration fired the Federal Trade Commission’s (“FTC”) Democratic Commissioners Alvaro Bedoya and Rebecca Kelly Slaughter. Their removal leaves the FTC with no minority party representation among the agency’s five commissioner bench. Slaughter was originally nominated by Trump in 2018 and was serving her second term. Bedoya was in his first term as commissioner. Bedoya and Slaughter indicated in public statements that they would take legal action to challenge the firings. Among potential privacy impacts of the firings is how the lack of minority party representation may affect the enforcement of the EU-U.S. Data Privacy Framework (“DPF”), which is used by many businesses to legally transfer personal data from the EU to the United States. The DPF is intended to be an independent data transfer mechanism, and the removal may heighten concerns about the independence of agencies tasked with enforcing the DPF. The move at the FTC follows the prior removal of democrats from the U.S. Privacy and Civil Liberties Oversight Board, which is charged with providing oversight of the redress mechanism for non-U.S. citizens under the DPF.
CFPB Drops Suit Against TransUnion: The Consumer Financial Protection Bureau (“CFPB”) voluntarily dismissed with prejudice its lawsuit against TransUnion in which it alleged that TransUnion engaged in deceptive marketing practices in violation of a 2017 consent order. The CFPB provided no explanation for its decision and each party agreed to bear its own litigation costs and attorneys’ fees.
INTERNATIONAL LAWS & REGULATIONS
CJEU Rules Data Subject Is Entitled to Explanation of Automated Decision Making: The Court of Justice of the European Union (“CJEU”) ruled that a controller must describe the procedure and principles applied in any automated decision-making technology in a way that the data subject can understand what personal data was used, and how it was used, in the automated decision making. The ruling stemmed from an Austrian case where a mobile telephone operator refused to allow a customer to conclude a contract on the ground that her credit standing was insufficient. The operator relied on an assessment of the customer’s credit standing carried out by automated means by Dun & Bradstreet Austria. The court also stated that the mere communication of an algorithm does not constitute a sufficiently concise and intelligible explanation. In order to meet the requirements of transparency and intelligibility, it may be appropriate to inform the data subject of the extent to which a variation in the personal data would have led to a different result. Companies will have to be creative in assessing what information is required to ensure the explainability of automated decision-making to data subjects.
European Parliament Publishes Report on Potential Conflicts Between GDPR and EU AI Act: The European Parliament published a report on the interplay of the EU AI Act with the EU General Data Protection Regulation (“GDPR”). One of the AI Act’s main objectives is to mitigate discrimination and bias in the development, deployment, and use of “high-risk AI systems.” To achieve this, the EU AI Act allows “special categories of personal data” to be processed, based on a set of conditions (e.g., privacy-preserving measures) designed to identify and to avoid discrimination that might occur when using such new technology. The report concludes that the GDPR, which imposes limits on the processing of special categories of personal data, might prove restrictive in the circumstances under which the GDPR allows the processing of special categories of personal data. The paper recommends that GDPR reforms of further guidelines on how the GDPR works with the EU AI Act would help address any conflicts.
Norwegian and Swedish Data Protection Authorities Release FAQs on Personal Data Transfers to United States: The Norwegian and Swedish data protection authorities issued FAQs on Personal Data Transfers to the United States in response to the dismissal of several members of the U.S. Privacy and Civil Liberties Oversight Board (“PCLOB”). The PCLOB is responsible for providing oversight of the redress mechanism for non-U.S. citizens under the U.S.-EU Data Protection Framework (“DPF”), which is one legal mechanism available to transfer EU personal data to the U.S. under the GDPR. Datatilsynet, the Norwegian data protection authority, stated that it understands that the intent is to appoint new PCLOB members in the future and that, even without a quorum, the PCLOB can perform some tasks related to the DPF. Accordingly, Datatilsynet stated that issues would only arise in the adequacy decision underpinning the DPF as a result of the removal of the PCLOB members if the appointment of new members takes a long time. The Swedish data protection authority, Integritetsskydds myndigheten (“IMY”) also cited confusion of the European business community following the dismissal of several members of the PCLOB. The IMY stated that the Court of Justice of the European Union has the authority to annul the DPF adequacy decision but has not taken such action. As a result, the DPF is still a valid mechanism for data transfer according to the IMY. Both data protection authorities indicated they would continue to monitor the situation in the U.S. to determine if anything occurred that affected the DPF and its underlying adequacy decision.
OECD Releases Common Reporting Framework for AI Incidents: The OECD Organization for Economic Co-operation and Development (“OECD”) released a paper titled “Towards a Common Reporting Framework for AI Incidents.” The paper outlines the need for a standardized approach to reporting AI-related incidents. It emphasizes the importance of transparency and accountability in AI systems to ensure public trust and safety. The report proposes a framework that includes guidelines for identifying, documenting, and reporting incidents involving AI technologies. The paper specifically identifies 88 potential criteria for a common AI incident reporting framework across 8 dimensions. The 8 dimensions are (1) incident metadata, such as date of occurrence, title, and description of the incident; (2) harm details focusing on severity, type, and impact; (3) people and planet, describing impacted stakeholders and associated AI principles; (4) economic context describing the economic sectors where the AI was deployed; (5) data and input, which includes a description of the inputs selected to train the AI system; (6) AI model providing information related to the model type; (7) task and output, describing the AI system tasks, automation level, and outputs; and (8) other information about the incident to catch any complementary information reported with respect to an incident.
China Issues Draft Measures for Financial Institutions to Report Cybersecurity Incidents and for Data Compliance Audits: The People’s Bank of China (“PBOC”) released draft administrative measures for reporting cybersecurity incidents in the financial sector (“Draft Measures”). The Draft Measures provide guidelines for identifying, reporting, and managing cybersecurity incidents by financial institutions regulated by the PBOC. Reporting requirements and timing vary according to type of entity and classification of incidents. Incidents would be classified as one of four categories – especially significant, significant, large, and average. Separately, the Cyberspace Administration of China (“CAC”) issued administrative measures on data protection audit requirements (“Data Protection Audit Measures”). The Data Protection Audit Measures provide (1) the conditions under which an audit of a data handler’s compliance with relevant personal information protection legal requirements would be required; (2) selection of third-party compliance auditors; (3) frequency of compliance audits; and (4) obligations of data handlers and third-party auditors in conducting compliance audits. The Data Protection Audit Measures include guidelines setting forth the specific factors that data handlers must evaluate in an audit, including the legal basis for processing personal information, whether the data handler has complied with notice obligations, how personal information is transferred outside of China, and the technical security measures employed by the data handler to protect personal information, among other factors.
European Commission Releases Third Draft of General-Purpose AI Code of Practice: The European Commission announced the publication of the third draft of the EU General-Purpose AI Code (“Code”). The first two sections of the draft Code detail transparency and copyright obligations for all providers of general-purpose AI models, with notable exemptions from the transparency obligations for providers of certain open-source models in line with the AI Act. The third section of the Code is only relevant for a small number of providers of most advanced general-purpose AI models that could pose systemic risks, in accordance with the classification criteria in Article 51 of the AI Act. In the third section, the Code outlines measures for systemic risk assessment and mitigation, including model evaluations, incident reporting, and cybersecurity obligations. A final version of the General-Purpose AI Code of Practice is due to be presented and published to the European Commission in May.
Additional Authors: Daniel R. Saeedi, Rachel L. Schaller, Gabrielle N. Ganze, Ana Tagvoryan, P. Gavin Eastgate, Timothy W. Dickens, Jason C. Hirsch, Adam J. Landy, Amanda M. Noonan and Karen H. Shin.
DEFENSE WIN: Court Dismisses TCPA Class Action – Recruitment Calls Are Not “Telephone Solicitations”
Hey TCPAWorld!
TCPA litigation is on the rise, with plaintiffs’ attorneys often trying to target companies that aren’t actually engaged in telemarketing. But not this time, the Court got it right and Defendant walked away with a Win (for now at least).
We have an exciting and interesting case out of the Western District of New York where the Court granted Defendant’s Motion to Dismiss finding that the calls made by Medicus Healthcare Solutions, LLC (“Medicus”) were not in violation of the Telephone Consumer Protection Act of 1991 (TCPA). Rockwell v. Medicus Healthcare Solutions, 2025 WL 959745 (W.D.N.Y. Mar. 31, 2025).
Plaintiff Rockwell, a physician, alleged that Medicus made multiple unwanted calls to him in 2023 regarding temporary physician placement opportunities. Rockwell, who was registered on the national Do Not Call Registry, received four calls from Medicus offering locum tenens opportunities and other professional services. Despite requesting that the calls stop, he claims that he continued to receive them.
According to his complaint, Rockwell claims that these calls violated the TCPA, which prohibits multiple unsolicited calls to a number on the Do Not Call Registry within a 12-month period and the TCPA implementing regulations, including “No person or entity shall initiate any telephone solicitation to…[a] residential telephone subscriber who has registered his or her telephone number on the national do not-call registry of persons who do not wish to receive telephone solicitations that is maintained by the federal government.” 47 C.F.R. § 64.1200(c)(2).“Telephone solicitation” is defined as “the initiation of a telephone call or message for the purpose of encouraging the purchase or rental of, or investment in, property, goods, or services.” 47 U.S.C. § 227(a)(4); 47 C.F.R. § 64.1200(f)(15).
But Medicus correctly argued that the calls were not “telephone solicitations” because they were recruiting calls, not calls to sell or market a product or service. Defendant contended that simply informing Rockwell of job opportunities did not encourage the purchase, rental, or investment in property, goods, or services. Exactly!
The Court noted that several district courts have concluded that communications sent for the purpose of job recruitment do not constitute telemarketing or telephone solicitations and ultimately, sided with Medicus, citing the case of Gerrard v. Acara Solutions, Inc., where recruitment calls were found not to violate the TCPA. The Court emphasized that Medicus’s calls were not made to sell anything to Rockwell; instead, they were designed to recruit physicians for staffing opportunities, which does not fall under the definition of “telemarketing” or “telephone solicitation” under the TCPA.
The Court also noted that Rockwell did not allege that Medicus would receive payment for the professional services provided to him or that any of those services were intended to generate revenue from him.
“It is possible that an individual client like Rockwell would pay a fee if he accepted Medicus’s placement for professional services or have a portion of his eventual income earmarked to cover those services. But it is equally possible that Medicus receives no payment for these services and simply uses them as a tool to ensure it has qualified candidates to place with its corporate clients seeking short-term staffing. In the absence of any allegations about the workings of Medicus’s business model and the role that its professional services play in that business model, this Court cannot conclude that the telephone calls Rockwell received constituted “telemarketing” or “telephone solicitation” under the TCPA and its implementing regulations.”
Without this critical element, the Court could not conclude that the calls constituted a violation of the TCPA. As a result, the Court granted Medicus’s Motion to Dismiss the complaint, dismissing it without prejudice. Rockwell was given 30 days to amend his complaint to address any deficiencies identified by the Court.
This ruling underscores that recruitment calls—without the element of selling goods or services—do not violate the TCPA.
Til next time!!!
EdTech and Privacy of Student Information: A Case Study
On March 27, 2025, a class action lawsuit was filed against the education technology (EdTech) company Instructure, the parent company of Canvas, a popular learning management system. The complaint alleges that Instructure violated children’s federal and state privacy rights. According to the complaint, Instructure states that it collects various account information about children, including name, gender/pronouns, academic institution and student ID, as well as profile pictures. Instructure also reportedly collects student activity data, such as messages, discussion comments, test results and grades, search activity, and user-submitted content. User-submitted content includes uploaded files, such as essays, research reports, photo/video media, and creative writing. The complaint asserts that this amount of data surpasses what is traditionally considered an education record and allows Instructure to “build dynamic, robust, and intimate dossiers of children.”
Let’s dive deeper into various allegations within the complaint and consider several themes.
Words matter
According to the complaint, Instructure’s terms state that it uses and discloses student information to, among other purposes, personalize the user experience, analyze trends, and track users’ movements around products. Specifically, the plaintiffs claim that some of Instructure’s platforms are designed to assist colleges and employers with recruitment by providing them access to data-derived student “insights.”
Companies should consider whether their uses and disclosures pertaining to personal information are transparent. If data may be used for marketing or advertising purposes, that should be clear to the consumer. If the data may be used in other related contexts, policies and terms should also make that clear. Vague words could lead to allegations of misleading statements.
The complaint also compiles various statements by Instructure and its officers regarding the organization’s data practices, including the Data Protection Officer’s statement that “privacy standards are embedded in our corporate DNA” and that Instructure’s privacy approach is “built upon five key principles: transparency, accountability, integrity, security, and confidentiality.”
Companies should be able to back up their statements about privacy practices with their actual privacy approach, or such publicly-made statements could be used against them in litigation.
Clarity of third-party access
The complaint asserts that Instructure uses an application programming interface (API) to allow third-party developers to build integrations through Instructure’s product suite. An API allows software applications to communicate and exchange data. According to the plaintiffs, Instructure’s Live Event API enables third parties to “access granular, child-specific information, such as time taken to finish a test, when a student submits a test, how long a child uses a product at a time, ‘common patterns’ among a child’s product usage, [and] what assignments are most challenging.” Furthermore, the product-specific Canvas API reportedly allows third parties to access data relating to user communications and group discussions, quiz submissions, and grades.
The average consumer does not understand “API” and “live event” nor know how an API transfers information, even if a company discloses its API use. Companies should make clear, in plain language, the nature and extent of information they share with partner institutions to avoid unauthorized disclosure claims.
Reasonably understandable information and informed consent
The plaintiffs assert that users of Instructure products cannot provide informed consent because a reasonable person would not know what they were consenting to in agreeing to use these products. The complaint lists 19 separate policies on Instructure’s data practices available on its website – including terms of use, privacy notice, and acceptable use policy – noting that “information relating to Instructure’s data practices and those of its third-party partners are scattered across its sprawling website and others’ websites.”
Companies may consider making their website terms of use and related agreements more understandable and accessible to the average consumer of that product/service to minimize the risk of “no consent” claims. For example, consumers in states with opt-out rights should easily be able to access information to exercise those rights. Providing numerous forms across varying locations could leave room for allegations that the company hid the ball regarding privacy.
Evolving role of EdTech
Among other state law claims, the complaint sets forth claims under the Fourth and 14th Amendments to the U.S. Constitution. Though claims of constitutional violations can only be brought against government entities, plaintiffs allege that Instructure is authorized to “perform a function that is traditionally and exclusively a public function performed by the government, namely, the collection and management of public-school-related data, including education records and other student information,” thereby making the company subject to constitutional requirements as a “state actor.” When our parents and grandparents went to school, digital access to student information with the click of a button did not exist. The digital transformation has allowed public and private entities to outsource various functions to third-party technology companies. In the state actor context, this evolution of roles poses an interesting question of where to draw the line on whether private technology companies themselves should become subject to the same regulations imposed on public actors in the interest of protecting fundamental rights
CISA Issues Malware Analysis Report on RESURGE Malware
On March 28, 2025, the Cybersecurity and Infrastructure Security Agency (CISA) released a Malware Analysis Report (MAR) on RESURGE malware, which is associated with the product Ivanti Connect Secure.
According to the MAR, “RESURGE contains capabilities of the SPAWNCHIMERA malware variant, including surviving reboots; however, RESURGE contains distinctive commands that alter its behavior. These commands:
Create a web shell, manipulate integrity checks, and modify files.
Enable the use of web shells for credential harvesting, account creation, password resets, and escalating permissions.
Copy the web shell to the Ivanti running boot disk and manipulate the running coreboot image.”
To address the vulnerability, CISA recommends that users and administrators:
Consider a factory reset.
Follow Ivanti’s recommended recovery steps.
Reset credentials of all accounts.
Reset passwords for all domain users and local accounts.
Review access policies to temporarily revoke access for affected devices.
Reset account credentials or access keys.
Monitor related accounts, especially administrative accounts.
Report incidents and anomalous activity to CISA.
The MAR is an important read for any businesses using Ivanti Connect Secure, Policy Secure, and ZTA Gateways.
TWICE AS BAD: Choice Home Warranty Suffers Massive TCPA Loss That Opens the Door to Double Dipping
The TCPA is bad enough without Plaintiffs being able to recover twice under the statute’s abusive provisions for a single phone call or text. But that is exactly what just happened in New Jersey with Choice Home Warranty losing a motion to dismiss a double dip effort by a number of individual TCPA litigators.
In Jubb v. CHW, 2025 WL 942961 (D. N.J. March 28, 2025) the Plaintiffs each alleged several calls from CHW that allegedly were made without consent in violation of the TCPA’s DNC provisions.
CHW moved to dismiss on several grounds asserting the complaint did not either directly or indirectly link the calls back to it, but the court completely disagreed and found the complaint adequately alleged both direct and vicarious liability.
This is bad enough but the Court also refused to dismiss the Plaintiff’s time restriction claim–i.e. that the calls had been made before 8 am or after 9 pm–even though they plaintiffs were separately suing for those same calls under a basic DNC violation theory.
In other words, the court just allowed the plaintiffs to double dip and recover twice under 227(c) for a single call.
Not good. This is especially true given the massive onslaught of time restriction TCPA class actions that have been filed as of late.
So big loss for CHW and now, potentially, the industry.
Cleo AI Agrees to $17 Million Settlement with FTC
Sometimes, deals are too good to be true. That was the case for Cleo AI, an online cash advance company that promised consumers fast, up-front cash payments. According to the Federal Trade Commission (FTC), Cleo AI offered consumers a mobile personal finance application that “promises consumers instant or same-day cash advances of hundreds of dollars.” When a consumer requests a cash advance, Cleo AI offers two subscription models, Cleo Plus and Cleo Builder. Once the consumer picks a subscription, they must provide a payment method that Cleo AI can use to obtain a cash advance repayment and subscription and other fees.
According to the FTC’s Complaint filed against Cleo AI, the company limits the cash advances promised to consumers below the advertised amounts. In addition, Cleo AI “falsely promises that consumers can obtain cash advances ‘today’ or instantly,” while it actually takes several days. Cleo AI required consumers to pay an extra fee to obtain the cash advance the same day or the next.
After much dissatisfaction, many consumers attempted to cancel their subscriptions. However, Cleo AI made it difficult to cancel their subscriptions and stop the recurring fees.
The FTC alleges that Cleo AI violated Section 5 of the FTC Act because it made material misrepresentations or deceptive omissions of material fact to consumers that constitute deceptive acts or practices. It also alleges violations of the Restore Online Shoppers’ Confidence Act.
Cleo AI has agreed to pay $17 million to settle the allegations against it.
This settlement reinforces that the FTC will not tolerate companies making misrepresentations to consumers. It also teaches consumers to: a) beware of advertisements that are too good to be true, and b) be wary of providing payment information for a subscription. Once they have your payment information, it is difficult to end the subscription.
Latest FCA Cybersecurity Settlement Shows Enforcement Remains a Priority Under Trump Administration
A recent United States Department of Justice (DOJ) announcement reinforces that enforcement of cybersecurity requirements under the False Claims Act (FCA) remains an ongoing risk. According to the press release, defense contractor MORSECORP Inc. (MORSE) agreed to pay US$4.6 million to resolve a FCA matter arising from a qui tam relator’s suit alleging that MORSE failed to comply with certain U.S. Department of Defense (DOD) cybersecurity requirements. This is the most recent settlement involving DOJ cybersecurity enforcement, a topic that Foley reported on previously.
The MORSE Settlement
Qui tam relator Kevin Berich, MORSE’s Head of Security, filed an FCA complaint against MORSE and its CEO in January 2023. MORSE is a software development company that had contracts and subcontracts with the U.S. Army and Air Force. Federal regulations dictate that DOD contracts like those entered into by MORSE require implementation of cybersecurity controls outlined in the National Institute of Standards and Technology Special Publication 800-171 (NIST SP 800-171). But Mr. Berich alleged that he witnessed MORSE continually fail to implement NIST SP 800-171 controls, including by failing to use multi-factor authentication, using non-compliant email and video call-hosting services, and using employee personal devices to access MORSE systems and transmit controlled unclassified information (CUI).
Under the FCA, a qui tam complaint is filed under seal, shared with DOJ, and not shared with the defendant so that DOJ can investigate the matter. After investigating for over two years, in March 2025, DOJ announced a settlement with MORSE and Mr. Berich for US$4.6 million. According to the announcement, MORSE admitted that it:
Used a third-party vendor for email hosting without ensuring that vendor met the necessary security requirements.
Failed to implement all NIST SP 800-171 controls or maintain a system security plan for its covered information systems.
Submitted a self-assessed score of 104 to DOD for its NIST SP 800-171 implementation and continued to report that score even after an outside audit notified MORSE that it failed to implement 78 percent of the required security measures and had an actual score of -142.
Notably, the settlement does not indicate that there were any breaches or other compromises of CUI or other protected information; rather, the case appears to have been premised on the possibility that such breaches could occur as a result of MORSE’s sub-standard cybersecurity program.
The MORSE settlement demonstrates the risk of failing to prioritize cybersecurity controls, especially given that FCA qui tam suits can be filed by insiders such as the Head of Security that initiated the MORSE suit. The case also underscores DOJ’s ongoing focus on cybersecurity enforcement, which includes the 2021 Department of Justice Cyber-Fraud Initiative and appears to be continuing full-steam ahead in the current Trump administration.
Recommendations
Given those risks, defense contractors and other recipients of federal funds (including colleges and universities) should consider the following steps to enhance cybersecurity compliance and reduce FCA risk:
Catalogue and monitor compliance with all government-imposed cybersecurity standards. A first step is to ensure your organization has a comprehensive list of all cybersecurity requirements and covered systems in your organization. These requirements may come not only from prime government contracts but also subcontracts, grants, or other federal programs. This includes not only ongoing knowledge of the organization’s contracts, but also continuously monitoring and assessing the organization’s cybersecurity program to identify and patch vulnerabilities and to assess compliance with those contractual cybersecurity standards. This assessment should also consider third-party relationships, such as vendors or service providers.
Develop and maintain a robust and effective compliance program that addresses cybersecurity issues. In many companies, the compliance program and information security functions are not well integrated. An effective compliance program will address cybersecurity concerns and encourage employees to report such concerns. When concerns are identified, it is critical to escalate and investigate them promptly. As the MORSE settlement illustrates, it is critical to respond to employees’ concerns effectively.
Where non-compliance with cybersecurity standards is identified, organizations should evaluate potential next steps. This includes whether to disclose the matter to the government and cooperate with government investigators. Organizations should work with experienced counsel in this regard. Proactively mapping out a strategy for investigating and responding to potential non-compliance can instill discipline to the process and streamline the organization’s approach.
Foley Automotive Update with Tariff Rundown
Special Update — Trump Administration and Tariff Policies
Foley & Lardner partner Vanessa Miller commented on the Trump administration’s imposition of automotive tariffs in the Associated Press article, “Trump’s latest auto tariffs explained: What car buyers should know this year.” Miller, who is chair of Foley’s national Automotive Team, said that while some companies will be able to pivot their operations to the United States, others are too integrated with factories in Mexico and elsewhere to make a speedy transition.
Foley & Lardner provided an update for multinational companies regarding the potential for criminal enforcement of trade, import, and tariff rules. Visit Foley & Lardner’s 100 Days and Beyond: A Presidential Transition Hub for more updates on policy analysis and the business implications of the Trump administration across a range of areas.
Fully assembled automobiles are subject to a 25% U.S. import tariff,effective at 12:01 a.m. on April 3, 2025, through President Trump’s March 26 proclamation (90 FR 14705). An accompanying Fact Sheet states: “Importers of automobiles under the United States-Mexico-Canada Agreement will be given the opportunity to certify their U.S. content and systems will be implemented such that the 25% tariff will only apply to the value of their non-U.S. content.”
U.S. import tariffs of 25% on certain major auto parts (engines and engine parts, transmissions and powertrain parts, and electrical components) are scheduled to take effect no later than May 3. The March 26 proclamation states “the ad valorem tariff of 25 percent described in clause (1) of this proclamation shall not apply to automobile parts that qualify for preferential treatment under the USMCA until such time that the Secretary, in consultation with CBP, establishes a process to apply the tariff exclusively to the value of the non-U.S. content of such automobile parts and publishes notice in the Federal Register.”
Reciprocal tariffs announced April 2 will be established at a baseline of 10% and ranging up 49% beginning on April 5. The reciprocal rates include 34% on China, 20% on the European Union, 46% on Vietnam and 32% on Taiwan. This announcement did not impose reciprocal tariff rates on Canada or Mexico.
The European Union intends to pursue countermeasures in response to the Trump administration’s reciprocal tariffs.
Mexican President Claudia Sheinbaum indicated trade negotiations are ongoing with the Trump administration, and Mexico thus far has not announced retaliatory tariffs.
The Canadian government imposed retaliatory tariffs on C$60 billion ($42 billion) worth of U.S.-made goods in response to U.S. import tariffs on steel and aluminum.
U.S. import tariffs on copper could be implemented before the 270-day deadline established in a February 25 executive order which directed the government to assess possible levies on the metal, according to unnamed sources in Bloomberg.
The U.S. Senate on April 2 voted 51-48 to approve a joint resolution (SJ Res 37) to terminate the national emergency declared on February 1, 2025, by the President in Executive Order 14193 (90 Fed. Reg. 9113) to impose tariffs on imports from Canada. The measure does not have the force of law, however it notably received support from four Republican Senators: Rand Paul (KY), Susan Collins (ME), Lisa Murkowski (AK) and Mitch McConnell (KY). The U.S. House recently took steps to block the ability of tariff critics to expedite a floor vote on the issue.
Dozens of Chinese companies were added to a Commerce Department entity list to restrict trade due to national security concerns.
Automotive Key Developments
Foley & Lardner provided an update on a notable federal court ruling against Stellantis in a supplier pricing dispute, and assessed the impact of the case in regards to what constitutes a valid requirements contract under Michigan law.
Certain major automakers could incur up to $1 billion to $7 billion annually in U.S. import costs, depending on the breadth and duration of the 25% automobile and auto parts tariffs announced by President Trump on March 26. The effects of these sector-specific tariffs in their current form could cost the auto industry up to $110 billion annually, according to investment bank estimates featured in The Wall Street Journaland Bloomberg.
S&P Global Mobility predicts U.S. light-vehicle sales could decline to between 14.5 and 15 million units annually if the automotive import tariffs proceed as announced, and the duties could “create a reset of the automotive value chain within North America and the world.”
Nearly 50% of U.S. new light vehicles sold in 2024 were assembled outside the U.S., and up to 70% of vehicles sold in the U.S. in a typical year contain imported components. New-vehicle prices could increase by 11% to 15% due to the pass-through effects of automotive import tariffs, and consumers could encounter tariffed inventory at dealerships by May or sooner.
President Trump warned U.S. automakers not to raise prices in response to tariffs, according to unnamed sources in The Wall Street Journal. The president stated in an NBC News interview that he “couldn’t care less” if foreign automakers raised prices because consumers would instead “buy American cars.” In the interview, the president did not comment on the potential for higher prices in domestically manufactured vehicles that may result from duties on imported components.
Cox Automotive estimates the cost impact of tariffs could make at least half of the 20 vehicle models priced below $30,000 “unviable for the U.S. market.”
Bloomberg reports Senate Republicans intend to utilize the Congressional Review Act to revoke the Environmental Protection Agency’s authority to grant Clean Air Act waivers allowing California to impose emissions standards that exceed federal regulations.
U.S. new light-vehicle sales in March reached a SAAR of 17.8 million units, representing an increase of 11% year-over-year, according to preliminary estimates from GlobalData. Increased volumes in March were attributed to accelerated consumer purchases to avoid tariffs.
OEMs/Suppliers
Hyundai on March 24 announced plans to invest an additional $21 billion in U.S.-based vehicle manufacturing and supply chains for critical materials, including a new steel mill in Louisiana.
Cleveland-Cliffs plans to lay off over 1,200 workers in Michigan and Minnesota due to market challenges that include the expectation for declining automotive demand amid higher prices caused by tariffs.
Toyota and Honda stated they currently have no plans to reduce manufacturing in Ontario, Canada in response to U.S. trade policies.
Certain luxury brands that performed well during previous market disruptions could be significantly exposed to automotive import tariffs because the vehicles do not meet the U.S.-Mexico-Canada free-trade agreement rules.
The American Trucking Associations estimates automotive import tariffs could add upwards of $30,000 to the cost of a new Class 8 truck.
Crain’s Detroit provided estimates of the Detroit Three automakers’ U.S. plant utilization rates, and an overview of which factories in Michigan have excess capacity.
The UAW in a March 26 statement praised President Trump’s automotive import tariffs, and suggested automakers could shift production to the U.S. “within a matter of months” by “adding additional shifts or lines in a number of underutilized auto plants.”
At least two major automakers recently stopped tracking purchases with minority-owned suppliers, according to a report in Crain’s Detroit.
Taiwanese automotive lighting supplier TYC Americas plans to invest $18.75 million to establish production in Wixom, Michigan.
The Chinese government intends to restructure a number of China’s state-owned automakers to improve competitiveness and market share. This could affect automakers including Dongfeng Motor Group, China FAW Group, Changan Automobile Co., SAIC Motor Corp., GAC Motor Co., BAIC Motor Co., Chery Automobile Co., and Jianghuai Automobile Co.
Toyota Chairman Akio Toyoda spoke to Automotive News about the challenges of automotive consolidation.
Market Trends and Regulatory
The National Highway Traffic Safety Administration (NHTSA) launched an investigation into more than 2 million Honda vehicles over reports that engines can fail to restart from idling.
The U.S. Commerce Department delayed a preliminary ruling on a Chinese graphite anode countervailing duty case to May 19, 2025. North American graphite miners had petitioned last year to impose a 920% tariff on Chinese suppliers to counter China’s control over critical minerals. Graphite is a key component in EV lithium-ion batteries.
President Trump stated U.S. House Speaker Mike Johnson is “working on” a proposal that could allow tax deductions for the interest paid on auto loans for U.S.-made vehicles. Details of the plan were not provided.
President Trump nominated Derek Barrs, a former Florida Highway Patrol chief, to head the Federal Motor Carrier Safety Administration.
An estimated 1.73 million vehicles were repossessed in the U.S. in 2024, representing the highest level since 2009.
The University of Michigan’s March 2025 Index of Consumer Sentiment fell to 57, the lowest level since 2022. Two-thirds of consumers expect higher unemployment in the next year, the highest reading since 2009.
The Conference Board’s March 2025 Consumer Confidence Survey found that short-term expectations for income, business and labor-market conditions were at the lowest level in 12 years.
New vehicle registrations in the European Union declined 3% year-over-year in the first two months of 2025, according to analysis from the European Automobile Manufacturers’ Association (ACEA). Registrations of new battery-electric vehicles (BEVs) in the EU increased 28.4% YOY, reaching 255,489 units for a 15.2% share of the total EU market. New EU registrations of hybrid-electric vehicles rose 18.7% YOY for a 35.2% share of the EU market.
The European Commission granted final approval to Tesla’s 2025 EU emissions pool, which includes Stellantis, Toyota, Ford, Honda, Mazda, Subaru and Suzuki. The bloc’s other key pool is managed by Mercedes-Benz and it includes several Geely brands.
The European Commission fined 15 automakers and the European Automobiles Manufacturers’ Association (ACEA) €458 million ($495.3 million) over participating in anticompetitive agreements concerning end-of-life vehicle recycling.
U.S. traffic fatalities in the first half of 2024 were 25% higher compared to the same period in 2014. Pedestrian fatalities in H1 2024 were up by 48% compared to H1 2014.
Autonomous Technologies and Vehicle Software
Ford intends to use artificial intelligence systems and Nvidia GPUs to improve the process of designing and bringing new vehicles to market.
Waymo plans to launch robotaxi services in Washington D.C. in 2026, following previously announced expansions in Miami and Atlanta. Waymo currently operates in parts of San Francisco, Los Angeles, Phoenix, and Austin.
Lyft could offer driverless rides on its platform “as soon as this summer.”
Caterpillar will integrate lidar technology from Luminar to the Cat Command autonomy platform on its heavy-duty construction equipment.
Volkswagen will partner with Valeo and Mobileye to develop Level 2 advanced driver assistance systems (ADAS) for upcoming vehicle models. The Society of Automotive Engineers (SAE) defines Level 2 as driver support features that require constant control and supervision.
Electric Vehicles and Low-Emissions Technology
BYD reported 2024 net income of 40 billion yuan ($5.6 billion) on total revenue of 777.1 billion yuan ($107 billion), representing YOY increases of 34% and 29%, respectively. BYD’s global vehicle sales rose 41% YOY to 4.27 million units in 2024, and it has a goal to double sales outside of China to over 800,000 units in 2025.
The Michigan Strategic Fund approved the transfer of over $180 million in state and local incentives to LG Energy Solution after GM exited a $2.5 billion project to construct an EV battery plant in Lansing.
Rivian will spin out its electric micromobility platform, Also Inc., into a new startup focused on lightweight vehicles that include scooters and bicycles.
Governor Gavin Newsom announced California has 178, 549 public and shared private EV chargers, which is 48% higher than the amount of gasoline nozzles in the state.
Contract electronics maker Hon Hai Precision Industry, known as Foxconn, is reported to be pursuing an agreement to produce EVs for Mitsubishi.
Immigration Enforcement and Healthcare Facilities: Key Considerations for Providers
Recent changes in federal immigration enforcement practices have prompted renewed attention to how healthcare providers manage requests from law enforcement agencies. While federal policy continues to recognize healthcare facilities as sensitive environments, there has been increased interest in enforcement activity in or around such locations. Healthcare organizations should consider taking this opportunity to review internal protocols and confirm they are prepared to respond in a manner that is consistent with applicable federal and state law.
This post outlines key considerations related to patient privacy, facility access, and provider obligations when immigration enforcement activity intersects with clinical operations.
Patient Privacy and Requests for Information
Healthcare providers remain subject to the requirements of the Health Insurance Portability and Accountability Act (HIPAA), which generally prohibits the disclosure of protected health information (PHI) without patient authorization, except in limited circumstances. One such exception is when disclosure is required by law—for example, pursuant to a valid court order or a judicial warrant.
Providers should be aware that administrative warrants issued by immigration authorities alone typically do not meet HIPAA’s “required by law” standard. In such instances, providers should consider verifying whether the request is supported by sufficient legal authority before disclosing patient information. Internal policies and staff training may help ensure that any disclosures are appropriately limited in scope and consistent with federal and state privacy laws.
Facility Access and On-Site Enforcement Activity
In some cases, immigration officials or other law enforcement personnel may seek to enter a healthcare facility to interview or take custody of an individual. Providers should consider preparing for such scenarios by identifying points of contact for handling law enforcement inquiries, establishing protocols for reviewing documentation, and confirming when legal counsel should be contacted.
Importantly, hospitals and other emergency care providers remain obligated to comply with the Emergency Medical Treatment and Labor Act, which requires the screening and stabilization of patients seeking emergency care, regardless of their background or circumstances.
Nondiscrimination and Access to Care
Providers that participate in Medicare or Medicaid are also subject to federal nondiscrimination requirements under the Civil Rights Act and Section 1557 of the Affordable Care Act, as well as state civil rights laws. These laws generally prohibit denying care on the basis of national origin or perceived immigration status. Healthcare organizations may wish to review their policies to ensure they reflect these ongoing obligations.
State and Local Considerations
In addition to federal law, healthcare providers should consider any applicable state or local requirements related to law enforcement interactions, patient rights, or data privacy. Several state attorneys general and regulatory agencies have issued advisories or guidance materials to assist providers in navigating these issues. For example, Maryland’s attorney general released guidance for Maryland providers in light of the recent policy changes on immigration enforcement. Reviewing such materials in consultation with counsel may help organizations develop compliant, well-informed operational protocols.
Conclusion
As enforcement practices evolve, healthcare providers would benefit from reviewing their procedures for responding to law enforcement activity—particularly in contexts involving patient privacy, facility access, and legal process. A proactive approach can help ensure compliance with relevant laws and support the delivery of uninterrupted, nondiscriminatory care.
Providers with questions about specific scenarios or legal requirements are encouraged to consult our team to assess how these considerations apply in their jurisdiction and operational context.
Listen to this post
FedRAMP 20x – Major Overhaul Announced to Streamline the Security Authorization Process for Government Cloud Offerings
On March 24, 2025, the Federal Risk and Authorization Management Program (“FedRAMP”) announced a major overhaul of the program, which is being called “FedRAMP 20x.” The FedRAMP 20x announcement stated there are no immediate changes to the existing authorization path based on agency sponsorship and assessment against the FedRAMP Rev 5 baseline.[1] However, once the initiative kicks off, we expect major changes to speed up and streamline that authorization path that likely will be welcomed by industry partners and cloud service providers participating in the program. Below are key points based on the recent FedRAMP 20x announcement.
The primary goals of the FedRAMP 20x initiative include:
Seeking to implement the use of automated validation for 80% of FedRAMP requirements, which would leave about 20% of narrative as opposed to the current 100% narrative explanations required in the document submission package.
Leaning on industry partners to provide continuous simple standardized machine-readable validation of continuous monitoring decisions.
Fostering trust between industry and federal agencies to promote direct relationships between cloud service providers and customers. Note, this appears to indicate that the FedRAMP Program Management Office (“PMO”) will have a much smaller role moving forward with respect to the authorization process and assessments.
Replacing annual assessments with simple automated checks.
Replacing the significant change process with an approved business process that will not require additional oversight to be developed in collaboration with industry.
FedRAMP 20x is an initiative that will be implemented in phases. The timeline for Phase 1 has not been announced but, once it is open, Phase 1 seeks to streamline the authorization process for eligible participants and authorized cloud service offerings in weeks rather than months. Phase 1 will focus on Software-as-a-Service offerings with the following characteristics:
Deployed on an existing FedRAMP Authorized cloud service offering using entirely or primarily cloud-native services;
Minimal or no third party cloud interconnections with all services handling federal information FedRAMP Authorized;
Service is provided only via the web (browser and/or APIs);
Offering supports a few standard customer configured features needed by federal agencies (or the cloud provider willing to build that capability quickly); and
Existing adoption of commercial security frameworks are a plus (SOC 2, ISO 27000, CIS Controls, HITRUST, etc.).
The practical implications of Phase 1 appear to be positive. Cloud service providers will be able to submit fewer pages for authorization submissions (i.e., less narrative, and more standard configuration choices for documentation). The documentation required for Phase 1 includes (1) documentation of security controls implemented by the cloud service provider and (2) materials demonstrating the cloud service provider’s existing commercial security framework to the extent it overlaps with FedRAMP requirements (e.g., a Security & Privacy Policy). There will be an automated validation component for Phase 1 authorizations, which may involve making configuration changes as needed to meet certain security controls. Following the assessment process, the cloud service offering will receive a score related to Confidentiality, Integrity, and Availability of federal information, and federal agencies will review this information to make risk assessments prior to adoption. Lastly, there will be changes to continuous monitoring with the replacement of annual assessments with simple automated checks and a new significant change process that will not require additional oversight.
Overall, with less documentation and narrative explanation, a more automated process with quicker authorization timelines, and less burdensome continuous monitoring activities due to enhancements through automation, the goal of FedRAMP 20x changes is to establish more efficient authorization and continuous monitoring processes. This should make it easier for cloud providers to sell their offerings to the government. Industry participation is a major focus of the new initiative. There are community engagement groups planning to begin meeting immediately and there will be opportunities for public comment as new ideas and documentation are rolled out. The community group meetings are focused on four topics: (1) Rev 5 Continuous Monitoring, (2) Automating Assessments, (3) Applying Existing Frameworks, and (4) Continuous Reporting. For those in this space, it will be important to participate to ensure industry partners are involved in shaping the program. The schedule for the meetings can be found here.
FOOTNOTES
[1] The FedRAMP Rev. 5 baseline aligns with National Institutes of Standards and Technology (“NIST”) Special Publication (“SP”) 800-53, Security and Privacy Controls for Federal Information Systems and Organizations, Revision 5.