Privacy Tip #443 – Fake AI Tools Used to Install Noodlophile
Threat actors are leveraging the publicity around AI tools to trick users into downloading the malware known as Noodlophile through social media sites.
Researchers from Morphisec have observed threat actors, believed to originate from Vietnam, posting on Facebook groups and other social media sites touting free AI tools. Users are tricked into believing that the AI tools are free, and unwittingly download Noodlophile Stealer, “a new malware that steals browser credentials, crypto wallets, and may install remote access trojans like XWorm.” Morphisec observed “fake AI tool posts with over 62,000 views per post.”
According to Morphisec, Noodlophile is a previously undocumented malware that criminals sell as malware-as-a-service, often bundled with other tools designed to steal credentials.
Beware of deals that are too good to be true, and exercise caution when downloading any content from social media.
China’s National Intellectual Property Administration Releases Guidelines for the Construction and Operation of Patent Pools

On May 13, 2025, China’s National Intellectual Property Administration (CNIPA) in conjunction with the Ministry of Science and Technology, the Ministry of Industry and Information Technology, the State-owned Assets Supervision and Administration Commission of the State Council, the State Administration for Market Regulation, and the Chinese Academy of Science released the Guidelines for the Construction and Operation of Patent Pools (专利池建设运行工作指引).
A translation follows. The original text can be found here (Chinese only).
Chapter 1 General Provisions
Article 1 These Guidelines are formulated to guide and strengthen the high-quality construction of patent pools, guide and support the scientific establishment, rational layout, standardized management and efficient operation of patent pools, better operate the role of patent pools, promote the transformation and application of patents, promote fair and orderly competition in the industry, and accelerate the cultivation and development of new quality productivity.
Article 2 Patent pool refers to a patent application model in which two or more patent holders entrust one of them or a third-party operation and management organization through an agreement to jointly operate the patents held in a certain technical field, and carry out cross-licensing, one-stop licensing and other businesses and related services.
Article 3 Patent pools have the following main functions:
(i) Integrate patent resources, reduce patent licensing transaction costs, and improve patent licensing and use efficiency.
(ii) Promote the industrialization and application of patent technology, expand the scale and benefits of patent industrialization, and accelerate the transformation of innovative achievements into real productivity.
(iii) Carry out diversified operation services, improve corporate patent compliance awareness and risk prevention level, and optimize the ecological environment for industrial innovation and development.
Article 4 The construction and operation of patent pools shall follow the following principles:
(i) Market-oriented principle. In accordance with the laws of the market economy, a business operation model that conforms to the characteristics of the industry and the needs of enterprises shall be established to ensure the market-oriented operation and sustainable development of the patent pool.
(ii) The principle of interest balance. The legitimate rights and interests of patent licensors and licensees shall be protected, the balance between licensing rates and industrial profits shall be taken into account, and the due interest returns of various entities in the whole process from innovation investment to implementation of results shall be guaranteed.
(iii) The principle of openness. All types of qualified domestic and foreign patent holders shall be supported to join the patent pool, participate in the operation of the patent pool and obtain due rights and interests, and encourage and support the market-oriented, standardized and international development of the patent pool.
(iv) The principle of non-discrimination. The licensing business shall be carried out equally for the whole society to ensure that all patent users have equal opportunities and obtain licenses in accordance with fair, reasonable and non-discriminatory rules.
Article 5 The CNIPA shall, together with relevant departments, provide overall guidance and support for the construction and operation of patent pools. Local intellectual property management departments and relevant departments are encouraged to strengthen guidance, support and service guarantees for the construction of patent pools according to local conditions.
Chapter II Establishment of Patent Pool
Article 6 Patent pools are usually initiated and established by patent owners or patent operation management organizations with significant innovation advantages and greater industry influence in the industry, and patent owners in related fields are absorbed as members of the patent pool.
Article 7 The main links of the establishment of patent pools include:
(i) Clarify the basic positioning. The initiator shall determine the basic positioning of the patent pool, such as the expected functions, business forms, business models and development directions, based on the needs.
(ii) Determine the patent pool operation management organization. The patent pool operation management organization shall have relevant professional capabilities such as patent resource integration, operation management, consultation and negotiation, and risk response, and shall be responsible for the operation and management of the patent pool under the entrustment of the patent owner.
(iii) Formulate the charter. The initiator shall formulate the organizational charter based on the basic functional positioning of the patent pool, which mainly includes the purpose, criteria, rules of procedure, organizational structure, responsibilities and powers of the operation management organization, member joining and exit mechanism, member rights and obligations, business development model, risk prevention and dispute resolution mechanism, etc.
(iv) Screening patents to be included in the pool.
——Establish standards. The patent pool operation and management organization shall formulate fair and reasonable patent entry standards and clarify the evaluation and review mechanism for patents entering the pool.
——Application for entry into the pool. The patent owner shall submit a patent entry application to the patent pool operation and management organization and provide relevant information. For utility model and design patents, a patent right evaluation report may be required.
——Evaluation and review. The patent pool operation and management organization shall organize experts or entrust a third-party evaluation service organization to evaluate and review the patents applied for entry into the pool in accordance with the patent entry standards and determine the list of patents entering the pool.
——Signing an agreement. The patent pool operation and management organization shall sign a patent entry agreement with the patent owner to agree on the list of patents entering the pool, the rights and obligations of both parties, the method of income distribution, the entry period, the exit mechanism, confidentiality requirements and dispute resolution.
Chapter III Operation and Management of Patent Pools
Article 8 Establish a reasonable licensing fee mechanism. Patent pool members mainly obtain income through the patent pool’s external one-stop licensing. The licensing fee rate is generally determined by the initiator or patent pool operation and management organization based on the number of patents, patent value, average profit margin of related industries, price of patent products, contribution of patents to product value, stage of technology development, industry acceptance, judicial judgment results and other factors. When the patent pool determines or adjusts the licensing fee rate, it can fully communicate and negotiate with potential licensees to balance the interests of the relevant parties.
Article 9 Establish a fair income distribution mechanism. The patent pool operation and management organization may extract management fees from the operating income according to a certain proportion or charge service fees according to the agreed operating model, and determine the income distribution ratio of the patent pool members based on the patent pool entry agreement, combined with factors such as the number of licensed patents and patent contribution.
Article 10 Establish a flexible and efficient service management model. The patent pool operation and management organization may actively expand its operating business based on the needs of industrial development and the functional positioning of the patent pool, and provide value-added or public welfare services such as evaluation consultation, litigation response, negotiation, overseas risk analysis, and compliance investigation to patent pool members or other entities. Strengthen the internal management of the patent pool and establish a sound member communication and consultation mechanism.
Article 11 Establish a moderately transparent information disclosure mechanism. Encourage patent pool operation and management institutions to appropriately disclose relevant information based on the functional positioning of patent pools, or provide necessary information based on the reasonable requirements of relevant parties. For patent pools of standard essential patents, encourage patent pool operation and management institutions to timely and fully disclose information such as claim comparison tables of patents in the pool and the results of necessity examination.
Chapter IV Safeguard Measures
Article 12 Support the formulation of relevant norms and standards for the construction and operation of patent pools. Encourage patent pools that are in line with the national industrial development orientation, have standardized and efficient construction and operation, and have a significant role in promoting industrial innovation and development to report relevant information to the CNIPA on a voluntary basis. Support the exploration of the construction of patent pool information resource centers to track and publish relevant information about patent pools.
Article 13 Strengthen business training and personnel training. Encourage local government departments to organize and carry out relevant training on the construction and operation of patent pools in combination with the needs of industrial development. Strengthen the construction of professional personnel teams and encourage patent pool operation and management institutions to cultivate and introduce professional personnel with international vision and advanced management concepts. Promote the establishment of a patent pool operation and management expert team to strengthen the talent guarantee and professional support for the construction and operation of patent pools.
Article 14 Strengthen publicity and exchanges. All departments and localities should timely summarize and publicize the progress, achievements and experience of the construction and operation of patent pools, positively guide and widely popularize the concept of patent pool operation, and promote the formation of a good atmosphere conducive to the high-quality construction and operation of patent pools. Support the development of domestic and foreign exchange activities, share and absorb the successful experience of the construction and operation of patent pools, continuously strengthen international consensus, and explore and promote the formation of fair, reasonable, open, inclusive, mutually beneficial and win-win international rules for the construction and operation of patent pools.
Chapter V Supplementary Provisions
Article 15 The construction and operation of patent pools shall strictly abide by national laws and regulations, and shall not violate the Anti-Monopoly Law of the People’s Republic of China, the Anti-Monopoly Guidelines of the Anti-Monopoly Commission of the State Council on the Field of Intellectual Property Rights, the Anti-Monopoly Guidelines for Standard Essential Patents, the Provisions on Prohibition of Abuse of Intellectual Property Rights to Exclude and Restrict Competition, and the Provisions on the Administration of Patents Involving National Standards (Interim) and other relevant regulations, and shall not hinder fair competition in the market and the healthy development of the industry. Patent pool operation management agencies are encouraged to report to antitrust law enforcement agencies in advance, actively accept supervision and guidance, and ensure the compliance construction and operation of patent pools.
Article 16 Encourage and support relevant departments, local governments, social groups, industry organizations, etc. to refer to and use these guidelines in the construction and operation of patent pools.
Regulation on Preventing the Loss of Plastic Pellets to Reduce Microplastic Pollution – Draft Agreement Reached Between the Council and the Parliament
On 16 October 2023, the European Commission (EC) proposed a Regulation [1] aimed at preventing plastic pellet losses in order to tackle one of the main sources of unintentional microplastic pollution.
A provisional Draft Agreement on the final text was reached between the European Parliament and the Council on 8 April 2025 [2]. The Council’s first reading position is expected to be adopted in the autumn, followed by a second EP vote recommending final approval. It will then be formally adopted by both institutions, following a legal and linguistic review, and published in the Official Journal of the EU.
The Regulation applies to economic operators in the EU handling quantities of plastic pellets equal to or exceeding five tonnes per year, based on the previous calendar year. It also covers economic operators of facilities within the EU that clean plastic pellet containers and tanks. Furthermore, the scope extends to both EU and non-EU carriers.
The overarching objective of the Regulation is to ensure the safe handling of plastic pellets at every point in the supply chain, regardless of their intended end use. The main obligations are as follows:
Article 3 sets out the duty to take immediate action to contain and clean up any pellet losses, as well as to notify the relevant national authorities about each installation involved in pellet handling.
Under Article 4, economic operators must develop a risk management plan for each of their installations. This plan must comply with the requirements of Annex I of the Regulation and be submitted to the competent authority in the Member State where the installation is located, accompanied by a declaration of conformity as specified in Annex II. Operators must also ensure that all relevant staff receive appropriate training. Additionally, both EU and non-EU carriers are required to keep annual records detailing the estimated volume of plastic pellets handled and any losses incurred.
Article 5 introduces a certification regime. Operators handling 1,500 tonnes or more of plastic pellets annually will be required to obtain certification from an independent third party two years after the Regulation enters into force, and every three years thereafter. Medium-sized operators handling more than 1,500 tonnes must obtain certification within 36 months, with renewal required every four years. Small enterprises handling over 1,500 tonnes must also obtain certification within 60 months of the Regulation’s entry into force, with certification valid for five years. However, Member States may grant permits under Article 5a, exempting certain operators from this certification requirement.
The Draft Agreement introduces new labelling obligations for any manufacturer, importer, downstream user, or distributor placing on the market plastic pellets that qualify as synthetic polymer microparticles, as defined in Annex XVII, entry 78, to Regulation (EC) 1907/2006 [3]. The required information, detailed in Annex IVb of the Regulation (see image below), must be included on the label, packaging, packaging leaflet, or safety data sheet.
The Draft Agreement also sets out rules governing compliance and access to information. While it is the responsibility of Member States to establish specific penalties for infringements of the Regulation, the Regulation itself sets minimum standards for enforcement. In cases of the most serious infringements committed by a legal entity, the maximum level of administrative financial penalty must be at least 3% of the operator’s annual EU turnover in the previous financial year. In addition to administrative penalties, Member States retain the discretion to impose criminal sanctions where appropriate.
The Regulation includes a delayed application date, taking effect two years after its official entry into force. To ease the transition for the maritime sector, the co-legislators have introduced a further one-year delay in the application of the relevant provisions for operators, agents, and masters of sea-going vessels. This additional time is intended to facilitate compliance with the new requirements specific to maritime transport.
[1] Proposal for a REGULATION OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL on preventing plastic pellet losses to reduce microplastic pollution, COM(2023) 645 final – 2023/0373 (COD). Available at: https://www.europarl.europa.eu/RegData/docs_autres_institutions/commission_europeenne/com/2023/0645/COM_COM(2023)0645_EN.pdf
[2] Provisional Draft Agreement, adopted 15 May 2025, at the ENVI Committee, available at: https://www.europarl.europa.eu/meetdocs/2024_2029/plmrep/COMMITTEES/ENVI/DV/2025/05-12/Item10_2023_0373COD_consolidatedandmarked_EN.pdf
[3] Please refer to COMMISSION REGULATION (EU) 2023/2055 of 25 September 2023 amending Annex XVII to Regulation (EC) No 1907/2006 of the European Parliament and of the Council concerning the Registration, Evaluation, Authorisation and Restriction of Chemicals (REACH) as regards synthetic polymer microparticles, available at: https://eur-lex.europa.eu/legal-content/EN/TXT/PDF/?uri=CELEX:32023R2055
UK Government Publishes New Software and Cyber Security Codes of Practice
As cyber security continues to make headline news, it is timely that on 7 May 2025 the UK government published a new voluntary Software Security Code of Practice: Software Security Code of Practice – GOV.UK
This Code is designed to be complementary to relevant international approaches and existing standards and where possible reflects internationally recognized best practice including as outlined in the US Secure Software Development Framework (Secure Software Development Framework | CSRC) and the EU Cyber Resilience Act (Cyber Resilience Act (CRA) | Updates, Compliance, Training).
This Code consists of 14 principles split across 4 themes (secure design and development; build environment security; secure deployment and maintenance; and communication with customers) that software vendors are expected (but to stress the voluntary nature of this code, are not legally obliged) to implement to establish a consistent baseline of software security and resilience across the market – these principles are stated to be relevant to any type of software supplied to business customers.
“Software Vendors” are defined under this Code as organisations that develop and sell software or software services; “Software” is code, programmes and applications that run on devices including on hardware devices and via cloud/SaaS.
A self-assessment form is also made available (Software-Security-Code-of-Practice-Self-Assessment-Template.docx) which software vendors can use to assess and evidence compliance with this Code.
This Code follows on from the Cyber Governance Code of Practice and supporting toolkit published on 8 April 2025 (Cyber Governance Code of Practice – GOV.UK) to support boards and directors of medium and large organizations in governing cyber security risks. The emphasis of that Code is to support boards and directors to effectively govern and monitor cyber security within their business, but it is not intended for use by those people in a business whose role is the day-to-day management of cyber security.
As cyber security continues to be a high-profile and business critical issue for many businesses it is likely that in the coming months we may start to see compliance with these voluntary codes becoming contractual obligations imposed on suppliers.
EDPB and EDPS Support GDPR Record-Keeping Simplification Proposal
On May 8, 2025, the European Data Protection Board (“EDPB”) and the European Data Protection Supervisor (“EDPS”) adopted a joint letter addressed to the European Commission regarding the upcoming proposal to simplify record-keeping obligations under the EU General Data Protection Regulation (“GDPR”). This proposal aims to amend Article 30(5) of the GDPR, simplifying the record-keeping requirements and reducing administrative burdens while maintaining robust data protection standards.
The European Commission proposed the following changes to Article 30(5) of the GDPR:
Exemptions for Small Mid-Cap Companies: Extending the derogation which currently applies to enterprises or organizations with fewer than 250 employees (including small and medium-sized enterprises or SMEs), to also cover “small mid-cap companies,” i.e., companies with fewer than 500 employees and with a defined annual turnover, as well as organizations such as non-profits with fewer than 500 employees.
Expansion of Application: Modifying the derogation so it would not apply if the processing is “likely to result in a high risk to the rights and freedoms of natural persons,” as opposed to the current provision, which only mentions processing likely to result in a “risk,” therefore broadening the ability to use the derogation.
Limiting Record-Keeping Exceptions: Removing certain exceptions to the record-keeping derogation, including references to occasional processing and possibly special categories of data.
Employment, Social Security or Social Protection Law Exception: Introducing a recital clarifying that the obligation to maintain records of processing activities would not apply to the processing of special categories of data to comply with legal obligations in the field of employment, social security or social protection law in accordance with Article 9(2)(b) of the GDPR.
In their joint letter, the EDPB and EDPS express “preliminary support to this targeted simplification initiative,” noting that they support the retention of a risk-based approach in respect of processing, and observing that “even very small companies can still engage in high-risk processing.” Both parties welcome the opportunity for a formal consultation to take place after the publication of the draft legislative change.
FCA’s Discretion Upheld in IRHP Redress Scheme Judicial Review
Timely insights into the design of mass consumer redress schemes
In R (All-Party Parliamentary Group on Fair Banking) v Financial Conduct Authority [2025] EWHC 525 (Admin), the High Court examined the FCA’s decision regarding the exclusion of certain customers from the scope of the voluntary Interest Rate Hedging Products (IRHP) redress scheme established in 2012, which was criticised in a subsequent independent review. The case contains important insights into the trade-offs involved in the design of such schemes, given the high likelihood that the FCA will soon be rolling out a redress scheme to deal with motor finance mis-selling.
Background
From 2010 onwards, large numbers of complaints began to be made about mis-selling of IRHPs alongside small and medium sized business loans. The IRHPs, which typically swapped floating for fixed interest rates, had become ruinously expensive for many bank customers after interest rates fell sharply during the 2008 financial crisis. Following supervisory intervention by the FSA (the predecessor of the FCA), a voluntary redress scheme was negotiated with various large banks in 2012. The scheme incorporated a “sophistication test”, which excluded customers that exceeded certain objective metrics or were otherwise sophisticated in the use of financial products from being eligible to receive compensation under the scheme for mis-sold financial products.
Subsequently the FCA committed to a review of its supervisory intervention on IRHPs by a leading King’s Counsel. That review concluded (among other things) that the FCA should not have excluded a subset of customers from the scheme via the sophistication test. The FCA disagreed with these findings and decided to take no further action to address that conclusion. The All-Party Parliamentary Group on Fair Banking challenged this exclusion by way of judicial review proceedings, arguing that the FCA’s decision was irrational and procedurally unfair due to a lack of proper consultation with stakeholders.
The FCA argued that it was on balance right (or at least not irrational) to agree the redress scheme incorporating the sophistication test for a number of reasons including that:
There was real urgency to provide prompt assistance to a large number of small businesses that were in distress and prone to going into insolvency as a result of payments required under their IRHPs.
In this context there were significant advantages to a voluntary scheme over use of the FSA’s mandatory s.404 redress powers, which would be slower and more complex to implement, and prone to protracted challenge from the banks involved.
There were reasons for concern that the evidential challenges to the FSA of bringing action to require redress could not be overcome, resulting in worse outcomes all round.
The scheme delivered fair outcomes for those within its scope and the FSA was entitled to prioritize those customers.
The incorporation of the sophistication test followed intensive and robust negotiation with the banks and necessarily involved the need to make trade-offs to achieve the best overall result possible. There was no reason to believe that a better outcome could have been negotiated voluntarily with the banks.
Ultimately the scheme led to c.£2.2 billion being paid in redress in respect of 20,206 IRHP sales, with costs to the banks of c.£920 million.
Court’s Findings
The High Court rejected the challenge to the manner in which the FCA had exercised its discretion not to seek to require further redress to be paid to sophisticated customers excluded from the voluntary scheme, holding that:
Rational Basis: The FCA had a rational basis for its decision. The bar for irrationality is a high one and it was not irrational for the FCA to disagree with the conclusions of the independent review on the basis of a reasoned consideration that it conducted. There was no presumption that a public body in the position of the FCA should follow the recommendations of the independent review absent a good, very good, or cogent reason.
No Duty to Consult: The FCA was not legally obliged to consult stakeholders before making its decision regarding the exclusion criteria.
Regulatory Discretion: The FCA’s actions were within the scope of its regulatory authority and aligned with its statutory purpose of consumer protection. The FCA is afforded a wide measure of discretion as to when and how it will intervene to address potential mis-selling, having regard to its statutory objectives, regulatory principles and regulatory priorities. It could not be said to have misunderstood or misapplied that discretion in acting as it did.
Implications
This judgment reinforces the principle that regulatory bodies like the FCA have broad discretion in designing and implementing redress schemes (whether voluntary or compulsory), especially when balancing regulatory priorities, and the need for timely action, against the complexities of individual cases. Its decisions in such circumstances will not be lightly overturned by the courts. The judgment also shines a light on the decision-making processes of the regulator and the trade-offs that are made when negotiating such schemes. Those insights are worth considering at a time when another mass consumer redress scheme in relation to motor finance mis-selling is highly likely in the coming months, the design of which will inevitably involve similar issues.
Practice Statement: Restructuring Plans and Schemes – What Does this Mean for the Future? (UK)
We have seen an increasing number of contested restructuring plans (RPs) over the last quarter. With a notable shift of RPs into the litigation arena, and some gentle pushback from the judiciary about timetabling and use of court time, the judiciary has published a draft practice statement for consultation outlining new case management requirements for those proposing a plan.
Replies to the consultation must be submitted by 13 June, and although there is no official date for publication of the finalised statement, this is expected to be sometime in July.
The practice statement requires the parties to identify areas of contention and opposition early, seemingly seeking to streamline and reduce the number of issues that the court is required to deal with at sanction. In doing that there is a significant shift in process – requiring the plan company to issue a claim form before the court hearing is arranged and requiring the explanatory statement and all appendices to be prepared before the convening hearing.
The statement follows the direction of travel we have seen in recent cases, where the court has introduced case management processes – Madagascar Oil is a recent example where the court ordered a case management conference.
The statement is relevant not only to those proposing a plan, but also those who wish to object – requiring issues to be resolved in an efficient and orderly manner. Last minute opposition is unlikely to find much favour with the court moving forward.
Ultimately what the statement hopes to achieve is a more orderly approach to proceedings, but front loading much of the work comes with its own challenges – timing and costs being two.
Although this statement is not the final version, it is unlikely to change significantly between now and final publication, and in line with the approach we have seen the courts take recently it would be remiss not to apply the principles outlined in the statement now.
DHS Announces Termination of Afghanistan TPS Effective July 2025
On May 12, 2025, Secretary of Homeland Security Kristi Noem announced that the Temporary Protected Status (TPS) for Afghanistan will be terminated effective July 14, 2025. The current TPS designation for Afghanistan is scheduled to expire on May 20, 2025. This announcement is the latest in the current administration’s push to roll back immigration benefits for foreign nationals living and working in the United States. Noem stated that permitting Afghan nationals to remain temporarily in the United States is “contrary to the national interest of the United States.”
Quick Hits
On May 12, 2025, Secretary of Homeland Security Kristi Noem announced the termination of TPS for Afghanistan, effective July 14, 2025, as part of the administration’s efforts to reduce immigration benefits.
DHS deemed that the TPS designation, initially granted in 2022 due to the Taliban takeover, was now unnecessary because returning Afghan nationals would not face significant threats to their safety.
Despite Afghanistan’s “Level 4: Do Not Travel” status due to severe security risks, the TPS termination notice allows TPS beneficiaries 60 days to adjust, with work authorization extended until July 14, 2025.
Background
The Department of Homeland Security (DHS) created the TPS designation to provide temporary status to foreign nationals living in the United States who are unable to return to their home countries due to an event or circumstance present in that country. During a designated TPS period, TPS beneficiaries:
“Are not removable from the United States
Can obtain an employment authorization document (EAD)
May be granted travel authorization.”
Afghanistan received its TPS designation in 2022 after the United States withdrew from the country and the Taliban took over. By removing Afghanistan’s TPS designation, DHS has determined that the return of Afghan nationals to Afghanistan “does not pose a threat to their personal safety due to ongoing-armed conflict or extraordinary and temporary conditions.”
Secretary Noem cites the U.S. Citizenship and Immigration Services’ (USCIS) review of the conditions in Afghanistan as the impetus for this decision, along with a consultation with the U.S. Department of State (DOS). For those planning to travel to Afghanistan, the DOS has designated Afghanistan as a “Level 4: Do Not Travel” country. This latest update was made on January 13, 2025, “to reflect the security environment, immigration information, and availability of medical care.” [Emphasis omitted.] Afghanistan’s designation as a “Level 4” country is specifically due to “civil unrest, crime, terrorism, risk of wrongful detention, kidnapping, and limited health facilities.” [Emphasis omitted.]
Practical Impact
While the initial TPS designation for Afghanistan was set to expire on May 20, 2025, DHS regulations require that any rescission of TPS benefits be accompanied by a 60-day notice period. The TPS termination for Afghanistan was published in the Federal Register on May 13, 2025, resulting in an effective termination date of TPS benefits for Afghan nationals, including work authorization, on July 14, 2025.
The Federal Register notice specifically confirms that Employment Authorization Documents (EADs) granted to Afghan TPS beneficiaries also will be automatically extended through this 60-day notice period. This signifies that employers may accept, for the purposes of I-9 verification, any TPS EADs presented by Afghan beneficiaries with expiration dates of November 20, 2023, or May 20, 2025, as valid through July 14, 2025.
UK Data (Use and Access) Bill Status Update
As the draft UK Data (Use and Access) Bill (the “DUA Bill”) reaches its final stages, the House of Commons and the House of Lords are still debating several key issues. On May 14, 2025, the House of Commons received a program motion, urging it to deliberate on the amendments proposed by the House of Lords on May 12, 2025. The latest amendments introduced by the House of Lords include:
Scientific Data: Limiting the scope of the ‘scientific data’ provision by setting a higher standard for the reasonableness test such that “scientific research must be conducted according to appropriate ethical, legal and professional frameworks, obligations and standards.” This amendment is contrary to the position taken by the House of Commons, which proposed expanding the scope of the ‘scientific data’ provision by removing the requirement for the processing of ‘scientific data’ to be conducted in the ‘public interest.’
AI Models: Introducing transparency requirements for business data used in relation to AI models. The amendment would require developers of AI models to publish all information used in the pre-training, training, fine-tuning and retrieval-augmented generation of the AI model, and to provide a mechanism for copyright owners to identify any individual works they own that may have been used during such processes. The amendment also introduces transparency obligations in respect of “bots,” including the requirement to disclose information on the (1) name of the bot, (2) legal entity responsible for the bot, and (3) specific purpose for which each bot is used.
Sex Data: Introducing requirements for ‘sex data’ to be collected in the context of digital verification services.
The House of Commons will now consider such amendments. With the DUA Bill’s progress accelerating, it is anticipated that the DUA Bill will soon be finalized.
Read the latest amendments proposed by the House of Lords.
For more information on the DUA Bill, read our previous update on the DUA Bill.
Data Transactions: DOJ’s Final Rule’s Implications for Academic Medical Centers with Clinical Research Programs
The Department of Justice (DOJ) published its Final Rule to implement Executive Order 14117 on January 8, 2025, with a correcting amendment issued April 18, 2025. Executive Order 14117, issued on February 28, 2024, titled “Preventing Access to Americans’ Bulk Sensitive Personal Data and United States Government-Related Data by Countries of Concern,” instructed the Attorney General to create regulations that ban or limit U.S. persons from participating in transactions involving property in which a foreign country or its nationals have an interest. Transactions are banned or limited if they involve U.S. government-related data or bulk sensitive personal data (as defined by the final implementing rules), fall into categories deemed by the Attorney General to pose a national security risk (with such security risk arising from potential access to data by identified countries of concern or related individuals), and meet additional criteria outlined in the Executive Order.
The Final Rule outlines categories of transactions that are either banned or limited; designates specific countries and types of individuals or entities with whom transactions involving government-related or bulk U.S. sensitive personal data are restricted; creates a system for granting, modifying, or revoking licenses for otherwise restricted activities and for issuing advisory opinions; and sets requirements for transaction recordkeeping and reporting requirements to support the DOJ’s investigations, enforcement, and regulatory actions in relation to the Executive Order.
Academic Medical Centers (AMCs) and similar entities engaged in clinical research and international collaborations need to be aware of and determine the applicability of the regulatory requirements imposed by the Final Rule. Research partnerships involving biometric identifiers, personal health information, or genomic data may be deemed restricted or prohibited transactions if the partnerships include entities from designated countries of concern.
Summary
The Final Rule is aimed at preventing certain U.S. foreign adversaries — including China, Russia, Iran, North Korea, Cuba, and Venezuela — from accessing sensitive U.S. personal data and government-related information.
Key Definitions. The Final Rule authorizes the DOJ to regulate and enforce restrictions on data transactions with designated “Countries of Concern” and “Covered Persons.”
“Country of Concern” is defined to mean:
any foreign government that, as determined by the Attorney General with the concurrence of the Secretary of State and the Secretary of Commerce, (1) has engaged in a long-term pattern or serious instances of conduct significantly adverse to the national security of the United States or security and safety of United States persons, and (2) poses a significant risk of exploiting government-related data or bulk U.S. sensitive personal data to the detriment of the national security of the United States or security and safety of U.S. persons.
“Covered Person” is defined to include: (1) foreign entities that (a) are fifty percent or more owned, directly or indirectly, by Countries of Concern or other Covered Persons; or (b) are organized under the law of, or have their principal place of business in, a Country of Concern; (2) foreign entities that are fifty percent or more owned, directly or indirectly, by Covered Persons, whether individuals or entities; (3) foreign individuals who are non-U.S. residents working as employees or contractors of a Country of Concern; (4) foreign individuals primarily residing in Countries of Concern; and (5) other entities or individuals as reasonably determined by the Attorney General based on certain criteria.
Categories of Covered Data. The Final Rule targets eight categories of “Covered Data,” including biometric identifiers, genomic data, health and financial data, precise geolocation information, and personal identifiers that can be linked to other sensitive data. It also includes certain government-related information, such as data tied to U.S. government personnel or the geolocation of sensitive facilities. Notably, the regulations apply regardless of data processing volume when government-related information is involved.
Primary Types of Restricted Transactions. The DOJ identifies three primary types of restricted transactions: employment, investment, and vendor agreements. U.S. businesses must ensure foreign employees, investors, and service providers — especially those linked to Countries of Concern — do not gain access to Covered Data unless strict security protocols are met. This affects a wide range of commercial activities, from hiring and corporate deals to cloud services and software subscriptions, and likely impacts AMCs engaging in clinical research when data is shared with certain employees, research sponsors, investors and service providers. Prohibitions and restrictions of the Final Rule, however, only apply to Covered Data Transactions with a Country of Concern or Covered Person that involve access by a Country of Concern or Covered Person to government-related data or bulk U.S. sensitive personal data. The Final Rule does not regulate transactions that do not implicate access to government-related data or bulk U.S. sensitive personal data by a Country of Concern or a Covered Person.
Prohibited Transactions. Notably, under the Final Rule certain transactions are absolutely prohibited, such as those involving the sale or licensing of Covered Data to foreign entities in data brokerage arrangements, or those involving biometric data or biospecimens.
Penalties for Non-Compliance. Violations of the Final Rule carry significant fines and penalties. Civil fines can reach the greater of US$368,136 or twice the transaction amount. Willful violations may result in criminal penalties of up to US$1 million and up to 20 years in prison.
The Bottom Line for Clinical Research. To comply with the Final Rule, AMCs must engage in rigorous and thorough diligence on proposed and existing research activities, collaborations and operations, including on their partners, clients, employees/contractors, and data recipients, to determine if a proposed or existing transaction falls within the ambit of the Final Rule. The scope of the Final Rule and the penalties for violations and non-compliance are a clear indicator that a process to determine and ensure compliance with the Final Rule will be critical for AMCs, and for businesses across industries, that engage in activities and transactions involving personal or government-related data.
Implications for Academic Medical Centers with Clinical Research Programs
The Final Rule adds a new layer of regulatory compliance complexity for AMCs and similar entities engaged in clinical research and international collaborations.
Research studies and activities, including research collaborations and partnerships involving biometric identifiers, personal health information or genomic data, may be deemed restricted or prohibited transactions if the partnerships include entities from designated Countries of Concern and/or Covered Persons.
Existing and proposed multi-national studies and data-sharing initiatives must be reviewed to determine if the Final Rule is applicable to the study or activity, and if so, to ensure compliance.
Additionally, AMCs must also ensure that vendors, including cloud and AI service providers, are not affiliated with Countries of Concern and that all data processing activities meet stringent new security and compliance standards. As noted above, ensuring compliance with the Final Rule will necessitate a thorough review of the AMC’s vendor contracts.
Further, the Final Rule necessitates a reassessment by AMCs of their data-sharing policies and multi-site protocols, and will likely require the incorporation of national security-focused compliance clauses in certain data sharing agreements (such as data use agreements) and the enhancement of institutional data governance frameworks. Those frameworks should be designed to avoid and mitigate any legal and regulatory exposure, and to ensure that the institution is able to maintain eligibility for receipt of federal funding.
Next Steps
This Final Rule prescribes significant categorical rules that prevent U.S. persons from providing government-related data or U.S. citizens’ bulk, sensitive personal data, including through commercial data-brokerage transactions, to Countries of Concern or Covered Persons. Compliance with the Final Rule specifically necessitates that AMCs and institutions implement security measures when engaging in investment transactions, employment agreements, and vendor contracts that involve either government-related data or large-scale collections of sensitive personal data — such as health records, biometric identifiers, or financial information.
The requirements of the Final Rule are intended to prevent foreign adversaries from indirectly accessing this data through commercial relationships. By identifying these specific transaction types, the Final Rule seeks to address perceived national security gaps and provides clear, enforceable standards that define when and how data-related dealings with foreign actors are restricted.
Failure to comply with these new requirements could result in fines and penalties, regulatory scrutiny, loss of federal funding, and enforcement actions, making compliance with the Final Rule, when and as applicable to a transaction and activity, a critical compliance priority for AMCs and institutions handling large volumes of sensitive personal data.
Application of the Insolvency Claw-Back Barrier under Article 16 of the EU Insolvency Regulation to Cross-Border Shareholder Loans
Article 7(m) of the EU Insolvency Regulation (2015/848) provides that the law of the EU Member State in which insolvency proceedings have been commenced in respect of a company determines whether certain acts carried out prior to the commencement of insolvency proceedings, (such as payments made by the company), are void, voidable or unenforceable and may therefore be clawed back by the insolvency administrator.
However, Article 16 of the same Regulation provides an exception to this. This applies where the relevant relationship under which the payment was made is subject to the law of another EU Member State and under the law of that other Member State the payment cannot be challenged – the claw back barrier provisions.
Application of the “claw back” barrier provisions in practice
The impact of the “claw back” barrier provisions under the EU Insolvency Regulation is currently being considered by the European Court of Justice (ECJ). In this case, an Austrian holding company had provided an Austrian law governed shareholder loan to its German subsidiary. Before insolvency proceedings were opened in Germany against the subsidiary, the Austrian parent received payments of interest and principal under that loan. The German insolvency administrator wishes to claw back these payments and wishes to treat the claims of the Austrian holding company as subordinated to all other creditors of the German subsidiary.
The German Federal Supreme Court (Bundesgerichtshof – “BGH”) in an interim decision dated 16 January 2025 put forward a number of questions for the ECJ to consider, the answers to which will be relevant to how Article 16 of the EU Insolvency Regulation is applied throughout the EU. Although the decision of the BGH relates to Article 13 of the earlier EU Insolvency Regulation (1346/2000), that provision is materially identical to Article 16 of the current Regulation, and thus any judgment of the ECJ is likely also to apply to Article 16.
The reason for the challenge is based on arguments that local laws and rules in the jurisdiction where the insolvent company has its centre of main interest and which are based on corporate law should take priority over Article 16.
Under German insolvency law, shareholder loans granted to a German company would in principle be subordinated in a German insolvency of the German company. Therefore, any payments (like payments of principal and interest) can more easily be challenged and clawed back in the insolvency than other third-party payments. The litigation in this case has arisen because Austrian law rules differ from such German corporate law rules, and therefore the holding company invoked Austrian law and Article 16 in the German proceedings.
Impact of the ECJ’s findings
The ruling of the ECJ will be significant in determining whether, and to what extent, the risk of claw-back (in the context of shareholder loans) can be mitigated by choosing the law of another EU Member State as the law governing the shareholder loan.
Belgium’s Private Investigations Act: Is Your Internal Investigations Service in Focus?
In December 2024, the new Private Investigations Act came into force. The Act replaced the Private Detectives Act of 1991 and was long overdue, considering how much has changed in the world of private investigations. The 1991 law focused on detectives as sole practitioners, think Columbo or Magnum P.I., a world of uncertain ethics, periodic violence and grubby raincoats, most of which no longer exists outside the small screen. The new Act aims to modernise the applicable legal framework in light of new investigation methods and bring it into line with the General Data Protection Regulation (GDPR), though sadly not to address the traditional private detective issues of implausible dialogue and unhappy dress choices.
The Act imposes a number of obligations on employers instructing investigations on their employees, and we will discuss these changes at length in future blogs, but there is a more pressing issue we need to deal with first, and that regards your internal investigations service. The Act extends its scope from solo private detectives to all types of investigations companies but more importantly, also to internal investigations services. An internal investigations service is defined by the Act as ‘any service organised by a natural or legal person for its own purposes for the systematic performance of private investigation activities’. This definition is very wide and has prompted the legislator to exclude a number of roles and functions, such as lawyers, bailiffs and auditors.
The legislator has taken into account that in practice, internal services are often organised at group level and has therefore provided that investigation activities still qualify as internal when they are performed for the benefit of companies in the same group structure. What the legislator has seemingly not considered, however, is that international groups will often have an investigations team in one location, which is not necessarily Belgium, that will conduct all investigations for the group, including those concerning employees located in Belgium. This means that the Belgian legislator has probably also not fully realised that the registration obligation imposed by the Act may thus also extend to these internal investigations services located outside of Belgium, if their remit extends to this country.
The Act provides an exception for members of the HR team “who carry out private investigation activities on behalf of their own employer within the framework of incident investigations [not defined] involving employees of that employer”. The HR team will not be considered to perform the activities of an internal investigations service, so the registration obligation will not apply to them. The criterion of distinction would be the focus of the team: is it day-to-day HR activities, with an exceptional side activity of investigative work, or is investigation work the main focus for the team?
So what does this registration obligation entail? Internal investigations services must obtain a prior authorisation or licence from the Ministry of Interior to lawfully conduct private investigations in Belgium. The licence is granted for a renewable period of five years. It will only be awarded if the members of the team have a clean criminal record (minus some minor offences), have undergone specific training and are Belgian nationals or have their main residence in the EEA or Switzerland. This would seem to suggest the end of investigations being carried out more or less remotely by the US parents of local subsidiaries, though it is unclear at this stage just how much (substantial) advisory input into the investigation process and/or decisions there can still be from abroad so long as the team is fronted by someone satisfying the above conditions. The members of the team should also have a certain “desired profile”, meaning that they will honour individuals’ fundamental rights, be loyal and discreet, and not entertain suspicious relations with criminal organisations, etc.
The licence is awarded by the Ministry of Interior, which may, or in some cases must, seek the prior advice of the public prosecutor.
If an internal investigations service was already validly performing private investigation activities on the date of entry into force of the Act, 16 December 2024, it may continue to perform such services, but it will need to make a request to obtain a licence by 16 June 2025. The members of these teams will have 18 months after their company obtained a licence to undergo the required training and obtain a licence card. The specific training requirements are in fact still to be defined by Royal Decree.