Insights

On June 13, 2024, the European Union (EU) adopted the Artificial Intelligence Act (EU AI Act), making it the first-ever global law to regulate the use of artificial intelligence in a broad and horizontal manner. The historic measure applies to the development, deployment, and use of AI in the EU. Importantly, the EU AI Act has a certain “extra-territorial” effect to the extent that it is applicable to providers placing AI systems on the market in the EU, even if these providers are established outside the EU.

The EU Cyber Resilience Act (CRA) was formally adopted by the European Council on October 10, 2024. Its main goal is to enhance cybersecurity and cyber resilience across the EU by establishing common cybersecurity standards for digitally enabled products, such as required incident reports and automatic security updates. This includes, for example, connected home products (cameras, fridges, toys), password managers, firewalls, and VPNs.

In March 2024, after years of preparation, the Council of the European Union and the European Parliament reached a provisional agreement on a new regulation governing electronic health data. The regulation, known as the European Health Data Space, was first proposed in March 2022 and, when formally adopted, will apply to the primary use and secondary use of health data. This initiative is a key component of the broader EU data strategy and represents the first of nine sector– and domain–specific data spaces outlined in the European Commission’s 2020 communication on “A European strategy for data.”

When President Joe Biden issued the Executive Order on Safe, Secure, and Trustworthy Artificial Intelligence in 2023, his administration recognized not only the extraordinary promise of artificial intelligence (AI) but also the risks that irresponsible use of the technology posed. The risks identified by the President include algorithmic discrimination in activities that impact consumers, job candidates, and employees.

The People’s Republic of China’s data protection laws have evolved rapidly in recent years, reflecting the global trend towards greater data privacy and security. The cornerstone of this legal framework has been a trio of measures: the Cybersecurity Law (CSL), the Data Security Law (DSL), and the Personal Information Protection Law (PIPL). These three laws collectively govern the whole lifecycle of data processing.

In 2024, Latin American countries ramped up their data protection laws, following the general trend seen in international privacy law outside of the European Union. While many countries in Latin America enacted measures in 2024, others scheduled their regulations to go into effect in early 2025, and still others continue to wrestle with the legislative process.

On October 18, 2024, the requirements of Directive (EU) 2022/2555 on measures for a high common level of cybersecurity across the Union (NIS2 Directive) entered into force. The NIS2 Directive outlines the cybersecurity responsibilities of both “essential” and “important” entities, and sets out the duties of “management bodies,” emphasizing their potential liability for failure to comply with the new mandates, along with significant penalties for entities that fail to meet their obligations.

After years of anticipation and a series of delays, implementation of the U.S. Department of Defense’s Cyber Maturity Model Certification Program (CMMC) is rapidly approaching. Though CMMC is not expected to enter into effect until early-to- mid 2025, DOD contactors can start taking steps now to ensure a smooth transition into this new regulatory era.

The start of 2025 has seen the introduction of the new arbitration rules for the Qatar International Center for Conciliation and Arbitration (“QICCA”). The new rules, entitled the ‘Arbitration Rules 2024’, reflect the changing world of dispute resolution, and the rules are nearly double in length to the 2012 rules reflecting the QICCA’s understanding that arbitration is a competitive environment, and that institutional bodies need to adapt to meet the end-users’ needs. The 2024 rules are a considerable improvement, offering new regimes of expedited and emergency procedures, and transparency on third-party funding, making dispute resolution more accessible and user-friendly. We detail some of the more significant changes below.

U.S. colleges and universities watched closely this summer when the DOJ, in a novel move, scrutinized the cybersecurity compliance of a research lab at an academic institution.

As companies consider taking class actions to trial, a blockbuster decision from the U.S. Supreme Court instructing lower courts not to defer to federal agencies’ interpretations of the statutes Congress charged them with administering may prove useful. Companies should also be aware of a second decision holding agencies’ use of in-house judges to mete out civil penalties to be unconstitutional.

On a very basic level, generative artificial intelligence (Gen AI) takes in vast amounts of information, analyzes it, and provides results. It uses mathematical algorithms to find patterns in the information and exploits those patterns to achieve the user’s goal.

In class action lawsuits, much of the focus is on pretrial motions—and often, the appeal of lower court rulings on those motions. But for defendants, two trends could make it more difficult to win on those appeals.

Artificial intelligence (AI) has been finding its way into business for some time, but that trend was dramatically accelerated with the arrival of generative AI (Gen AI), which can create new content on its own. The release of a relatively easy-to-use version of Gen AI in late 2022 was followed by the rapid adoption of the technology—and not long after, by the arrival of class action lawsuits centered on AI.

As high-stakes class action lawsuits multiply, the standard playbook for defending against them may no longer work. A revised strategy involves some key departures from the traditional approach.