The Morrison Foerster Privacy + Data Security team excels in providing creative and practical advice across all stages of the information life cycle. This includes counseling on compliance with complex privacy laws, resolving breach situations, litigating privacy and data security claims, and defending enforcement actions.
With 2025 expected to bring significant changes in the sector, key trends include:
- More stringent global regulations
- Greater adoption of AI and machine learning for data protection
- Increased use of advanced encryption and anonymization techniques
- A continued rise in ransomware attacks
- Growing exploitation of supply chain vulnerabilities
- Increased consumer awareness of data rights and control
- A surge in class action lawsuits related to data breaches and privacy violations
We consulted our Privacy team—thought leaders in the field—to share their insights on what you can expect in the privacy and data security sector in 2025. Explore our predictions, organized by topic, for the year ahead:
U.S. State Privacy Laws
2025 Smells Like Teen Data
Mary Race (Of Counsel, Privacy + Data Security)
- 2025 will bring increased focus on protecting the personal data of teens. Since the federal Children’s Online Privacy Protection Act was originally passed, the United States has been primarily focused on protecting data of children under 13. Now, 25+ years later, this is no longer the case. Several recent U.S. state consumer privacy laws provide special protections for consumers under 18, particularly around the sale of teen data and the use of teen data for targeted advertising. Watch for more states to follow suit in 2025, and be on the lookout for additional state social media laws that also cover teen data.
U.S. State Enforcement Gets More Aggressive
Boris Segalis (Partner, Privacy + Data Security)
- State regulators, including New York, Texas, and California, will intensify privacy and cybersecurity enforcement, leveraging newly enacted state laws and existing state UDAP statutes. As federal enforcement potentially slows, states are primed to act more aggressively, often with less nuance and greater punitive focus. Unlike the FTC, states have the authority to impose fines for UDAP violations, giving them more leverage. Companies should anticipate stricter, less-forgiving state enforcement and prepare for a regulatory environment that may prioritize penalties over collaboration on compliance.
Data Brokers in the Crosshairs of Judicial Privacy Laws
Kathryn Taylor (Associate, Privacy + Data Security)
- 2024 saw a surge of litigation under New Jersey’s Daniel’s Law targeting data brokers and people look-up services for publishing judges’ and other public officials’ residential addresses, as well as an uptick in other states considering and passing similar legislation. Individuals will seize on the growing number of judicial privacy laws to fuel additional waves of lawsuits against data brokers.
It’s All In Your Head: The Impact of Neural Data Privacy
Mary Race (Of Counsel, Privacy + Data Security) and Carson Martinez (Associate, Privacy + Data Security)
- Neural privacy will be a hot topic in 2025, impacting technologies such as wearable devices, virtual reality headsets, and other brain-computer interfaces that have the potential to reveal sensitive data, such as a person’s truthfulness, political leanings, sexual orientation, or health conditions. In 2024, Colorado and California amended their consumer privacy laws to provide protections for “neural data,” and we expect other states to follow suit. Organizations such as The Neurorights Foundation will continue working with state legislatures to enshrine protections for neural data, and there will be increased pressure on industry to develop standards to protect neural privacy and promote the ethical use of neurotechnology.
Active States Continue to Fill a Vacuum
Dillon Kraus (Associate, Privacy + Data Security)
- While it seems unlikely that federal privacy legislation is passed in 2025, its absence continues to push states to step in. On top of that, the new presidential administration has indicated that it will reel in recently active federal agencies such as the FTC. This will create another vacuum into which state legislators and attorneys general are likely to step. Adding to these challenges, as states attempt to enforce newly enacted privacy laws, all the kinks that come with first-time enforcements will need to be ironed out. In particular, many new state laws regarding children’s privacy are preparing to roll out and are likely to face legal challenges (if they have not already). Uncertainty may make operating in this space difficult.
The Texas AG Ramps Up Enforcement
Josh Fattal (Associate, Privacy + Data Security)
- California has a new colleague in town as the Texas attorney general engages in a series of privacy enforcement activities. Over the second half of 2024, the AG has overseen an investigation into car manufacturers, a biometric data settlement, and a lawsuit over the sharing of children’s data. The AG, Ken Paxton, has demonstrated that his office is positioning itself as a leader in U.S. state privacy enforcement—and we expect this trend to continue in 2025. Companies operating in Texas should take this opportunity to review their compliance posture under Texas’s privacy and biometric data laws.
Bulk Data Transfers
The Other Bulk Data Transfer Law
Joseph Folio III (Partner, Privacy + Data Security)
- In March 2024, Congress quietly included the Protecting Americans’ Data from Foreign Adversaries Act (PADFAA) in a foreign aid bill. PADFAA, which entered into force in June 2024, empowers the FTC to regulate transactions with foreign adversaries involving the personal data of Americans. This new enforcement authority has seemingly been overshadowed by the DOJ’s proposed bulk data regulations. I predict that the FTC will file its inaugural enforcement action—a negotiated resolution with a data broker for a sizeable fine—before the DOJ’s regulations go into effect in 2025.
United States Tightens Grip: New Regulations on Foreign Data Sales
Josh Fattal (Associate, Privacy + Data Security)
- Companies will need to build out their compliance programs in 2025 to keep up with new restrictions on foreign data sales. Companies that have foreign subsidiaries or affiliates, or that sell, license, or otherwise transfer sensitive personal data to certain countries abroad, will need to determine applicable obligations. Understanding relevant data flows will be a critical first step. Expect enforcement in this area to increase as the U.S. government continues to work to prevent foreign adversaries from accessing Americans’ sensitive data.
Bulk Data Transfers to China
Damian Mencini (Senior Cybersecurity Advisor, Privacy + Data Security)
- This year, the U.S. government added new tools to its national security toolkit—regulating foreign adversaries’ access to sensitive U.S. data. Through the DOJ’s new Bulk Sensitive Data Regulatory Program and the Protecting Americans’ Data from Foreign Adversaries Act, the U.S. government has shown its intent to protect American data. While aspects of these programs may shift somewhat in the new year, one constant will be a laser focus on China—and on preventing transfers of sensitive American data to, or access to that data by, China.
Direct Marketing
The Future of TCPA Rules Remains Uncertain
Jonathan Newmark (Of Counsel, Privacy + Data Security)
- In 2025, we can expect to see the FCC’s ability to issue controlling TCPA rules significantly weaken. After the Supreme Court eliminated Chevron deference in its 2024 Loper Bright decision, FCC interpretations of the TCPA will not control if a court concludes that those interpretations are not based on the best reading of the statute. Further, the Supreme Court will decide McLaughlin in 2025, the outcome of which may further weaken the weight of FCC guidance. As a result, newer FCC regulations—such as its recent lead generation rule—are vulnerable to second-guessing by the courts. With this uncertainty, class action plaintiffs may turn to surer claims under state TCPA analogs, such as Florida’s Telephone Solicitation Act.
Health Privacy
Uncertainty for New HIPAA Privacy Rule to Support Reproductive Health Care
Melissa Crespo (Partner, Privacy + Data Security, Privacy + Data Security Litigation)
- The HIPAA Privacy Rule to Support Reproductive Health Care goes into effect on December 23, 2024, and introduces new protections for reproductive health information by HIPAA-covered entities and business associates in the wake of Dobbs. The Rule is already experiencing challenges, such as a lawsuit by the Texas AG seeking to vacate the Rule. These challenges are likely to be further amplified by the new administration, which will likely begin the process to repeal the Rule. In the interim, we can expect that the new administration won’t seek to enforce the Rule.
OCR’s Focus on Right of Access under HIPAA Continues
Jasmine Arooni (Associate, Privacy + Data Security, Privacy + Data Security Litigation)
- Enforcement of HIPAA’s provisions providing individuals with the right to access health records will remain a continued priority for the Department of Health and Human Services’ Office for Civil Rights (OCR). OCR enforcement against failures to provide access to health records will continue to increase, along with the penalties for such violations. HIPAA-covered entities must prioritize efforts to track and streamline access requests to ensure that such requests are addressed in a timely and accurate manner.
Updates to the HIPAA Security Rule. . . 20 Years Later
Melissa Crespo (Partner, Privacy + Data Security, Privacy + Data Security Litigation)
- In October 2024, HHS submitted proposed updates to the 20-year-old HIPAA Security Rule to improve cybersecurity in the healthcare sector. The Notice of Proposed Rulemaking is expected to be published in December. While HHS will be under new leadership in January and many efforts undertaken by the Biden administration are likely to be scrutinized, there have been a number of bipartisan efforts to address cybersecurity in the healthcare sector, especially in the wake of the Change Healthcare breach, and I think it is likely that the Security Rule amendments will move forward under the new administration.
HIPAA Risk Analysis Compliance Becomes an Enforcement Priority
Jasmine Arooni (Associate, Privacy + Data Security, Privacy + Data Security Litigation)
- OCR will aggressively pursue enforcement of HIPAA’s requirement that covered entities and their business associates carry out a compliant risk analysis to determine the potential risks and vulnerabilities to electronic PHI in their systems. OCR’s risk analysis-focused enforcement actions in the latter half of 2024, as well as OCR’s newly released tool designed to help organizations comply with HIPAA’s risk analysis requirements, indicate OCR’s increased attention to risk analysis compliance.
Biometrics
Biometric Boom: Combating Deep Fakes and Fake IDs in Employment
Miriam Wugmeister (Partner, Privacy + Data Security)
- The threat actors are creative, and they have more time and resources to figure out ways to exploit organizations. With the rise of deep fakes and the increased prevalence of North Korean individuals using fake IDs to gain employment and remote work opportunities with companies, we will see an increase in the use of biometric identification as part of the employment process in an effort to thwart the bad guys.
Cybersecurity
Cyber Defense at Risk: How Politicization Could Hinder Public-Private Collaboration
Miriam Wugmeister (Partner, Privacy + Data Security)
- Sharing of information between the public and private sector has become essential to stopping threats from nation state and criminal actors. If the FBI and DOJ become more politicized in the next administration, companies will be less inclined to share information about cyber attacks and may resort to sharing only where legally required. This would be a serious loss and would be detrimental to the fight against nation state and criminal actors.
Rising Tide of Cyber Threats: Anticipating Increased Sophistication in Cybersecurity Incidents
Linda Clark (Partner, Privacy + Data Security) and Dan Alam (Associate, Privacy + Data Security)
- Threat actors will continue to conduct more sophisticated and targeted attacks by leveraging AI to generate customized malware, phishing attacks, and deep fakes. In response, organizations will look for ways to shore up their protections against both low-tech risks, like social engineering, and high-tech factors, like AI.
Emerging Trends in U.S. Federal Government Contracts
Continued move toward enhanced cybersecurity standards.
Tina Reynolds (Partner, Government Contracts + Public Procurement)
- In 2024, cybersecurity requirements for Department of Defense contractors were solidified in the form of the Cybersecurity Maturity Model Certification (CMMC) Program final rule. In the coming year, the Federal Acquisition Regulation (FAR) cybersecurity rules will also be finalized. Both impose on federal government contractors the obligation to meet specified cybersecurity standards developed by the National Institute of Standards and Technology (NIST), and both include certification elements that could give rise to False Claims Act liability if untrue or misleading. The Federal Risk and Authorization Management Program (FedRAMP), which approves cloud products and services used by the federal government, will also be modernized.
Uncertainty in the Compliance Environment
Boris Segalis (Partner, Privacy + Data Security)
- The incoming administration’s deregulatory agenda will likely increase uncertainty in the privacy and cybersecurity landscape. Without a clear positive agenda, predicting which areas will face deregulation is difficult, especially with expected court challenges. Federal regulations are only one piece of the puzzle, as state laws, private litigation, and market forces will continue to drive compliance. In this environment, businesses must rely on core principles of fairness, transparency, and past experiences to future-proof their products, services, and compliance strategies amidst growing uncertainty.
Congress Stumbles on Comprehensive Privacy Legislation but Advances Targeted Privacy and Cybersecurity Bills
Nathan Taylor (Partner, Privacy + Data Security, Privacy + Data Security Litigation)
- Despite having control of Congress for at least two years, I predict that the Republican Congress will not pass comprehensive privacy legislation that applies to businesses generally. But Congress will likely enact several more discrete privacy bills, including one targeting social media/technology and one relating to children’s data. Separately, I predict that Congress will enact a bill directing the various federal regulators to harmonize their respective cybersecurity standards.
Beware the Insider Threat: A Growing Concern in Cybersecurity
Damian Mencini (Senior Cybersecurity Advisor, Privacy + Data Security)
- Sometimes the easiest way to compromise a company’s cybersecurity defenses is to get a job at the company. We saw this in spades this year as fraudulent IT workers applied for and gained employment in remote-only jobs. As companies invest more in protecting their perimeter, I predict that equal focus will be applied to defending against insider threats.
Public–Private Collaboration in the Face of Cyber Threats
Jasmine Arooni (Associate, Privacy + Data Security, Privacy + Data Security Litigation)
- National cybersecurity defense will grow as a U.S. government priority in light of cyber threats to domestic infrastructure. As part of such efforts, the U.S. government may work in conjunction with domestic companies to understand the efforts and costs associated with cybersecurity threats and issue cybersecurity requirements accordingly. Public–private collaboration will become even more prevalent, particularly in the realm of critical infrastructure as the cyber landscape becomes more volatile.
Do You SEC What I See?
Haima Marlier (Partner, Securities Litigation, Enforcement, White-Collar Defense, Privacy + Data Security)
- In 2025, the SEC will continue to investigate whether public companies are disclosing material cyber incidents and information, but depart from more novel enforcement theories based on controls violations and allegedly deficient risk disclosures. The federal court order dismissing many of the SEC’s claims against SolarWinds leaves a clear path for the SEC to charge public companies and individuals with securities fraud for making specific cybersecurity statements that are untrue or omit material information. The SEC will leverage its amendments to Regulation S-P to expand its cybersecurity enforcement reach to broker-dealers, investment companies, and registered investment advisers.
Cyber Incident Reporting: Increasing Regulation, Decreasing Harmonization
Damian Mencini (Senior Cybersecurity Advisor, Privacy + Data Security)
- This year, we saw the Cybersecurity and Infrastructure Security Agency’s (CISA) long-awaited proposed rule for reporting cyber incidents under the Cyber Incident Reporting for Critical Infrastructure Act (CIRCIA). What we didn’t see was any significant progress in harmonizing the existing dozens of federal cyber incident reporting regulations. As cybersecurity continues to be a top priority across the U.S. government, it is more likely that we will see new regulations for cyber reporting than harmonization of existing ones.
Not-So-Obvious Phishing and Social Engineering Efforts
Jasmine Arooni (Associate, Privacy + Data Security, Privacy + Data Security Litigation)
- Despite a greater focus on cybersecurity training, awareness, and hygiene, organizations are anticipated to become increasingly vulnerable to social engineering efforts targeting employees. Phishing and other social engineering attacks are expected to continue evolving to become more sophisticated and difficult to identify. The growing sophistication of phishing and social engineering efforts is predicted to spur an increased focus by organizations on building strong and consistent training and awareness programs, fostering an environment of proactive reporting, and implementing creative measures to keep employees interested and engaged in maintaining effective cyber hygiene practices.
Unifying the EU Cybersecurity Landscape: A Comprehensive Outlook
Michelle Luo (Associate, Technology + Transactions, Privacy + Data Security)
- Cybersecurity will likely be a top priority for many organizations in 2025 as we anticipate substantial progress being made on multiple EU legislative fronts. Financial services entities and their ICT service providers are expected to be the first in line to bring their cybersecurity practices into compliance, with DORA’s implementation deadline being January 17, 2025. Meanwhile, having already missed the October 17, 2024, deadline, many EU member states will likely play catch-up on implementing NIS 2 (having already been issued with formal infringement notices by the European Commission). Manufacturers, distributors, and importers of digital products falling under the CRA are predicted to also start putting cybersecurity compliance on their radar, as the three-year CRA countdown clock has begun ticking.
Security Urgency Around IT and OT
Jasmine Arooni (Associate, Privacy + Data Security, Privacy + Data Security Litigation)
- Cyber threats targeting critical infrastructure and the manufacturing sector will continue to rise, which will require organizations to make clear distinctions between their information technology (IT) and operational technology (OT) systems, and align their IT and OT cybersecurity strategies accordingly.
Cryptocurrency and Cyber Extortion Rise in Tandem
Jasmine Arooni (Associate, Privacy + Data Security, Privacy + Data Security Litigation)
- Threat actors will continue to pursue ransomware and cyber extortion, with cryptocurrency extortion demands arriving with increased frequency. Potential decreased regulation concerning cryptocurrency (and the rise in the value of cryptocurrencies) in the United States may further bolster the rise of ransomware and cyber extortion attacks. Organizations must focus heavily not only on resilience and recovery in the face of such attacks, but on gaining awareness of, and preparing for, the highly variable costs that may arise in an extortion scenario.
2025 Outlook: DOJ Leadership Shifts, but FCA Enforcement on Cybersecurity Remains Steadfast
Nathaniel Mendell (Partner, Privacy + Data Security)
- 2025 will bring changes in DOJ leadership and policy, but expect one thing to stay the same: Federal enforcers will continue to use the False Claims Act (FCA) to punish companies that fail to meet the cybersecurity standards set out in their federal contracts. Data breach notifications provide enforcers with a steady supply of potential defendants, and high-profile resolutions (usually involving large penalties) serve DOJ’s policy goals by highlighting the importance of cybersecurity and promoting compliance. That is a combination that will continue to prove attractive in 2025.
Continued Surge in Data Breach Class-Action Litigation
Whitney Lee (Associate, Privacy + Data Security)
- Class-action litigation stemming from cybersecurity incidents will remain a significant challenge for companies in 2025, as plaintiffs’ firms continue to view these cases as a profitable avenue for compensation. While not every case will reach high-profile status, the volume of filings is expected to increase, driving companies to enhance their security posture and prioritize proactive measures to mitigate the risk of cyber incidents.
Acceleration of Open Banking Initiatives Globally
Whitney Lee (Associate, Privacy + Data Security)
- Momentum for open banking will continue to build in 2025, with countries such as Canada and Australia implementing frameworks that require financial institutions to facilitate secure data sharing with trusted third parties, such as fintech companies or other banks, in response to consumer demand for improved financial services. These initiatives promise to drive fintech innovation and empower consumers with greater control over their financial information, though companies will need to navigate evolving security and privacy compliance challenges.
Quantum Computing
The Quantum Leap: 2024 – The Year of Quantum Computing
Damian Mencini (Senior Cybersecurity Advisor, Privacy + Data Security)
- The United Nations proclaimed 2025 as the International Year of Quantum Science and Technology, and
- NIST announced its post-quantum cryptographic standards, designed to withstand quantum computing cyber-attacks.
We expect to see a huge focus on quantum computing from nations and companies alike in 2025. This focus, based on years of government-backed investment and research, is likely to show results, including companies hitting new milestones (such as more commercially viable quantum computing products), companies identifying new ways to apply quantum computing, and perhaps significant announcements from nations racing to be the quantum computing leader.
Post-Quantum Cryptography Adoption
Damian Mencini (Senior Cybersecurity Advisor, Privacy + Data Security)
- Toward the end of 2024, regulators and companies started to seriously consider how they would address the issues raised by quantum computing, which in the not-too-distant future has the potential to render commonplace safeguards (like current encryption standards) obsolete. We expect that as regulators become more concerned that the old model for securing systems and data will soon become ineffective, they’ll push companies and governmental agencies alike to future-proof their safeguards and plan for migration to post-quantum standards before it’s too late.
AI
Fortifying AI: The Power of Red-Teaming
Linda Clark (Partner, Privacy + Data Security) and Dan Alam (Associate, Privacy + Data Security)
- Given the growing number of AI-related cybersecurity incidents and the expectation from regulators that AI systems are used in a way that is secure, organizations will deploy internal and external resources to “red team” their AI systems. Such testing could include prompt testing (e.g., prompts that are designed to cause the AI system to malfunction), infrastructure testing, and broader product testing. Red team exercises should involve a review of operational and legal controls, as well as technical measures.
Balancing Innovation and Compliance: Navigating the Pro-AI Agenda with Robust Governance
Boris Segalis (Partner, Privacy + Data Security)
- The new administration’s pro-AI agenda is expected to grant significant freedom for companies to develop and deploy AI technologies. However, existing laws addressing bias, fairness, transparency, and purpose limitations remain in force. Companies will likely maintain governance frameworks based on fairness, transparency, and accountability to meet the expectations of investors, customers, and regulators. Preparing now will position businesses to adapt to potential regulatory changes in the next two to four years while fostering trust with stakeholders and staying competitive in a rapidly evolving market.
Unveiling the Future: What’s on the UK’s AI Horizon?
Michelle Luo (Associate, Technology + Transactions, Privacy + Data Security)
- With the ICO concluding its five-part consultation series on generative AI, we can expect to see the fruits of the ICO’s labor in 2025 in the form of new guidance. Mirroring the consultation topics, such guidance will likely focus on: (i) the lawful basis for training generative AI models; (ii) adherence to data protection principles such as purpose limitation and accuracy; (iii) data subject rights; and (iv) controllership. More broadly, we could even see some comprehensive AI legislation arise in the UK, after the government pledged to draft binding regulation for companies developing the “most powerful AI models.”
Transforming Tomorrow: The Rise of AI in the Workplace
Hanno Timner (Partner, Privacy + Data Security, Privacy + Data Litigation)
- In 2025, tools relying on sophisticated AI will increasingly be applied in the workplace. This will certainly go far beyond AI-based pre-selection processes for job applicants and work allocation software, e.g., in large logistics companies. EU Data Protection Authorities and the privacy community will need to develop comprehensive guidelines for the use of such AI‑based tools, allowing companies to benefit from the technological progress while safeguarding the employees’ privacy.
Will the AI Act—Like GDPR—Have the Brussels Effect?
Lokke Moerel (Senior Of Counsel, Privacy + Data Security)
- In 2025, the EU AI Act will become the de facto global baseline on how to operationalize responsible AI. It took the EU many years to get more clarity and harmonization on the implementation of GDPR, and the EU authorities are not going to make the same mistake. The EC has provided the EU standard-setting agencies with a deadline of April 30, 2025, to issue harmonized standards for the main requirements (such as AI risk management). The EC provided the same deadline to the AI Office to orchestrate the drafting of the General-Purpose AI Code of Practice. This is a tightly regulated iterative drafting process, whereby the best independent experts from around the world are tasked to draft the Code based on the contributions of AI providers, and in total, four rounds of discussion are organized with 1,000 stakeholders. The first draft was published in November and shows a detailed level of practical requirements which, once adopted, will provide for practical implementation baselines for all concerned going forward.
Start Taking Action Now: The EU AI Act Is Coming
Marijn Storm (Partner, Privacy + Data Security, Privacy + Data Litigation)
- 2024 saw the adoption of the EU AI Act, with transition periods for various categories of AI running into 2025, 2026, and beyond. But this does not mean that enforcement will wait until then. EU data protection authorities can already enforce compliance with broad ethical requirements under the GDPR, such as fairness and lawfulness. Considering that most high‑risk AI use cases are highly likely to involve personal information, EU data protection authorities will likely start taking action before the AI Act’s implementation period has lapsed.
The AI Legislative Surge: Navigating the Rising Tide of Laws and Bills
Josh Fattal (Associate, Privacy + Data Security)
- As companies gear up for enforcement under the EU and Colorado AI laws, a growing flood of new AI-related bills and laws promises to keep governance, compliance, and engineering teams busy into the new year. To tackle the new requirements that these regulations will impose, companies will need to develop new programs to establish the rules of the road for employees’ use of AI tools. Companies will also have to decide which AI tools they will allow, which they will prohibit, and which categories of data they will permit for use in AI systems.
Increased M&A Activity in AI
AI presents thorny issues in legal due diligence.
Annabel Gillham (Partner, Privacy + Data Security), Julie O’Neill (Partner, Privacy + Data Security), and Dan Alam (Associate, Privacy + Data Security)
- Following the mass adoption of large language models (LLMs) over the last two years, we will continue to see a high volume of acquisitions in the AI space in 2025. Such acquisitions raise complex issues during privacy and AI legal due diligence, including whether the target has sourced training data lawfully, whether the AI system makes automated decisions that significantly affect individuals, how the target uses customer and personal information for product development purposes, how it has positioned itself in customer contracts, and what AI governance the target has in place. Given the increased regulatory attention on AI governance, potential purchasers of AI companies should ensure that they appropriately diligence these issues prior to signing.
Shifting Sands: AI Regulation Under a New Administration Focused on Free Speech and Reduced Oversight
Kate Driscoll (Partner, AI and Healthcare Enforcement)
- The trajectory of AI regulation may change under a new administration that has said its approach to AI will focus on promoting free speech (as opposed to control of disinformation and related abuses) and reducing regulation. That won’t hinder enforcers from investigating AI tools that they suspect improperly increase reimbursements for federally funded healthcare or skew clinical decision making.
The Bad Guys Have AI Too
Dillon Kraus (Associate, Privacy + Data Security)
- We have already begun to see the use of AI-enabled tools to perpetrate cyber attacks and fraud, but it will get much worse before it gets better. AI will serve as a multiplier for existing cybercrime, including phishing and deep fakes, illicit data collection, automated network attacks, data poisoning, and more. At the same time, attackers will work to manipulate existing models to both steal algorithms and exploit vulnerabilities.
Growing Regulatory Focus on AI Data Practices Outside the United States
Whitney Lee (Associate, Privacy + Data Security)
- Non-U.S. regulators, particularly in the EU and Asia, are expected to intensify their focus on the intersection of AI and data privacy. New legal frameworks are likely to emerge, aimed at holding organizations accountable for how AI systems collect, store, and process personal data. Mandates for AI explainability, transparency, and data minimization are expected to become central regulatory priorities.
Strengthened AI Oversight in the Netherlands
Marijn Storm (Partner, Privacy + Data Security, Privacy + Data Litigation) and Whitney Lee (Associate, Privacy + Data Security)
- EU countries will need to designate supervisory authorities (SAs) for the EU AI Act by August 2025. Contrary to, for example, GDPR, a single country is allowed to appoint multiple AI SAs. For example, an SA could be appointed to supervise AI in healthcare, and a different SA to supervise AI in the banking and finance sector. Most EU countries are yet to decide on their approach to supervising AI, but we predict that several countries will appoint multiple SAs. For example, the Netherlands has already appointed its Authority for Financial Markets and National Bank to handle market surveillance and the Human Environment and Transport Inspectorate to oversee the use of AI in critical infrastructure, and all other SA tasks will be placed with the data protection authority. This fractured landscape will require an increased effort for organizations subject to the EU AI Act to stay on top of all decisions and guidance by their relevant SAs, which will especially be relevant in the early days of the EU AI Act, when a number of key concepts will not have crystallized yet.
Data Privacy in the EU
Anticipating EU Enforcement Trends: A Forward-Looking Analysis
Hanno Timner (Partner, Privacy + Data Security, Privacy + Data Litigation)
- Some major proceedings involving high eight-figure fines for data protection violations imposed by European data protection authorities are due to be reviewed by the courts in 2025. It is to be expected that this will help to standardize the presently inconsistent enforcement practices of data protection authorities in the EU in the future.
Anticipating the Future: The Impacts of the German Employee Data Protection Act
Hanno Timner (Partner, Privacy + Data Security, Privacy + Data Litigation)
- After the European Court of Justice declared the German regulations on employee data protection invalid, the federal government has presented a draft new employee data protection act. It is expected that the German Federal Parliament (Bundestag) will pass the law in 2025. Companies in Germany will have to review their employee data processing in light of the expected new regulations.
NIS2 Spotlight: National Implementations and Compliance in 2025
Alex van der Wolk (Partner, Privacy + Data Security, Privacy + Data Litigation)
- A number of significant and game-changing cybersecurity regulations are going to take center stage in 2025. For example, with most EU member states having missed the implementation deadline of the NIS2 directive in October 2024, eyes will be on key jurisdictions such as Germany, the Netherlands, France, Spain, and Ireland to issue their national implementing laws. As with any directive requiring national implementation, national deviations are to be expected. Furthermore, national competent authorities will likely start their review of registered companies and commence outreaches where they feel that registrations may be trailing.
DORA’s Dawn: Financial Institutions Brace for 2025 Cybersecurity Standards
Alex van der Wolk (Partner, Privacy + Data Security, Privacy + Data Litigation)
- The Digital Operational Resilience Act (DORA) will take effect in January 2025 and, being a regulation, will have direct effect throughout the EU. Financial institutions, as the primary “beneficiaries” of DORA, will want to benchmark their cybersecurity program against DORA requirements. Third-party ICT service providers should expect a push from their financial institution customers regarding DORA-related contracting and cybersecurity requirements. Critical ICT service providers will want to take note of the fact that they will come under direct DORA oversight.
Get Ahead: Preparing for the EU Cyber Resilience Act Now
Alex van der Wolk (Partner, Privacy + Data Security, Privacy + Data Litigation)
- While the EU’s Cyber Resilience Act (CRA) will not take effect until 2026 and 2027, companies that manufacture, import, or distribute connected products will already want to start preparing for this latest piece of EU cyber legislation. Having been finalized in late 2024, the timeline of taking effect in 2 and 3 years (depending on the respective obligations) may seem far off. However, considering the object of the CRA—hardware and software products with digital elements—compliance will need to be built into the product’s development life cycle.
Cookie Enforcement Continues to Increase
Marijn Storm (Partner, Privacy + Data Security, Privacy + Data Litigation)
- Enforcement of cookie consent requirements has been fairly limited for a few years and saw an uptick in 2024. As supervisory authorities are becoming more tech-savvy and cookie-scanning tools become easier to use and more readily available, supervisory authorities can more easily run wide scans of websites within their jurisdiction and easily identify cookie consent violations. This will likely result in a continued rise in cookie consent enforcement.
UK Data Protection Reforms
This Time’s the Charm?
The UK’s latest attempt to revise its data protection laws will likely be more successful than previous attempts.
Annabel Gillham (Partner, Privacy + Data Security) and Dan Alam (Associate, Privacy + Data Security)
- The new UK government has revived attempts to amend the UK’s data protection and e‑privacy laws. The new Data (Use and Access) Bill retains the key requirements of the UK GDPR, but, among other changes, relaxes restrictions on automated decision-making and increases the maximum fine that the UK Information Commissioner’s Office (ICO) can impose for violating e-privacy rules. More controversial aspects of the previous government’s attempts to reform the UK GDPR have been dropped (such as the removal of the concept of a data protection officer and relaxing the requirement to complete data protection impact assessments). In addition to UK GDPR and e-privacy reforms, the Bill includes provisions that may require “data holders” to provide non-personal information to consumers in a similar way to the EU’s Data Act, as well as provisions to revamp the UK’s digital ID infrastructure. Given the current UK government’s large parliamentary majority, it is highly likely that the Bill will pass. Companies should monitor the Bill’s passage through the legislative process and keep an eye out for the EC’s reaction in early 2025, when it comes to renewing its adequacy decision for the UK in respect of cross-border data transfers from the EU to the UK.
DSARs Are Flavor Du Jour
Annabel Gillham (Partner, Privacy + Data Security) and Dan Alam (Associate, Privacy + Data Security)
- The volume and complexity of customer, third-party, and employee data subject access requests (DSARs) are on the rise, and DSARs will continue to be a key enforcement priority for UK and EU data protection authorities during 2025 (per the UK Information Commissioner’s keynote at the 2024 Data Protection Practitioners’ Conference and the European Data Protection Board’s Co-ordinated Enforcement Framework). We also expect increased cooperation and knowledge-sharing between data protection authorities on this issue to continue in 2025. Companies should ensure that they dedicate sufficient investment and resources to managing DSARs, including effective technology and staff training.
Children’s Safety Continues to Be on the Agenda Going into Next Year
Mercedes Samavi (Of Counsel, Privacy + Data Security, Privacy + Data Security Litigation)
- In the UK, the ICO has already indicated children’s privacy to be a top priority, and we expect other countries to follow suit. The key question is how the regulators will develop their working dynamic where their frameworks overlap—I’m thinking in particular about the relationship between the ICO and Ofcom with respect to the UK Online Safety Act. Organizations may find that their understanding of topics such as data protection, content moderation, freedom of expression, and IP rights can get quickly muddled, so it’s important for them to have a clear understanding of how their online services, products, and content are all impacted by the different legal concepts. Elsewhere, we are seeing similarly robust responses from governments such as Australia and Norway, who are looking to introduce even more stringent laws about children’s online safety. In practice, this means even more monitoring for businesses to make sure that they stay on top of a rapidly changing landscape.
Japanese Privacy Laws
Expanding Horizons: Enhanced Safeguards for Personal Data
Yukihiro Terazawa (Partner, Privacy + Data Security) and Takaki Sato (Of Counsel, Privacy + Data Security)
- The Japanese privacy regulator (PPC) is considering amending the Act on Protection of Personal Information (APPI). Following a public consultation on PPC’s interim issue list in July, PPC acknowledged a wide division of views among stakeholders, particularly around a proposal to strengthen the protection of children’s personal information and the enforcement of APPI—e.g., introducing injunctions and class actions, as well as fines that correspond to the violator’s revenue. PPC plans to put together a final report on its policy by the end of 2024, but we do not have clear visibility as to whether and when the legislators will pass a bill.
China Privacy Laws
Mainland China
Streamlining the Future: Simplified Processes for CBDT Regulatory Filings
Paul McKenzie (Partner, Privacy + Data Security) and Tingting Gao (Associate, Privacy + Data Security)
- In 2024, the Cyberspace Administration of China (CAC) significantly relaxed China’s cross‑border data transfer (CBDT) regime, raising volume and other thresholds that trigger the requirement for a data controller to make a regulatory filing with CAC and introducing exemptions from the need to make a filing. In 2025, look for CAC at both the central and the local levels to streamline and standardize the filing process for those data controllers that need to make a CBDT filing, applying lessons learned from administering the CBDT filing regime over the last several months. International businesses might expect a more predictable and efficient review process with clearer review criteria. Meanwhile, companies registering in one of the free trade zones (FTZs) may start to enjoy the practical benefit of a central government policy, allowing more permissive CBDT rules to be applied within FTZs, as various FTZ authorities issue implementing measures.
Unveiling the Future: The Impact of China’s PIPL and DSL Implementation
Paul McKenzie (Partner, Privacy + Data Security) and Tingting Gao (Associate, Privacy + Data Security)
We also anticipate that other gaps in the implementation of China’s Personal Information Protection Law (PIPL) and Data Security Law (DSL) will be filled in 2025, and that we will see increased enforcement of the PIPL.
- China is likely to roll out its reporting system for the regulatory reporting of data breaches in 2025. PIPL requires data controllers to report data breaches to the relevant authorities, without defining what types of breach are reportable and other details of the reporting regime. Draft measures that were circulated for public comment at the end of 2023 fill in the gaps and will likely be promulgated soon.
Heightened Focus on PIPL Audit Provisions Anticipated in 2025
Paul McKenzie (Partner, Privacy + Data Security) and Tingting Gao (Associate, Privacy + Data Security)
- We expect to see greater attention by regulators and companies to the audit provisions of PIPL. PIPL requires data controllers to conduct regular audits and, if ordered by the supervisory authority, an ad hoc audit of their personal information processing activities to assure compliance with PIPL requirements. Draft implementing regulations were circulated for public comment during the second half of 2023 and will likely be adopted soon.
China Set To Enforce PIPL’s Extraterritorial Provisions in 2025
Paul McKenzie (Partner, Privacy + Data Security) and Tingting Gao (Associate, Privacy + Data Security)
- China will likely start to enforce extraterritorial aspects of PIPL in 2025. Under PIPL, a foreign controller that is subject to PIPL’s extraterritorial jurisdiction is required to report its China representative’s name and contact information to the responsible department, but PIPL does not designate which department that is. The Administrative Regulations on the Security of Network Data, going into effect in 2025, designate the municipal branch of CAC where the representative is located as the department to receive the report. We expect local CAC branches to issue operational rules and start accepting reports soon.
Anticipating Expanded Insights: Future Guidance on Critical Data Scope
Gordon Milner (Partner, Privacy + Data Security) and Tingting Gao (Associate, Privacy + Data Security)
- “Important data” is an essential concept under China’s Data Security Law (DSL), which was issued in 2021, and its processing is subject to extensive restrictions and compliance requirements, including in connection with cross-border data transfers (CBDT). Over the years, only a high-level definition of important data was available, and lack of clarity has resulted in challenges for international businesses operating in China. 2024 witnessed various People’s Republic of China regulators, both sectoral and geographical (such as FTZs), filling in the details by publishing helpful catalogues identifying important data within their respective scopes of authority. We anticipate that this trend will continue in 2025. 2025 will also see the coming into force of the Administrative Regulations on the Security of Network Data that will impose enhanced obligations on controllers that process important data that has clearly been identified as such, including to conduct mandatory risk assessments.
Hong Kong Privacy Laws
Upcoming Changes: Hong Kong’s PDPO Amendments and New Cybersecurity Law
Gordon Milner (Partner, Privacy + Data Security), Chuan Sun (Partner, Privacy + Data Security), and Zooey Chen (Associate, Privacy + Data Security)
- In 2024, Hong Kong’s Privacy Commissioner for Personal Data (PCPD) has been considering updating the Personal Data (Privacy) Ordinance (PDPO) to enhance privacy protection by adopting rules common in many other jurisdictions, including establishing a mandatory data breach notification mechanism, requiring data users to have a data retention policy, and giving the PCPD the statutory power to impose administrative fines. While no amendments have been made at the time of writing, 2025 is likely to see ongoing debate over modernizing the PDPO. Hong Kong’s first cybersecurity law is also on the horizon for 2025—it may be introduced to the Legislative Council by the end of this year for approval. The current draft proposals borrow elements from European, UK, Australian, and PRC laws, and, if adopted, would require designated operators of critical infrastructure to take measures to strengthen and report on the security of their critical computer systems. A new Commissioner’s Office would also be established with extensive statutory powers to enforce the new law.
National Security
North Korea Fakes: Seeing the Ramifications
Linda Clark (Partner, Privacy + Data Security) and Dan Alam (Associate, Privacy + Data Security)
- In 2024, North Korea made millions by placing fake remote IT workers at large multinationals and small companies alike. We expect the ramifications to continue to play out, both because some companies have yet to discover they’ve been compromised and because other countries are copying this scheme. We also expect this “remote workers” scheme to evolve to include systems compromises, data theft, and extortion.
Federal Privacy Laws
The Era of Open Banking Is Here
Josh Fattal (Associate, Privacy + Data Security)
- Banks, data aggregators, fintechs, and other actors in the financial ecosystem will need to determine how the CFPB’s open banking rule, finalized this past fall, will apply to their business. The final rule is designed to push the United States toward a model of open banking, where consumers have access to their financial data and can easily take their data to other financial institutions. Data providers will need to work to develop consumer interfaces to enable access to data, among other compliance steps. The new requirements will add to the workloads of legal, technical, and product teams.
Privacy in the Balance: The Bipartisan Push for Federal Legislation Amidst State Law Patchwork
Boris Segalis (Partner, Privacy + Data Security)
- Privacy has become a rare bipartisan issue, and businesses increasingly support federal legislation to reduce the costs and challenges of complying with a patchwork of state laws. A renewed push for federal privacy and cybersecurity laws could aim to establish uniform standards, with Republicans potentially focusing on preempting state laws and limiting private rights of action. However, the need for 60 votes in the Senate presents a formidable barrier. While a federal law may emerge, progress is likely to be slow and contentious, requiring businesses to continue navigating diverse state requirements.
South Asia
All eyes should be on South Asia in the coming year when new data privacy laws in India and Sri Lanka take effect. Failure to comply with these new rules can result in large financial penalties for companies and, potentially, corporate officers.
India’s Digital Personal Data Protection Act Expected to Take Effect in 2025
Cindy Rich (Senior Privacy Advisor, Privacy + Data Security)
- India’s Digital Personal Data Protection Act, enacted in 2023 (see our article), will likely go into effect in 2025, once the long-awaited implementing regulations are issued in final form. Draft regulations are expected to be issued before the end of 2024 and could be approved quickly after a brief consultation period is completed. Once in force, companies that process personal data of individuals located in India will need to ensure that their privacy practices conform to the new Indian requirements. Failure to comply with the law can result in large financial penalties, including up to INR 2.5 billion (USD 29.6 million) for failure to implement reasonable security safeguards to prevent a personal data breach.
Sri Lanka’s Personal Data Protection Act to Be Fully Enforceable by March 2025
Cindy Rich (Senior Privacy Advisor, Privacy + Data Security)
- Sri Lanka’s Personal Data Protection Act, enacted in 2022, will be fully operational and enforceable on March 18, 2025. The Sri Lankan data protection authority, established in August 2023, has been busy issuing numerous draft regulations for public consultation. The proposed regulations set forth specific rules pertaining to cross-border data transfers, the appointment of data protection officers, the development of a data protection management program, data breach notification, and data protection impact assessments (DPIAs). Like the EU’s GDPR, the law applies to data processing within Sri Lanka and extraterritorially, regulating entities outside of Sri Lanka that offer goods or services to, or monitor the behavior of, individuals within the country. Although the penalties for law violations are significantly less than those under Indian law, corporate directors and officers are liable and subject to financial penalties unless they can prove that they had no knowledge of the failure to comply with the requirements or that they exercised all due care and diligence to ensure compliance.
In Southeast Asia, the privacy landscape will continue to mature, resulting in more enforcement actions and stricter rules that are more closely aligned with the EU.
Increased Enforcement and Financial Penalties Expected from Thailand’s Data Protection Authority
Cindy Rich (Senior Privacy Advisor, Privacy + Data Security)
- In Thailand, we are likely to see more enforcement actions, including those imposing financial penalties, by the country’s data protection authority (DPA). Since enforcement began in June 2022, the Thai DPA has issued numerous administrative orders, mainly requiring controllers and/or processors to take corrective actions or cease certain activities. In the wake of numerous complaints and data breaches, the Thai DPA issued its first fine, at the highest level possible under the law (THB 7 million/approx. USD 206,000), to a major Thai e-commerce company in connection with a large data breach, thus demonstrating its willingness to deploy its full enforcement powers as needed.
Malaysia to Implement Clearer Data Transfer Rules and Stricter Compliance Requirements in 2024
Cindy Rich (Senior Privacy Advisor, Privacy + Data Security)
- In Malaysia, companies operating there will finally have clearer and more flexible rules for transferring data outside of the country in the coming year because of amendments enacted in 2024 that will enter into force soon. However, at the same time, companies will need to adhere to rules that are more closely aligned with jurisdictions in the EU, such as with respect to security breach notification, mandatory appointment of a data protection officer, data portability rights, and closer supervision of third-party processors. The amended law provides for stronger penalties (including imprisonment) for controllers that fail to ensure that their processors provide sufficient security guarantees.
Vietnam Poised to Enact First Comprehensive Privacy Law by 2026
Cindy Rich (Senior Privacy Advisor, Privacy + Data Security)
- In Vietnam, we are likely to see the enactment of the country’s first comprehensive privacy law. In September 2024, Vietnam issued a draft of its proposed Law on Personal Data Protection (Draft Law) for public consultation. The Draft Law sets forth general data protection rules and principles and specific rules covering numerous business activities involving marketing; behavioral advertising; AI; employee data processing and monitoring; credit, health, and insurance data; social networks and OTT services; biometric data; and location data. Companies will be required, among other things, to notify security breaches within 72 hours, establish personal data protection departments that have sufficient technological and legal data protection expertise, and complete DPIAs and transfer impact assessments. Approval by the legislature is anticipated by May 2025 with the legislation entering into force on January 1, 2026.