globalisation-3390877_1280

On April 11, 2025, the Department of Justice (“DOJ”) released additional detail regarding the Final Rule implementing former President Biden’s Executive Order 14117, “Preventing Access to Americans’ Bulk Sensitive Personal Data and United States Government-Related Data by Countries of Concern” (the “Final Rule”), which went into effect on April 8, 2025. The release included additional guidance, frequently asked questions, and an enforcement policy for the first 90 days. Much of the material re-articulated language in the Final Rule, but the release did include some notable new information for organizations assessing their compliance, key points of which we summarize below.

Earlier this year, Ropes & Gray published an Alert providing an overview of the Final Rule, material changes from the DOJ’s Notice of Proposed Rulemaking (“NPRM”), and guidance on steps organizations should take to come into compliance. (Ropes & Gray also published Alerts on the NPRM and the Advance Notice of Proposed Rulemaking).

To read the full Ropes & Gray client alert, click here.

digitization-5231610_1280

Today, the Department of Justice’s (“DOJ”) Final Rule implementing former President Biden’s Executive Order 14117, “Preventing Access to Americans’ Bulk Sensitive Personal Data and United States Government-Related Data by Countries of Concern” (the “Final Rule”) took effect.

Earlier this year, Ropes & Gray published an alert providing an overview of the Final Rule, material changes from the DOJ’s Notice of Proposed Rulemaking (“NPRM”), and guidance on steps organizations should take to come into compliance. (Ropes & Gray also published alerts on the NPRM and the Advance Notice of Proposed Rulemaking).

If they haven’t already, organizations should evaluate their obligations under the Final Rule and make compliance changes accordingly.

pexels-gstudio-8640331

In an International Association of Privacy Professionals (IAPP) article, health care partner David Peloquin and data, privacy and cybersecurity associate Jake Barr along with Legend Biotech Chief Privacy Officer and Assistant General Counsel Corey Dennis discuss the landmark rule limiting sensitive data transfers to “countries of concern.” The article reviews key aspects for health care and life sciences companies, key exemptions, and best practices to ensure compliance. To read the full IAPP article click here.

pexels-ramaz-bluashvili-26344937-7017138

The Trump Administration’s recent AI pronouncements decry “ideological bias or engineered social agendas” as antithetical to continued American AI leadership. Executive Order 14179, repealing prior Biden Administration Executive Order 14110 on AI safety, reflects that theme and so does Vice President Vance’s speech at the February 11 Paris AI summit. “We feel very strongly,” Vance remarked, “that AI must remain free from ideological bias.” The Trump Administration’s view appears to be that overzealous regulation, likely including nondiscrimination, safety, and transparency regulation, puts American AI development at a disadvantage. The release of DeepSeek undoubtedly reinforces such concerns. As White House Press Secretary Karoline Leavitt put it, “[DeepSeek] is a wake-up call to the American AI industry.”

Continue Reading Trump’s New AI Executive Order: Navigating the Conflicting Poles of AI Regulation
money-7923867_1280

In 2024, financial sector regulators prioritized cybersecurity issues impacting financial institutions and the public. Key U.S. federal agencies—including the Securities and Exchange Commission, Federal Trade Commission, and the Consumer Financial Protection Bureau—have been joined by state regulators such as the New York Department of Financial Services in significant new federal and state regulations and more robust and novel enforcement actions. This trend is expected to continue in 2025 as the rise of digital transactions and advent of AI introduce additional risks and cyberattacks become increasingly complex and prevalent.

Click here to read the full Ropes & Gray client alert.

pexels-tima-miroshnichenko-9574323

On January 22, 2025, the New York State Assembly and Senate rapidly passed the wide-ranging New York Health Information Privacy Act. If not vetoed by Governor Kathy Hochul, NY HIPA would be the fourth enacted state consumer health data privacy law, following the Washington My Health My Data Act, Nevada SB 370 and the Connecticut Data Privacy Act. Importantly, NY HIPA could have a significant impact on companies across the country that collect or process health information of New York residents.

Click here to read the full Ropes & Gray client alert.

lady-justice-2388500_1280

The U.S. Department of Justice (DOJ) announced last Wednesday that settlements and judgments under the False Claims Act (FCA) exceeded $2.9 billion in fiscal year 2024—up approximately 5% from last year. DOJ’s announcement underscores its commitment to FCA enforcement, particularly in the healthcare industry and now with increased activity in the areas of pandemic relief programs, military procurement, and cybersecurity.

Click here to read the full Ropes & Gray client alert detailing the key takeaways from DOJ’s press release, along with our key insights as companies try to anticipate what lies ahead.

ai-generated-9106907_1280

In December 2024, New York Governor Kathy Hochul signed into law two bills (A8872A and S2376B; collectively, the “Bills”) that amend New York’s Data Breach Notification Law.1 The Bills introduce a maximum thirty-day timeframe for notifying affected New York residents of a reportable “breach of the security of the system”2 under state law (a “Data Breach”), require Data Breaches to be reported to the New York State Department of Financial Services (“NYSDFS”), and add medical information and health insurance information to categories of private information that may be subject to a Data Breach. According to their legislative history, the Bills were introduced in order to address “a broad sense of uncertainty by experts and lawmakers as to which federal regulations, if any, [are] charged with the responsibility to monitor and do regular supervision on cybersecurity.”3 While the Bills are likely to have a limited effect on HIPAA covered entities and business associates, they stand to significantly impact other persons and businesses in New York, including life sciences and consumer health care companies that are not subject to HIPAA.

Click here to read the full Ropes & Gray client alert.

pexels-cottonbro-7578799

In December 2024, the Assistant Secretary for Technology Policy/Office of the National Coordinator for Health Information Technology (“ASTP/ONC”) within the U.S. Department of Health and Human Services (“HHS”) published two final rules that establish health data interoperability and information blocking regulations (the “New HTI Final Rules”).

The New HTI Final Rules will affect Trusted Exchange Framework and Common Agreement (“TEFCA”) qualified health information networks (“QHINs”) and health care organizations that exchange data through QHINs, as well as developers of certified health information technology, health information exchanges and networks, and health care providers (collectively, “Actors”) that are subject to the Information Blocking Rule.

Click here to read the full Ropes & Gray client alert which summarizes key provisions of the New HTI Final Rules.

digitization-5231610_1280

On January 8, 2025, the Department of Justice (“DOJ”) published its Final Rule to implement President Biden’s Executive Order 14117, “Preventing Access to Americans’ Bulk Sensitive Personal Data and United States Government-Related Data by Countries of Concern” (the “Final Rule”). This follows the DOJ’s publication of its Notice of Proposed Rulemaking (“NPRM”) in October 2024, and its Advance Notice of Proposed Rulemaking (“ANPRM”) earlier in 2024. (Ropes & Gray published alerts on the NPRM and ANPRM)

The Final Rule continues to assert the DOJ as a critical regulator of data transfers involving countries of concern or covered persons. Organizations transacting with entities or individuals located in or otherwise having relationships with the People’s Republic of China (including Hong Kong and Macau) (the “PRC”), Russia, Iran, North Korea, Cuba, and Venezuela should carefully review the Final Rule for potential impacts on their business models. The Final Rule prohibits certain data brokerage transactions and transactions involving human ‘omic data. The Final Rule also creates a set of restricted transactions involving vendor agreements, employment agreements, or investment agreements in which U.S. persons may engage only if they comply with a set of cybersecurity requirements. In tandem with the publication of the Final Rule, on January 8, 2025 Cybersecurity and Infrastructure Security Agency (“CISA”) published its final security requirements for restricted transactions.

Click here to read the full Ropes & Gray client alert for more detailed information.