On May 26, 2026, the Spanish Data Protection Agency (“AEPD”) published details of its decision to fine Amadeus IT Group, S.A. (“Amadeus”), a Madrid-headquartered technology provider for the global travel and tourism industry, EUR 18 million in connection with GDPR violations involving Amadeus’s Global Distribution System (“GDS”). Amadeus voluntarily paid the fine, less a 20% reduction, on May 29, 2025, thereby terminating the proceedings without admitting liability. The fine, one of the largest the AEPD has imposed, highlights the enforcement risks associated with repurposing personal data such as passenger data without appropriate transparency or a valid legal basis under the GDPR.

Continue Reading Amadeus IT Group Receives GDPR Fine

On May 19, 2026, the notice and removal requirements set forth in Section 3 of the Tools to Address Known Exploitation by Immobilizing Technological Deepfakes on Websites and Networks Act (“TAKE IT DOWN Act” or “TIDA”) entered into effect.  Under this section, covered platforms must establish a process for individuals to notify the platform of certain intimate visual depictions that were shared without their consent and to request their removal.  Covered platforms that receive valid requests must remove the visual depictions and identical copies within 48 hours.  The FTC, which enforces the TIDA, intends to do so “vigorously.”  The FTC has launched a website where individuals can submit complaints about platforms that fail to comply with these requirements and has sent warning letters advising companies of their obligations under the law.

Continue Reading The TAKE IT DOWN Act’s Notice and Removal Requirements Enter Into Effect

A federal court recently addressed whether plaintiffs alleging misleading commercial email practices in violation of Washington’s Commercial Electronic Mail Act (“CEMA”) have Article III standing to pursue claims. The ruling suggests that alleged violations of CEMA, standing alone, could constitute a concrete injury for Article III standing, where the asserted harm aligns with the statute’s purpose.

Continue Reading Washington Anti-Spam Law Decision Addresses Article III Standing in CEMA Cases

On May 28, 2026, the European Union Agency for Cybersecurity (“ENISA”) published the third edition of its NIS360 report, an annual benchmarking tool that assesses the cybersecurity maturity of entities in the sectors set out in Annex I of the NIS2 Directive (which includes certain entities in the energy, transport, healthcare, digital infrastructure, and space sectors), as well as the relative criticality of the relevant sectors. The NIS360 is designed to support national authorities, policymakers, and other stakeholders in understanding where sectors stand in terms of cybersecurity readiness, including where more support or oversight might be needed.

Continue Reading ENISA’s NIS360 2026 report highlights both the criticality of the European space sector, and flags a persistent cybersecurity maturity gap

On 20 May 2026, Brazil adopted Presidential Decree No. 12,976, establishing a comprehensive framework to address violence against women online. Adopted alongside a parallel decree (No. 12,975) reforming intermediary liability, it reflects a more assertive approach to regulating online harms, including those driven or amplified by AI. Together, these measures will require companies to reassess internal processes to ensure rapid content removal and more proactive monitoring, including for AI‑enabled services.

Continue Reading Brazil Steps Up Regulation of Violence Against Women in the Digital Environment

On 19 May 2026, the European Commission published its long-awaited draft, non-binding guidelines on the classification of high-risk AI systems (“HRAIs”) under the EU AI Act (the “Guidelines”). Across three documents—covering general principles, high-risk classification in the context of regulated products (Annex I), and high-risk use cases (Annex III)—the Commission sets out its approach to one of the AI Act’s central questions: when does an AI system fall within the high-risk regime (and, just as importantly, when does it not)?

Rather than restating every aspect of the Guidelines, this post highlights a number of interpretative points likely to matter most in practice.

Continue Reading EU AI Act Update: The European Commission Publishes Draft Guidelines on HRAIs

On May 29, 2026, the Governor of Louisiana signed into law SB 386, the Louisiana Data Privacy Act (“LDPA”). Louisiana joins Alabama and Oklahoma as the third state to enact a comprehensive privacy law this year. The law will take effect on January 1, 2027.

Continue Reading Louisiana Enacts Comprehensive Privacy Law

On June 2, 2026, the White House issued an executive order titled “Promoting Advanced Artificial Intelligence Innovation and Security” (the “Order”).  The Order reflects the Administration’s stated policy of advancing U.S. leadership in artificial intelligence (“AI”) while addressing national security risks associated with increasingly capable AI systems.  To

Continue Reading White House Releases Executive Order on Advanced AI Innovation and Security

Last month, the Illinois Department of Human Rights (“IDHR”) released draft regulations addressing employers’ use of AI in employment decisions and invited public comment. The IDHR will hold a hearing on the draft regulations on June 10, and the public comment period will close on June 29.

Background

HB

Continue Reading Illinois Department of Human Rights Seeks Public Comment on Draft AI Employment Regulations

On May 27, 2026, the Connecticut governor signed SB 4, an omnibus privacy law, which among other things, amends the Connecticut Data Privacy Act (“CTDPA”), establishes a data broker registry and accessible deletion mechanism, imposes restrictions on the use of price setting devices and surveillance pricing, and creates requirements for direct-to-consumer genetic testing companies.

Continue Reading Connecticut Enacts Omnibus Privacy Law