Dechert Cyber Bits

Omnibus IV Package: EU Commission Proposes Simplification of GDPR

The European Commission has proposed a rule simplification package, known as Omnibus IV, aimed at, among other things, easing the regulatory burden of the GDPR on small and medium sized companies and small mid-caps companies (which can employ up to 750 employees and generate turnovers of up to €150m (or have up to €129m in total assets)) (“SMCs”).

Currently, companies with fewer than 250 employees are in some circumstances exempt from certain data privacy rules such as the requirement to keep a record of processing activities, with the aim of reducing administrative costs. The Omnibus IV package would broaden the exemption and extend it to organizations with fewer than 750 employees. These entities would only be required to maintain processing records where activities are considered “high risk.” The Commission states that these changes should help companies save €66m per year. In addition, the package would require the specific needs of SMCs to be taken into account in the drawing up of codes of conduct and establishment of certification mechanisms and data protection seals and marks.

The package may be further amended by the European Parliament and the Council of the EU before being finally adopted.

Takeaway: Since the Commission had indicated in its press release of May 21, 2025 that the Omnibus IV package had been presented in an effort to reduce bureaucracy and foster a regulatory environment that promotes innovation, growth, quality jobs, and investment, the simplification proposals have been much anticipated. As drafted, the proposals are relatively limited in scope and are unlikely to make much practical difference to many organizations. For those falling under the 750-employee threshold though, the absence of a strict requirement to maintain records of processing for all but high-risk activities may prove a welcome relief. In any case, the Omnibus IV package is a positive step, and we can hope that the Commission will adopt more proposals in the future to continue to gradually simplify and streamline GDPR processes and reduce bureaucracy.  

Acting Director of SEC’s Division of Examinations Warns of Upcoming Regulation S-P Examinations for Financing Institutions

On May 14, 2025, Keith Cassidy, Acting Director of the SEC’s Division of Examinations, shared details on the Commission’s enforcement priorities in a speech on the May 2024 Regulation S-P amendments. Cassidy noted that the Commission will host three outreach events that are intended to address the basics of what to expect during an examination where Regulation S-P is in scope. These events are to be led by staff in the SEC’s Technology Controls Program, which Cassidy stated will include “technologists, industry experts, former CISOs, intelligence analysts, specialized contractors, attorneys, and examiners.” Cassidy acknowledged recent requests to extend the compliance dates for the Regulation S-P amendments, but did not commit to an extension. He noted that, even in advance of the compliance dates, registrants should expect examiners to inquire about their preparations to ensure compliance: “[t]he Division will conduct examinations to assist the Commission in understanding the level of readiness across the sector before the compliance dates.”

As we covered in more depth here, the Regulation S-P amendments apply to broker-dealers, investment companies, registered investment advisers, and transfer agents. Larger institutions, including registered investment advisers with $1.5 billion or more in assets under management, will be required to comply as soon as December 3, 2025, with certain smaller institutions to follow starting in June 2026.

Takeaway: Cassidy stated that additional details regarding the outreach program will be published in the near future. Registrants should be on the lookout for these programs, as they will shed light on the SEC’s examination focus in the early days of the Regulation S-P amendments. Registrants should continue taking steps to come into compliance with the new Regulation S-P requirements, which include among other things the requirement to implement an incident response program and oversee third-party service providers.

UK ICO Consults on Updated Encryption Guidance

The UK Information Commissioner's Office (“ICO”) has launched a consultation on its draft updated encryption guidance, which will remain open until June 24, 2025. This guidance aims to provide detailed clarification on when and how data encryption can support compliance with the UK GDPR. The initiative follows the ICO’s observation of numerous incidents where personal data was compromised due to inadequate protection, leading to enforcement actions against organizations that failed to implement appropriate security measures such as encryption.

The updated guidance follows the ICO's "must, should, could" framework, offering clear expectations on encryption measures for data protection officers and those responsible for data security in organizations of all sizes. It covers various scenarios where encryption can be applied to safeguard personal data, including email and attachments, cloud storage, backups, CCTV and video surveillance, and Internet of Things devices. Additionally, the guidance addresses the residual risks associated with using encryption. The guidance states that organizations should use encryption to protect personal information when in transit electronically (e.g., online) and when storing it on computing devices or removable media.

Takeaway: The guidance will be particularly helpful as it offers many detailed examples and scenarios to help organizations understand the benefits and risks of encryption in context. It also (sensibly) clarifies that encryption is typically a pseudonymization technique and that encrypted data is still personal information in the hands of the organization.

FTC Chairman Andrew Ferguson Signals Both Hairpin Turns and Straightaways in Enforcement Priorities

On May 15, 2025, Federal Trade Commission (“FTC”) Chairman Andrew Ferguson testified before the House Appropriations Committee’s Financial Services and General Government Subcommittee to address the FTC’s budget and outline its enforcement priorities. “Vigorous enforcement of the law is our focus,” the Chairman explained, “not to make the rules,” signaling a return to less aggressive and more predictable enforcement focusing on well-established legal principles. In addition to announcing a 16% reduction in staff from its fiscal 2025 levels, the Chairman emphasized the below priority areas:

• AI: The Chairman emphasized the rapid development and use of AI, highlighting that “tools powered by artificial intelligence present significant opportunities for consumers, workers, and our economy.” The FTC will continue to seek enforcement actions against companies that use deceptive claims and promises involving AI. The Chairman noted that “[u]sing circumspect and appropriate enforcement of existing laws” will remain central to preventing AI-related fraud.
• Children’s Privacy: Stating that “protecting children and teens online is similarly of paramount importance to the Trump-Vance FTC,” the Chairman affirmed the FTC’s dedication to pursuing Children’s Online Privacy Protection Act (“COPPA”) violations and pledged to explore other ways that the FTC can protect children.
• Data Security: The Chairman reiterated the FTC’s commitment to enforcing data security standards to hold companies accountable for failing to protect personal information.
• Sector-Specific Laws: The Chairman reiterated the Commission’s enforcement of sector-specific laws, such as the Gramm-Leach-Bliley Act’s Privacy Rule and Safeguards Rule, the Fair Credit Reporting Act and Section 5 of the FTC Act.

Takeaway: Chairman Ferguson’s testimony outlines a strategic vision for the coming year, emphasizing a continued focus on children’s privacy and data security – issues that enjoy bipartisan support. AI enforcement is expected to concentrate more on deceptive claims; remedies such as data and algorithmic disgorgement employed by the FTC under Lina Khan’s leadership may become less common. Additionally, the announced staffing reductions suggest a potentially less aggressive enforcement stance compared to previous years, with fewer but more targeted enforcement actions.

Dechert Tidbits

German Consumer Rights Group Fails in Bid to Stop Meta Training its AI with EU User Data

According to a press release (in German) dated May 13, 2025, the Consumer Advice Center for the German state of North Rhine-Westphalia (“CAC NRW”) is battling with Meta Platforms Ireland Limited (“Meta”) to stop Meta’s new practice of using public posts from EU users on Facebook and Instagram for AI training purposes, as announced by Meta in April. On May 23, 2025, the Higher Regional Court of Cologne dismissed CAC NRW’s application, reportedly concluding that Meta could rely on legitimate interests (instead of consent) and had taken effective measures to mitigate interference with data subjects’ rights. It remains to be seen if further legal action will be taken in the future, as certain groups remain critical and continue to raise concerns about legality and user privacy.

CFPB Dials Back Data Broker Proposal

In a recently posted withdrawal of notice, the Consumer Financial Protection Bureau (“CFPB”) announced its decision to rescind its proposed rules regarding the regulation of data brokers, which we covered in Cyber Bits Issue 40. The proposed rule, “Protecting Americans from Harmful Data Broker Practices,” would have required certain sellers of income data or other financial information to comply with Fair Credit Reporting Act obligations.

Global Technical Standard for AI Systems Published by ETSI

The UK National Cyber Security Centre (“NCSC”) reports that the European Telecommunications Standards Institute (“ETSI”) has published a new technical specification for baseline cybersecurity requirements for AI models and systems. It follows prior guidance by the NCSC and UK government departments, who worked on the specification along with other governments and industry leaders. The NCSC notes that the specification is the first global standard that sets minimum security requirements across the entire AI life cycle for all stakeholders in the AI supply chain.