What changed

EDPB FAQ on Data Privacy Framework — Verification and Onward-Transfer Flow-Down Obligations (January 2026)

On 2026-01-15, the European Data Protection Board announced publication of Version 2.0 of its FAQ for European businesses on the EU-U.S. Data Privacy Framework, with reported scope covering certification verification procedures, HR data transfers, and onward-transfer flow-down obligations under the DPF Accountability for Onward Transfer Principle; the full text of the FAQ has not been independently verified and specific content should not be relied upon until confirmed.

NYC Local Law 144 — AEDT bias audit requirements take effect with July 2026 enforcement update

In July 2023, Local Law 144 took effect under NYC Admin. Code § 20-871 requiring bias audits for automated employment decision tools; in June 2026, the Department of Consumer and Worker Protection amended 55 RCNY ch. 7 to confirm that tools producing ranked or scored candidate lists qualify as AEDTs and to require intersectional demographic analysis in required audits.

CPPA finalizes automated decision technology opt-out regulations under CPRA

In March 2026, the California Privacy Protection Agency's final regulations governing automated decision technology took effect under Cal. Code Regs. tit. 11, § 7030 et seq., implementing the CPRA's provisions requiring businesses to disclose ADT use and provide California consumers with opt-out rights and, in specified high-stakes categories, human-review rights.

California CIPA extended to first-party pixel and session-replay tools by Court of Appeal

The First Appellate District of the California Court of Appeal held in March 2026, in Yockey v. Salesforce, Inc., No. A168195, that real-time capture of website visitor keystrokes and clicks by session-replay vendors constitutes an interception under California Penal Code section 631.

EU AI Office publishes first systemic-risk model list — three frontier models designated

On May 14, 2026, the EU AI Office issued Decision 2026/SR-01, designating three frontier general-purpose AI models as systemic-risk GPAI models under the EU AI Act's capability-assessment pathway.

EU AI Act — General Purpose AI Model obligations now in force for providers above threshold

In August 2025, the EU AI Act's General Purpose AI chapter, Regulation (EU) 2024/1689 Arts. 51-56, entered into force, imposing obligations on providers of general-purpose AI models with EU market exposure.

CISA proposes 72-hour cyber incident reporting for critical infrastructure — CIRCIA NPRM

On April 4, 2024, CISA published a Notice of Proposed Rulemaking at 89 Fed. Reg. 23644 under the Cyber Incident Reporting for Critical Infrastructure Act proposing a 72-hour window for covered entities to report substantial cyber incidents; CISA's May 2026 supplemental guidance confirms that cloud and IT service providers to critical infrastructure owners are likely covered entities under the proposed rule.

Irish DPC — Final Decision, Permanent TSB Inquiry (GDPR)

The Irish Data Protection Commission issued a final decision in its GDPR inquiry into Permanent TSB, a financial institution, in 2026, following an inquiry conducted under the Commission's supervisory remit.

Irish DPC — Final Decision, Midlands Regional Hospital Tullamore Inquiry (GDPR)

On or around 2026-06-21, the Irish Data Protection Commission issued a final decision in its inquiry into Midlands Regional Hospital Tullamore under the General Data Protection Regulation; the specific findings, infringed articles, and any penalty amount have not been publicly confirmed.

Irish DPC — Final Decision, University of Limerick Inquiry (GDPR)

On 2026-06-21, the Irish Data Protection Commission issued a final decision concluding its GDPR inquiry into the University of Limerick; the specific articles found to be infringed, any financial penalty, and required corrective measures have not been publicly confirmed.

A G Equipment — EEOC Religious and Disability Discrimination Settlement (Vaccine Mandate)

The EEOC announced a consent resolution of charges against A G Equipment Company, a Broken Arrow, Oklahoma manufacturer, resolving religious and disability discrimination claims arising from the company's COVID-19 vaccine mandate, with reported monetary relief of $4,250,000 covering a class of more than 40 employees. [Announcement date unverified — confirm from primary source before publishing.]

EEOC Federal-Sector Appellate Decision — Religious Accommodation to COVID-19 Vaccine Mandate (Bureau of Indian Education)

On 2026-06-21, the EEOC's Office of Federal Operations reportedly issued an appellate decision finding that the U.S. Department of the Interior, Bureau of Indian Education, violated Title VII of the Civil Rights Act of 1964 in connection with the denial of religious accommodation requests from three federal employees subject to a COVID-19 vaccine mandate; the specific holding, reasoning, and relief have not been confirmed from a primary source.

Central Transport — EEOC Sex Discrimination in Hiring Resolution (Female Truck Drivers)

The EEOC reached an early resolution of charges against Central Transport, LLC under Title VII of the Civil Rights Act, with the Michigan-based trucking company agreeing to pay $5.5 million to settle allegations that it systematically refused to hire qualified female truck drivers across its more than 200 facilities nationwide.

EU AI Office — Forthcoming Guidelines Supporting Implementation of the AI Act

The European Commission's AI Office announced that it will issue implementation guidelines under the EU AI Act, according to the agency's announcement; the date of the announcement has not been confirmed from the source text, and the guideline text has not been published.

NLRB Modification of Procedures in Representation Cases (2020 Rule)

The NLRB published a final rule at 84 FR 69524 (Dec. 13, 2019) modifying representation case procedures, with an effective date ultimately set to May 31, 2020 following a COVID-19-related delay from the originally scheduled April 16, 2020 date.

NLRB Blocking Charge Policy, Voluntary Recognition Bar, and Section 9(a) Construction Industry Rule (2020)

On April 1, 2020, the NLRB published a final rule at 85 FR 18353, effective June 1, 2020, amending 29 C.F.R. Part 103 to revise the blocking charge policy, restore a 45-day open election period following voluntary recognition, and require affirmative majority-support evidence for Section 9(a) relationships in the construction industry.

Kaiser Permanente — EEOC Religious Discrimination Settlement (Vaccine Mandate)

The EEOC announced a settlement resolving 12 charges of religious discrimination against Kaiser Permanente arising from the company's vaccine mandate policy, with Kaiser agreeing to $358,000 in monetary relief plus injunctive relief whose specific terms have not been publicly confirmed. [NOTE TO EDITOR: Announcement date must be verified from primary source before publication — the date '2026-06-20' could not be confirmed and is likely erroneous.]

EEOC Additional Instructions for MD-715 Reporting, FY2026

On 2026-01-01, the EEOC issued additional instructions governing federal agencies' FY2026 submissions under Management Directive 715, the directive that requires federal agencies to establish and maintain effective equal employment opportunity and affirmative employment programs.

EEOC National Enforcement Plan FY2025-2029

In or around early 2025, the EEOC approved a National Enforcement Plan covering fiscal years 2025 through 2029, according to agency reporting; the full text of the plan has not been independently confirmed.

Northwestern Medicine — EEOC Religious Discrimination Conciliation (Vaccine Exemptions)

The EEOC resolved religious discrimination charges against Northwestern Medical Group under Title VII of the Civil Rights Act, with Northwestern agreeing to pay a reported $325,000 in monetary relief to a class of employees who were denied vaccine-exemption requests based on religious beliefs. The resolution date has not been confirmed from the cited source.

EDPB FAQ on Data Privacy Framework — Verification and Onward-Transfer Flow-Down Obligations (January 2026)

On 2026-01-15, the European Data Protection Board announced publication of Version 2.0 of its FAQ for European businesses on the EU-U.S. Data Privacy Framework, with reported scope covering certification verification procedures, HR data transfers, and onward-transfer flow-down obligations under the DPF Accountability for Onward Transfer Principle; the full text of the FAQ has not been independently verified and specific content should not be relied upon until confirmed.

NYC Local Law 144 — AEDT bias audit requirements take effect with July 2026 enforcement update

In July 2023, Local Law 144 took effect under NYC Admin. Code § 20-871 requiring bias audits for automated employment decision tools; in June 2026, the Department of Consumer and Worker Protection amended 55 RCNY ch. 7 to confirm that tools producing ranked or scored candidate lists qualify as AEDTs and to require intersectional demographic analysis in required audits.

CPPA finalizes automated decision technology opt-out regulations under CPRA

In March 2026, the California Privacy Protection Agency's final regulations governing automated decision technology took effect under Cal. Code Regs. tit. 11, § 7030 et seq., implementing the CPRA's provisions requiring businesses to disclose ADT use and provide California consumers with opt-out rights and, in specified high-stakes categories, human-review rights.

California CIPA extended to first-party pixel and session-replay tools by Court of Appeal

The First Appellate District of the California Court of Appeal held in March 2026, in Yockey v. Salesforce, Inc., No. A168195, that real-time capture of website visitor keystrokes and clicks by session-replay vendors constitutes an interception under California Penal Code section 631.

EU AI Office publishes first systemic-risk model list — three frontier models designated

On May 14, 2026, the EU AI Office issued Decision 2026/SR-01, designating three frontier general-purpose AI models as systemic-risk GPAI models under the EU AI Act's capability-assessment pathway.

EU AI Act — General Purpose AI Model obligations now in force for providers above threshold

In August 2025, the EU AI Act's General Purpose AI chapter, Regulation (EU) 2024/1689 Arts. 51-56, entered into force, imposing obligations on providers of general-purpose AI models with EU market exposure.

CISA proposes 72-hour cyber incident reporting for critical infrastructure — CIRCIA NPRM

On April 4, 2024, CISA published a Notice of Proposed Rulemaking at 89 Fed. Reg. 23644 under the Cyber Incident Reporting for Critical Infrastructure Act proposing a 72-hour window for covered entities to report substantial cyber incidents; CISA's May 2026 supplemental guidance confirms that cloud and IT service providers to critical infrastructure owners are likely covered entities under the proposed rule.

Irish DPC — Final Decision, Permanent TSB Inquiry (GDPR)

The Irish Data Protection Commission issued a final decision in its GDPR inquiry into Permanent TSB, a financial institution, in 2026, following an inquiry conducted under the Commission's supervisory remit.

Irish DPC — Final Decision, Midlands Regional Hospital Tullamore Inquiry (GDPR)

On or around 2026-06-21, the Irish Data Protection Commission issued a final decision in its inquiry into Midlands Regional Hospital Tullamore under the General Data Protection Regulation; the specific findings, infringed articles, and any penalty amount have not been publicly confirmed.

Irish DPC — Final Decision, University of Limerick Inquiry (GDPR)

On 2026-06-21, the Irish Data Protection Commission issued a final decision concluding its GDPR inquiry into the University of Limerick; the specific articles found to be infringed, any financial penalty, and required corrective measures have not been publicly confirmed.

A G Equipment — EEOC Religious and Disability Discrimination Settlement (Vaccine Mandate)

The EEOC announced a consent resolution of charges against A G Equipment Company, a Broken Arrow, Oklahoma manufacturer, resolving religious and disability discrimination claims arising from the company's COVID-19 vaccine mandate, with reported monetary relief of $4,250,000 covering a class of more than 40 employees. [Announcement date unverified — confirm from primary source before publishing.]

EEOC Federal-Sector Appellate Decision — Religious Accommodation to COVID-19 Vaccine Mandate (Bureau of Indian Education)

On 2026-06-21, the EEOC's Office of Federal Operations reportedly issued an appellate decision finding that the U.S. Department of the Interior, Bureau of Indian Education, violated Title VII of the Civil Rights Act of 1964 in connection with the denial of religious accommodation requests from three federal employees subject to a COVID-19 vaccine mandate; the specific holding, reasoning, and relief have not been confirmed from a primary source.

Central Transport — EEOC Sex Discrimination in Hiring Resolution (Female Truck Drivers)

The EEOC reached an early resolution of charges against Central Transport, LLC under Title VII of the Civil Rights Act, with the Michigan-based trucking company agreeing to pay $5.5 million to settle allegations that it systematically refused to hire qualified female truck drivers across its more than 200 facilities nationwide.

EU AI Office — Forthcoming Guidelines Supporting Implementation of the AI Act

The European Commission's AI Office announced that it will issue implementation guidelines under the EU AI Act, according to the agency's announcement; the date of the announcement has not been confirmed from the source text, and the guideline text has not been published.

NLRB Modification of Procedures in Representation Cases (2020 Rule)

The NLRB published a final rule at 84 FR 69524 (Dec. 13, 2019) modifying representation case procedures, with an effective date ultimately set to May 31, 2020 following a COVID-19-related delay from the originally scheduled April 16, 2020 date.

NLRB Blocking Charge Policy, Voluntary Recognition Bar, and Section 9(a) Construction Industry Rule (2020)

On April 1, 2020, the NLRB published a final rule at 85 FR 18353, effective June 1, 2020, amending 29 C.F.R. Part 103 to revise the blocking charge policy, restore a 45-day open election period following voluntary recognition, and require affirmative majority-support evidence for Section 9(a) relationships in the construction industry.

Kaiser Permanente — EEOC Religious Discrimination Settlement (Vaccine Mandate)

The EEOC announced a settlement resolving 12 charges of religious discrimination against Kaiser Permanente arising from the company's vaccine mandate policy, with Kaiser agreeing to $358,000 in monetary relief plus injunctive relief whose specific terms have not been publicly confirmed. [NOTE TO EDITOR: Announcement date must be verified from primary source before publication — the date '2026-06-20' could not be confirmed and is likely erroneous.]

EEOC Additional Instructions for MD-715 Reporting, FY2026

On 2026-01-01, the EEOC issued additional instructions governing federal agencies' FY2026 submissions under Management Directive 715, the directive that requires federal agencies to establish and maintain effective equal employment opportunity and affirmative employment programs.

EEOC National Enforcement Plan FY2025-2029

In or around early 2025, the EEOC approved a National Enforcement Plan covering fiscal years 2025 through 2029, according to agency reporting; the full text of the plan has not been independently confirmed.

Northwestern Medicine — EEOC Religious Discrimination Conciliation (Vaccine Exemptions)

The EEOC resolved religious discrimination charges against Northwestern Medical Group under Title VII of the Civil Rights Act, with Northwestern agreeing to pay a reported $325,000 in monetary relief to a class of employees who were denied vaccine-exemption requests based on religious beliefs. The resolution date has not been confirmed from the cited source.