This month, we have added “API mapping” and “JavaScript file analysis” as core components of the NT Analyzer tool suite. This post explains what API Mapping is and how the feature provides critical insights regarding the transmission and processing of
Data Protection Report
Data protection legal insight at the speed of technology
Blog Authors
Latest from Data Protection Report
New York Attorney General, personal data, and SHIELD Act
On March 20, 2025, the New York Attorney General (“NYAG”) announced a settlement with Ohio-based Root Insurance, regarding privacy practices relating to its auto insurance online quoting tool. As part of the settlement, Root agreed to pay $975,000 and to…
The differences between non-disclosure, exfiltration and notice – a court’s view
By David Kessler and Sue Ross
Although there is scant case law on the question, it is generally accepted that it is not a violation of one’s duty not to disclose information if it is stolen from you. Put another…
What do organisations need to disclose to individuals about AI and automated decisions?

Individuals have the right to receive meaningful information about solely automated decisions with significant effects under the General Data Protection Regulation (GDPR). This includes decisions that will impact an individual’s finances or employment. But how much information are individuals entitled…
Prohibited practices under the AI Act: Answered and unanswered questions in the Commission’s guidelines
The EU AI Act’s prohibitions came into effect on 2 February 2025 and carry fines of 7% worldwide annual turnover for non-compliance. The prohibitions at Article 5 and accompanying recitals (particularly recitals 28-44) set out a complex set of provisions.…
Federal government announces latest National Cyber Security Strategy

On February 6, the Government of Canada announced its latest National Cyber Security Strategy (the NCSS), detailing the federal government’s plan to help Canadian organizations prepare for and respond to the rapidly evolving and increasingly sophisticated cyber security threats of…
Happy Information Governance Day
Happy February 20th and Information Governance Day! Today is an opportunity to reflect on the evolution of information governance and, more importantly, its future. In our view, information governance is in its ascendency and is only becoming more and more…
New York changes data breach law—in December and February
New York just finished a series of adjustments to its data breach notification requirements. Effective immediately, organizations must notify impacted individuals of a data breach within 30 days of its discovery instead of “in the most expedient time possible and…
FTC settlement requires disconnection of hardware from all no longer supported software
On January 16, 2025, the FTC announced a proposed complaint and consent agreement with one of the largest hosting companies in the world: GoDaddy. According to the complaint, the FTC found GoDaddy’s security practices “unreasonable for a company of its…
The Commission’s guidelines on AI systems – what can we infer?

The EU’s AI Act imposes extensive obligations on the development and use of AI. Most of the obligations in the AI Act look to regulate the impact of the specific use cases on health, safety, or fundamental rights. These sets…