The Data Chronicles

In our annual “Look Back, Look Forward” edition of The Data Chronicles, Scott Loughlin and Eduardo Ustaran, co-leads of Hogan Lovells’ Global Data, Privacy and Cybersecurity practice, reflect on the most important developments in privacy, cybersecurity, and data regulation in 2025 and share their outlook for 2026. It has become the most popular episode of the year, drawing strong interest from listeners across regions and sectors.   The conversation covers the global impact of artificial intelligence, evolving regulatory priorities in the UK, EU, and US, and the ongoing balance between innovation and regulation. Topics include potential GDPR reform, biometrics and age verification, geopolitics and data protection, international data transfers, and the growing focus on AI governance and children’s data.

What can businesses expect from the U.S. Federal Trade Commission on privacy and data enforcement as we move into 2026? In this episode of The Data Chronicles, host Scott Loughlin is joined by Cobun Zweifel-Keegan, Managing Director at the IAPP, for a practical year-end review of the FTC’s 2025 enforcement priorities and what they signal for the year ahead.   Together, Scott and Cobun break down how a change in administration reshaped the agency’s focus this year, with heightened attention on children’s and teens’ privacy, COPPA enforcement, cross-platform data collection, and growing concerns around the sale of Americans’ sensitive information to foreign adversary countries. They also discuss the FTC’s evolving view of privacy as both a consumer protection and national security issue.   The conversation also covers the operational and strategic impact of the FTC operating with only two sitting commissioners, and how today’s enforcement posture compares with the more aggressive approach under the prior administration.

India has taken a major step in reshaping its digital future. After years of drafts and debate, the country has finalized the Digital Personal Data Protection Act (DPDPA) and issued detailed rules that bring the law fully to life. With implementation now scheduled over the next 18 months, organizations have clear timelines and a more definitive view of the significant compliance work ahead.  In this episode, host Scott Loughlin is joined by Stephen Mathias, partner and head of the Bangalore office at Kochhar & Company, and Hogan Lovells partner Charmian Aw, who leads the Hogan Lovells APAC Data, Privacy and Cybersecurity practice. Together, they discuss the core features of India’s new law, including its consent-based framework, extraterritorial reach, and parallels with the EU GDPR.  The conversation covers the key steps companies should be taking now, from redesigning data architecture and consent flows to assessing breach response readiness. The episode also explores global business implications, enforcement expectations, and how the DPDPA fits into the broader regional privacy landscape.  Whether you’re operating in India or serving customers there, this discussion offers practical insights on what’s changing, why it matters, and how to prepare.

The U.S. Department of Justice’s Data Security Program is reshaping how companies manage cross-border data activities. This episode of The Data Chronicles breaks down what the rule does, why it was created, and the types of transactions it restricts or prohibits—from data brokerage to vendor access to bulk genomic data. Host Scott Loughlin is joined by Hogan Lovells partner James Denvil and associate Lorea Mendiguren to walk through the rule’s core elements and the open questions around implementation, risk, and compliance. They share practical insights from advising companies in e-commerce, health, and life sciences as they adjust to this new national-security-driven framework.

In this episode of The Data Chronicles, host Scott Loughlin is joined by Hogan Lovells partners Eduardo Ustaran and Charmian Aw to examine how regulators are rethinking the relationship between AI, innovation, and privacy. They discuss why many regulators view data protection rules not as obstacles, but as guardrails that can support responsible AI development through tools like impact assessments, transparency, and data minimization.   Eduardo shares insights from the Global Privacy Assembly, which brought together more than 140 data protection authorities from over 90 countries for regulator-led discussions on AI in daily life, cross-border data transfers, children’s privacy, privacy-enhancing technologies, and other issues shaping global enforcement trends. Charmian, who leads the firm’s Asia-Pacific Data, Privacy and Cybersecurity team, adds an APAC perspective with takeaways from the Global Cross-Border Privacy Rules Forum and the region’s growing push for interoperability in data transfers and enforcement cooperation.   We also highlight the launch of our Asia Pacific Privacy Legislation Tracker, a new tool that compares privacy requirements across APAC jurisdictions designed to support companies in navigating the region’s evolving data protection landscape.

How are U.S. states shaping the future of artificial intelligence? In this episode of The Data Chronicles, we unpack The State of State AI, the latest report from the Future of Privacy Forum (FPF) analyzing more than 200 AI-related bills introduced across 42 states.  Host Scott Loughlin is joined by Justine Gluck, a policy analyst at FPF, to discuss how lawmakers are shifting toward targeted, transparency-driven regulation, focusing on areas such as healthcare, chatbot use, liability frameworks, and innovation sandboxes, rather than pursuing a single sweeping national approach. Together, they explore how these trends signal where AI policymaking is headed and what it means for developers, deployers, and consumers.

In this episode of The Data Chronicles, host Scott Loughlin welcomes Adam Smith, Regulatory Lead – Cybersecurity at Southwest Airlines, to explore the evolving landscape of cybersecurity in the transportation sector. Together, they fly through the real-world stakes of protecting critical infrastructure – from airports and railways to the systems that underpin national security. The conversation unpacks the complexity of regulatory frameworks, the challenges of incident response, and the vital role of collaboration among regulators, operators, and vendors.

Across the globe, governments are rethinking how to keep kids safe online. New laws in the UK and the U.S. are driving a wave of age verification and content regulation measures that could reshape how young people experience the internet and how platforms operate. In this episode of The Data Chronicles, host Scott Loughlin is joined by Hogan Lovells associates, Rob Fett and Georgia Crawford from London, and Sophie Bohm from Colorado, to unpack the UK’s Online Safety Act, the growing patchwork of U.S. state laws, and the complex balance between safety, privacy, and free expression. Together, they explore whether these new rules truly protect children or simply shift the burden to users and platforms.

Discover how the latest U.S. health tech initiative is transforming patient data access and interoperability. In this episode of The Data Chronicles, host Scott Loughlin is joined by Hogan Lovells partner Melissa Bianchi to discuss the drive toward seamless digital health records, the rise of public-private partnerships, and the future of secure digital identity in healthcare. They explore what these developments mean for patients, providers, and technology innovators, and why now is the time to prepare for the next era of health information.

Like many others, you have been scammed. Is all hope lost? Maybe not.    On this episode of The Data Chronicles, host Scott Loughlin is joined by Hogan Lovells colleagues, Lauren Berkebile and Byron Phillips, to break down today’s most common online fraud schemes and what to do if your organization gets hit.   They trace the shift from the internet’s initial gift card scams to today’s highly targeted wire-fraud campaigns powered by deepfakes, polished phishing, and social engineering. You’ll hear how criminals stage fake transactions over Zoom, why C-suite leaders are targeted, and the first moves that can help you recover funds.   Whether you have been scammed before and are trying to heighten your defenses or you are planning for how to respond to a future scam, this episode will be a great resource.

Consent is one of the most misunderstood concepts in digital privacy.  Every click, swipe, and scroll can trigger a data transaction, yet today’s reliance on cookie banners and CMPs leaves companies exposed. As regulators grow more sophisticated and laws like CIPA and VPPA add new risks, it’s clear consent needs a serious rethink.   In this episode of The Data Chronicles, host Scott Loughlin is joined by Max Anderson, Co-founder and Head of Product Development at Ketch, a provider of consent and data privacy management solutions, to discuss why current mechanisms are failing, how opt-outs are evolving beyond a checkbox, and what it means to embed meaningful consent into the user journey while still enabling innovation.

In this episode of Data Chronicles, host Scott Loughlin explores the challenges of defining artificial intelligence (AI) under emerging laws, including under the EU AI Act. He is joined by Hogan Lovells partner Etienne Drouard and senior associate Olga Kurochkina to discuss the difficulties in drawing clear lines around what qualifies as AI, the importance of that definition under the EU AI Act for both developers and users, and the broader landscape of AI regulation. The conversation highlights the importance of distinguishing AI from automation, the compliance obligations that follow, and the ways AI legislation continues to evolve.

In July 2025, the Trump administration made its first major move in shaping U.S. policy on artificial intelligence, releasing an AI Action Plan after revoking President Biden’s earlier executive order. Host Scott Loughlin is joined by Hogan Lovells partner Cybil Roehrenbeck to break down the plan and its accompanying executive orders, which aim to accelerate development of AI infrastructure, promote the export of AI-based technologies, and impose limits on how the federal government can purchase AI that are determined to have an ideological bias.

Can AI run the government?     In this episode of The Data Chronicles, Scott Loughlin talks with Taka Ariga, former Chief AI Officer at OPM and Chief Data Scientist at GAO, about how the US federal government is approaching its use of AI.  With a focus on the benefits and risks created by AI in the public sector, Scott and Taka explore the impact of AI on the public workforce, public services, national security, and policy making, while discussing agile governance, transparency, and the evolving leadership role of Chief AI Officers.     Two things become clear. First, the government is experiencing the same AI legal concerns as the private sector. And, second, companies and government have much to learn from one another on how they can each harness AI’s promise and manage its risks.

As states race to define the rules of the digital road, 2025 is already proving to be a pivotal year for data legislation.   In this episode of The Data Chronicles, host Scott Loughlin is joined once again by Hogan Lovells colleague Harsimar Dhanoa to unpack the latest developments in state-level laws on privacy, AI safety, and more.   With surprising shifts and emerging trends reshaping how data is governed across the country, Scott and Harsimar offer sharp insights into what’s changed, what’s coming next, and what it all means for businesses and consumers alike. This annual deep dive has become a listener favorite, delivering timely analysis from one of the most informed voices in the policy space.

In the latest episode of The Data Chronicles, Scott Loughlin, along with several members of the privacy and litigation team - Etienne Drouard, Vassi Iliadis, and Katie McMullan - are featured in a webinar that dives into the complex global legal, litigation, and regulatory challenges surrounding cookies. Covering topics such as banner design, sensitive data opt-ins, “accept or pay” models, and cross-border enforcement, this fast-paced session offers a practical guide to one of the most persistent and difficult issues in data protection. Listeners will gain insights into why cookies remain a legal minefield, what regulators are currently focusing on, and whether cookie banners are necessary outside of the EU.

How do advertisers, publishers, and tech platforms share responsibility for user data under the GDPR? In this episode of The Data Chronicles, Scott Loughlin is joined by Etienne Drouard to break down the IAB Europe Transparency and Consent Framework, exploring how recent court rulings clarify liability in the complex ad tech ecosystem. They discuss what this means for organizations’ compliance strategies and why clear documentation and contracts are now more important than ever for managing risk in digital advertising.

Imagine if the tiny tracking code behind personalized ads and website recommendations were suddenly considered unlawful.   That’s exactly what’s happening in the growing legal battle over cookies and tracking pixels across the country with new fronts opening.   In this episode of The Data Chronicles, we examine plaintiffs’ efforts to expand the web tracking litigation battleground by claiming that unconsented use of web trackers constitutes a data breach under the California Consumer Privacy Act (“CCPA”), which entitles comes with statutory damages and a private right of action.   Scott Loughlin is joined by Hogan Lovells litigators Aidan Coleman and Jay Ettinger to break down the legal implications of new case law on this issue and discuss what’s at stake for the internet as we know it.

AI is reshaping the future of medical devices, but innovation brings complexity.   In this episode of AI Issue Spotting, Scott Loughlin is joined by fellow Hogan Lovells Medical Device and Technology partners Michael Heyl and Jodi Scott to explore the challenges companies face as AI begins to monitor medical device performance, diagnose conditions, and even deliver patient care. From regulatory hurdles to liability risks, they discuss how medical device manufacturers can navigate this rapidly evolving space.   With AI blurring the lines between traditional medical devices and new digital solutions, the discussion highlights what medical device businesses need to know to stay compliant and innovative.

Geopolitics is radically shaping the world of data, privacy, and digital regulation. In this special episode of The Data Chronicles, recorded live at the IAPP Global Privacy Summit 2025, Scott Loughlin and Eduardo Ustaran, global co-heads of Hogan Lovells’ Data, Privacy and Cybersecurity practice unpack the most pressing conversations from the first quarter of 2025, where shifting political tides are reshaping the global data and privacy landscape. From regulatory upheavals to cross-border data tensions, Scott and Eduardo offer sharp insights into how today’s geopolitical currents are redefining the future of digital regulation.