The Data Chronicles
Welcome to The Data Chronicles, hosted by partner Scott Loughlin, Co-Lead of the Hogan Lovells Cadwalader global Data, Privacy and Cybersecurity practice. This multimedia series is dedicated to the ever-changing legal and regulatory developments in the world of data, privacy, and cybersecurity. Join us as we unravel and unpack various regulatory frameworks and legal developments around the globe.
Welcome to The Data Chronicles, hosted by partner Scott Loughlin, Co-Lead of the Hogan Lovells Cadwalader global Data, Privacy and Cybersecurity practice. This multimedia series is dedicated to the ever-changing legal and regulatory developments in the world of data, privacy, and cybersecurity. Join us as we unravel and unpack various regulatory frameworks and legal developments around the globe.
Episodes
Thursday Jun 11, 2026
The narrowing window for AI policy: Why bold action matters
Thursday Jun 11, 2026
Thursday Jun 11, 2026
AI regulation in the United States is at an inflection point. A new executive order, emerging legislation, and shifting political dynamics are rapidly reshaping the policy landscape for AI developers and adopters.
In this episode of The Data Chronicles, we examine the administration’s latest executive order on AI innovation and security, which introduces a voluntary framework for pre-release review of frontier AI models – an approach some compared to FDA-style oversight. We also explore how it differs from prior safety-focused directives and more aggressive regulatory models abroad.
The discussion highlights what this moment means for companies across the ecosystem, from major tech firms helping shape policy to startups navigating commercialization. At the core is a key tension: policymakers are unusually open to new ideas but the window to influence these frameworks may be narrower than it appears.
Monday Jun 01, 2026
2026 State legislative updates
Monday Jun 01, 2026
Monday Jun 01, 2026
State-level data regulation in the United States is accelerating, with a growing patchwork of laws reshaping how organizations approach privacy, artificial intelligence, and online safety.
In this episode of The Data Chronicles, we provide a 2026 legislative wrap-up, examining how new comprehensive privacy laws in states like Oklahoma and Alabama, alongside emerging frameworks in Louisiana, are reinforcing a largely harmonized – but still fragmented – compliance landscape.
The discussion explores how AI regulation is diverging more significantly, with states such as Colorado and Connecticut shifting toward targeted, risk-based approaches focused on automated decision-making and employment use cases, while broader concerns around AI chatbots and workforce integration continue to draw legislative attention. We also unpack the rapid evolution of online safety and children’s protections, including the expansion of age-appropriate design codes, age verification requirements, and ongoing constitutional challenges.
Across all three areas, the episode highlights the practical implications of increased regulatory overlap, evolving enforcement dynamics, and the growing need for organizations to monitor state-level developments closely – particularly as lawmakers continue to experiment with technology-driven solutions and push toward more granular oversight of data-driven systems.
Monday May 04, 2026
UK Data protection reform explained
Monday May 04, 2026
Monday May 04, 2026
Data protection in the United Kingdom is entering a new phase of post‑Brexit divergence, introducing targeted but impactful changes across regulatory governance, enforcement, and day‑to‑day compliance.
In this episode of The Data Chronicles, we examine how the Data (Use and Access) Act 2025 is reshaping UK data protection through reforms to the ICO’s structure, new approaches to cookies, automated decision‑making, international data transfers, and lawful bases for processing.
The discussion explores how increased flexibility in the United Kingdom is paired with heightened enforcement risk, why operating across United Kingdom and European Union regimes is becoming more complex for global organizations, and how data protection is increasingly being reframed as both a legal compliance and economic policy tool – demanding closer coordination between legal, product, and operational teams.
Thursday Apr 16, 2026
Cyber developments in the EU and UK
Thursday Apr 16, 2026
Thursday Apr 16, 2026
Cybersecurity regulation in Europe has entered a period of rapid expansion and fragmentation, moving well beyond traditional data protection into a complex framework governing enterprise security, product security, sector specific obligations, and supply chain risk.
In this episode of The Data Chronicles, we examine how evolving regimes such as NIS2, the Cyber Resilience Act, DORA, and proposed reforms to the EU Cybersecurity Act are reshaping legal and operational expectations for organizations operating across borders.
The discussion explores why global “one size fits all” security programs and reliance on baseline standards like ISO and NIST are no longer sufficient on their own, how post Brexit divergence between the EU and U.K. is creating material compliance challenges, and why cybersecurity has shifted from a best practice exercise to enforceable law – requiring tighter integration between legal, IT, and information security teams to execute compliance at scale.
Thursday Apr 02, 2026
AI disputes and enforcement in the U.S.
Thursday Apr 02, 2026
Thursday Apr 02, 2026
AI enforcement in the United States is emerging through legacy laws, creative pleading theories, and increasing regulatory scrutiny rather than a single statute or regulator.
In this episode of The Data Chronicles, we examine how AI-related risk materializes once it moves into litigation and enforcement — from copyright and privacy class actions to consumer protection claims, product liability, and employment disputes — and why unsettled standards of care, evolving case law, and regulator focus areas are driving uncertainty for companies deploying AI systems.
Thursday Mar 26, 2026
DOJ’s Cybersecurity Fraud Initiative
Thursday Mar 26, 2026
Thursday Mar 26, 2026
Cybersecurity enforcement is entering a new phase – one where technical failures are increasingly reframed as fraud risk.
This episode of The Data Chronicles explores how the U.S. Department of Justice is using the False Claims Act to pursue alleged misrepresentations about cybersecurity controls, compliance, and incident disclosure in government contracts and grants.
We examine emerging enforcement patterns, practical risk signals for contractors, and what organizations should be doing now to reduce exposure, with further insights available in our 2026 False Claims Act Guide.
Thursday Mar 05, 2026
The Data Chronicles | AI Enforcement – An International Overview
Thursday Mar 05, 2026
Thursday Mar 05, 2026
AI regulatory enforcement is accelerating – often under laws that were conceived well before the unstoppable emergence of AI. This episode of The Data Chronicles examines how regulators and courts across Europe and beyond are applying existing frameworks, from the GDPR to consumer and competition law, to AI development and deployment.
We explore emerging enforcement patterns, including scrutiny of AI training data, transparency obligations, data subject rights, and the growing use of urgent regulatory measures. The discussion also looks ahead to how enforcement may evolve as AI-specific regulation advances, and what these developments signal for organizations operating globally.
Thursday Jan 29, 2026
AI, IP, and enforcement – Fair use, DMCA shifts, and what comes next
Thursday Jan 29, 2026
Thursday Jan 29, 2026
AI and intellectual property are evolving fast – and creating real uncertainty for companies building with or around AI.
This episode of The Data Chronicles breaks down the key IP claims emerging today, from copyright and DMCA theories to right of publicity, trademark, and output based risks.
We look at how early court decisions are treating AI training and outputs, why plaintiffs are pivoting toward DMCA and misattribution claims, and where regulators like the FTC may (and may not) step in.
We close with a practical checklist for organizations using or developing AI, as the landscape continues to shift.
Thursday Jan 15, 2026
Data Brokers | State patchwork, federal pressure, and emerging risks
Thursday Jan 15, 2026
Thursday Jan 15, 2026
Data brokers sit at the center of a fast-shifting legal landscape.
This episode of The Data Chronicles breaks down the expanding patchwork of state data broker laws, from registration and public listings to how these obligations interact with broader privacy requirements. It also looks at the stigma tied to the “data broker” label, how regulators and plaintiffs’ lawyers are using registration data to target scrutiny, and the added federal pressure created by PADFA and the DOJ’s Data Security Program.
The discussion closes with a practical checklist for companies that license or share data, including how to identify if you may be a data broker, where exemptions could apply, and what steps help reduce registration and enforcement risk.
Thursday Dec 18, 2025
2025 wrapped and 2026 predictions
Thursday Dec 18, 2025
Thursday Dec 18, 2025
In our annual “Look Back, Look Forward” edition of The Data Chronicles, Scott Loughlin and Eduardo Ustaran, co-leads of Hogan Lovells’ Global Data, Privacy and Cybersecurity practice, reflect on the most important developments in privacy, cybersecurity, and data regulation in 2025 and share their outlook for 2026. It has become the most popular episode of the year, drawing strong interest from listeners across regions and sectors.
The conversation covers the global impact of artificial intelligence, evolving regulatory priorities in the UK, EU, and US, and the ongoing balance between innovation and regulation. Topics include potential GDPR reform, biometrics and age verification, geopolitics and data protection, international data transfers, and the growing focus on AI governance and children’s data.
Thursday Dec 11, 2025
A new FTC era | Evolving data enforcement and the road to 2026
Thursday Dec 11, 2025
Thursday Dec 11, 2025
What can businesses expect from the U.S. Federal Trade Commission on privacy and data enforcement as we move into 2026? In this episode of The Data Chronicles, host Scott Loughlin is joined by Cobun Zweifel-Keegan, Managing Director at the IAPP, for a practical year-end review of the FTC’s 2025 enforcement priorities and what they signal for the year ahead.
Together, Scott and Cobun break down how a change in administration reshaped the agency’s focus this year, with heightened attention on children’s and teens’ privacy, COPPA enforcement, cross-platform data collection, and growing concerns around the sale of Americans’ sensitive information to foreign adversary countries. They also discuss the FTC’s evolving view of privacy as both a consumer protection and national security issue.
The conversation also covers the operational and strategic impact of the FTC operating with only two sitting commissioners, and how today’s enforcement posture compares with the more aggressive approach under the prior administration.
Thursday Dec 04, 2025
India’s DPDPA brought into force
Thursday Dec 04, 2025
Thursday Dec 04, 2025
India has taken a major step in reshaping its digital future. After years of drafts and debate, the country has finalized the Digital Personal Data Protection Act (DPDPA) and issued detailed rules that bring the law fully to life. With implementation now scheduled over the next 18 months, organizations have clear timelines and a more definitive view of the significant compliance work ahead.
In this episode, host Scott Loughlin is joined by Stephen Mathias, partner and head of the Bangalore office at Kochhar & Company, and Hogan Lovells partner Charmian Aw, who leads the Hogan Lovells APAC Data, Privacy and Cybersecurity practice. Together, they discuss the core features of India’s new law, including its consent-based framework, extraterritorial reach, and parallels with the EU GDPR.
The conversation covers the key steps companies should be taking now, from redesigning data architecture and consent flows to assessing breach response readiness. The episode also explores global business implications, enforcement expectations, and how the DPDPA fits into the broader regional privacy landscape.
Whether you’re operating in India or serving customers there, this discussion offers practical insights on what’s changing, why it matters, and how to prepare.
Thursday Nov 20, 2025
Thursday Nov 20, 2025
The U.S. Department of Justice’s Data Security Program is reshaping how companies manage cross-border data activities. This episode of The Data Chronicles breaks down what the rule does, why it was created, and the types of transactions it restricts or prohibits—from data brokerage to vendor access to bulk genomic data.
Host Scott Loughlin is joined by Hogan Lovells partner James Denvil and associate Lorea Mendiguren to walk through the rule’s core elements and the open questions around implementation, risk, and compliance. They share practical insights from advising companies in e-commerce, health, and life sciences as they adjust to this new national-security-driven framework.
Thursday Nov 13, 2025
Checking in on APAC | Regulating for innovation
Thursday Nov 13, 2025
Thursday Nov 13, 2025
In this episode of The Data Chronicles, host Scott Loughlin is joined by Hogan Lovells partners Eduardo Ustaran and Charmian Aw to examine how regulators are rethinking the relationship between AI, innovation, and privacy. They discuss why many regulators view data protection rules not as obstacles, but as guardrails that can support responsible AI development through tools like impact assessments, transparency, and data minimization.
Eduardo shares insights from the Global Privacy Assembly, which brought together more than 140 data protection authorities from over 90 countries for regulator-led discussions on AI in daily life, cross-border data transfers, children’s privacy, privacy-enhancing technologies, and other issues shaping global enforcement trends. Charmian, who leads the firm’s Asia-Pacific Data, Privacy and Cybersecurity team, adds an APAC perspective with takeaways from the Global Cross-Border Privacy Rules Forum and the region’s growing push for interoperability in data transfers and enforcement cooperation.
We also highlight the launch of our Asia Pacific Privacy Legislation Tracker, a new tool that compares privacy requirements across APAC jurisdictions designed to support companies in navigating the region’s evolving data protection landscape.
Tuesday Nov 04, 2025
How states are shaping AI legislation
Tuesday Nov 04, 2025
Tuesday Nov 04, 2025
How are U.S. states shaping the future of artificial intelligence? In this episode of The Data Chronicles, we unpack The State of State AI, the latest report from the Future of Privacy Forum (FPF) analyzing more than 200 AI-related bills introduced across 42 states.
Host Scott Loughlin is joined by Justine Gluck, a policy analyst at FPF, to discuss how lawmakers are shifting toward targeted, transparency-driven regulation, focusing on areas such as healthcare, chatbot use, liability frameworks, and innovation sandboxes, rather than pursuing a single sweeping national approach. Together, they explore how these trends signal where AI policymaking is headed and what it means for developers, deployers, and consumers.
Monday Oct 27, 2025
From runways to railways | The new frontiers of transportation cybersecurity
Monday Oct 27, 2025
Monday Oct 27, 2025
In this episode of The Data Chronicles, host Scott Loughlin welcomes Adam Smith, Regulatory Lead – Cybersecurity at Southwest Airlines, to explore the evolving landscape of cybersecurity in the transportation sector.
Together, they fly through the real-world stakes of protecting critical infrastructure – from airports and railways to the systems that underpin national security. The conversation unpacks the complexity of regulatory frameworks, the challenges of incident response, and the vital role of collaboration among regulators, operators, and vendors.
Thursday Oct 16, 2025
Age gating the internet | Can we really protect kids online?
Thursday Oct 16, 2025
Thursday Oct 16, 2025
Across the globe, governments are rethinking how to keep kids safe online. New laws in the UK and the U.S. are driving a wave of age verification and content regulation measures that could reshape how young people experience the internet and how platforms operate.
In this episode of The Data Chronicles, host Scott Loughlin is joined by Hogan Lovells associates, Rob Fett and Georgia Crawford from London, and Sophie Bohm from Colorado, to unpack the UK’s Online Safety Act, the growing patchwork of U.S. state laws, and the complex balance between safety, privacy, and free expression. Together, they explore whether these new rules truly protect children or simply shift the burden to users and platforms.
Thursday Oct 09, 2025
Health data interoperability and CMS’s new tech initiative
Thursday Oct 09, 2025
Thursday Oct 09, 2025
Discover how the latest U.S. health tech initiative is transforming patient data access and interoperability. In this episode of The Data Chronicles, host Scott Loughlin is joined by Hogan Lovells partner Melissa Bianchi to discuss the drive toward seamless digital health records, the rise of public-private partnerships, and the future of secure digital identity in healthcare. They explore what these developments mean for patients, providers, and technology innovators, and why now is the time to prepare for the next era of health information.
Thursday Sep 25, 2025
Thursday Sep 25, 2025
Like many others, you have been scammed. Is all hope lost? Maybe not.
On this episode of The Data Chronicles, host Scott Loughlin is joined by Hogan Lovells colleagues, Lauren Berkebile and Byron Phillips, to break down today’s most common online fraud schemes and what to do if your organization gets hit.
They trace the shift from the internet’s initial gift card scams to today’s highly targeted wire-fraud campaigns powered by deepfakes, polished phishing, and social engineering. You’ll hear how criminals stage fake transactions over Zoom, why C-suite leaders are targeted, and the first moves that can help you recover funds.
Whether you have been scammed before and are trying to heighten your defenses or you are planning for how to respond to a future scam, this episode will be a great resource.
Wednesday Sep 17, 2025
Consent is broken | How do we fix it?
Wednesday Sep 17, 2025
Wednesday Sep 17, 2025
Consent is one of the most misunderstood concepts in digital privacy.
Every click, swipe, and scroll can trigger a data transaction, yet today’s reliance on cookie banners and CMPs leaves companies exposed. As regulators grow more sophisticated and laws like CIPA and VPPA add new risks, it’s clear consent needs a serious rethink.
In this episode of The Data Chronicles, host Scott Loughlin is joined by Max Anderson, Co-founder and Head of Product Development at Ketch, a provider of consent and data privacy management solutions, to discuss why current mechanisms are failing, how opt-outs are evolving beyond a checkbox, and what it means to embed meaningful consent into the user journey while still enabling innovation.


