• |

    Feb. 18, 2026

How the CJEU’s Russmedia Decision Resets GDPR Obligations for Online Marketplaces

The recent decision of the Court of Justice of the European Union (CJEU) in the Russmedia Digital case upended the traditional understanding of the measures required of online marketplaces to comply with their data protection duties under the GDPR. The new obligations that the CJEU introduced around policing illegal content will likely be both costly and difficult to implement. At the same time, the decision also eliminated an exemption from liability for companies that breach their obligations to protect sensitive data posted on their websites. This article examines the decision and offers practical compliance measures that companies can take in response, with insights from Europe-based partners at Bird & Bird, Ropes & Gray, Steptoe and Van Bael & Bellis. See “New Duties Around Pseudonymized Data After E.U. Court Decision” (Oct. 15, 2025).

Contracting With Vendors to Mitigate Third-Party AI Risk

When companies and law firms purchase an AI tool from a vendor, they need to consider the risks and controls they can put in place to mitigate them. They will have no control over associated risks unless their contracts with those vendors provide such rights. “Your AI governance program cannot work unless the vendor agreement gives the rights needed to enforce that governance,” William Galkin, partner and founder of Galkin Law, LLC, said during a recent Strafford program. This article synthesizes insights from Galkin and technology executives at BillingNav and morriganAI regarding risks from use of third-party AI tools and considerations for approaching contracting with vendors. It also offers practical advice on six key AI vendor contract clauses to help companies transform an AI governance program from just policy statements into enforceable operational safeguards. See our two-part series on how to manage AI procurement: “Leadership and Preparation” (Sep. 18, 2024), and “Five Steps” (Oct. 2, 2024).

Understanding Human Behavior to Design Better Crisis Management Protocols

A company’s operations unfold differently in everyday situations than in a crisis. Resilient crisis management protocols (CMPs) take this reality into account by establishing a set of expectations and touchpoints that shape how people communicate, make decisions and escalate issues as conditions change. In this guest article, Michelle DiMartino and Nitish Upadhyaya of Ropes & Gray’s R&G Insights Lab highlight three issues that often arise in the midst of crisis, analyze the human and behavioral mechanisms that give rise to these issues, and offer suggestions for how to assess and design CMPs in light of those patterns. See “Cyber Crisis Communications – ‘No Comment’ Is Not an Option” (Sep. 7, 2022).

Norton Rose Fulbright Adds Data Privacy, AI and Cybersecurity Partner in San Francisco

Norton Rose Fulbright has welcomed Helen Christakos to the firm’s San Francisco office as a partner in the privacy and cybersecurity group. She arrives from A&O Shearman. For insights from Norton Rose Fulbright, see “Guidance From NYDFS in Industry Letter Stressing Vendor Risk Management and Oversight” (Dec. 10, 2025); and “Strengthening Cyber Defenses in an Ever-Evolving Threat Landscape” (Jun. 4, 2025).

Most-Read Articles

Women to Watch: Contributions, Achievements and Observations of Outstanding Female Professionals

To mark International Women’s Day, women editors and reporters at ION Analytics interviewed outstanding women in the industries and jurisdictions we cover. In this part, Law Report Group editors Jill Abitbol, Robin L. Barton and Megan Zwiebel profile notable women in data privacy, cybersecurity, private funds and anti-corruption law, including Anne-Gabrielle Haie, Jessica Lee, Micaela McMurrough, Laura Perkins, Amanda Raad, Madelyn Calabrese, Ranah Esmaili and Genna Garver. Enjoy reading their inspiring remarks here.