On January 17th, 2026, the Biodiversity Beyond National Jurisdiction (“BBNJ”) Agreement, also known as the “High Seas Treaty”, entered into force.  For the first time, companies that use marine genetic resources (“MGRs”) and digital sequence information (“DSI”) originating from areas beyond national jurisdiction may be required to share monetary and non-monetary benefits at a global level.

This marks a significant expansion of access and benefit-sharing (“ABS”) obligations for companies.  Until now, under the Convention on Biological Diversity (“CBD”) and its Nagoya Protocol, ABS obligations applied only to genetic resources originating within national jurisdictions.  The BBNJ Agreement fundamentally changes this landscape: companies in pharmaceuticals, biotechnology, cosmetics, food and feed that rely on marine-derived compounds, microorganisms or genetic data may now face new reporting and annual payment obligations.

Companies should not assume a long transition period.  Implementation is already advancing.  The European Commission has published a draft Directive (“draft EU Directive”), and the United Kingdom adopted the Biodiversity Beyond National Jurisdiction Act 2026 (“UK Act”) on February 12th, 2026. Companies should therefore assess now whether their R&D pipelines, data use practices, or product portfolios fall within scope.

In this blog, we examine how the BBNJ Agreement and its EU and UK implementation could affect companies using MGRs and DSI, and identify the key compliance risks and strategic questions for in-house counsel and senior management.Continue Reading Navigating the new UN High Seas Treaty: Key Compliance Risks for Life Sciences Companies

On 10 February 2026, the EU released the agreed compromise text of the new Regulation on the screening of foreign investments in the EU (the “New FIR Regulation”).  The three EU institutions (Commission, Parliament and Council) reached the compromise on the text in December 2025 (see our blog) following several months of trilogues (see our blog).  The text, while not yet officially published, is expected to remain unchanged.  The New FIR Regulation will repeal and replace the current FDI Screening Regulation (EU) 2019/452 (the “2019 FDI Regulation”).  The New FIR Regulation further integrates the EU’s investment screening framework into the EU’s economic security strategy.

Against the backdrop of rising geopolitical friction, the New FIR Regulation aims to address the risk that investors structure transactions to get access to the EU market by anchoring their investments in Member States with lighter FIR controls.  To do so, the New FIR Regulation establishes a unified minimum screening framework across the Member States (e.g., through mandatory national screening mechanisms, harmonised review timelines, and strengthened cooperation obligations), whilst preserving Member States’ ultimate sovereignty on matters of national security.  This will be a major evolution from the 2019 FDI Regulation, which was limited to establishing an information-sharing mechanism while leaving Member States wide discretion as to whether and how to screen foreign investments.

This post discusses the five major areas of change for prospective investors, before offering a few forward-looking considerations.Continue Reading New Foreign Investment Screening Regulation – Key Takeaways from the Agreed Compromise Text

On February 20, the U.S. Supreme Court released its decision in Learning Resources, Inc. v. Trump, the case challenging the legality of the Trump Administration’s tariffs imposed under the International Emergency Economic Powers Act (“IEEPA”). By a 6-3 majority, the Court held that IEEPA does not authorize the President

Continue Reading IEEPA Tariffs Terminated, Replacement Section 122 Tariffs Take Effect

On February 19, 2026, the UK Court of Appeal handed down its decision in DSG Retail Limited v The Information Commissioner [2026] EWCA Civ 140. The Court ruled that a controller’s data security duty applies to all personal data for which it acts as controller – irrespective of whether the information would constitute personal data in the hands of a third party (in this case, an attacker). Note that the case is concerned with events before the GDPR came into force, so the legal context is provided by UK Data Protection Act 1998 (“DPA 1998”), although the Court did take into account more recent jurisprudence, including CJEU case law.

The case adds useful colour to ongoing debates surrounding the definition of “personal data.” The Court of Appeal confirmed that a controller’s duty to implement appropriate measures to protect personal data applies to data that is “personal” from the perspective of the controller —even if a third-party attacker could not identify individuals from the exfiltrated dataset. This dovetails with the SRB v EDPS’s clarification that whether data is “personal” can depend on the context, while a controller’s obligations (such as transparency) must be assessed from the controller’s perspective at the relevant time (which, for the transparency principle, is at the time of collection of the data). (For more information on SRB v EDPS, see our prior post here.)Continue Reading UK Court of Appeal Rules on the Concept of Personal Data in the Context of Data Security

Congressional investigations are now a common reality across corporate America, and companies large and small are therefore more focused than ever on the potential effects of congressional inquiries into business activities, goals, and strategies. In this new reality, the most sophisticated companies, private equity firms, and other corporate players are

Continue Reading A Potentially Overlooked Risk Area: Incorporating Congressional Investigations into Transactional Due Diligence

On February 26, 2026, the European Union published Directive (EU) 2026/470 on the simplification of the Corporate Sustainability Due Diligence Directive (“CSDDD”) and the Corporate Sustainability Reporting Directive (“CSRD”) in its Official Journal, clearing the final step in the Omnibus I legislative process.

This blog post: (i) summarizes the substance

Continue Reading EU CSDDD/CSRD Omnibus Published in Official Journal: Transposition, Delegated Acts, and Guidelines Are Next

The Connecticut Office of the Attorney General (“OAG”) issued an updated Enforcement Report (“Enforcement Report”) under the Connecticut Data Privacy Act (“CTDPA”). The Enforcement Report discusses the OAG’s enforcement actions in 2025 and suggests some areas of focus from the regulator, summarized below.Continue Reading Connecticut Attorney General Releases 2025 CTDPA Enforcement Report

On February 18, 2026, the European Data Protection Board (“EDPB”) published its Report on Stakeholder Event on Anonymisation and Pseudonymisation of 12 December 2025 (the Report). The Report summarises feedback from a remote stakeholder event convened to inform the EDPB’s ongoing work on Guidelines 01/2025 on Pseudonymisation (version for public consultation available here) and forthcoming guidance on anonymisation. The event gathered input from 115 participants spanning industry, NGOs, academia, law firms, and public sector bodies.

The objective of the Report is to capture stakeholder insights on how the General Data Protection Regulation (“GDPR”) applies to anonymisation and pseudonymisation, particularly following the Court of Justice of the European Union’s (“CJEU”) judgment in EDPS v SRB (C‑413/23 P). (See our previous blog post here.)Continue Reading EDPB Publishes Report on Stakeholder Event on Anonymisation and Pseudonymisation

In a recent addition to the EU’s evolving digital rulebook, the European Commission has published a set of Guidelines under the European Media Freedom Act (“EMFA”). The Guidelines advise very large online platforms, as defined under the Digital Services Act (“DSA”), on how to set up a functionality that lets media organisations identify themselves—and, in doing so, unlock a set of procedural protections when it comes to content moderation.Continue Reading European Commission Issues Guidelines on Article 18 of the European Media Freedom Act

In June 2025, the European Parliament (“EP”) published its draft report on “Copyright and generative artificial intelligence – opportunities and challenges” (available here). The draft report calls on the European Commission to make a series of changes to the way that copyright is protected in the age of generative AI (“GenAI”). The EP notes the challenges in finding a balance between respecting existing laws and protecting the rights of content creators on the one hand, while not hindering the development of AI technologies in the European Union on the other. In its report, the EP focuses on the perceived copyright-related risks posed at the GenAI training stage and the GenAI output stage.Continue Reading European Parliament Proposes Changes to Copyright Protection in the Age of Generative AI