Key developments
Seventh Circuit makes BIPA damages cap retroactive
On April 1, the Seventh Circuit held that Illinois' 2024 BIPA damages amendment applies retroactively to cases already pending when it took effect. The court treated the change as remedial, not substantive, because it limits recoverable damages without changing the underlying right to sue. Plaintiffs can no longer seek per-scan damages for repeated biometric captures involving the same person and method, narrowing exposure in ongoing class actions.
Why it matters
The ruling materially reduces damages leverage in pending biometric privacy class actions and could lower settlement values.
Sources & driving stories
BIOMETRICUPDATE.COM
BiometricUpdate.com coverage
JD SUPRA · Maggie Amen
JD Supra coverage
Ireland drafts spyware bill for police surveillance
Ireland is considering a bill that would give Garda Síochána a legal basis to use spyware and other covert tools, including products from NSO Group, Intellexa, and Paragon Solutions, plus Cellebrite tools and IMSI-catchers. The draft would require judicial authorization and necessity/proportionality tests for serious crime or national-security cases, and officials say the General Scheme will be published in 2026. Rights groups and cybersecurity experts warn that vague oversight and national-security language could normalize abuse and weaken encryption protections.
Why it matters
If enacted, the proposal would significantly expand lawful spyware use and could set a precedent for broader police access across Europe.
Sources & driving stories
TECH POLICY PRESS
Tech Policy Press coverage
Eurail breach exposes 308,777 travelers' records
Eurail B.V. disclosed that a December 26, 2025 breach affected 308,777 people after attackers accessed its customer database and removed files from the network. The company said it sent notification letters on March 27 and later confirmed exposure of full names, passport details, ID numbers, bank IBANs, health information, email addresses, and phone numbers. Eurail said attackers posted a sample on Telegram and attempted to sell the data on the dark web; the company filed the breach with the Oregon Attorney General's office.
Why it matters
The incident involves highly sensitive identity and travel data that can be used for fraud, phishing, and document abuse.
Sources & driving stories
BLEEPINGCOMPUTER · Sergiu Gatlan
BleepingComputer coverage
Worth noting
FTC probes surveillance pricing data
The probe shows regulators are escalating scrutiny of personalized pricing practices that rely on consumer data inputs.
Chrome adds device-bound session protection
Google is rolling out hardware-linked session credentials in Chrome 146 to make stolen cookies harder for infostealers to reuse.
Still unclear
OPEN QUESTION
Will BIPA settlements reset downward?
The retroactive damages cap could materially change settlement math in pending biometric privacy litigation.
OPEN QUESTION
Can Ireland preserve encryption here?
The draft spyware bill tests whether lawful-access powers can be added without undermining end-to-end security.
