
On April 14, 2025, the National Institute of Standards and Technology (NIST) released a draft update to the NIST Privacy Framework. The NIST Privacy Framework was originally launched in January 2020 as “a voluntary tool that can help organizations manage privacy risk arising from their products and services, as well as demonstrate compliance with laws that may affect them[.]” Although the NIST Privacy Framework doesn’t carry the force of law, it serves as a significant benchmark for privacy compliance.

In the five years since the NIST Privacy Framework’s introduction, the data privacy and security landscape has changed in myriad ways. At the time of the initial version of the NIST Privacy Framework, the country’s first comprehensive privacy legislation, the California Consumer Privacy Act, had only just come into effect. Now, almost half of US states have similar legislation, with some of these laws expressly linking compliance to participation in the NIST Privacy Framework. The rapid adoption of sophisticated artificial intelligence applications and the evolution of advanced cybersecurity threats have further complicated the data privacy compliance landscape. NIST has responded to these changes by publishing the NIST AI Risk Management Framework and updating the NIST Cybersecurity Framework to complement the NIST Privacy Framework.

The proposed updates to the NIST Privacy Framework are intended to account for these changes. For example, the amendments seek to maintain alignment between the NIST Privacy Framework and last year’s updates to the NIST Cybersecurity Framework. Specifically, targeted changes to the NIST Privacy Framework core structure and content have been made to maintain alignment with the updated NIST Cybersecurity Framework, with a focus on the Govern and Protect functions. The updates also add a discussion in the NIST Privacy Framework outlining how AI and privacy risks relate to one another.

Organizations have until June 13, 2025, to submit comments on the draft updates.

Author

Brian provides advice on global data privacy, data protection, cybersecurity, digital media, direct marketing information management, and other legal and regulatory issues. He is Chair of Baker McKenzie's Global Data Privacy and Security group.

Author

Cynthia J. Cole is Chair of Baker McKenzie’s Global Commercial, Tech and Transactions Business Unit, a member of the Firm’s global Commercial, Data, IP and Trade (CDIT) practice group Steering Committee and Co-chair of Baker Women California. A former CEO and General Counsel, just before joining the Firm, Cynthia was Deputy Department Chair of the Corporate Section in the California offices of Baker Botts where she built the technology transactions and data privacy practice. An intellectual property transactions attorney, Cynthia also has expertise in AI, digital transformation, data privacy, and cybersecurity strategy.

Author

Justine focuses her practice on both proactive and reactive cybersecurity and data privacy services, representing clients in matters related to information governance, diligence in acquisitions and investments, incident preparedness and response, the California Consumer Privacy Act, privacy litigation, and cyber litigation.