In this Newsletter
Regulations & Guidelines
The CNIL emphasizes security and privacy measures for accessing electronic patient records
The CNIL has formally notified several healthcare institutions to implement measures ensuring the security of Electronic Health Records, emphasizing that patient data should only be accessible to individuals with a legitimate need to know.
UK's new data protection bill raises concerns
The UK's Data Protection and Digital Information Bill, aiming to replace the GDPR, has raised concerns about weakening data protections for EU citizens and risking the EU-UK data adequacy agreement, essential for smooth data transfers. Criticisms include potential breaches of the European Convention on Human Rights, specifically regarding biometric data, and questions about the bill's impact on law enforcement cooperation under frameworks like Prüm II, along with its compatibility with EU data protection standards.
ICO urges all app developers to prioritise privacy
The Information Commissioner's Office (ICO) is issuing a reminder to all application developers about the necessity of safeguarding user privacy. This comes after the regulatory body conducted an examination of period and fertility tracking apps. In the previous year, the ICO meticulously evaluated these apps to scrutinize their personal data handling processes and to determine any potential adverse effects on users. During this evaluation, the ICO reached out to various app developers to inquire about their privacy policies and also interacted with users to gain insights into their experiences.
Shanghai to relax international data transfer rules
According to Reuters, the Shanghai government in China intends to expedite the process for approving international data transfers in an effort to boost economic development. This accelerated approval process is targeted at specific multinational corporations, facilitating the transfer of their data out of China. Reportedly, this expedited system will be unique to Shanghai, whereas companies located elsewhere in China will adhere to the data transfer regulations imposed by the Cyberspace Administration of China.
EU CTR / CTIS January 2024 Updates
In January 2024, the EUCTR/CTIS published an updated version (1.4, dated 31 January 2024) of its Q&A on protecting Commercially Confidential Information and Personal Data, introducing new guidelines on the disclosure of patient-facing documents. Specifically, it allows sponsors, under certain conditions, to provide justification for not publicly disclosing such documents, while ensuring full content is available for Member State assessment. Additionally, 31 January 2024 marked the two-year anniversary of the Clinical Trials Regulation (CTR) application and the Clinical Trials Information System (CTIS) launch, with a reminder that the three-year transition period ends on 30 January 2025, urging sponsors to transition ongoing trials from the Clinical Trials Directive to the CTR to avoid non-compliance risks due to Member State decision timelines.
EUCROF’s draft Code of Conduct has been submitted to the EDPB
The clinical research service providers' GDPR code of conduct, developed by the EUCROF (European CRO Federation), reached a significant milestone towards its adoption across the 27 EU member states on January 25, 2024: the CNIL (National Commission on Informatics and Liberty) decided to formally submit it to the European Data Protection Board. "After six years of hard work, we are now entering the formal phase of adopting the code," stated Yoani Matsakis, a member of the AFCROs Steering Committee and chair of the international working group responsible for drafting the Code.
Data Privacy Enforcement
End-to-end encryption without backdoors is indeed a fundamental right
Russia was condemned by the European Court of Human Rights for its 2016 law that requires electronic messaging service providers to store all exchanged messages for six months and to provide the Federal Security Service (FSB) with the means to decrypt them upon request. Telegram, risking its global reputation, had refused to comply with this requirement, and a user took the case to the ECHR to defend their right not to have their communications spied upon.
Montefiore Medical Center pays $4.8M after OIG investigation of insider data breach
Montefiore Medical Center has agreed to a $4.75 million settlement with HHS and OCR due to data security breaches involving a former employee selling 12,517 patients' data, necessitating a corrective action plan and two years of oversight to address security flaws. The agreement follows investigations prompted by a 2015 police tip and aims to enhance Montefiore's data protection efforts, highlighting the critical need for strong cybersecurity in healthcare.
Record-breaking ransomware profits surpassed $1B in 2023
Ransomware attackers have escalated their tactics, launching more sophisticated assaults and achieving over $1 billion in annual profits, marking a significant resurgence and complexity increase in their operations, especially in 2023. Despite a notable decline in ransomware profits in 2022 attributed to concerted efforts to disrupt these cybercriminal activities, the trend reversed dramatically in 2023 with high-profile institutions and critical infrastructure being targeted, leading to a record number of ransom payments, many exceeding $1 million.
Data privacy fines: where does the money go?
Non-compliance with privacy laws leads to administrative fines, guided by frameworks like the GDPR's, designed to be effective, proportional, and dissuasive. The allocation of these fines varies globally, with some EU countries allowing Data Protection Authorities to retain fines, while in the U.S., fines often support privacy enforcement activities or feed into the Treasury for consumer protection purposes.
Artificial Intelligence
Tools for navigating the EU AI Act: final text with interactive table of contents
The most recent iterations of the AI Act were released in February 2024 and are currently pending formal ratification by the EU Parliament. Concurrently, an interactive tool has been launched to facilitate navigation through the extensive document, enhancing users' comprehension of the stipulations outlined in the proposed act.
Highlighting AI integration for regulatory compliance in the pharmaceutical industry: a conversation with Uwe Trinks from IQVIA
During a conversation with Uwe Trinks from IQVIA, the importance of integrating AI into the pharmaceutical industry for regulatory compliance was highlighted, revealing its underestimated role beyond just clinical research applications like protein selection and patient enrollment. Trinks pointed out the critical contributions of Machine Learning and Natural Language Processing in assessing risks, auditing data for compliance breaches, monitoring regulatory changes, and indirectly aiding in GDPR compliance related to sensitive health data management.
US Justice Department names first AI officer
The U.S. Justice Department appointed its inaugural official dedicated to artificial intelligence, addressing the significant impact AI could have on federal law enforcement and the criminal justice system. Jonathan Mayer, a Princeton University professor with expertise in technology and law, has been named as the chief science and technology adviser and chief AI officer, according to the department.
Data Governance
French government's rejection of pro-sovereign cloud amendments causes confusion
In their effort to streamline a bill aimed at regulating the involvement of consulting firms in public policymaking, Renaissance MPs inadvertently voted against amendments that were aligned with their own cloud security strategy, leading to questions about the consistency of their support for the 'cloud to the centre' policy. Despite the government's attempts to water down the bill in response to the 'McKinseygate' controversy and ensure the protection of sensitive public data, the rejection of amendments intended to enhance cloud security for data handled by consulting firms suggests a disconnect in the government's approach to regulating digital and consulting sectors.
A history of judicial data requests at Amazon and AWS
In response to legal and public scrutiny, Amazon publishes semi-annual statistics detailing law enforcement requests for data, a practice initiated in the first half of 2015. These reports, which have evolved in format since 2020, provide insights into the types and origins of judicial requisitions Amazon and AWS face, highlighting the predominance of U.S. requests and revealing significant international interest. Despite a lack of specific numbers for National Security Letters (NSLs) and Foreign Intelligence Surveillance Act (FISA) requests due to legal constraints, Amazon maintains that no enterprise content data located outside the United States has been disclosed to the U.S. government, amidst ongoing debates about data sovereignty and the legal reach of U.S. authorities.
BioTech & Healthtech
Bioptimus raises $35 million to build a biotech LLM
AI startup Bioptimus has successfully secured a $35 million seed investment to develop a Large Language Model (LLM) for the biotechnology sector, validating earlier reports by Sifted. Founded by leading figures from Owkin, a French unicorn leveraging AI to analyze and enhance drug and treatment efficacy across diverse patient demographics, Bioptimus aims to create a foundational model trained on vast biological datasets. This initiative is designed to unravel and understand the complex principles of biology that, as founder Jean-Philippe Vert states, have so far been too intricate to fully comprehend.
How 23andMe went from $6B valuation to penny stock
DNA-testing company 23andMe and its founder, Anne Wojcicki, aimed to revolutionize healthcare, bringing genetic tests to homes with just a tube of spit. But challenges with its business model and continued data privacy concerns for consumers have brought the company once valued at $6 billion to a valuation of nearly $0, with Nasdaq threatening to delist it.
Phesi's huge repository of data in its Trial Accelerator platform reaches 100 million milestone
The company, a leader in patient-centric data analytics, announced on February 6 that its extensive data repository will enable sponsors to access information on patients across more than 4,000 medical conditions. This initiative aims to design more effective clinical trials and enhance clinical development with high precision. Leveraging its Trial Accelerator, the company has released the second edition of its Digital Patient Profile (DPP) catalog, offering detailed statistical insights into patient characteristics to refine protocol design and encourage the adoption of digital trial methodologies.
Podcasts
Building tomorrow’s biotech
An engaging interview replay with OWKIN's CEO, Thomas Clozel, dives into the core principles of AI and health data. Covering topics from federated learning and data hosting to investment, the interview candidly explores the latest trends in the emerging field of biotech.
Supporting developer accountability for privacy
"Developer Focus on Data Regulations" - Jake Gard, co-founder of Data Protocol, delves into strategies for narrowing the divide between developers and privacy laws, as well as between privacy professionals and privacy obligations. In an increasingly tech-centric world, this discussion provides crucial perspectives on creating apps that comply with privacy standards and sheds light on potential challenges developers may face regarding privacy issues.