Regulations & Guidelines


Clarifying accountability: EDPB's opinion on controllers' responsibilities in managing processing chains

The Danish Supervisory Authority (DK SA) requested guidance from the European Data Protection Board (EDPB) regarding controllers' accountability in managing processing chains and sub-processors. Key questions focused on the extent to which controllers must identify, verify, and document sub-processors' compliance, particularly for data transfers and contracts, and whether these responsibilities vary with the processing risk level. The EDPB clarified that controllers hold ultimate responsibility for ensuring compliance across processing chains and that specific documentation and verification are essential, regardless of risk level, to maintain GDPR alignment.


Guidelines for using legitimate interests as a legal basis under GDPR Article 6(1)(f)

The European Data Protection Board's (EDPB) Guidelines, currently under public consultation, clarify when controllers can legally process personal data based on "legitimate interests" per Article 6(1)(f) of the GDPR. The Guidelines outline a three-step framework for assessing legitimate interest, necessity, and balancing against data subject rights, emphasizing transparency, accountability, and higher scrutiny in contexts like children's data and direct marketing.


UK Data Bill 2024: simplifying privacy, boosting growth

The Data (Use and Access) Bill, introduced to UK Parliament on October 3, 2024, seeks to reform the UK's data protection framework by defining legitimate interests for data processing, establishing conditions for secondary processing, and updating rules for data subject access, cookie consent, and automated decisions. It introduces a test for international data transfers to ensure adequate protection levels, with the ICO and DSIT supporting the bill's goals to bolster the economy, enhance public services, and simplify daily life.


Traunstein ruling highlights growing support for risk-based data transfer approach in the EU

The Traunstein decision is the latest in a series of EU member state court rulings challenging the "zero-risk" approach. Instead, these courts are opting for a more flexible interpretation of GDPR Chapter V, considering factors like data type, existing protections, risk severity, and the probability of unauthorized access by authorities in countries without adequate protections.


ICO's new data protection audit framework

The UK Information Commissioner's Office (ICO) has published a new audit framework to help organizations assess their compliance with key requirements under data protection law.


GDPR compliance made clear: EUCROF's Code for clinical research service providers

The EUCROF GDPR Code of Conduct provides a compliance framework for Contract Research Organizations (CROs) working under GDPR, outlining data protection responsibilities, pseudonymisation standards, and data management protocols. A Supervisory Committee ensures adherence, with CROs receiving Compliance Marks for verified GDPR compliance.


EU-US Data Privacy Framework report: high SME participation, few compliance issues, calls for more guidance

The European Commission's first review of the EU-US Data Privacy Framework (DPF) highlights that 70% of participants are SMEs, primarily in the ICT sector, with certifications mainly for non-HR data. The U.S. Department of Commerce rejected 33 applications due to non-compliance, while the Commission suggests enhanced guidance for HR data handling, onward transfers, and sector-specific applications, aiming for better alignment between FTC and EU privacy enforcement.


FDA calls for coordinated AI regulations across health and global industries

The FDA emphasizes the need for coordinated AI regulation across health, industry, and international agencies, proposing flexible, lifecycle-based oversight to manage AI's rapid evolution in healthcare. Special attention is recommended for large language models and AI-driven medical devices to ensure ongoing safety and effectiveness in diagnosis and treatment applications.


Data Privacy Enforcement


$250K HIPAA settlement: Cascade Eye and Skin Centers to strengthen data security after ransomware breach

Cascade Eye and Skin Centers agreed to a $250,000 settlement with the U.S. Department of Health and Human Services' Office for Civil Rights for HIPAA Security Rule violations following a 2017 ransomware attack that compromised 291,000 health records. The settlement mandates a corrective action plan requiring Cascade to conduct a risk analysis, implement a risk management strategy, and establish HIPAA-compliant policies and procedures.


Techbio & Artificial Intelligence


Enhancing data privacy in retrieval augmented generation: A differentially private approach

Leveraging advances in Differentially Private In-Context Learning (DP-ICL), this research developed an algorithm that integrates Differential Privacy (DP) within Retrieval Augmented Generation (RAG). By aggregating multiple generations based on document retrieval, DP-RAG achieves comparable performance to standard RAG while ensuring privacy protections, making it a feasible alternative to costly DP-finetuning for securely handling sensitive data.


EU's AI Act compliance checker launched for generative AI models



Nvidia and Microsoft power up AI health startups with major resource boosts

Nvidia and Microsoft are combining their startup programs to offer AI health startups significant resources, including $350,000 in Azure credits and access to Nvidia's AI infrastructure for developing healthcare applications. The collaboration aims to support innovative solutions in medical devices and clinical efficiency, with startups like Pangaea Data and Artisight already leveraging this technology.


Zoom integrates AI-powered notes to streamline telehealth documentation

Zoom has partnered with Suki AI to integrate automatic clinical note generation into its telehealth platform, aiming to reduce administrative burdens for healthcare providers. The collaboration will enable clinicians to focus more on patient care by automating documentation for both telehealth and in-person visits.


Data Breach & Cybersecurity


Change Healthcare ransomware fallout: expanded impact and Federal actions

In February 2024, a ransomware attack on Change Healthcare exposed the private health information of over 100 million individuals, leading to extensive outages and disruptions across the U.S. healthcare sector. UnitedHealth Group (UHG), which owns Change Healthcare, has now confirmed the number of affected individuals, having previously anticipated that the breach would impact a significant portion of Americans. The U.S. Department of Health and Human Services reported this updated figure on its data breach portal.


The biggest data breaches in 2024

In 2024, over 1 billion personal records have been exposed due to extensive data breaches, with a significant portion involving sensitive health data. Major incidents include breaches at Change Healthcare and Synnovis, impacting healthcare services across the U.S. and U.K. and exposing the medical information of millions, highlighting vulnerabilities in health data security.


Food For Thought


The digital afterlife of health data: Ownership and ethical challenges

With increasing digital health data from technologies like fitness trackers and genetic tests, questions arise about the ownership and handling of health data after death. Current frameworks rarely allow individuals to control their posthumous health data, prompting ethical concerns and calls for new regulations to balance privacy, prevent commercial exploitation, and promote scientific value.


Podcasts


iliomad's News


In October, our co-founder Seamus was honored to join a discussion panel hosted by anonymization leader Nijta, focusing on the balance between innovation and regulation.


Seamus Larroque

CDPO / CPIM / ISO 27005 Certified

Nov 2024
Newsletter #19

In October, key developments in data privacy, AI, and cybersecurity emerged, including new GDPR accountability guidance for controllers, the introduction of the UK’s Data Bill 2024, and the FDA's call for coordinated AI regulation in healthcare. High-profile data breaches also highlighted vulnerabilities in health data, underscoring the need for stronger, globally aligned privacy standards.