In this Newsletter
Regulations & Guidelines
Clarifying accountability: EDPB's opinion on controllers' responsibilities in managing processing chains
The Danish Supervisory Authority (DK SA) requested guidance from the European Data Protection Board (EDPB) regarding controllers’ accountability in managing processing chains and sub-processors. Key questions focused on the extent to which controllers must identify, verify, and document sub-processors’ compliance, particularly for data transfers and contracts, and whether these responsibilities vary with the processing risk level. The EDPB clarified that controllers hold ultimate responsibility for ensuring compliance across processing chains and that specific documentation and verification are essential, regardless of risk level, to maintain GDPR alignment.
Guidelines for using legitimate interests as a legal basis under GDPR Article 6(1)(f)
The European Data Protection Board’s (EDPB) Guidelines, currently under public consultation, clarify when controllers can legally process personal data based on "legitimate interests" per Article 6(1)(f) of the GDPR. The Guidelines outline a three-step framework for assessing legitimate interest, necessity, and balancing against data subject rights, emphasizing transparency, accountability, and higher scrutiny in contexts like children’s data and direct marketing.
UK Data Bill 2024: simplifying privacy, boosting growth
The Data (Use and Access) Bill, introduced to UK Parliament on October 3, 2024, seeks to reform the UK's data protection framework by defining legitimate interests for data processing, establishing conditions for secondary processing, and updating rules for data subject access, cookie consent, and automated decisions. It introduces a test for international data transfers to ensure adequate protection levels, with the ICO and DSIT supporting the bill's goals to bolster the economy, enhance public services, and simplify daily life.
Traunstein ruling highlights growing support for risk-based data transfer approach in the EU
The Traunstein decision is the latest in a series of EU member state court rulings challenging the "zero-risk" approach. Instead, these courts are opting for a more flexible interpretation of GDPR Chapter V, considering factors like data type, existing protections, risk severity, and the probability of unauthorized access by authorities in countries without adequate protections.
ICO New Data protection audit framework
The UK Information Commissioner's Office (ICO) has published a new audit framework to help organizations assess their compliance with key requirements under data protection law.
GDPR compliance made clear: EUCROF's Code for clinical research service providers
The EUCROF GDPR Code of Conduct provides a compliance framework for Contract Research Organizations (CROs) working under GDPR, outlining data protection responsibilities, pseudonymisation standards, and data management protocols. A Supervisory Committee ensures adherence, with CROs receiving Compliance Marks for verified GDPR compliance.
EU-US Data Privacy Framework report: high SME participation, few compliance issues, calls for more guidance
The European Commission's first review of the EU-US Data Privacy Framework (DPF) highlights that 70% of participants are SMEs, primarily in the ICT sector, with certifications mainly for non-HR data. The U.S. Department of Commerce rejected 33 applications due to non-compliance, while the Commission suggests enhanced guidance for HR data handling, onward transfers, and sector-specific applications, aiming for better alignment between FTC and EU privacy enforcement.
FDA calls for coordinated AI regulations across health and global industries"
The FDA emphasizes the need for coordinated AI regulation across health, industry, and international agencies, proposing flexible, lifecycle-based oversight to manage AI’s rapid evolution in healthcare. Special attention is recommended for large language models and AI-driven medical devices to ensure ongoing safety and effectiveness in diagnosis and treatment applications.
Data Privacy Enforcement
250K HIPAA settlement: Cascade eye and skin centers to strengthen data security after ransomware breach
Cascade Eye and Skin Centers agreed to a $250,000 settlement with the U.S. Department of Health and Human Services' Office for Civil Rights for HIPAA Security Rule violations following a 2017 ransomware attack that compromised 291,000 health records. The settlement mandates a corrective action plan requiring Cascade to conduct a risk analysis, implement a risk management strategy, and establish HIPAA-compliant policies and procedures.
Techbio & Artificial Intelligence
Enhancing data privacy in retrieval augmented generation: A differentially private approach
Leveraging advances in Differentially Private In-Context Learning (DP-ICL), this research developed an algorithm that integrates Differential Privacy (DP) within Retrieval Augmented Generation (RAG). By aggregating multiple generations based on document retrieval, DP-RAG achieves comparable performance to standard RAG while ensuring privacy protections, making it a feasible alternative to costly DP-finetuning for securely handling sensitive data.
EU's AI Act compliance checker launched for generative AI models
Leveraging advances in Differentially Private In-Context Learning (DP-ICL), this research developed an algorithm that integrates Differential Privacy (DP) within Retrieval Augmented Generation (RAG). By aggregating multiple generations based on document retrieval, DP-RAG achieves comparable performance to standard RAG while ensuring privacy protections, making it a feasible alternative to costly DP-finetuning for securely handling sensitive data.
Nvidia and Microsoft power up AI health startups with major resource boosts
Nvidia and Microsoft are combining their startup programs to offer AI health startups significant resources, including $350,000 in Azure credits and access to Nvidia's AI infrastructure for developing healthcare applications. The collaboration aims to support innovative solutions in medical devices and clinical efficiency, with startups like Pangaea Data and Artisight already leveraging this technology.
Zoom integrates AI-powered notes to streamline telehealth documentation
Zoom has partnered with Suki AI to integrate automatic clinical note generation into its telehealth platform, aiming to reduce administrative burdens for healthcare providers. The collaboration will enable clinicians to focus more on patient care by automating documentation for both telehealth and in-person visits.
Data Breach & Cybersecurity
Change Healthcare ransomware fallout: expanded impact and Federal actions
In February 2024, a ransomware attack on Change Healthcare exposed the private health information of over 100 million individuals, leading to extensive outages and disruptions across the U.S. healthcare sector. UnitedHealth Group (UHG), which owns Change Healthcare, has now confirmed the scope of affected individuals, previously anticipating the breach to impact a significant portion of Americans. The U.S. Department of Health and Human Services reported this updated figure on its data breach portal.
The biggest data breaches in 2024
In 2024, over 1 billion personal records have been exposed due to extensive data breaches, with a significant portion involving sensitive health data. Major incidents include breaches at Change Healthcare and Synnovis, impacting healthcare services across the U.S. and U.K. and exposing the medical information of millions, highlighting vulnerabilities in health data security.
Food For Thought
The digital afterlife of health data: Ownership and ethical challenges
With increasing digital health data from technologies like fitness trackers and genetic tests, questions arise about the ownership and handling of health data after death. Current frameworks rarely allow individuals to control their posthumous health data, prompting ethical concerns and calls for new regulations to balance privacy, prevent commercial exploitation, and promote scientific value.
Podcasts
iliomad's News
In October, our co-founder Seamus was honored to join a discussion panel hosted by anonymization leader Nijta, focusing on the balance between innovation and regulation.
Sign up for our newsletter
We like to keep our readers up to date on complex regulatory issues, the latest industry trends and updated guidelines to help you to solve a problem or make an informed decision.
Newsletter #20
🌎 This month, key updates include Brazil’s introduction of a new SCC-based framework for international data transfers. 📋 The EDPB shared its evaluation of the EU-US Data Privacy Framework. 🤖 Advancements in AI-driven health solutions, such as Sanofi’s Muse for clinical trial recruitment, were also highlighted. 🧬 Discussions focused on genomics privacy, neural data protection, and the transformative role of AI in healthcare and compliance landscapes.
Newsletter #19
In October, key developments in data privacy, AI, and cybersecurity emerged, including new GDPR accountability guidance for controllers, the introduction of the UK’s Data Bill 2024, and the FDA's call for coordinated AI regulation in healthcare. High-profile data breaches also highlighted vulnerabilities in health data, underscoring the need for stronger, globally aligned privacy standards.
Newsletter #18
Get up to speed with the latest in data protection regulations and healthtech innovations, including updates from Brazil, the UK, and California, along with advancements in AI-driven healthcare solutions. Plus, explore major privacy enforcement actions and key developments shaping the future of digital health.