We like to keep our readers up to date on complex regulatory issues, the latest industry trends and updated guidelines to help you to solve a problem or make an informed decision.
Strengthening GDPR Compliance: EDPB Guidelines and European Data Protection Seal Updates
The EDPB released guidelines on Article 48 GDPR, which governs requests from third-country courts and authorities for personal data held in the EU. The guidelines stress that such a request is not, by itself, a lawful basis for disclosure: the controller still needs a legal basis under Article 6 and a valid transfer ground under Chapter V before handing data to a third-country authority. Public consultation is open until January 27, 2025. Separately, the EDPB approved the Brand Compliance certification criteria as a European Data Protection Seal, giving organizations an additional way to demonstrate GDPR compliance. The guidelines also note that an international agreement, such as a mutual legal assistance treaty, can serve both as the legal basis for the processing and as the transfer ground providing appropriate safeguards under Article 46(2)(a).
Fully applicable since 17 February 2024, the EU Digital Services Act (DSA) introduces a single regulatory regime for digital intermediaries, covering conditional liability exemptions ("safe harbor") for hosting and transmission services, content moderation duties, and transparency requirements. Obligations are tiered by service type, with the strictest rules reserved for very large online platforms and search engines. Compliance measures include periodic transparency reporting and, for providers established outside the EU, the appointment of an EU legal representative.
The U.S. Department of Justice (DOJ) has proposed significant restrictions, implementing Executive Order 14117, on cross-border transfers of bulk sensitive personal data, including health data, to "countries of concern" such as China and Russia, with the stated aim of mitigating national security risks. If finalized, the rule will require covered companies to implement formal compliance programs, will prohibit or restrict transactions involving sensitive health-related data such as human genomic data, and will impose strict recordkeeping and due-diligence obligations to prevent misuse.
The European Data Protection Board (EDPB) emphasizes responsible AI innovation under the GDPR, addressing when an AI model trained on personal data can be treated as anonymous and when legitimate interests can serve as the legal basis for training. It highlights the consequences of developing an AI model with unlawfully processed data, including for the later deployment of that model, and calls for case-by-case assessment by supervisory authorities, with robust anonymization and protective measures as the main mitigations.
ANPD Issues Guidelines on Data Protection Officers
On December 19, 2024, the Brazilian data protection authority (ANPD) released guidelines clarifying the role of Data Protection Officers (DPOs) under the Lei Geral de Proteção de Dados (LGPD). The guidelines set out when a DPO must be appointed, which organizations are exempt, and what the role entails, stressing the selection of qualified individuals with data protection expertise and multidisciplinary knowledge, and addressing potential conflicts of interest between the DPO function and other duties.
Chile’s Law No. 21.719, published on December 13, 2024, establishes a personal data protection agency and regulates data processing by entities inside and outside Chile that target or monitor people in Chile. The law, which takes effect 24 months after publication, grants data subjects rights such as access, rectification, and deletion, and is built on principles of lawfulness, fairness, and transparency, with specific exemptions for purely personal activities and the expression of opinions.
Gene by Gene Ltd., operating as FamilyTreeDNA, faces a proposed class action for allegedly sharing over 10,000 customers’ genetic data with Alphabet and Meta without consent. The complaint, filed in Illinois, claims the use of tracking tools on its website violated the Illinois Genetic Information Privacy Act by disclosing sensitive ancestry and health information to third parties.
HHS Penalizes Florida Practice for HIPAA Violations
The U.S. Department of Health and Human Services (HHS) Office for Civil Rights fined a Florida pain management practice $1.19 million for failing to terminate former employees’ access to electronic protected health information (ePHI), along with other violations of the HIPAA Security Rule. The Security Rule’s workforce security standard (45 CFR 164.308(a)(3)) requires documented procedures for ending access when a workforce member leaves, and the security management standard (45 CFR 164.308(a)(1)) requires regular review of information system activity, so an account that stays enabled after separation, or unexplained access after that date, should be caught by routine controls rather than discovered during an investigation.
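A practical way to catch the two failures behind this penalty is a periodic reconciliation of HR separation records against the identity store and the ePHI audit log. The script below is an added example, not code from HHS, the practice or iliomad; the HR events, account list and EHR audit lines are constructed, and the record fields (user, status, effective date, enabled, ephi_access) are assumptions about how such data would be exported. It flags accounts still enabled with ePHI access after the termination date (plus a short grace period) and ePHI access events recorded after termination, while correctly ignoring rehires and future-dated separations.

```python
from dataclasses import dataclass
from datetime import date, datetime, timedelta


@dataclass(frozen=True)
class HrEvent:
    user: str
    status: str        # "active" or "terminated" (assumed HR export values)
    effective: date    # for "terminated": the last day of employment


@dataclass(frozen=True)
class Account:
    user: str
    enabled: bool
    ephi_access: bool  # assumed flag: account holds a role that can reach ePHI


def latest_status(hr_events):
    """Latest HR event per user, so a rehire after a termination reads as active."""
    by_user = {}
    for ev in sorted(hr_events, key=lambda e: e.effective):
        by_user[ev.user] = ev
    return by_user


def overdue_deprovisioning(accounts, hr_events, as_of, grace_days=1):
    """Return (user, reason) for enabled ePHI accounts that should already be disabled.

    Two cases are flagged: the user was terminated more than grace_days ago, or
    the account has no HR record at all (an orphan with no accountable owner).
    """
    status = latest_status(hr_events)
    flagged = []
    for acct in accounts:
        if not (acct.enabled and acct.ephi_access):
            continue
        ev = status.get(acct.user)
        if ev is None:
            flagged.append((acct.user, "no HR record"))
        elif ev.status == "terminated" and ev.effective <= as_of \
                and as_of - ev.effective > timedelta(days=grace_days):
            flagged.append((acct.user, f"terminated {ev.effective.isoformat()}"))
    return flagged


def post_termination_access(log_lines, hr_events):
    """Parse constructed audit lines '<ISO timestamp> <user> <action...>' and
    return (user, timestamp, action) for events after the user's last day."""
    status = latest_status(hr_events)
    hits = []
    for line in log_lines:
        ts, user, action = line.split(" ", 2)
        when = datetime.fromisoformat(ts)
        ev = status.get(user)
        if ev is not None and ev.status == "terminated" and when.date() > ev.effective:
            hits.append((user, when, action))
    return hits


# Constructed sample data (not real records).
HR_EVENTS = [
    HrEvent("asmith", "active", date(2023, 1, 9)),
    HrEvent("asmith", "terminated", date(2024, 10, 31)),
    HrEvent("bjones", "active", date(2022, 5, 2)),
    HrEvent("bjones", "terminated", date(2024, 6, 14)),
    HrEvent("bjones", "active", date(2024, 9, 2)),      # rehired: must not be flagged
    HrEvent("clee", "active", date(2021, 3, 1)),
    HrEvent("clee", "terminated", date(2025, 1, 15)),   # future-dated: not yet due
    HrEvent("dkim", "active", date(2020, 1, 1)),
]
ACCOUNTS = [
    Account("asmith", enabled=True, ephi_access=True),       # overdue
    Account("bjones", enabled=True, ephi_access=True),       # rehire, fine
    Account("clee", enabled=True, ephi_access=True),         # not yet due
    Account("dkim", enabled=True, ephi_access=True),         # active, fine
    Account("svc_billing", enabled=True, ephi_access=True),  # orphan, no owner
    Account("eperez", enabled=True, ephi_access=False),      # no ePHI reach, ignored
]
AUDIT_LOG = [
    "2024-10-30T09:12:00 asmith view_chart patient=P1001",
    "2024-11-05T22:41:13 asmith export_records patient=P1001",
    "2024-12-01T08:00:00 bjones view_chart patient=P2002",
    "2024-12-02T10:30:00 dkim view_chart patient=P3003",
]
AS_OF = date(2024, 12, 20)

if __name__ == "__main__":
    for user, reason in overdue_deprovisioning(ACCOUNTS, HR_EVENTS, AS_OF):
        print(f"DISABLE {user}: {reason}")
    for user, when, action in post_termination_access(AUDIT_LOG, HR_EVENTS):
        print(f"INVESTIGATE {user} at {when.isoformat()}: {action}")
```

Run on the constructed data, the first check reports asmith (terminated 2024-10-31, still enabled) and svc_billing (no HR record), and the second reports asmith’s 5 November export, which is the kind of post-termination activity an information system activity review is meant to surface. The grace period is deliberately short; a practice that lets it stretch to weeks has effectively recreated the control gap this penalty was about.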
While advances like AlphaFold have transformed protein structure prediction, biology’s complexity requires rich, real-world data that is often unavailable. Startups like Fauna Bio and Enveda show that success with AI hinges on generating proprietary datasets and on “augmented intelligence,” where simpler models guide experiments efficiently to solve specific biological problems.
Cleerly, an AI-driven cardiovascular imaging startup, focuses on early detection of coronary artery disease through CT scans, aiming to screen large populations akin to cancer detection programs. The company recently secured $106M in funding, achieved Medicare coverage for its plaque analysis test, and is conducting large-scale clinical trials, positioning itself strongly in a competitive yet expansive market alongside players like HeartFlow and Elucid.
AI hallucinations in general-purpose systems challenge GDPR compliance, particularly around accuracy and data subject rights, as seen in complaints against platforms like ChatGPT. Regulators like the Hamburg DPA and UK ICO suggest focusing on system outputs rather than internal workings, while companies implement guardrails, filters, and transparency features to reduce inaccuracies. A balanced regulatory approach and collaboration between stakeholders are crucial to protect individual rights while enabling innovation in AI.
The debate over hosting French health data on Microsoft Azure continues, now involving the EMC2 data warehouse that the Health Data Hub manages for the European Medicines Agency. Critics point to the risk of access by U.S. authorities and to the limits of pseudonymization, which under the GDPR leaves data personal as long as it can be re-linked to an individual, underscoring broader concerns about technological sovereignty as France plans to move to a sovereign cloud solution by 2025 in a market dominated by U.S. providers.
The entire iliomad team wishes you an incredible year ahead! As for us, we’re stepping into 2025 with great ambition—expanding our team, launching new services, and pursuing exciting growth opportunities on our roadmap. Here’s to a successful year for all! 🎉
Seamus Larroque
CDPO / CPIM / ISO 27005 Certified