We like to keep our readers up to date on complex regulatory issues, the latest industry trends and updated guidelines to help you to solve a problem or make an informed decision.
Regulators across Europe and the UK advanced data protection and AI governance. CNIL issued GDPR compliance recommendations for AI, stressing transparency, pseudonymization, and data minimization, while the UK’s Data Bill clarified legitimate interests, secondary processing, and DSAR rules. Switzerland’s FDPIC released guidelines on data breach notifications, and the CJEU ruled that GDPR fines must be based on global revenue. Meanwhile, the EU Commission withdrew the AI Liability Directive, though Parliament is pushing for continued work.
In healthtech and AI, Owkin’s ATLANTIS is breaking healthcare data silos, Apple’s Health Study explores AI-driven health insights, and Google’s Pixel Watch 3 gained FDA approval for pulse detection. Cybersecurity risks persist, with VectraRx facing lawsuits over a data breach and 23andMe’s CEO bidding to take the company private after financial and security issues. As AI and digital health evolve, regulators continue balancing innovation, compliance, and data protection.
Regulations & Guidelines
CNIL’s AI & GDPR Compliance Recommendations
On February 7, 2025, the CNIL issued two key recommendations to align AI practices with GDPR. The first stresses transparency in AI data processing, particularly for indirect data collection like web scraping, while the second focuses on facilitating individuals’ rights, proposing pseudonymization and data minimization to balance privacy and AI innovation.
UK Data (Use and Access) Bill Advances in Parliament
On February 6, 2025, the Data (Use and Access) Bill passed its first reading in the House of Commons, with a second reading scheduled for February 12, 2025. The bill proposes amendments to the UK data protection framework, including recognized legitimate interests for processing, secondary processing conditions, revised data subject access request rules, cookie consent changes, and automated decision-making provisions.
Switzerland’s FDPIC Issues Data Breach Notification Guide
The UK's Data Protection and Digital Information Bill, aiming to replace the GDPR, has raised concerns about weakening data protections for EU citizens and risking the EU-UK data adequacy agreement, essential for smooth data transfers. Criticisms include potential breaches of the European Convention on Human Rights, specifically regarding biometric data, and questions about the bill's impact on law enforcement cooperation under frameworks like Prüm II, along with its compatibility with EU data protection standards.
AG Opinion: Pseudonymized Data May Not Be Personal Under GDPR
A recent European High Court AG opinion in the EDPS v. SRB case suggests that pseudonymized data is not personal if the recipient lacks “reasonable means” to re-identify individuals. While not binding, it aligns with past CJEU rulings and could influence GDPR interpretation. Meanwhile, the U.S. DOJ takes a stricter stance, dismissing pseudonymization as a valid risk mitigation measure.
EU Commission Drops AI Liability Directive Amid Stalled Talks
The European Commission has removed the AI Liability Directive from its 2025 work program due to stalled negotiations, though the Parliament’s IMCO Committee voted to continue work on it. While some lawmakers oppose the withdrawal, others favor delaying the rules. The tech industry argues that the Product Liability Directive (PLD) already covers AI liability, but consumer groups and Parliament research highlight gaps, particularly for large language models like ChatGPT.
Owkin Launches ATLANTIS to Advance AI-Driven Medical Research
Owkin has introduced ATLANTIS, a multimodal patient data discovery program aimed at breaking data silos and accelerating AI-powered medical research. Spanning 11 therapeutic areas across 20 global healthcare institutions, the initiative will enhance data harmonization to drive faster discoveries and improve patient outcomes. Set to conclude by May 2025, ATLANTIS will fuel Owkin K, the company’s AI platform for biomedical breakthroughs.
AI/ML Patent Disclosure in Life Sciences: Striking the Right Balance
As AI/ML technologies continue to drive innovation in life sciences, patent applicants face challenges in determining how much technical detail to disclose. While detailed patents strengthen intellectual property protection, they may expose proprietary methods, whereas minimal disclosure risks patent invalidation. The recent rise in AI-enabled medical devices and drug discovery tools highlights the need for clear legal standards, balancing innovation, regulatory compliance, and competitive advantage in the TechBio sector.
Apple Launches Five-Year Apple Health Study with Brigham and Women’s Hospital
Apple has introduced the Apple Health Study, a five-year longitudinal research project enabling users to voluntarily share health data via the Apple Research app. The study will analyze cardiovascular, metabolic, mental health, sleep, and cognition metrics using data from iPhones, Apple Watches, and AirPods, aiming to enhance health tracking and product development.
The Evolution of Blood Pressure Monitoring: From 16th Century to Smart Wearables
Blood pressure monitoring has advanced significantly from 16th-century experiments to smartphone-connected devices that allow patients to track and share readings with doctors. Companies like iHealth, Withings, and Viatom have integrated heart rate and ECG monitoring, while photoplethysmography (PPG) technology enables real-time, continuous BP tracking, paving the way for wearables to monitor BP as commonly as heart rate.
Google Pixel Watch 3 Gets FDA Clearance for Loss of Pulse Detection
Google’s Pixel Watch 3 has received FDA clearance for its loss of pulse detection feature, which can automatically call emergency services if no pulse is detected. Using infrared sensors, motion detection, and AI analysis, the watch confirms pulse loss and shares the user’s location with responders. Initially launched at Google’s Made by Google event, the feature is available in 14 countries and will roll out in the U.S. by March, addressing a critical need for faster emergency response.
VectraRx Faces Class Actions Over December 2024 Data Breach
Online pharmacy VectraRx Mail Pharmacy Services is facing seven federal class action lawsuits after a December 2024 data breach exposed sensitive consumer information, including Social Security numbers, prescription details, and contact information. Plaintiffs allege negligence and failure to implement adequate security measures, citing common law, contract law, FTC Act, and HIPAA violations.
23andMe CEO Submits New Bid to Take Company Private
Anne Wojcicki, CEO of 23andMe, has partnered with New Mountain Capital to submit a higher bid to take the company private, after a previous offer was rejected. Facing financial struggles, including a 40% workforce reduction, the new $74.7 million proposal aims to enable long-term value creation outside the public market.
We were delighted to take part in the 2025 EUCROF Annual Gathering in Copenhagen. The event provided valuable insights on key topics, from emerging clinical trial trends and CTIS updates to real-world applications of AI in clinical research.
Seamus Larroque
CDPO / CPIM / ISO 27005 Certified