In this Newsletter
Regulations, Guidelines & Opinions
Call For An Evaluation Of The GDPR
After five years of application of the General Data Protection Regulation (GDPR), the Council of Ministers of the European Union is calling for an overarching and comprehensive evaluation of the GDPR. Notably, it asks for more clarity on adequacy decisions and on the conditions under which personal data can be processed for research and archiving purposes, and for further elaboration of the concepts of anonymisation and pseudonymisation.
Plans Of The European Commission For International Data Transfers
Didier Reynders, European Commissioner for Justice, discussed plans to enhance data flows between the EU and other states during the IAPP Europe Data Protection Congress 2023. He mentioned the possibility of an adequacy decision with the State of California and a potential revision of the adequacy decision regarding the United Kingdom. Additionally, there is a proposal for a new type of adequacy decision to facilitate data transfers to international organizations.
Obligations For Cloud Providers Under The EU Cloud Scheme
A new draft of the European Cloud Services Scheme sheds light on several questions providers may have about the regulation. The scheme classifies providers into four levels of assurance, corresponding to the level of risk associated with the intended use of the product, service, or process: basic, substantial, high, and high+. Each level carries its own obligations. As an example, high+ providers will be required to have at least one dedicated location in the EU.
UK GDPR Reforms Move Forward In UK Parliament
On November 29, the U.K. Data Protection and Digital Information Bill advanced towards becoming law. According to the U.K.'s Minister for Data and Digital Infrastructure, the objective of the bill is to modify the 2018 Data Protection Act to better leverage personal data for promoting growth and competition. This involves moving away from the generalized, top-down approach that was a characteristic of the inherited GDPR framework.
Biotech & Healthtech
Adoption of the European Health Data Space By European Committees
The Environment and Civil Liberties committees have adopted their position on creating a European Health Data Space (EHDS). In December, the European Parliament will vote on the proposal. The EHDS aims to achieve two goals: firstly, to enable citizens to access their health data, such as prescriptions, images, and lab tests, across borders, and secondly, to collect health data for public health purposes, including research, innovation, policy-making, education, patient safety, and regulatory activities.
The Use Of Wearables And Smartphones In Healthcare
The use of wearables and smartphones in decentralized healthcare is steadily rising. They collect data almost in real time and provide many different types of data. However, this raises numerous concerns about data privacy and data security. To mitigate the risk of data misuse, strong and consistent standards need to be implemented and upheld. Additionally, giving users clear authority over their personal health data could help alleviate such concerns.
Databases And The Purpose Of The Processing
Half a million citizens of the United Kingdom donated their sensitive data to the UK Biobank for medical research purposes. However, an investigation by The Observer revealed that Biobank opened access to its biomedical database to insurance companies. Biological samples and medical history records, which were donated for research purposes, were accessed by insurance companies so that they could develop their own tools. UK Biobank indicated that it informed the volunteers and obtained their consent at the moment of collection.
Artificial Intelligence
Progress Made On The AI Act
The AI Act is currently undergoing changes in the final phase of the legislative process, with the aim of reaching an agreement by the 6th of December. One key point of contention revolves around the rules that should apply to foundation models. The issue of a code of conduct is central to the negotiations. Other points still under negotiation include governance, access to the source code, penalties, and AI literacy.
California, Privacy and AI
California's Privacy Protection Agency (CPPA) has released a draft regulation concerning automatic decision-making. This draft sets out guidelines for how AI can utilize data from individuals. The proposed regulations include provisions for opt-out rights, pre-use notice requirements, and access rights. These measures are designed to ensure that individuals are well-informed and can exercise their rights. The framework draws inspiration from the GDPR but aims to be more stringent, particularly in light of the practices employed by major tech companies. Additionally, it aligns with the European AI Act by adopting a risk-based approach.
Cybersecurity & Data Breaches
Data Breach By A Medical Secretary
A former NHS medical secretary accessed a total of 156 patient records without consent or a legitimate business need, viewing them over 1,800 times within a three-month period in 2019. This discovery resulted from an investigation led by the Information Commissioner's Office (ICO), initiated following a complaint made by a patient. Subsequently, the former secretary appeared before Worcester Magistrates' Court and was ordered to pay a total fine of £648.
The Weak Link Of Cybersecurity: The Vendors
A data breach that occurred in early May this year was recently disclosed by Perry Johnson & Associates (PJ&A), a vendor that provides transcription services to healthcare organizations. This breach had an impact on healthcare organizations that relied on the vendor, affecting more than 1.2 million individuals. Personal data and sensitive categories of data, including names, addresses, social security numbers, and medical records, may have been accessed and stolen.
Data Privacy Enforcement
The Appointment Of The Members Of The Data Protection Review Court
The EU-U.S. Data Privacy Framework established a two-layer redress mechanism. Firstly, EU individuals can file a complaint with the 'Civil Liberties Protection Officer' of the U.S. intelligence community. Secondly, EU individuals have the right to appeal that decision to the Data Protection Review Court. The members of this Court were appointed on the 14th of November. The Court can now officially commence its functions and review the findings of the Officer regarding complaints from EU individuals concerning potential privacy violations associated with U.S. signals intelligence activities.
Podcasts
Use of Biological Samples Without Consent: The Havasupai Nation's Case
The Havasupai Nation's experience in the early 1990s serves as a key example of why it's crucial to have appropriate legal frameworks for data use and secondary applications. They provided blood samples to Arizona State University researchers to investigate the high prevalence of Type 2 Diabetes in their Grand Canyon community, but never received results. Later, they discovered their data was being repurposed for unrelated projects without their permission.
Privacy And Voice Recognition AI
In an interview, Justin Hendrix talks to AI researcher Wiebke Hutiri, who specializes in Responsible AI, particularly algorithmic fairness and bias. Hutiri's notable work includes her thesis and the creation of 'Fair Eva,' an open-source tool to help evaluate and reduce bias in voice recognition technology. The discussion explores the specific challenges of bias and fairness in speaker recognition technology.
IAPP Europe Data Protection Congress 2023: Key Takeaways
AI and Regulation: William Malcolm from Google emphasized the need for a balanced regulatory approach to AI. Essential controls are necessary, but overregulation could impede the development of AI services.
AI Officer Role: The rise of 'AI Officers' in organizations is expected, underscoring the importance for those in privacy roles to have more than basic AI knowledge. In-depth understanding of AI algorithms, data curation, datasets, and databases is crucial for effective oversight.
EU's Regulatory Environment: Companies operating in the EU face tighter regulations for data collection and processing, making the environment more challenging despite efforts to make data more accessible.
Guidance for Engineers: Engineers require clear, principle-based frameworks for guidance, rather than vague legal guidelines, to ensure precise and actionable direction.
Microsoft's Innovations: Microsoft introduced Purview and Copilot, presented as significant advancements in data management for companies.
Privacy in ESG: Privacy issues are increasingly being integrated into Environmental, Social, and Governance (ESG) frameworks, with ongoing developments highlighted by a white paper from www.piccaso.org.
Data Transfers: The first evaluation of data transfers is set for July 2024, with over 2,500 companies, 70% being SMEs, already participating. The Data Privacy Framework (DPF) is seen as a potential solution to the challenges posed by Standard Contractual Clauses (SCCs).