In this Newsletter
Regulations
Artificial Intelligence Act: Deal on Comprehensive Rules for Trustworthy AI
European Parliament and Council negotiators have reached a provisional agreement on the Artificial Intelligence Act, focusing on safe and ethical AI while promoting innovation. The Act bans AI practices judged an unacceptable risk to fundamental rights, sets strict obligations for high-risk AI systems and imposes safeguards on law enforcement use of AI. It also supports innovation and SMEs through regulatory sandboxes and imposes substantial fines for non-compliance, positioning Europe as a leader in responsible AI development.
European Commission's AI Act: Explained in a Comprehensive Q&A
The European Commission has developed a comprehensive Q&A resource to explain the EU AI Act, providing clear and accessible information about the legislation's purpose, scope, and implications. This Q&A aims to enhance understanding of the Act's key elements, such as the risk-based classification of AI systems, and the responsibilities and obligations it imposes on AI providers and users. It also elucidates the enforcement mechanisms and penalties for non-compliance, thereby aiding stakeholders in navigating and adhering to the Act's provisions.
EU Parliament Revises European Health Data Space Framework
The European Parliament has adopted an amended proposal in Plenary as the negotiating foundation with the Council on the framework of the European Health Data Space (EHDS). Negotiations are underway on the basis of this proposal. Key points include strengthened patient rights to data access, conformity assessment procedures for EHR systems, and discussions on the secondary use of health data.
Proposed Revisions to CCPA
The California Privacy Protection Agency has released proposed amendments to the rules implementing the California Consumer Privacy Act. The updates aim to expand the scope and penalties of the regime, and include modifications regarding dark patterns and businesses' responsibilities for honouring data subject rights.
EDPB: GDPR Implementation Successful, Future Challenges Require More Resources
At its latest plenary, the European Data Protection Board (EDPB) acknowledged the successful application of the GDPR over its first 5.5 years, deeming it premature to revise it at this stage. The EDPB emphasized the need for adequate resources for Data Protection Authorities (DPAs) and itself to meet future challenges, especially given the evolving technological landscape and new digital economy legislation. Additionally, the EDPB is focusing on enhancing international data transfer agreements and developing cooperation with third countries, while also planning to issue guidelines on the 'pay or ok' model.
China's First Personal Information Certification For Cross-Border Data Transfer
On December 25th, China's Cybersecurity Review Technology and Certification Centre (CCRC) issued the first personal information certification for cross-border data transfer to the University of Macau, marking a significant advancement in China's personal information protection and governance. This certification, which encompasses a comprehensive technological framework for data lifecycle management, is an alternative to the security assessment and the China SCC under the PIPL, and extends beyond cross-border data transfer applications. On December 26th, the CCRC awarded personal information protection certification to five additional companies, indicating the growing importance of personal information certification in China's data protection landscape and suggesting a busy year ahead for privacy professionals as new regulations arrive in 2024.
PETs - Privacy Enhancing Technologies
Breaking Down Privacy Risks: How 'Anonymous' Synthetic Data Can Be Exposed
The study titled "On the Inadequacy of Similarity-based Privacy Metrics: Reconstruction Attacks against Truly Anonymous Synthetic Data" uncovers critical flaws in relying on empirical, similarity-based evaluations to certify the privacy of synthetic data. It introduces ReconSyn, an attack that exploits these weaknesses, and demonstrates its effectiveness by reconstructing sensitive training records from synthetic datasets that the metrics had deemed private. This work challenges the reliability of current privacy metrics and emphasizes the need for rigorous, provable privacy-preserving methods in the creation of synthetic data.
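To make the paper's point concrete, here is a small Python illustration added for this newsletter; it is not the authors' ReconSyn code and does not reproduce their attack. It builds a constructed eight-row table, a deliberately memorizing generator, the two similarity metrics synthetic-data tools commonly report (identical-match rate and distance to closest record, DCR) and a trivial rounding attack. The metrics pass, yet every training row is recovered. The data, both generators and the attacker's assumption that every attribute is integer-valued are all made up for the example; the marginal-sampling generator is included only as a contrast.

```python
import random
from typing import Iterable, List, Sequence, Tuple

Record = Tuple[float, ...]

# Constructed toy training table (age, 3-digit ZIP prefix, diagnosis code).
# Made up for this example; not real patient data.
TRAIN: List[Record] = [
    (34, 902, 250), (58, 941, 401), (27, 100, 493), (71, 606, 414),
    (45, 303, 272), (63, 212, 530), (39, 770, 311), (52, 850, 724),
]


def memorizing_generator(train: Sequence[Record], seed: int = 1) -> List[Record]:
    """A deliberately leaky 'generator': copies every training row and
    jitters each attribute by a small non-zero amount, so no synthetic row
    is byte-for-byte identical to a training row."""
    rng = random.Random(seed)
    out = []
    for row in train:
        out.append(tuple(v + rng.choice((-1, 1)) * rng.uniform(0.05, 0.3) for v in row))
    return out


def marginal_generator(train: Sequence[Record], seed: int = 1) -> List[Record]:
    """Contrast generator: samples each column independently from its
    marginal, so joint rows are (mostly) new combinations."""
    rng = random.Random(seed)
    columns = list(zip(*train))
    return [tuple(rng.choice(col) for col in columns) for _ in train]


def euclid(a: Record, b: Record) -> float:
    return sum((x - y) ** 2 for x, y in zip(a, b)) ** 0.5


def identical_match_rate(synth: Sequence[Record], train: Sequence[Record]) -> float:
    """Share of synthetic rows that exactly equal some training row."""
    train_set = set(train)
    return sum(1 for s in synth if s in train_set) / len(synth)


def min_dcr(synth: Sequence[Record], train: Sequence[Record]) -> float:
    """Distance to closest record: smallest distance from any synthetic row
    to its nearest training row. Many synthetic-data tools report this as a
    privacy metric (higher is supposedly safer)."""
    return min(min(euclid(s, t) for t in train) for s in synth)


def similarity_metrics_pass(synth: Sequence[Record], train: Sequence[Record],
                            dcr_floor: float = 0.0) -> bool:
    """The kind of empirical check the paper argues is inadequate:
    'no exact copies, and every synthetic row keeps some distance'."""
    return identical_match_rate(synth, train) == 0.0 and min_dcr(synth, train) > dcr_floor


def reconstruct(synth: Sequence[Record]) -> set:
    """Attacker step (illustrative only, not the paper's ReconSyn): assuming
    the attacker knows every attribute is integer-valued, snapping each
    synthetic value to the nearest integer undoes the jitter."""
    return {tuple(round(v) for v in row) for row in synth}


def recovered_fraction(candidates: Iterable[Record], train: Sequence[Record]) -> float:
    """Fraction of training rows the attacker reproduced exactly."""
    train_set = set(train)
    return len(train_set & set(candidates)) / len(train_set)


if __name__ == "__main__":
    for name, gen in (("memorizing", memorizing_generator), ("marginal", marginal_generator)):
        synth = gen(TRAIN)
        print(f"{name:10s} metrics pass: {similarity_metrics_pass(synth, TRAIN)!s:5s} "
              f"min DCR: {min_dcr(synth, TRAIN):.2f} "
              f"recovered: {100 * recovered_fraction(reconstruct(synth), TRAIN):.0f}%")
```

The memorizing generator produces a synthetic table with a 0% identical-match rate and a strictly positive DCR, so the similarity check reports it as private, while rounding recovers 100% of the training rows. The metric measures the released table, not what an attacker can infer from it, which is the gap the paper exposes.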
Healthcare
A French Comprehensive Cancer Center's Data Strategy and Implementation Experience
In a comprehensive cancer center, effective data strategies are crucial for evaluating practices, understanding cancer, and developing better treatments. The Center Léon Bérard (CLB) employs a variety of data collection methods, including EMRs, clinical trials, and research projects, utilizing techniques like natural language processing for in-depth analysis. To enhance cancer research and patient outcomes, CLB emphasizes the importance of secure, regulated data sharing, leveraging real-world data and standardizing data formats for collaboration and improved patient-centered research.
Artificial Intelligence
Towards a Standard for Identifying and Managing Bias in Artificial Intelligence
The National Institute of Standards and Technology (NIST) has released a document titled "Towards a Standard for Identifying and Managing Bias in Artificial Intelligence," addressing the critical issue of AI bias. It categorizes AI bias into systemic, statistical, and human types and discusses the challenges in mitigating these biases, emphasizing the need for a comprehensive approach involving datasets, testing, evaluation, validation, verification, and human factors. Additionally, the document promotes a socio-technical systems approach, integrating societal values and impacts into AI development, and provides guidance and recommendations for addressing a broader spectrum of biases and their societal implications.
Adaptive Machine Unlearning
The 2021 NeurIPS paper "Adaptive Machine Unlearning" introduced an approach to efficient data deletion in machine learning, challenging earlier methods whose guarantees break down against adaptive deletion sequences, where each deletion request may depend on the models released so far. It proposes a robust, model-agnostic framework combining differential privacy and max-information techniques, and validates it experimentally on datasets such as CIFAR-10 and MNIST. The paper's analysis of where earlier unlearning algorithms fail, together with its practical recipe for stronger deletion guarantees, marked a significant advance in the field.
Google Launches MedLM Generative AI Models For The Healthcare Industry
Google is advancing its AI capabilities with MedLM, a healthcare-dedicated AI available on its Vertex AI platform for U.S. Cloud customers, and in preview in select markets abroad. The MedLM suite, which includes models based on the medically adept Med-PaLM 2, offers tools for diverse tasks ranging from complex analytics to scalable operations. These innovations are being adopted across the healthcare sector for applications like enhancing patient care, accelerating drug development, and improving medical documentation efficiency.
A Quality Standard and Certification for AI
New ISO/IEC 42001 International Standard for AI: this new standard sets out the requirements for organizations to establish, implement, maintain and continually improve an Artificial Intelligence Management System (AIMS), against which they can be certified. It targets providers and users of AI-based solutions, promoting the responsible development and use of AI technologies.
Cybersecurity
23andMe Data Breach Impacts 6.9M Users
Genetic testing company 23andMe revealed a data breach that directly compromised 0.1% of its customers, about 14,000 accounts, and through those accounts a far larger number of users linked via ancestry features. Further details indicated that around 5.5 million people using the DNA Relatives feature and 1.4 million with Family Tree profiles had their personal information accessed. The breach, initially disclosed in October and attributed to credential stuffing (attackers logging in with passwords customers had reused from other breached sites), ended up affecting nearly half of 23andMe's 14 million customers, with the attackers gaining access to sensitive genetic and personal data.
Integris Health Patients Get Extortion Emails After Cyberattack
Integris Health experienced unauthorized system access on November 28, 2023, leading to a potential data breach. On December 24th, the attackers began emailing patients directly, claiming to have stolen the personal data of over 2 million individuals, including sensitive information such as Social Security Numbers. The attackers have set up a dark web site offering to sell or delete this data. Integris Health has advised patients not to respond to the extortion emails, highlighting the risk of further exploitation and the fact that there is no assurance data will actually be deleted even after a ransom is paid.
Data Privacy Enforcement
USA: HHS Announces $480,000 Settlement with Lafourche Medical Group Over HIPAA Violations
The U.S. Department of Health and Human Services (HHS) Office for Civil Rights (OCR) announced a settlement with Lafourche Medical Group following a phishing attack that compromised the protected health information of 34,862 individuals. This is OCR's first HIPAA settlement involving a phishing attack, highlighting the growing concern over cyberattacks in healthcare. As part of the settlement, Lafourche Medical Group will pay $480,000 and implement a corrective action plan, including a risk analysis, enhanced security measures and staff training on HIPAA compliance and cybersecurity.
Imposing Administrative Fines: The Criteria of Wrongful GDPR Infringement
The Court of Justice of the EU has defined the criteria under which national supervisory authorities may impose administrative fines on one or more data controllers for infringing the General Data Protection Regulation (GDPR). It holds that a fine requires wrongful conduct, meaning the infringement was committed either intentionally or negligently. Additionally, when the entity being fined is part of a corporate group, the calculation of the fine should take account of the group's total turnover.