Newsletter #10

In this Newsletter
Summary
Recent developments in privacy and cybersecurity regulations reflect a growing emphasis on compliance and technological advancements. The EDPB’s reports highlight enforcement trends under GDPR and the need to enhance the role of Data Protection Officers (DPOs), while France’s CNIL issued guidance on cloud encryption and security. Key cybersecurity concerns, including 23andMe’s data breach and increased threats to cloud infrastructure, underscore the importance of robust identity management. Additionally, advancements in AI governance, such as the EU AI Act draft and biotech-focused AI models like Owkin’s Bioptimus, showcase the intersection of technology and regulation in shaping the future of data privacy and security.
Regulations & Guidelines
EDPB Publishes Case Digest on Security of Processing and Data Breach Notification

The EDPB commissioned a report that analyzes 90 final decisions made under the GDPR's One Stop Shop mechanism, specifically focusing on Articles 32, 33, and 34 related to personal data security and breaches. The decisions, adopted between January 2019 and June 2023 and extracted from the EDPB's online register, offer insights into how Supervisory Authorities interpret and apply these articles in various cases.
EDPB Highlights Ways to Enhance DPO Role and Recognition

At its latest plenary, the EDPB adopted a report on the role of Data Protection Officers (DPOs), highlighting the challenges they face and offering recommendations for improvement. The report, based on an EU-wide investigation involving 25 DPAs, analyzed over 17,000 responses, revealing both positive aspects and areas where DPOs struggle, such as lack of resources and independence.
CNIL Releases Cloud Computing Practical Sheets

France's data protection authority, the Commission nationale de l'informatique et des libertés, published two practical sheets on data encryption and security in cloud computing. The practical sheets provide an analysis of data encryption methods, including end-to-end encryption, and of the importance of securing data in the cloud.
EDPB Launches Website Auditing Tool

The EDPB has introduced a new, user-friendly website auditing tool, available as Free and Open Source Software, to help assess website compliance with the law. Designed for use by both data protection authorities and private entities, this tool simplifies auditing processes, supports other tools, and can generate reports, enhancing enforcement and compliance efforts.
Biden Signs Short-Term FISA Extension

Legislators have come to a consensus on a short-term extension of the Foreign Intelligence Surveillance Act, according to information from three independent sources. This step is intended to ensure the intelligence community retains an essential tool, which was set to expire at the end of 2023.
Privacy Enhancing Technology
Federated Distillation Vs Federated Learning

Federated distillation (FD) is presented as an alternative to federated learning (FL) for collaborative learning, offering solutions to FL's vulnerability to privacy attacks, high communication costs, and difficulties with heterogeneous models. However, FD faces challenges with varying local data distributions and the lack of a reliable teacher model, leading to ineffective knowledge sharing. To address this, a recent paper introduces a selective knowledge sharing mechanism, Selective-FD, which improves FD's generalization capabilities and outperforms baseline methods, paving the way for a more privacy-preserving, communication-efficient, and adaptable federated training framework.
Data Privacy Enforcement
ICO Reprimands Hospital After Data Breach

The U.K. Information Commissioner's Office reprimanded South Tees Hospitals NHS Foundation Trust after a data breach exposed a patient's appointment information. The ICO said South Tees Hospitals NHS Foundation Trust should "implement new standard operating procedures and provide further staff training to ensure data is protected and reduce possibility of future disclosures in error."
Artificial Intelligence
EU AI Act: Consolidated Drafts Published

On January 22, 2024, two unofficial consolidated drafts of the proposed EU Artificial Intelligence Act appeared online, signaling that work on this significant legislation is advancing seriously. With these unofficial texts available, it is now feasible to extract important insights for those tracking the progress of the AI Act.
BioTech & Healthtech
Owkin Initiates Biotechnology-Focused Large-Language Model Venture

Executives from the French AI drug discovery company Owkin are launching Bioptimus, a startup aimed at developing a large-language model (LLM) specifically for biotechnology. The company plans to use LLMs to simplify complex biomedical data, enhancing AI models in pharmaceuticals and potentially other industries, leveraging Owkin's extensive patient data and partnerships with major pharmaceutical companies.
Data Breach & Cybersecurity
23andMe Shifts Blame onto Victims

23andMe, facing over 30 lawsuits due to a significant data breach affecting 6.9 million users, is shifting blame onto the victims, suggesting their negligence in password security led to the breach. The company's stance, as outlined in a letter to victims, has been criticized by lawyers representing them, arguing that 23andMe should have implemented stronger safeguards against such breaches, especially given the sensitive nature of the data involved.
2024's Top Cloud Security Threat: Exposed Credentials

Hackers are increasingly targeting business applications and cloud infrastructure: Expel's security operations center (SOC) reports a 144% increase in 'identity threats' and a 72% rise in cloud infrastructure incidents in the past year. The majority of these attacks involve stolen or leaked credentials, and Expel notes a trend of attackers using more proxies and VPNs, emphasizing the importance of strong identity management practices such as multi-factor authentication (MFA) and regular monitoring of internet-facing assets.
Data Governance
France's Health Data Hosting Obligations Evolve

New French health data hosting obligations now mandate that French health data be physically hosted within the territory of a country in the European Economic Area (EEA), which includes the European Union plus Norway, Iceland, and Liechtenstein, a requirement that was not previously part of the Health Data Hosting (HDS) certification framework. Requirements (exigences) 29 and 30 state that if health data is accessed remotely from a non-EU country by the host or its subcontractors, or if they are subject to non-European legislation that does not provide adequate protection per Article 45 of the GDPR, the host must inform its clients of this in the contract, outlining the associated risks and the measures taken to mitigate them. Disclaimer: the article is in French.
Belgium's Newly Established Data Agency

On January 17, the Federal Health Data Agency (ADS) held its official inaugural session with Minister Frank Vandenbroucke. The agency, established by law nearly a year ago, aims to facilitate access to and secondary use of health data. This systematic, though strictly regulated, use of health data is intended to improve the healthcare system and provide objective analysis of it, and to contribute to innovation, research, product development, and policy formulation.
GDPR-Minded Microsoft Offers Cloud Customers EU-based Personal Data Storage

Microsoft's announcement positions it as one of the first major cloud providers to offer a solution that addresses concerns about complying with the EU's General Data Protection Regulation (GDPR), enhancing data residency for European customers. This action, encompassing services such as Azure and Microsoft 365, exceeds current compliance standards.
Podcasts
The Growing Ransomware Threat

In the latest episode of the This Week in Startups podcast, host Jason Calacanis discusses the increasing threat of ransomware with guest Jon Miller, CEO and founder of Halcyon. The conversation provides an in-depth understanding of ransomware mechanics, the tactics attackers use to evade capture, and the escalating involvement of AI in these cyberattacks.
E-consent: What, How & Why?

Discover how digitalization streamlines the patient journey through the concept of e-consent in healthcare, as explained by expert Louise Eggrickx, Health Product Manager at Docaposte. This episode covers the basics, types, functioning, and benefits of e-consent. Disclaimer: the podcast is in French.