Newsletter #26

In this Newsletter
Summary
This month’s regulatory updates include the EU’s proposal to ease GDPR duties for small mid-cap companies, and new guidance on cybersecurity and data breach handling from the UK and Denmark. In the U.S., California has scaled back CCPA AI compliance mandates, while the UK overhauled clinical trial rules to streamline innovation. On the AI front, the FDA, ASCO, and Owkin unveiled tools for drug approval and cancer care, and Regeneron’s acquisition of 23andMe raises new ethical considerations as regulators continue to enforce strict data privacy standards across Europe and the U.S.
Regulations & Guidelines

Unraveling the GDPR? Not Quite Yet
The EU is proposing to extend certain regulatory simplifications—such as reduced record-keeping and streamlined reporting—to small mid-cap companies, aiming to boost competitiveness in key sectors like life sciences and advanced manufacturing. However, the changes offer only modest adjustments to GDPR obligations and stop short of a full reform, with most provisions taking effect shortly and some deferred until March 2026.

CCPA Rule Revamp: CPPA Scales Back AI and Audit Mandates to Cut Costs
The California Privacy Protection Agency has released revised 2025 CCPA draft regulations, easing requirements around AI, Automated Decision-Making Technology, cybersecurity audits, and risk assessments—moves projected to save businesses over $2.25 billion in the first year. Key rollbacks include narrowing ADMT definitions, dropping AI-specific provisions, and delaying audit timelines, as the agency seeks a constitutionally sound and practical framework ahead of its rulemaking deadline.

ICO Launches Cybersecurity Training for All: Simple Steps, Stronger Defense
On May 19, 2025, the UK Information Commissioner’s Office released new guidance to help organizations make cybersecurity training relevant and accessible to all staff. The training emphasizes basic yet critical defenses—like strong passwords, phishing awareness, and device security—to build a culture of everyday cyber resilience.

UK Revamps Clinical Trial Framework for Safety and Speed
The UK has announced new clinical trial regulations designed to strengthen participant safety, simplify approval processes, and encourage innovation, with full implementation set for April 2026. The reforms aim to cut red tape and reinforce the UK’s position as a global hub for medical research and international trials.

Denmark Updates Data Breach Guidance: Clearer Rules, Sharper Examples
On May 20, 2025, Denmark’s data protection authority, Datatilsynet, released updated guidance on managing personal data breaches, focusing on when and how to notify both the authority and affected individuals. The revision also refreshes examples and references to offer clearer, more practical support for compliance.
AI and Techbio

FDA and OpenAI Test AI Tools to Fast-Track Drug Approvals
The FDA has partnered with OpenAI and government efficiency teams to explore how AI—via projects like cderGPT—can accelerate drug evaluation, recently completing its first AI-assisted scientific review. While this could streamline the year-long approval process, experts stress the need for safeguards, training, and acknowledge that most drug candidates still fail long before reaching FDA review.

ASCO and Google Cloud Launch AI Tool for Smarter Cancer Care
ASCO has teamed up with Google Cloud to release the ASCO Guidelines Assistant, an AI-powered tool that gives oncologists instant access to expert-vetted clinical guidelines. Unlike general-purpose AIs, this “walled garden” system relies solely on ASCO’s trusted content to support faster, more accurate decisions in oncology practice and exam preparation.

Owkin’s K Navigator Brings AI to Biomedical Research with Spatial Omics Access
Owkin has launched K Navigator, an AI research assistant aimed at supporting biomedical scientists in analyzing patient data and testing hypotheses more efficiently. Offering access to MOSAIC Window—a curated subset of a major spatial omics dataset—it combines natural language interaction with domain-specific tools and claims stronger performance than general-purpose LLMs in oncology-related tasks.
BioTech, Healthtech and Healthcare

Regeneron, A Leading U.S. Biotechnology Company, to Acquire 23andMe in Court-Supervised Sale
Regeneron is acquiring the core assets of 23andMe for $256 million during its Chapter 11 bankruptcy process, gaining access to a massive dataset of over 15 million consumer genomes linked to surveys, user profiles, family networks, and contact details—80% of which are research-consented. This acquisition, amounting to roughly $21 per research-ready genome, surpasses the scale of Amgen’s deCODE and raises both opportunity and ethical questions, particularly around consent revocation, GDPR compliance, and the use of rich, non-clinical data for metabolic and drug discovery research.
Data Privacy Enforcement

Conflicted and Fined: EU Tightens the Reins on DPO Independence
European regulators, including Austria’s DPA, are penalizing companies for appointing executives like managing directors as Data Protection Officers due to conflicts of interest, with recent fines and enforcement actions highlighting the issue. To ensure compliance, the article stresses the need for DPO independence—such as separate budgets and reporting lines—and recommends external appointments to avoid regulatory risk.

HIPAA Breach Costs Vision Upright MRI $5,000 and Two Years of Federal Oversight
The U.S. Department of Health and Human Services reached a $5,000 settlement with Vision Upright MRI LLC for HIPAA violations related to a breach of electronic protected health information. Vision Upright MRI failed to conduct a HIPAA risk analysis and notify affected individuals within 60 days of the breach. The resolution agreement requires Vision Upright MRI to implement a corrective action plan monitored by the OCR for two years, including breach notifications, risk management, policy development, and workforce training on HIPAA compliance.
EU Launches Public Vulnerability Database to Strengthen Cyber Resilience
The EU has introduced the European Union Vulnerability Database (EUVD), a public platform offering centralized access to critical and exploited cybersecurity vulnerabilities, complete with severity ratings, affected products, and mitigation guidance. With future reporting obligations under the Cyber Resilience Act and ongoing updates from ENISA, the EUVD marks a major move toward more transparent and coordinated vulnerability management across Europe.
iliomad's News

iliomad Health Data Awarded CIR Accreditation for Excellence in R&D
iliomad Health Data is proud to announce that we have been officially awarded the Crédit Impôt Recherche (CIR) agrément by the French Ministry of Higher Education and Research. This recognition confirms the scientific quality of our R&D work and allows our partners to benefit from tax advantages when collaborating with us on eligible innovation projects.