Summary

The French CNIL introduced resources on the Data Privacy Framework and health data regulations, including hosting and access rules, with a focus on security against unauthorized foreign access. Meanwhile, the EDPB’s upcoming 2024 enforcement action targets the right of access, and new advancements like the Foundation Model Transparency Index aim to address governance gaps in AI models. Additionally, the U.S. OCR published resources on telehealth privacy, while notable breaches, such as at 23andMe, and regulatory updates, like Clearview AI’s successful appeal against a U.K. fine, highlight ongoing challenges in privacy enforcement and cybersecurity.

Regulations, Guidelines & Opinions

CNIL Launches Its FAQ On The Latest Data Privacy Framework

The French CNIL has published its own FAQ (in French) regarding the latest Data Privacy Framework adopted by the European Commission on July 10th 2023. The FAQ goes over the main questions linked with this new framework, such as the key components of the privacy framework, the actions to take when the receiving organization is not on the list of the U.S. Department of Commerce, and the consequences of this decision for organizations wishing to transfer data to the United States. The link below redirects to the original text in French.

Click to read more

French CNIL Publishes MR-007 and MR-008

The French data protection authority (CNIL) has adopted two new reference frameworks (MR-007 and MR-008) for accessing the National Health Data System (SNDS) data. The MRs prioritize data protection, allow research flexibility, ensure data stays within the EU, and streamline research on SNDS (the French national health data repository) data by bypassing CNIL's authorizations. MR-007 pertains to the public sector, while MR-008 is relevant to the private sector. The link below redirects to the original text in French.

Click to read more

New Proposed Regulation For Health Data Hosting In France

The French government has proposed a law regarding the hosting of health data. The law has gone through several stages of review and amendment in the Senate and National Assembly. The current version of the law, Article 10 Bis A, requires that sensitive health data be stored with cloud providers who guarantee protection against unauthorized access by foreign authorities. There is debate over the need for a European sovereign cloud to protect against extraterritorial laws, versus the practicality of using French or European providers. The law has implications for both businesses and citizens in terms of data security and migration. The link below redirects to the original text in French.

Click to read more

EDPB Picks Topic For 2024 Coordinated Action

During its October plenary, the European Data Protection Board (EDPB) selected the topic for its third coordinated enforcement action, which will concern the implementation of the right of access by controllers. Further work will now be carried out to specify the details in the upcoming months and the action itself will be launched in 2024.

Biotech and Healthtech

Precision Medicine Startups Increase Focus on Data Access and Privacy

Low-cost genetic sequencing is fueling investments in bioinformatics, with companies like Sano Genetics facilitating patient-centric precision medicine research through a subscription model. AI and ML are revolutionizing disease classification by detecting patterns in health data, while the industry explores secure methods like blockchain for gathering and storing health data.

Biopharma’s Path to Value with Generative AI

A study from the Boston Consulting Group (BCG) highlights the European approach to AI, particularly in cross-border cases impacting individuals, and references ISO/IEC 22989:2022 for continuous AI training, addressing ambiguity in AI provider definitions. It discusses AI systems in administrative, law enforcement, and high-risk contexts, while expressing concerns about exceptions and exclusions, emphasizing the importance of clear rules and safeguards in AI regulation.

Artificial Intelligence

EDPS Final Recommendation on AI

The European Data Protection Supervisor details its final recommendation on AI, particularly in cross-border cases affecting individuals, and references ISO/IEC 22989:2022 for continuous training in AI. It also raises concerns about AI systems in administrative and law enforcement use, exceptions for high-risk AI systems, the scope of the AI Act, and access to data and documentation, and emphasizes the importance of clarity and safeguards in AI regulation.

Memory Capacity in AI/LLMs: Llama2 vs GPT2

AI company Sarus, which focuses on developing solutions for differential privacy, highlights through a publication that Large Language Models (LLMs) have the capability to retain information from their training datasets, including outlier data that isn't pertinent to their training, underscoring the privacy risks linked to such models.

The Foundation Model Transparency Index

The rise of foundation models in AI has led to increased generative applications but also a decrease in transparency, reminiscent of issues seen with earlier digital technologies. To address this, the "Foundation Model Transparency Index 2023" has been introduced, assessing ten leading developers, including OpenAI, Google, and Meta, against 100 detailed indicators. The findings highlight a lack of substantial information on the broader impacts of their models, and the index aims to set a transparency benchmark to promote better governance and industry norms.

Data Breach & Cybersecurity

OCR Publishes Resources On Telehealth Privacy, Security Risks

On October 19, 2023, the US HHS Office for Civil Rights (OCR) released two resource documents aimed at assisting providers in communicating telehealth privacy and security risks to patients. These documents, titled “Educating Patients about Privacy and Security Risks to Protected Health Information when Using Remote Communication Technologies for Telehealth” and “Telehealth Privacy and Security Tips for Patients,” are designed to explain risks in simple terms and guide patients on basic cyber hygiene practices.

23andMe - Data Breach

A subset of 23andMe users' data was compromised. The company clarified that its systems were not breached, but attackers guessed login credentials and scraped data from the "DNA Relatives" feature.

Data details and sale: Hackers claimed the data contained 1 million data points about Ashkenazi Jews and many users of Chinese descent. The data, sold between $1 and $10 per account, includes display name, sex, birth year, and some genetic ancestry details but not raw genetic data.

Data Privacy Enforcement

EU General Court Denies Interim EU-US Data Privacy Framework Halt

The European Union General Court ruled against interim measures to pause the implementation of the EU-U.S. Data Privacy Framework. The decision came in response to French Member of European Parliament Philippe Latombe filing against the transfer agreement and subsequent adequacy decision. The court said Latombe cannot prove the individual or collective harm the agreement raises.

Clearview AI Wins Appeal Against UK Privacy Sanction

Clearview AI, a US facial recognition company, successfully appealed against a £7.5 million (~$10 million) privacy sanction issued by the U.K.'s Information Commissioner’s Office (ICO) in 2022. The appeal was won on jurisdiction grounds, with the tribunal ruling that Clearview's activities fall outside the jurisdiction of U.K. data protection law due to an exemption related to foreign law enforcement.

Podcasts

EU-US Data Transfer Agreements: An Endless Disagreement? Discussion With Max Schrems

Interview featuring Max Schrems discussing the recent data transfer pacts. Schrems delves into the inception of NOYB and reviews the latest data privacy accord, noting that its essence remains akin to earlier versions due to the US authorities' ability to access EU data. He further elaborates on the present data exchange between the EU and US under the DPF and attempts to reverse the framework.

Tackling Data Deletion

This week’s episode of ADCG’s Privacy & Cybersecurity Podcast features a discussion with Jeff Jockisch about his new company, Avantis Privacy, which specializes in data deletion services. Jeff is a renowned privacy researcher, the CEO of PrivacyPlan and CPO of Avantis Privacy. In this episode, they discuss the daunting prospect of managing one’s personal data, data brokers and what they do, and the process of requesting that personal data be deleted. Jeff discusses the approach taken by Avantis Privacy and offers thoughts on anonymization and what is driving this type of service.

OWKIN - An AI Biotech That Enables Doctors to Share Research To Cure Diseases

At AI biotech company Owkin, cofounder and CEO Thomas Clozel is rethinking cancer and disease research through an entirely new lens—and aiming to break down barriers in healthcare along the way. In this week’s Leaders in Innovation podcast, he shares how his company is bridging the gap between academic research and the pharmaceutical industry.
