Newsletter #21
Regulations & Guidelines
Strengthening GDPR Compliance: EDPB Guidelines and European Data Protection Seal Updates
The EDPB released guidelines on Article 48 GDPR, emphasizing the need for proper legal bases and safeguards when transferring data to third-country authorities, with public consultation open until January 27, 2025. Additionally, the approval of Brand Compliance as a European Data Protection Seal enhances organizations’ ability to demonstrate GDPR compliance, while international agreements offer dual legal and transfer grounds under GDPR provisions.
EU Digital Services Act: Key Compliance Framework
Effective February 2024, the EU Digital Services Act (DSA) introduces a unified regulatory regime for digital service providers, focusing on safe harbor principles, content moderation, and transparency requirements. The DSA applies tiered obligations based on service type, with stricter rules for very large platforms and search engines, requiring compliance measures such as transparency reporting and the appointment of an EU legal representative for non-EU entities.
?DOJ Proposes Rule on Cross-Border Data Transfers
The U.S. Department of Justice (DOJ) has proposed restrictions on cross-border transfers of sensitive personal data to “countries of concern,” targeting high-risk transactions like data brokerage and requiring robust compliance measures. If finalized, this rule will mandate companies to assess transactions, implement risk-based compliance programs, and adhere to stringent guidelines to mitigate national security risks and avoid severe penalties.
EDPB Statement on GDPR and AI Data Processing
The European Data Protection Board (EDPB) emphasizes responsible AI innovation under GDPR, addressing issues like non-anonymity in AI models trained on personal data and the legitimacy of processing data under legitimate interests. It highlights the risks of developing AI with unlawfully processed data and advocates for a case-by-case evaluation approach, emphasizing robust anonymization and protective measures.
ANPD Issues Guidelines on Data Protection Officers
On December 19, 2024, the Brazilian data protection authority (ANPD) released guidelines clarifying the role of Data Protection Officers (DPOs) under the LGPD. The guidelines outline DPO appointment requirements, exemptions, and responsibilities, emphasizing the importance of selecting qualified individuals with expertise in data protection and multidisciplinary knowledge, while addressing potential conflicts of interest in their roles.
Chile’s New Personal Data Protection Law
Chile’s Law No. 21.719, published on December 13, 2024, establishes a personal data protection agency and regulates data processing by entities inside and outside Chile that target or monitor Chileans. The law, effective in 24 months, grants data subjects rights such as access, rectification, and deletion while emphasizing principles of legality, fairness, and transparency, with specific exemptions for personal activities and opinion expression.
Data Privacy Enforcement
Gene by Gene Faces Genetic Privacy Lawsuit
Gene by Gene Ltd., operating as FamilyTreeDNA, faces a proposed class action for allegedly sharing over 10,000 customers’ genetic data with Alphabet and Meta without consent. The complaint, filed in Illinois, claims the use of tracking tools on its website violated the Illinois Genetic Information Privacy Act by disclosing sensitive ancestry and health information to third parties.
领英推荐
HHS Penalizes Florida Practice for HIPAA Violations
The U.S. Department of Health and Human Services (HHS) Office for Civil Rights fined a Florida pain management practice $1.19 million for failing to terminate former employees’ access to electronic protected health information (ePHI) and other violations of the HIPAA Security Rule.
AI? & Techbio
AI in Biology: Augmented Intelligence
While advancements like AlphaFold have transformed protein structure prediction, biology’s complexity requires rich, real-world data often unavailable. Startups like Fauna Bio and Enveda demonstrate that AI success hinges on generating proprietary datasets and leveraging “augmented intelligence,” where simpler models efficiently guide experiments to solve specific biological challenges.
Cleerly’s AI-Powered Cardiovascular Imaging
Cleerly, an AI-driven cardiovascular imaging startup, focuses on early detection of coronary artery disease through CT scans, aiming to screen large populations akin to cancer detection programs. The company recently secured $106M in funding, achieved Medicare coverage for its plaque analysis test, and is conducting large-scale clinical trials, positioning itself strongly in a competitive yet expansive market alongside players like HeartFlow and Elucid.
Addressing AI Hallucinations Under GDPR
AI hallucinations in general-purpose systems challenge GDPR compliance, particularly around accuracy and data subject rights, as seen in complaints against platforms like ChatGPT. Regulators like the Hamburg DPA and UK ICO suggest focusing on system outputs rather than internal workings, while companies implement guardrails, filters, and transparency features to reduce inaccuracies. A balanced regulatory approach and collaboration between stakeholders are crucial to protect individual rights while enabling innovation in AI..
Food For Thought
French Health Data and Sovereignty Challenges
The debate over hosting French health data with Microsoft Azure continues, now involving the EMC2 data warehouse managed by the Health Data Hub for the European Medicines Agency. Critics highlight risks of U.S. data access and limitations of pseudonymization, underscoring broader concerns about technological sovereignty as France plans to transition to a sovereign cloud solution by 2025 amid dominance by U.S. cloud providers.
Podcasts?
Looking forward to 2025 !
The entire Iliomad team wishes you an incredible year ahead! As for us, we’re stepping into 2025 with great ambition—expanding our team, launching new services, and pursuing exciting growth opportunities on our roadmap. Here’s to a successful year for all! ??