Navigating European Regulations and Trans-Atlantic Health Data Transfers

Serge Jonnaert
CEO & M&A Advisor – Software & Technology

Europe is once again well represented at the 2024 BIO Conference in San Diego, the largest and most comprehensive event for biotechnology, with more than 18,500 attendees from biotech, pharma, academia, non-profits, and governments. Eleven countries (Belgium, Czech Republic, Estonia, France, Germany, Italy, Lithuania, Netherlands, Poland, Spain, Switzerland) are present along with prominent European bodies such as the European Innovation Council (EIC) and EuropaBIO.

For companies providing software and tech-enabled services to the biotech markets in both the US and Europe, stringent regulations now govern the handling of patient health data, ensuring privacy, security, and ethical use. This critical issue was the focus of an engaging panel discussion hosted by Flanders Investment & Trade and moderated by Sari Depreeuw, Partner at Crowell & Moring LLP. Panelists included Chris Cardon, CEO of Ziphius; Joanna Smolinska, Deputy Head of the EU Office in San Francisco; and Tom Cooremans of My-Data Trust.

The conversation was anchored around trans-Atlantic health data transfers and the related considerations of the European General Data Protection Regulation (GDPR), the Digital Services Act (DSA), and the most recent Artificial Intelligence Act (AI Act), adopted by the European Parliament on March 13, 2024, which together with China’s Measures on Generative AI is regarded as one of the first comprehensive legal frameworks for AI.

Adopted in 2016 and applicable since May 2018, GDPR brought the first seismic shift in how data privacy is perceived and practiced. Health data is a special category under GDPR: it may only be processed on a narrow set of legal bases, such as the patient’s explicit consent or scientific research subject to appropriate safeguards, and patients have enforceable rights to access their data and to port it elsewhere. The regulation is about empowering patients and ensuring their data is secure, laying a foundation of trust crucial for advancing bioresearch. The U.S. is also moving towards a federal data privacy law with the proposed American Privacy Rights Act (APRA), though it faces a lengthy legislative journey, and there is no guarantee that the APRA will become the law of the land or that it will preempt most state laws. Currently, around 20 states have comprehensive privacy laws, and California, which led the charge, aims to expand its data protection laws even further. The result is a complex patchwork of compliance obligations covering data collection, storage, management, security, retention, and disposition. Sensitive data categories typically include health, biometric, genetic, geolocation, sexual behavior, race, ethnicity, national origin, and sex.

If GDPR is the foundation, the European Digital Services Act (DSA) builds the walls around the data privacy edifice. It broadens the scope to how digital services should operate, though its obligations fall on online intermediaries (hosting providers, platforms, marketplaces, search engines), so whether a given healthcare service is caught depends on whether it qualifies as such an intermediary. Where it applies, it means greater transparency for researchers and patients in how data is collected and used: platforms must clearly disclose their data practices, so patients know where their information goes and how it is handled. The DSA’s accountability mechanisms hold these providers to high standards, ensuring compliance is not just a checkbox exercise but a commitment to ethical practices.

The full implications of the new European AI Act are not yet tested. Most provisions take effect in 2026, while those on prohibited AI practices and on general-purpose (including generative) AI models apply from 2025. Although the AI Act excludes AI developed and put into service solely for scientific research and development, there is still a lot of room for interpretation. Its extraterritorial reach and demanding requirements are significant: it applies to providers whose systems are placed on the EU market or whose output is used in the EU, regardless of where the provider is established, so it equally binds US companies operating in Europe, with fines of up to 35 million euros or 7% of global annual turnover, whichever is higher, for the most serious violations.

None of these regimes can be ignored, individually or collectively, by companies that handle data on both sides of the Atlantic, which was a significant undercurrent in discussions at BIO2024. The stakes remain high, with continued collaborative research across the Atlantic driving monumental advances in healthcare.

Some software companies are already exploring creative ways to ‘containerize’ encrypted patient data within its geographic jurisdiction and to perform distributed analysis across multiple geographies, with each region computing on its own data and only encrypted or aggregated results crossing borders. The aim is to satisfy each jurisdiction’s regulatory requirements while still conducting research across vast regions. Two caveats apply: the underlying techniques (federated analysis, homomorphic encryption) only support a limited class of computations efficiently, such as counts, sums and means, rather than arbitrary analysis, and whether encrypted data leaving a jurisdiction still constitutes a transfer of personal data is itself a legal question to put to counsel.
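As an added example (not code from the article or from any company it mentions), here is a toy version of that pattern using Paillier, an additively homomorphic cipher: each site encrypts its local cohort counts under the coordinator's public key, an aggregator outside both jurisdictions adds the ciphertexts without being able to read them, and only the coordinator, who holds the private key, decrypts the totals. The site names, counts and the small primes are constructed for illustration; a real deployment would use a vetted library with a 2048-bit or larger modulus.

```python
"""Toy Paillier (additively homomorphic) aggregation across jurisdictions.

Added illustration, not code from the article or any company it names.
The key is deliberately tiny so the example runs instantly; never use
these parameters for real data.
"""
import secrets
from math import gcd

# Constructed toy primes (the 9999th and 10000th primes). Far too small for
# real use, but gcd(n, phi(n)) == 1 holds, which Paillier requires.
TOY_P, TOY_Q = 104723, 104729


def _lcm(a, b):
    return a * b // gcd(a, b)


def _L(x, n):
    """Paillier's L function: L(x) = (x - 1) / n, for x congruent to 1 mod n."""
    return (x - 1) // n


def keygen(p=TOY_P, q=TOY_Q):
    """Return (public, private). With g = n + 1, mu is lambda^-1 mod n."""
    n = p * q
    lam = _lcm(p - 1, q - 1)
    g = n + 1
    mu = pow(_L(pow(g, lam, n * n), n), -1, n)
    return (n, g), (lam, mu)


def encrypt(pub, m):
    """Randomised encryption c = g^m * r^n mod n^2; the same m encrypts differently each call."""
    n, g = pub
    n2 = n * n
    if not 0 <= m < n:
        raise ValueError("plaintext out of range")
    while True:
        r = secrets.randbelow(n)
        if r and gcd(r, n) == 1:
            break
    return (pow(g, m, n2) * pow(r, n, n2)) % n2


def decrypt(pub, priv, c):
    """Only the coordinator can do this; sites and the aggregator never hold priv."""
    n, _ = pub
    lam, mu = priv
    return (_L(pow(c, lam, n * n), n) * mu) % n


def add_encrypted(pub, c1, c2):
    """Multiplying ciphertexts yields an encryption of the plaintext sum."""
    n, _ = pub
    return (c1 * c2) % (n * n)


def scale_encrypted(pub, c, k):
    """c^k is an encryption of k * m, so the aggregator can apply known weights."""
    n, _ = pub
    return pow(c, k, n * n)


def aggregate(pub, encrypted_sites):
    """Run by an untrusted aggregator: combines ciphertexts per cohort without
    ever seeing a count. encrypted_sites maps site -> {cohort: ciphertext}."""
    totals = {}
    for counts in encrypted_sites.values():
        for cohort, c in counts.items():
            totals[cohort] = add_encrypted(pub, totals[cohort], c) if cohort in totals else c
    return totals


def run_demo():
    """Constructed scenario: an EU and a US site each keep patient-level data
    in-region; only encrypted per-cohort counts cross a border. Returns the
    decrypted totals per cohort as the coordinator would see them."""
    pub, priv = keygen()  # coordinator keeps priv; everyone else gets only pub
    # Constructed local counts; in practice computed from data that stays in-region.
    local_counts = {
        "eu-site": {"responders": 42, "non_responders": 58},
        "us-site": {"responders": 37, "non_responders": 63},
    }
    encrypted_sites = {site: {k: encrypt(pub, v) for k, v in counts.items()}
                       for site, counts in local_counts.items()}
    encrypted_totals = aggregate(pub, encrypted_sites)  # runs outside both jurisdictions
    return {k: decrypt(pub, priv, c) for k, c in encrypted_totals.items()}


if __name__ == "__main__":
    print(run_demo())  # {'responders': 79, 'non_responders': 121}
```

The point of the split is who holds what: the aggregator sees only randomised ciphertexts (two encryptions of the same count differ), the coordinator sees only totals, and patient-level records never leave the site that collected them. Paillier supports addition and multiplication by known constants, which covers counts, sums and weighted means; anything beyond that needs a different technique, and the legal question of whether the encrypted counts themselves are a regulated transfer remains for counsel.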

As biotech research is global, navigating the increasingly complex data regulations is paramount. Companies collaborating across the Atlantic will have to adapt swiftly to comply with these evolving regulatory frameworks, especially in working within the EU as it leads the way in patient data privacy and emphasizes accountability and transparency. While these regulations may seem burdensome to some, they are driven by a clear ethical imperative to ensure the security and responsibility of our global digital health ecosystem and the patient population it serves.

Europe and the US should work towards a robust, harmonized framework for data transfer, one that respects their respective regulatory requirements while facilitating the flow of crucial biotech research data. Until this is in place, getting the right regulatory and legal advice is imperative, not just advisable, to protect your organization, especially if you operate across both regions.

For more information on trans-Atlantic tech M&A, contact THE.MERGER.COMPANY™ at info@the.merger.company

#BIO #BIO2024 #europe #biotechnology #regulations