James Castro-Edwards

Subscribe to James Castro-Edwards's Posts
Contact:Read more about James Castro-Edwards

The Data (Use and Access) Act 2025 (“DUAA”) represents the UK’s first major reform of data protection law since leaving the EU. The Act aims to modernise the UK’s data protection framework by reducing administrative burdens on businesses, supporting innovation and maintaining high standards of data protection while enhancing the UK’s position as a competitive destination for data-driven industries.

As most of the data protection reforms introduced by the DUAA came into effect on 5 February 2026, life sciences companies should consider how the new framework reshapes their data protection compliance. While the DUAA introduces new rules, it also creates opportunities for the sector.Continue Reading UK’s Data (Use and Access) Act: What Life Sciences Companies Need to Know

The EU Commission has published its proposal for the “Digital Omnibus” aimed to simplify and streamline the EU rules governing artificial intelligence, data protection, cybersecurity, and data use more broadly. The proposal seeks to amend several cornerstone EU regulations, including Regulation (EU) 2016/679 (GDPR), Regulation (EU) 2024/1689 (AI Act), Regulation (EU) 2023/2854 (Data Act), Directive 2002/58/EC (e-Privacy Directive) and Directive (EU) 2022/2555 (NIS2). The proposal also foresees the repeal of the fairly recent Regulation (EU) 2022/868 (Data Governance Act).

Below is a high-level snapshot of the proposal, ahead of a more detailed advisory we will publish.

The proposal will now moves through what is expected to be a challenging legislative procedure and policy and political discussions with the European Parliament and the Council.

Below we set out a quick overview of the most relevant elements for companies, including medical device manufacturers and other Life Sciences companies – e.g., changes to the AI Act, updates to the GDPR, reform of the EU cookie and tracking rules, data-sharing rules, and the new single-entry point for cybersecurity and data protection incidents reporting.Continue Reading Digital Omnibus: The European Commission published its proposal to amend the GDPR, AI Act, Data Act and other related frameworks

Welcome to the latest installment of Arnold & Porter’s Virtual and Digital Health Digest. This digest covers key virtual and digital health regulatory and public policy developments during June and early July 2025 from the United Kingdom and European Union.

There has been a flurry of new guidance from the Medical Device Coordination Group this month, including guidance on classification of medical device software, on supply of software apps through online platform such as the App Store and Google Play, and on the interaction between the Medical Device Regulation and the EU AI Act. These are welcome guidance documents to provide important clarification for manufacturers as they develop software medical devices, although the guidance documents inevitably cannot cover every situation and leave some questions unanswered. Continue Reading Virtual and Digital Health Digest – July 2025

Clinical research studies within the NHS in England and Wales require Health Research Authority (HRA) approval, which brings together the HRA’s assessment of governance and legal compliance with the independent ethical opinion by a Research Ethics Committee (REC). The HRA has recently changed the requirements for the UK GDPR transparency wording in new health and social care research applications submitted via the Integrated Research Application System (IRAS). The HRA service had previously provided a review service for sponsors’ GDPR transparency statements. In October last year, the HRA communicated its new updated GDPR template to all sponsors. The new HRA template was developed to ensure that research participants have all the information that they need to make an informed decision about the ways in which their personal data can be used during a clinical trial.Continue Reading UK Health Research Authority GDPR wording template to be used from 1 April