Data protection

Subscribe to Data protection via RSS

Regulatory activity in the EU and UK over the past month has focused on AI in health care, health data access, and digital innovation frameworks. Recent regulatory developments in the EU and UK point to a decisive shift from high level policy ambition to the practical mechanics of enabling AI driven health care, with particular emphasis on health data governance, regulatory pilots, and institutional readiness.

At the EU level, attention is increasingly focused on building durable frameworks to support innovation while maintaining regulatory confidence. The European Medicines Agency is preparing to pilot enhanced regulatory support for breakthrough medical devices and in vitro diagnostics (IVD), an initiative expected to shape future reforms of the EU medical device and IVD regimes. In parallel, the European Commission has taken further steps to operationalize the European Health Data Space (EHDS) through new implementing rules on the governance of the European Health Data Space Board, signaling a move from legislation to execution. The European Data Protection Board (EDPB) has also issued draft guidelines on the application of the General Data Protection Regulation (GDPR) to scientific research, offering long awaited clarification on lawful bases, consent models, and secondary use of data, issues that are central to data intensive research and AI development and likely to influence practice across Member States once finalized.

In the UK, scrutiny has centered on whether existing data and regulatory structures are capable of supporting personalized medicine and AI at scale. Evidence to the House of Lords Science and Technology Committee highlighted the UK’s rich but underexploited health data assets and the persistence of access barriers since the pandemic, with witnesses pointing to fragmented governance and delays in data access as ongoing constraints. At the same time, the expansion of the Medicines and Healthcare products Regulatory Agency’s (MHRA) AI Airlock program, continued work by the National AI Commission, and targeted support for AI driven drug discovery reflect a more iterative, test and learn approach to AI regulation, focused on post market oversight rather than wholesale reform.

Continue Reading Virtual and Digital Health Digest – May 2026

Regulatory activity in the EU and UK over the past month has focused on accelerating the alignment of digital, AI, and life sciences regulatory frameworks, alongside increasing scrutiny of data governance and market readiness for emerging technologies. At the EU level, work to simplify and streamline EU AI-related legislation has advanced, with the Council of the European Union and European Parliament having adopted their positions on the European Commission’s (EC) Digital Omnibus reforms, and now entering trilogue negotiations on the final text. In parallel, MedTech Europe published its response to the EC consultation on the simplification of the EU AI rules as part of the Digital Omnibus, calling for clearer integration between the AI Act and other sectoral legislation, as well as extended implementation timelines. Separately, the European Data Protection Board (EDPB) and European Data Protection Supervisor (EDPS) issued a joint opinion on the proposed European Biotech Act, emphasizing the need for clearer safeguards, harmonized legal bases for processing clinical data, and strong protections when health and genetic data are used in biotech and AI contexts. In the UK, developments have focused on the role of AI-enabled innovation within the health care system. A new parliamentary inquiry into personalized medicine and AI will examine ongoing challenges and barriers to National Health Service (NHS) adoption of new technologies, including procurement, digital infrastructure limitations, and system fragmentation. At the same time, the Medicines and Healthcare products Regulatory Agency (MHRA) has secured multi year funding to expand its AI Airlock Program to support the development of more ambitious AI medical devices. These initiatives signal a continued policy commitment to embedding digital and AI driven innovation into health care delivery and to strengthening the regulatory environment required to support safe deployment at scale.

Continue Reading Virtual and Digital Health Digest – April 2026

On 7 May 2026, the European Parliament and Council announced a provisional political agreement on the AI Act portion of the Digital Omnibus package. According to the European Parliament’s press release and the Council’s press release, the agreement aims to make compliance more workable, while maintaining its main provisions and risk-based approach. The agreed text has not yet been published, and the agreement remains provisional pending formal adoption by both institutions, which co-legislators intend to complete before 2 August 2026, the date on which the AI Act’s original high-risk system obligations were due to become applicable.

This blog post sets out what the press release describes as having been agreed, and flags the points most relevant to pharmaceutical and MedTech companies. As we noted in our earlier analysis, the Digital Omnibus on AI Proposal carries significant implications for life sciences companies. We will provide a fuller assessment once the agreed text is available and adopted.

Continue Reading EU AI Act Omnibus: Provisional Deal Announced – Initial Reflections for Life Sciences Companies

Welcome to the latest installment of Arnold & Porter’s Virtual and Digital Health Digest. This digest covers key virtual and digital health regulatory and public policy developments during February and early March 2026 from the the United Kingdom, and European Union.

February 2026 saw a period of substantial regulatory activity across both the UK and EU, particularly in relation to AI governance, medical technologies, and data protection. In the UK, the policy landscape continued to evolve with initiatives affecting the regulation of medical devices, clinical research, and AI deployment. Key developments included the Medicines and Healthcare products Regulatory Agency’s (MHRA) consultation on the indefinite recognition of CE-marked medical devices, record levels of medical device testing, and the Prescription Medicines Code of Practice Authority’s (PMCPA) revised guidance on the use of social media. AI remained a major focus in the UK, with the UK government’s response to the consultation on the AI Management Essentials tool, increased industry involvement in the UK AI Security Institute’s alignment program, and feedback relating to governmental research on AI adoption across UK businesses. Additional international collaboration efforts included UK engagement at the India AI Impact Summit and an expanded science and technology partnership with Japan, as well as the launch of the first-ever AI Strategy for UK Research and Innovation.

Continue Reading Virtual and Digital Health Digest – February 2026

On 19 March 2026, the Court of Justice of the European Union (CJEU or Court) issued its judgment in Case C-526/24, Brillen Rottler GmbH & Co. KG v TC. The case concerned a data subject who subscribed to a German optician’s newsletter and, thirteen days later, submitted an access request under Article 15 GDPR. The company refused the request, arguing it was abusive. The data subject maintained it was legitimate and claimed at least €1.000 in non-material damages.

The CJEU’s judgment addresses three questions of broad significance: (1) when a first access request can be refused as “excessive”; (2) whether a violation of the right of access alone can give rise to a compensation claim under Article 82 GDPR; and (3) how non-material damage should be assessed in that context. While the judgment is relevant to all companies subject tot GDPR, we examine below the considerations it raises for life sciences companies specifically.

Continue Reading CJEU rules on GDPR access rights and abuse of rights: what the Brillen Rottler judgment means for life sciences companies

On 16 December 2025, the European Commission published its Proposal for a Regulation establishing a framework of measures for strengthening the EU’s biotechnology and biomanufacturing sectors, particularly in the area of health (the “European Biotech Act” or the “Proposal”). The Proposal is ambitious in scope: it amends several major pieces of EU health legislation, including the Clinical Trials Regulation (“CTR”), the Veterinary Medicines Regulation, the Food Law Regulation and the Substances of Human Origin Regulation (“SoHO”), while also introducing a new framework for EU strategic projects, AI-enabled biotechnology, and biodefence.

On 10 March 2026, the European Data Protection Board (“EDPB”) and the European Data Protection Supervisor (“EDPS”) adopted Joint Opinion 3/2026 on the Proposal (the “Joint Opinion”). While broadly supportive of the Proposal’s objectives, the EDPB and EDPS identified a number of significant data protection concerns, and issued recommendations. Although not legally binding, the Joint Opinion carries significant weight as it reflects the views of the EU’s primary data protection authorities and will directly shape the legislative debate ahead.

In this blog we examine the key data protection implications of the Proposal and the Joint Opinion for pharma and life sciences companies.

Continue Reading EDPB/EDPS Joint Opinion on the European Biotech Act Proposal: Key Data Protection Implications for Pharma and Life Sciences

On 19 November 2025, the European Commission published two legislative proposals – the Digital Omnibus on AI Regulation Proposal and the broader Digital Omnibus Regulation Proposal (“Proposals”) – as part of a wider initiative to simplify and streamline the EU’s digital regulatory framework. Together, the Proposals introduce targeted but significant amendments across a broad range of instruments, including the EU AI Act (Regulation (EU) 2024/1689), the GDPR (Regulation (EU) 2016/679), the ePrivacy Directive (2002/58/EC), the NIS2 Directive ((EU) 2022/2555), and the EU Data Act (Regulation (EU) 2023/2854).

Continue Reading EU Digital Omnibus: What the Proposed Reforms Mean for Pharma and MedTech

The Data (Use and Access) Act 2025 (“DUAA”) represents the UK’s first major reform of data protection law since leaving the EU. The Act aims to modernise the UK’s data protection framework by reducing administrative burdens on businesses, supporting innovation and maintaining high standards of data protection while enhancing the UK’s position as a competitive destination for data-driven industries.

As most of the data protection reforms introduced by the DUAA came into effect on 5 February 2026, life sciences companies should consider how the new framework reshapes their data protection compliance. While the DUAA introduces new rules, it also creates opportunities for the sector.

Continue Reading UK’s Data (Use and Access) Act: What Life Sciences Companies Need to Know

Welcome to the latest installment of Arnold & Porter’s Virtual and Digital Health Digest. This digest covers key virtual and digital health regulatory and public policy developments during December 2025 and early January 2026 from the the United Kingdom, and European Union.

Continue Reading Virtual and Digital Health Digest – December 2025

On 11 December, after overnight interinstitutional negotiations between the European Parliament and the Council of the European Union (“Council”) and the European Commission, the institutions reached a provisional political agreement on the reform of the European Union (“EU”) pharmaceutical legislation.

This agreement concludes months of trilogue discussions and follows a much longer legislative process that began with the European Commission’s  proposal adopted in April 2023, the European Parliament’s position adopted on 10 April 2024, and the Council’s position adopted on 4 June 2025 (see our detailed advisory on the Commission’s proposal and our BioSlice blog posts on the Parliament’s and Council’s positions here and here).

The provisional agreement must now be formally adopted by both the Parliament and the Council.

Continue Reading European institutions agree on the reform to the EU Regulatory Framework for Medicinal Products