Data protection

Subscribe to Data protection via RSS

Welcome to the latest installment of Arnold & Porter’s Virtual and Digital Health Digest. This digest covers key virtual and digital health regulatory and public policy developments during February and early March 2026 from the the United Kingdom, and European Union.

February 2026 saw a period of substantial regulatory activity across both the UK and EU, particularly in relation to AI governance, medical technologies, and data protection. In the UK, the policy landscape continued to evolve with initiatives affecting the regulation of medical devices, clinical research, and AI deployment. Key developments included the Medicines and Healthcare products Regulatory Agency’s (MHRA) consultation on the indefinite recognition of CE-marked medical devices, record levels of medical device testing, and the Prescription Medicines Code of Practice Authority’s (PMCPA) revised guidance on the use of social media. AI remained a major focus in the UK, with the UK government’s response to the consultation on the AI Management Essentials tool, increased industry involvement in the UK AI Security Institute’s alignment program, and feedback relating to governmental research on AI adoption across UK businesses. Additional international collaboration efforts included UK engagement at the India AI Impact Summit and an expanded science and technology partnership with Japan, as well as the launch of the first-ever AI Strategy for UK Research and Innovation.

Continue Reading Virtual and Digital Health Digest – February 2026

On 19 March 2026, the Court of Justice of the European Union (CJEU or Court) issued its judgment in Case C-526/24, Brillen Rottler GmbH & Co. KG v TC. The case concerned a data subject who subscribed to a German optician’s newsletter and, thirteen days later, submitted an access request under Article 15 GDPR. The company refused the request, arguing it was abusive. The data subject maintained it was legitimate and claimed at least €1.000 in non-material damages.

The CJEU’s judgment addresses three questions of broad significance: (1) when a first access request can be refused as “excessive”; (2) whether a violation of the right of access alone can give rise to a compensation claim under Article 82 GDPR; and (3) how non-material damage should be assessed in that context. While the judgment is relevant to all companies subject tot GDPR, we examine below the considerations it raises for life sciences companies specifically.

Continue Reading CJEU rules on GDPR access rights and abuse of rights: what the Brillen Rottler judgment means for life sciences companies

On 16 December 2025, the European Commission published its Proposal for a Regulation establishing a framework of measures for strengthening the EU’s biotechnology and biomanufacturing sectors, particularly in the area of health (the “European Biotech Act” or the “Proposal”). The Proposal is ambitious in scope: it amends several major pieces of EU health legislation, including the Clinical Trials Regulation (“CTR”), the Veterinary Medicines Regulation, the Food Law Regulation and the Substances of Human Origin Regulation (“SoHO”), while also introducing a new framework for EU strategic projects, AI-enabled biotechnology, and biodefence.

On 10 March 2026, the European Data Protection Board (“EDPB”) and the European Data Protection Supervisor (“EDPS”) adopted Joint Opinion 3/2026 on the Proposal (the “Joint Opinion”). While broadly supportive of the Proposal’s objectives, the EDPB and EDPS identified a number of significant data protection concerns, and issued recommendations. Although not legally binding, the Joint Opinion carries significant weight as it reflects the views of the EU’s primary data protection authorities and will directly shape the legislative debate ahead.

In this blog we examine the key data protection implications of the Proposal and the Joint Opinion for pharma and life sciences companies.

Continue Reading EDPB/EDPS Joint Opinion on the European Biotech Act Proposal: Key Data Protection Implications for Pharma and Life Sciences

On 19 November 2025, the European Commission published two legislative proposals – the Digital Omnibus on AI Regulation Proposal and the broader Digital Omnibus Regulation Proposal (“Proposals”) – as part of a wider initiative to simplify and streamline the EU’s digital regulatory framework. Together, the Proposals introduce targeted but significant amendments across a broad range of instruments, including the EU AI Act (Regulation (EU) 2024/1689), the GDPR (Regulation (EU) 2016/679), the ePrivacy Directive (2002/58/EC), the NIS2 Directive ((EU) 2022/2555), and the EU Data Act (Regulation (EU) 2023/2854).

Continue Reading EU Digital Omnibus: What the Proposed Reforms Mean for Pharma and MedTech

The Data (Use and Access) Act 2025 (“DUAA”) represents the UK’s first major reform of data protection law since leaving the EU. The Act aims to modernise the UK’s data protection framework by reducing administrative burdens on businesses, supporting innovation and maintaining high standards of data protection while enhancing the UK’s position as a competitive destination for data-driven industries.

As most of the data protection reforms introduced by the DUAA came into effect on 5 February 2026, life sciences companies should consider how the new framework reshapes their data protection compliance. While the DUAA introduces new rules, it also creates opportunities for the sector.

Continue Reading UK’s Data (Use and Access) Act: What Life Sciences Companies Need to Know

Welcome to the latest installment of Arnold & Porter’s Virtual and Digital Health Digest. This digest covers key virtual and digital health regulatory and public policy developments during December 2025 and early January 2026 from the the United Kingdom, and European Union.

Continue Reading Virtual and Digital Health Digest – December 2025

On 11 December, after overnight interinstitutional negotiations between the European Parliament and the Council of the European Union (“Council”) and the European Commission, the institutions reached a provisional political agreement on the reform of the European Union (“EU”) pharmaceutical legislation.

This agreement concludes months of trilogue discussions and follows a much longer legislative process that began with the European Commission’s  proposal adopted in April 2023, the European Parliament’s position adopted on 10 April 2024, and the Council’s position adopted on 4 June 2025 (see our detailed advisory on the Commission’s proposal and our BioSlice blog posts on the Parliament’s and Council’s positions here and here).

The provisional agreement must now be formally adopted by both the Parliament and the Council.

Continue Reading European institutions agree on the reform to the EU Regulatory Framework for Medicinal Products

Welcome to the latest installment of Arnold & Porter’s Virtual and Digital Health Digest. This digest covers key virtual and digital health regulatory and public policy developments during October and early November 2025 from the the United Kingdom, and European Union.

Continue Reading Virtual and Digital Health Digest – November 2025

The EU Commission has published its proposal for the “Digital Omnibus” aimed to simplify and streamline the EU rules governing artificial intelligence, data protection, cybersecurity, and data use more broadly. The proposal seeks to amend several cornerstone EU regulations, including Regulation (EU) 2016/679 (GDPR), Regulation (EU) 2024/1689 (AI Act), Regulation (EU) 2023/2854 (Data Act), Directive 2002/58/EC (e-Privacy Directive) and Directive (EU) 2022/2555 (NIS2). The proposal also foresees the repeal of the fairly recent Regulation (EU) 2022/868 (Data Governance Act).

Below is a high-level snapshot of the proposal, ahead of a more detailed advisory we will publish.

The proposal will now moves through what is expected to be a challenging legislative procedure and policy and political discussions with the European Parliament and the Council.

Below we set out a quick overview of the most relevant elements for companies, including medical device manufacturers and other Life Sciences companies – e.g., changes to the AI Act, updates to the GDPR, reform of the EU cookie and tracking rules, data-sharing rules, and the new single-entry point for cybersecurity and data protection incidents reporting.

Continue Reading Digital Omnibus: The European Commission published its proposal to amend the GDPR, AI Act, Data Act and other related frameworks

Welcome to the latest installment of Arnold & Porter’s Virtual and Digital Health Digest. This digest covers key virtual and digital health regulatory and public policy developments during September and early October 2025 from the the United Kingdom, and European Union.

This month, the EU and UK have been actively processing the future of AI development and regulation in life sciences and health care through a combination of legislative initiatives, opportunities for stakeholder engagement, and investment in infrastructure. In the EU, the European Commission has published draft guidance on reporting serious AI incidents under the AI Act, and the European Medicines Agency has initiated a stakeholder survey to define AI priorities in medicines regulation. In the UK, the UK government has announced a National Commission on the Regulation of AI in Healthcare and a new AIR-SP cloud platform. These developments signal a shift from theoretical regulation to practical implementation. There have also been two important decisions from the Court of Justice of the European Union refining the legal boundaries of digital health services and data protection.

Continue Reading Virtual and Digital Health Digest – October 2025