Data protection

Subscribe to Data protection via RSS

Introduction

On 4 June, EU Member States, meeting in the Council of the European Union (‘Council’), have agreed on a position on the pharmaceutical reform package.

This agreement was reached despite significant divergences between EU Member States in the preceding weeks. It marks a key milestone in the process for adoption of the EU revision of EU’s general pharmaceutical legislation, as it sets out the Council’s position for the trilogue negotiations to find a text agreeable to the Parliament and the Council, which can now begin.

The innovative pharmaceutical industry will welcome aspects of the Council’s adopted negotiating mandate as it provides greater certainty with regards to regulatory data protection and it lightens some of the obligations introduced in the European Commission proposal for reform of the EU pharmaceutical legislation adopted in April 2023 and the European Parliament’s position adopted on 10 April 2024 (see our detailed advisory). At the same time, the Council has adopted positions on some aspects of the proposals that could be seen as less favourable to industry.

We discuss some of the key provisions and changes in the Council’s adopted position below. This is, however, not covering all elements of the reform of the EU pharmaceutical legislation and the final outcome of the legislative process remains uncertain.Continue Reading Council of the European Union backs reforms to the EU Regulatory Framework for Medicinal Products

Welcome to the latest installment of Arnold & Porter’s Virtual and Digital Health Digest. This digest covers key virtual and digital health regulatory and public policy developments during April and early May 2025 from the United States, United Kingdom, and European Union.

Cybersecurity is a hot topic in the UK and EU this month. In both, cybersecurity plans are developing, with the European Commission conducting a consultation on the EU Action Plan to strengthen cybersecurity within hospitals and health care providers, and the UK Cyber Security and Resilience Bill being published, introduced partly because of cyberattacks on UK hospitals. This is clearly an important area for developers of digital products and services, who should watch the progress of these policies closely.Continue Reading Virtual and Digital Health Digest – May 2025

On 21 May 2025, the European Commission published its Proposal for a Regulation (“Proposal”), amending several existing regulations, including the General Data Protection Regulation (EU) 2016/67 (“GDPR”), to simplify obligations for small and medium-sized enterprises (“SMEs”) and extend certain mitigating measures to small mid-cap enterprises (“SMCs”).Continue Reading Proposed GDPR Simplifications for SMEs and SMCs

The European Data Protection Body (EDPB) has published a study on how personal health data is and/or can be reused for scientific research in the EU under the EU General Data Protection Regulation (GDPR). The study highlights the related practical challenges due to divergent interpretations of the GDPR and national rules across EU Member States.

The key conclusions of the study are set out below:Continue Reading European Data Protection Board publishes study on secondary use of personal health data for scientific research

On 5 March 2025, Regulation 2025/327 (EHDS Regulation), creating a European Health Data Space (EHDS), was published in the European Union Official Journal (EU Official Journal), marking the end of the legislative process of the EHDS Regulation.

As set out in a previous blog, the EHDS Regulation allows Life Sciences companies to apply for

Members of the European Parliament (MEPs) have voted overwhelmingly in favour of the pharmaceutical reform package following a debate on 10 April.

The vote is a key step in the passage of the new Directive and Regulation, which together form the EU’s revisions to the General Pharmaceutical Legislation (GPL). These revisions are part of the overall EU pharmaceutical strategy that was announced by the European Commission in November 2020, with the core GPL amendments proposals published in April 2023.

With the vote, the European Parliament has now endorsed the position adopted by the Environment, Public Health and Food Safety Committee on 19 March 2024. The Committee had amended the Commission’s proposal in several respects. Overall, the Parliament’s amendments are aimed at encouraging and fostering more innovation in the EU, and industry will be pleased that some of its core concerns have been addressed, although significant areas of uncertainty remain.

The adoption of the package is likely to be delayed by the European Parliament elections in June this year. The reforms will be taken up by the new Parliament after the elections, and so it is difficult to see any agreement being reached before 2026.

Below is a summary of the Parliament’s position in some of the key area. This summary is, however, not exhaustive but rather highlights topics that have been subject to increased interest for industry and extensive discussions in the European Parliament.Continue Reading European Parliament backs reforms to the EU Regulatory Framework for Medicinal Products

On 1 February 2024, the Danish Data Protection Agency announced that it reported the private hospital HP Gildhøj Privathospital ApS’s (Capio A/S) to the Danish police and recommended imposing a fine of not less than DKK 1,500,000 (over 200.000 euros). In their investigation, the Danish Data Protection Agency found that the hospital had failed to effectively supervise the data processors they used for the processing of large amounts of patients’ sensitive  personal data.Continue Reading Proposed fine against Danish hospital for failure to supervise data processors

On 7 July 2021, the European Data Protection Board (EDPB) adopted the final version of its guidelines 07/2021 on the concepts of controller and processor in the General Data Protection Regulation (GDPR) (Guidelines), following a period of public consultation regarding the first draft of the Guidelines (about which we reported in an earlier blogpost). As discussed below, the final Guidelines have considerable significance for the life sciences sector.

Another key GDPR development that is directly relevant for the life sciences sector and international transfers of personal health data (e.g., conduct of cross-border clinical trials) is the adoption of the new version of the standard contractual clauses (New SCCs) published by the European Commission (EC) on 4 June 2021. The second part of this blogpost outlines some key takeaways of the New SCCs. (We provide a more detailed analysis of the design, scope and main content of the New SCCs in our related advisory.)Continue Reading Recent GDPR developments relevant for the life sciences sector

On 7 September 2020, the European Data Protection Board (EDPB) initiated a public consultation on draft Guidelines 07/2020 on the concepts of controller and processor in the GDPR. Any interested party could provide comments by 19 October 2020 using the dedicated form.

The draft Guidelines contain elements that are of interest for companies active in the life science sector as they may have an impact on comapnies’ day-to-day research and commercial activities in the EU and their compliance with Regulation (EU) 2016/679 (GDPR).
Continue Reading Draft EU guidelines on the concepts of controller and processor—key elements for life sciences companies