Welcome to the latest installment of Arnold & Porter’s Virtual and Digital Health Digest. This digest covers key virtual and digital health regulatory and public policy developments during February and early March 2026 from the United Kingdom and European Union.

February 2026 saw a period of substantial regulatory activity across both the UK and EU, particularly in relation to AI governance, medical technologies, and data protection. In the UK, the policy landscape continued to evolve with initiatives affecting the regulation of medical devices, clinical research, and AI deployment. Key developments included the Medicines and Healthcare products Regulatory Agency’s (MHRA) consultation on the indefinite recognition of CE-marked medical devices, record levels of medical device testing, and the Prescription Medicines Code of Practice Authority’s (PMCPA) revised guidance on the use of social media. AI remained a major focus in the UK, with the UK government’s response to the consultation on the AI Management Essentials tool, increased industry involvement in the UK AI Security Institute’s alignment program, and feedback relating to governmental research on AI adoption across UK businesses. Additional international collaboration efforts included UK engagement at the India AI Impact Summit and an expanded science and technology partnership with Japan, as well as the launch of the first-ever AI Strategy for UK Research and Innovation.

Continue Reading Virtual and Digital Health Digest – February 2026

On 16 December 2025, the European Commission published its Proposal for a Regulation establishing a framework of measures for strengthening the EU’s biotechnology and biomanufacturing sectors, particularly in the area of health (the “European Biotech Act” or the “Proposal”). The Proposal is ambitious in scope: it amends several major pieces of EU health legislation, including the Clinical Trials Regulation (“CTR”), the Veterinary Medicines Regulation, the Food Law Regulation and the Substances of Human Origin Regulation (“SoHO”), while also introducing a new framework for EU strategic projects, AI-enabled biotechnology, and biodefence.

On 10 March 2026, the European Data Protection Board (“EDPB”) and the European Data Protection Supervisor (“EDPS”) adopted Joint Opinion 3/2026 on the Proposal (the “Joint Opinion”). While broadly supportive of the Proposal’s objectives, the EDPB and EDPS identified a number of significant data protection concerns, and issued recommendations. Although not legally binding, the Joint Opinion carries significant weight as it reflects the views of the EU’s primary data protection authorities and will directly shape the legislative debate ahead.

In this blog we examine the key data protection implications of the Proposal and the Joint Opinion for pharma and life sciences companies.

Continue Reading EDPB/EDPS Joint Opinion on the European Biotech Act Proposal: Key Data Protection Implications for Pharma and Life Sciences

Welcome to the latest installment of Arnold & Porter’s Virtual and Digital Health Digest. This digest covers key virtual and digital health regulatory and public policy developments during December 2025 and early January 2026 from the United Kingdom and European Union.

January 2026 saw significant activity as UK and EU authorities advanced major initiatives affecting the use of AI, digital technologies, data governance, and cybersecurity in healthcare and life sciences. Notable developments include the EMA and FDA joint principles on the use of AI across the medicinal product lifecycle, the European Commission’s call for evidence on the proposed amendments to the Medical Devices Regulation (EU) 2017/745 (MDR) and In Vitro Diagnostic Regulation (EU) 2017/746 (IVDR), proposals to strengthen the EU Cybersecurity Act, and important data protection interventions. In parallel, UK and EU regulators continued to focus on the safe deployment of digital tools in healthcare, including new Medicines and Healthcare products Regulatory Agency (MHRA) guidance on mental health technologies and ongoing work to refine AI governance. These updates, alongside developments in Intellectual Property (IP) and product liability, signal a rapidly evolving regulatory environment that will help to shape digital innovation and compliance expectations throughout 2026.

Continue Reading Virtual and Digital Health Digest – January 2026

On 19 November 2025, the European Commission published two legislative proposals – the Digital Omnibus on AI Regulation Proposal and the broader Digital Omnibus Regulation Proposal (“Proposals”) – as part of a wider initiative to simplify and streamline the EU’s digital regulatory framework. Together, the Proposals introduce targeted but significant amendments across a broad range of instruments, including the EU AI Act (Regulation (EU) 2024/1689), the GDPR (Regulation (EU) 2016/679), the ePrivacy Directive (2002/58/EC), the NIS2 Directive ((EU) 2022/2555), and the EU Data Act (Regulation (EU) 2023/2854).

Continue Reading EU Digital Omnibus: What the Proposed Reforms Mean for Pharma and MedTech

The European Data Protection Body (EDPB) has published a study on how personal health data is and/or can be reused for scientific research in the EU under the EU General Data Protection Regulation (GDPR). The study highlights the related practical challenges due to divergent interpretations of the GDPR and national rules across EU Member States.

The key conclusions of the study are set out below:

Continue Reading European Data Protection Board publishes study on secondary use of personal health data for scientific research

In the last month, both the European Data Protection Board (“EDPB”) and the Court of Justice of the European Union (“CJEU”) provided their interpretation of key data protection concepts that are crucial for ensuring compliance with Regulation (EU) 2016/679 (“GDPR”).

In Opinion 22/2024, the EDPB provided guidance to data controllers on how to effectively oversee the activities of their (sub-)processors in a GDPR-compliant manner. The opinion was requested by the Danish data protection authority and likely related to the enforcement actions against Danish hospitals which allegedly failed to oversee processors (see our blog – https://www.biosliceblog.com/2024/02/proposed-fine-against-danish-hospital-for-failure-to-supervise-data-processors/).

In early October, the CJEU provided an answer to a key question raised by the courts in the Netherlands – can the legitimate interests legal basis be used for processing of personal data for commercial purposes (e.g., sharing with third parties for advertising and promotion) (Case C‑621/22).

Continue Reading Notable developments in the interpretation of key GDPR concepts – why should Life Sciences companies care?

On 7 July 2021, the European Data Protection Board (EDPB) adopted the final version of its guidelines 07/2021 on the concepts of controller and processor in the General Data Protection Regulation (GDPR) (Guidelines), following a period of public consultation regarding the first draft of the Guidelines (about which we reported in an earlier blogpost). As discussed below, the final Guidelines have considerable significance for the life sciences sector.

Another key GDPR development that is directly relevant for the life sciences sector and international transfers of personal health data (e.g., conduct of cross-border clinical trials) is the adoption of the new version of the standard contractual clauses (New SCCs) published by the European Commission (EC) on 4 June 2021. The second part of this blogpost outlines some key takeaways of the New SCCs. (We provide a more detailed analysis of the design, scope and main content of the New SCCs in our related advisory.)

Continue Reading Recent GDPR developments relevant for the life sciences sector

On 7 September 2020, the European Data Protection Board (EDPB) initiated a public consultation on draft Guidelines 07/2020 on the concepts of controller and processor in the GDPR. Any interested party could provide comments by 19 October 2020 using the dedicated form.

The draft Guidelines contain elements that are of interest for companies active in the life science sector as they may have an impact on companies’ day-to-day research and commercial activities in the EU and their compliance with Regulation (EU) 2016/679 (GDPR).

Continue Reading Draft EU guidelines on the concepts of controller and processor—key elements for life sciences companies