The privacy regulatory landscape continues to develop rapidly across Asia, Europe, and the U.S. Global life sciences companies must monitor new regulations and guidance, paying attention to how different pieces of legislation interact and overlap. Cybersecurity remains a risk in the digital health space, and developments in wearable technology and medical devices are increasing both the risk and the regulatory scrutiny.
While significant attempts were made this year, the U.S. once again ended the 2022 federal legislative calendar without a comprehensive privacy law. The lack of such a federal law, coupled with the advancement of state privacy laws and enforcement efforts, leaves companies subject to U.S. laws without clear direction and with a growing number of overlapping compliance obligations to address.
Key to this complexity are the forthcoming changes to the California Consumer Privacy Act (CCPA), which, among other things, will bring the personal information of personnel, applicants, and business-to-business (B2B) contacts who are California residents within the scope of the law. Amendments to the CCPA made by the California Privacy Rights Act (CPRA) take effect January 1, 2023, become enforceable on July 1, 2023, and will represent a significant change in applicable law for many life sciences entities that primarily process data currently exempt from the CCPA (including, for instance, data subject to the Health Insurance Portability and Accountability Act (HIPAA)). Any entity that meets the CCPA thresholds, regardless of whether some of its data is exempt, may now face requests from employees who are California residents to access their personal information, a potentially costly and time-consuming obligation.
The CCPA amendments will also present new complexities, which will apply to companies already subject to the CCPA as well as those pulled into the statute's ambit in 2023. These include new individual rights, potential requirements to perform risk assessments and cybersecurity audits, data retention restrictions and reporting requirements, and the removal of the 30-day period to cure a notified violation. Further compounding the complexity, the CPRA regulations are considerably behind schedule, and the first set of final regulations is not expected until early 2023.
Turning to privacy enforcement, as of January 1, 2023, the California Attorney General (CA AG) and the newly operational California Privacy Protection Agency (CPPA) will no longer be required to provide a 30-day period in which an entity can cure a violation. The CA AG issued its first-ever CCPA financial penalty in 2022 and is anticipated to continue advancing its compliance priorities through investigations and penalties. Outside California, litigation under the Illinois Biometric Information Privacy Act (BIPA) is expected to continue, though questions remain as to its scope and application. Companies are awaiting two anticipated rulings from the Illinois Supreme Court that will address the applicable statute of limitations and when claims accrue.
Increased threat actor activity combines with heightened regulatory attention to create an ongoing set of cybersecurity concerns for life sciences entities. In the U.S., where cybersecurity law has largely been sectoral or tied to particular circumstances, regulators are beginning to regulate the area more broadly. For example, the SEC has proposed new cybersecurity rules for public companies regardless of sector; the proposed rules would create disclosure requirements for cybersecurity risk management, strategy, and governance, and mandate incident reporting. Similarly, the Department of Justice (DOJ) is expected to continue leveraging the False Claims Act, under its Civil Cyber-Fraud Initiative, to pursue what it perceives to be cybersecurity-related fraud by federal government contractors, subcontractors, and grant recipients.
The Federal Trade Commission (FTC) has also renewed its longstanding oversight of consumer-facing cybersecurity by including the topic in a sweeping advance notice of proposed rulemaking (ANPR). "Lax data security" is a target of the ANPR and accounts for a significant portion of the 95 questions on which the FTC sought public comment.
At the state level, the CCPA's security provisions have historically focused on reasonable security and data breaches. But when the large set of CCPA amendments (the CPRA, discussed above) takes effect on January 1, 2023, entities whose processing of consumers' personal information presents a "significant risk to consumers' privacy or security" must complete an annual cybersecurity audit. The California Privacy Protection Agency has yet to issue regulations governing when and how this audit is to take place, but the requirement highlights the deepening of U.S. cybersecurity obligations, and it is likely that some life sciences entities process personal information that will be subject to it.
In Europe and the U.S., international data transfers will remain a complex privacy issue for life sciences companies, though significant change may be on the horizon. On October 7, 2022, the U.S. President signed an executive order to implement the new Trans-Atlantic Data Privacy Framework (Framework), the intended successor to the invalidated EU-U.S. Privacy Shield. On December 13, 2022, the European Commission released a draft adequacy decision for the U.S., reflecting its view that the Framework addresses the concerns that led to the invalidation of Privacy Shield. The Framework is structured much like Privacy Shield: companies will need to certify compliance with a set of commitments that go beyond those in U.S. law. While the Framework will be an available transfer mechanism if adequacy is granted, the executive order will also support the existing Article 46 safeguards (e.g., EU Standard Contractual Clauses (SCCs) and Binding Corporate Rules) for companies transferring personal data from the EU to the U.S.
On the UK side, international transfers also continue to evolve, with several adequacy agreements either under negotiation (e.g., with the U.S.) or recently settled (e.g., the UK and the Republic of Korea released their adequacy agreement on July 5, 2022, which will facilitate data transfers between the two countries). Further, the UK has introduced its own international data transfer agreement (IDTA) and an addendum to the European Commission's SCCs (the UK Addendum), which life sciences companies will need to have in place to cover transfers of data from the UK. Companies intending to use the new EU SCCs for EU transfers together with the UK Addendum for UK transfers should note that the long-stop date for moving to these new clauses was December 27, 2022; new transfer assessments and agreements should therefore be put in place as soon as possible.
The above developments on international transfers are significant to multi-national life sciences companies that are involved in transferring health data, for example, from hospitals, sites, laboratories, group companies and vendors in the EU/UK, as part of clinical trial, medical device and digital health activities. Therefore, putting in place GDPR data transfer mechanisms, such as SCCs, and carrying out transfer impact assessments, will continue to be a key consideration in 2023.
In Europe, a slew of new legislation will also affect digital health players. Of particular note is the new compromise text of the AI Act, released on November 3, 2022. The AI Act takes a risk-based approach to regulating AI systems, with the obligations it imposes scaling down as the perceived risk posed by the system decreases. It also adopts a broad definition of "AI systems", so life sciences companies will need to consider how they are affected, including those using AI to manage health records, manufacture health trackers, and build AI-driven medical devices. In particular, AI systems considered "high risk", which can include medical devices, will be subject to mandatory requirements, including providing meaningful information about how the AI system works and how it may affect health data, undergoing a "conformity assessment", and complying with more stringent safety and technical standards. The text may be agreed by early 2023, so life sciences companies using AI should monitor the AI Act's development.
Also, on May 3, 2022, the European Commission issued its proposal for a Regulation on the European Health Data Space (EHDS). At a high level, the EHDS — which is expected to come into force in 2025 — seeks to (i) provide individuals with increased control over, and access to, their electronic health data (EHD), (ii) enable the secure cross-border sharing of such EHD among national EU healthcare systems, and (iii) facilitate the trustworthy and secure sharing of EHD for secondary research purposes.
In addition, the European Commission has responded to the increasing risk of ransomware attacks and other cybersecurity threats by proposing a Cyber Resilience Act (CRA). The CRA would impose essential cybersecurity requirements on all products with "digital elements", including, for instance, health tracking devices and other health monitoring systems. Importantly, the CRA applies to all "economic operators" as defined in the Act, which includes importers and distributors, with the most stringent obligations falling on manufacturers of digital products. The CRA therefore has the potential to reach a wide variety of actors in the life sciences industry. The CRA is still in draft form and subject to public consultation. Under the current draft, there would be a 24-month implementation period after adoption, although manufacturers would become subject to reporting obligations one year after the CRA enters into force.
China continues to tighten control over cross-border data transfers. On September 1, 2022, the Measures for Security Assessment of Cross-Border Data Transfers (CBDT Measures) issued by the Cyberspace Administration of China (CAC) came into effect. Under the CBDT Measures, a company must pass a CAC security assessment before exporting data from China if (i) it operates critical information infrastructure designated by Chinese authorities; (ii) it processes the personal information of 1 million or more individuals; (iii) it has, in aggregate, transferred the personal information of 100,000 individuals or the sensitive personal information of 10,000 individuals outside China since January 1 of the previous year; or (iv) the data to be exported is considered "important data" under Chinese law. The exact scope of "important data" is unclear and awaits further clarification from Chinese authorities. A company that meets any of these criteria has a six-month grace period from September 1, 2022 (i.e., until the end of February 2023) to complete the CAC security assessment.
In addition to the CAC security assessment, Chinese law recognizes two other data transfer mechanisms: personal information protection certification and the standard contract. However, neither mechanism is yet available in practice, because certification bodies have not been approved and the draft standard contract has not been finalized.
Life sciences companies are expected to face more pressure to localize their data in China. Under the Guiding Principles for Review of Cybersecurity Registration of Medical Devices (2022 Revision) issued by the Center for Medical Device Evaluation of the National Medical Products Administration, data related to medical activities that is generated or used by medical devices would be considered "important data" and should in principle be stored locally in China. These guiding principles are not a binding regulation but will likely be referred to by Chinese regulators when reviewing medical device registration applications. In addition, a recommended national standard issued on October 14, 2022, and taking effect on May 1, 2023, requires that genetic recognition data and associated information be stored within China.