In this article
Summary
This week's digest covers the NHS rollout of an AI-powered patient triage tool, Anthropic's entry into biopharma with Claude Science, fresh evidence on disparate privacy risks in medical AI models, MHRA guidance on AI use in GxP inspection responses, the European Data Protection Supervisor's new checklist on automated decision-making, a US legislative push to ban health data sales, and the Supreme Court ruling that threatens the EU-US Data Privacy Framework. Together these developments signal that AI deployment in health and life sciences is accelerating while the regulatory and legal ground beneath transatlantic data flows is shifting sharply.
AI Tools Enter Clinical and Health Service Workflows
AI is moving from pilot programmes into operational health service delivery and biopharma research, raising immediate questions about governance, accountability and data protection compliance. Organisations deploying AI in clinical or regulated research settings must now plan concretely for human oversight, validation and, where health data is processed, a Data Protection Impact Assessment (a DPIA is a structured risk analysis required under Article 35 of the UK and EU General Data Protection Regulation before processing that is likely to result in high risk to individuals).
NHS App AI Triage Tool
The NHS plans to embed an AI triage function within its app, directing patients to the most appropriate care pathway, including GP, pharmacy, accident and emergency, community care or self-care, aiming to reach more than 200,000 users within one year and the full user base by April 2028, backed by a £10 billion digital investment. Early pilots showed measurable reductions in telephone queues and increased patient-facing time for clinicians, suggesting real operational benefit. From a regulatory standpoint, the tool processes health data at scale, so a comprehensive DPIA and clear legal basis under UK GDPR Article 9 for special category data will be essential before wider deployment. Parallel AI notetaking pilots, also referenced in the reporting, carry analogous obligations around data minimisation and retention.
Anthropic Launches Claude Science for Biopharma
Anthropic has released Claude Science, an AI workbench designed for scientific research and biopharma workflows, currently in beta for Claude Pro, Max, Team and Enterprise subscribers, with integrations to platforms including Benchling, Medidata and 10x Genomics. The company has also announced its own pre-clinical drug discovery programmes focused on neglected diseases, marking a significant expansion beyond its role as an AI provider. Life sciences organisations evaluating Claude Science for clinical research tasks should assess data processing agreements, confirm where patient or trial data would reside, and consider whether use in a regulated research context requires notification under applicable GxP frameworks.
Expert Evaluation of Clinical AI Tools at the Point of Care
A peer-reviewed study published on 3 July 2026 used a dataset of 620 real-world clinical queries, known as Real-POCQi, submitted by physicians across multiple specialties, asking 149 practising US physicians to compare responses from three general-purpose AI models (GPT-5.5, Gemini 3.1 Pro and Claude Opus 4.8) against a specialised clinical tool called OpenEvidence. The specialised tool outperformed the general-purpose models on clinically relevant criteria, a finding with direct implications for organisations selecting AI systems for point-of-care decision support. Health technology companies and NHS procurement teams should treat this evidence as grounds for rigorous clinical validation before deployment, as use of an underperforming tool in a care pathway could engage liability under the EU AI Act's high-risk AI provisions as well as patient safety law.
Privacy Risks in Medical AI: Disparate Harm and Regulatory Oversight
New research and regulatory guidance published this week converge on a single message: aggregate privacy metrics for AI systems can mask severe individual-level risks, and regulated entities must move towards granular, auditable privacy accounting.
Nature Study on Disparate Privacy Risks in Medical AI
Researchers publishing in Nature on 24 June 2026 demonstrated that medical AI models are vulnerable to membership inference attacks, which are techniques that allow an adversary to determine whether a specific individual's data was used to train a model, and that aggregate privacy scores systematically conceal elevated risks for underrepresented groups. Larger, more capable models were found to increase rather than decrease these risks. The study recommends that privacy audits report individual-level risk metrics and that differential privacy protections, applied at the patient level, be considered as a mitigation, though the authors note that differential privacy may require trade-offs in model utility. For life sciences organisations, this finding reinforces the case for granular DPIAs and for treating AI training datasets containing health data as high-risk processing under GDPR Article 35.
MHRA Guidance on AI Use in GxP Inspection Responses
The Medicines and Healthcare products Regulatory Agency (MHRA) published guidance on 29 June 2026 confirming that AI may be used to assist in drafting responses to Good Practice (GxP) inspection findings, where GxP refers to the suite of quality standards governing pharmaceutical manufacturing, clinical trials and laboratory practice. However, the MHRA makes clear that the regulated organisation remains fully accountable for the accuracy, factual correctness and evidential support of every statement submitted. Experienced human review and formal sign-off are described as essential, not optional. Voluntary disclosure of AI involvement is encouraged, including identification of which sections were AI-assisted and confirmation that human verification has been completed. Organisations that submit AI-generated responses without adequate human oversight risk regulatory censure regardless of the quality of the underlying content.
EDPS Checklist on Human Intervention in Automated Decision-Making
The European Data Protection Supervisor (EDPS), the independent supervisory authority for EU institutions, published on 2 July 2026 a checklist examining whether human oversight of automated decision-making (ADM) systems genuinely protects individuals' rights or merely provides the appearance of control. The checklist accompanies a TechDispatch paper and addresses concerns that nominally human review processes may be cursory, poorly resourced or structurally unable to override algorithmic outputs. For health and life sciences organisations using AI to inform clinical, eligibility or administrative decisions, the checklist offers a practical self-assessment tool aligned with GDPR Article 22, which grants individuals the right not to be subject to solely automated decisions producing significant effects. Compliance teams should use the checklist to stress-test existing human review workflows against the EDPS criteria.
Transatlantic Data Flows Under Acute Pressure
Two developments this week, one legislative and one judicial, combine to create serious uncertainty for organisations transferring health or location data between the European Union and the United States. Organisations relying on the EU-US Data Privacy Framework as a transfer mechanism should begin contingency planning immediately, including reviewing whether Standard Contractual Clauses provide a viable alternative and whether a transfer impact assessment is required.
US Health and Location Data Protection Act
A bipartisan bill introduced on 1 July 2026 by US legislators, titled the Health and Location Data Protection Act, would prohibit data brokers from selling or transferring Americans' health and location data, empower the Federal Trade Commission (FTC), state attorneys general and private individuals to enforce the prohibition, and allocate one billion US dollars to the FTC for implementation over ten years. While the bill addresses domestic US data broker activity rather than cross-border transfers directly, its passage would significantly affect the data ecosystem that underpins many digital health and clinical trial data supply chains. EU-based sponsors and contract research organisations sourcing real-world data from US brokers should monitor the bill's progress and assess current vendor arrangements against both US law and their own GDPR obligations.
Supreme Court Ruling on FTC Independence and the EU-US Data Privacy Framework
The United States Supreme Court ruled on 30 June 2026, by six votes to three, that the President may dismiss FTC commissioners at will, overturning the longstanding precedent established in Humphrey's Executor and significantly eroding the independence of multi-member federal commissions. The EU-US Data Privacy Framework (a formal adequacy arrangement adopted by the European Commission in 2023 to permit personal data transfers from the EU to certified US organisations) depends in part on the FTC's independence as an enforcement body. A politically controlled FTC may no longer satisfy the adequacy conditions assessed by the European Commission, raising the prospect of a third Schrems-style invalidation of the transfer mechanism. Organisations using the EU-US Data Privacy Framework as their sole transfer basis for health or clinical trial data should urgently assess whether Standard Contractual Clauses and a transfer impact assessment can provide a sustainable fallback.
FAQs
Our frequently questions
Not always, but in many cases yes. Where an AI system processes health data, supports clinical decision making, or is likely to create a high risk for individuals, a Data Protection Impact Assessment (DPIA) is generally required under Article 35 GDPR before deployment. This includes many AI triage, research and patient support tools.
Yes, but only after appropriate due diligence. Organisations should review data processing agreements, understand where data is stored, verify security controls, assess international data transfers and determine whether additional GxP validation or governance requirements apply before processing regulated clinical information.
A membership inference attack attempts to determine whether a specific individual’s data was used to train an AI model. New research suggests these risks may be significantly higher for underrepresented patient groups, meaning organisations should look beyond aggregate privacy metrics and include more granular privacy assessments when developing or procuring AI systems.
Organisations should review AI governance frameworks, perform DPIAs for new AI deployments, validate AI tools before use in regulated environments, strengthen human oversight for automated decision making, assess vendor and contractual arrangements, and re evaluate international data transfer mechanisms to ensure continued GDPR compliance.
Yes. Recent legal developments affecting the independence of the US Federal Trade Commission have increased uncertainty around the long term stability of the EU US Data Privacy Framework. Organisations should review their transfer mechanisms, consider Standard Contractual Clauses where appropriate and ensure Transfer Impact Assessments remain up to date.
Find out how iliomad can help your company.
Only visible in production
We'll get back to you as soon as possible.

Human Intervention in Automated Decision-Making: What the EDPS Checklist Means for Life Sciences
The EDPS checklist on human intervention in automated decision-making carries direct implications for GDPR clinical trials. Learn what effective oversight requires.

Informed Consent Form (ICF) and Ethnicity Data: Justification Requirements Under GDPR and MR-001
Ethics committees require scientific justification for ethnicity data in the ICF. Learn how GDPR Article 9, MR-001 and EU CTR 536/2014 apply to your clinical trial.

Health Data Under Pressure: US Legislative Shifts, AI Privacy Risks and EU Cloud Sovereignty Disputes | Weekly Digest
This week: a US health data broker bill, Supreme Court FTC ruling threatening EU-US data flows, AI membership inference risks, and French cloud sovereignty tensions.


