Summary

This week's digest highlights significant shifts in health data regulations, including a proposed US bill to ban data brokers from selling health information and a Supreme Court ruling jeopardizing FTC independence. Additionally, concerns regarding AI privacy risks and French cloud sovereignty tensions add to the evolving compliance landscape for healthtech organizations.


1. US Legislative and Regulatory Upheaval: Health Data Protections and the FTC's Future

Two developments this week fundamentally alter the US regulatory landscape for health data: a proposed federal ban on data broker sales of health and location information, and a Supreme Court ruling that may strip the Federal Trade Commission of its political independence. The second in particular creates material uncertainty for any organisation relying on the EU-US Data Privacy Framework (DPF) as a lawful transfer mechanism under the General Data Protection Regulation (GDPR, Regulation (EU) 2016/679).

US Lawmaker Introduces the Health and Location Data Protection Act

Representative Katie Scanlon's bipartisan Health and Location Data Protection Act, introduced on 1 July 2026, would prohibit data brokers from selling or transferring Americans' health and location data and would grant enforcement powers to the Federal Trade Commission (FTC), state attorneys general and private individuals. The bill proposes an allocation of USD 1 billion to the FTC over ten years for implementation, signalling a significant federal commitment to curbing the data broker economy. For life sciences companies that purchase real-world health data sets for research or commercial purposes, this legislation, if enacted, would require a fundamental review of data sourcing arrangements and vendor contracts.


Supreme Court Ruling Threatens FTC Independence and the EU-US Data Privacy Framework

In a 6-3 decision issued in late June 2026, the US Supreme Court held that the President may dismiss FTC commissioners at will, overturning the longstanding precedent of Humphrey's Executor v. United States and endorsing the so-called unitary executive theory, under which the President must retain direct control over all executive officers. The ruling places the political independence of the FTC in serious jeopardy. The EU-US Data Privacy Framework (DPF), the adequacy decision adopted by the European Commission in July 2023 to permit personal data flows from the EU to the US, relies in part on the FTC's capacity to act as an independent enforcement body, so the judgment raises a credible risk that the Court of Justice of the European Union (CJEU) could revisit the DPF's adequacy in proceedings that commentators are already calling a potential Schrems III. EU-based sponsors and healthtech companies transferring personal data to US processors should urgently confirm that a fallback transfer mechanism such as the Standard Contractual Clauses (SCCs) is in place and that the transfer impact assessment required by Clause 14 of the 2021 SCCs has actually been documented: a court that finds US enforcement inadequate for the DPF would apply the same reasoning to SCC transfers, as the CJEU did in Schrems II in 2020.


2. AI in Healthcare: Membership Inference Risks and Clinical Trial Data Integrity

Medical Diagnosis AIs Vulnerable to Membership Inference Attacks

Research reported by The Register on 26 June 2026 demonstrates that medical diagnosis AI models are highly susceptible to membership inference attacks, in which an adversary who holds only partial medical information about an individual determines whether that individual's record was used to train the model. The vulnerability is more pronounced for under-represented or sensitive demographic groups, and the reported risk increases with larger or more specific data sets. Under GDPR Article 35, controllers must conduct a Data Protection Impact Assessment (DPIA), a structured analysis of the risks that a processing activity poses to individuals' rights and freedoms, whenever processing is likely to result in a high risk; large-scale processing of health data, a special category under Article 9, is expressly listed in Article 35(3)(b). The findings suggest that existing DPIAs for medical AI systems may materially underestimate membership disclosure and re-identification risk; they should be reviewed and updated accordingly, with the model's measured susceptibility to this attack recorded as a residual risk.
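The attack described above, as an added example that is not part of the digest or of the research it reports. It trains a deliberately over-parameterised logistic regression on a constructed, synthetic set of 30 "patient records" (100 binary symptom flags and a noisy diagnosis label; no real data is involved) and then runs the loss-threshold membership inference attack of Yeom et al. (2018): records on which the model's loss is unusually low are called training members. A control run between two groups of records that were both unseen in training shows what the same procedure returns when there is nothing to find. Pure standard-library Python; the dataset sizes, learning rate, epoch count and every function name are this example's own choices, not anything from the reported research.

```python
import math
import random

# Constructed synthetic "patient records": D symptom flags encoded as +1/-1
# and a noisy binary diagnosis label. Sizes are this example's assumptions:
# far more features than training records, so the model memorises rather
# than generalises, which is the worst case for membership inference.
D = 100          # symptom flags per record
N_TRAIN = 30     # records the model is trained on ("members")
N_HOLDOUT = 30   # size of each of the two never-seen groups
EPOCHS = 600
LR = 0.5


def make_dataset(n, d, true_w, rng, noise_sd=10.0):
    """Draw n records: features in {-1,+1}^d, label = 1 if a hidden linear risk
    score plus Gaussian noise is positive. With noise_sd=10 only about two
    thirds of labels follow the hidden rule, mimicking noisy clinical labels."""
    records = []
    for _ in range(n):
        x = [rng.choice((-1.0, 1.0)) for _ in range(d)]
        score = sum(wi * xi for wi, xi in zip(true_w, x)) + rng.gauss(0.0, noise_sd)
        records.append((x, 1 if score > 0 else 0))
    return records


def sigmoid(z):
    # Numerically safe in both tails.
    return 1.0 / (1.0 + math.exp(-z)) if z >= 0 else math.exp(z) / (1.0 + math.exp(z))


def train_logreg(data, epochs, lr):
    """Full-batch gradient descent on unregularised logistic regression.
    On separable data the training loss keeps falling towards zero: the
    memorisation the attack exploits."""
    d = len(data[0][0])
    n = len(data)
    w, b = [0.0] * d, 0.0
    for _ in range(epochs):
        gw, gb = [0.0] * d, 0.0
        for x, y in data:
            r = sigmoid(sum(wi * xi for wi, xi in zip(w, x)) + b) - y  # dloss/dz
            for i, xi in enumerate(x):
                gw[i] += r * xi
            gb += r
        w = [wi - lr * gi / n for wi, gi in zip(w, gw)]
        b -= lr * gb / n
    return w, b


def per_record_loss(model, data):
    """Cross-entropy loss of the model on each record: the attacker's signal.
    A black-box API that returns confidences is enough to compute this."""
    w, b = model
    losses = []
    for x, y in data:
        p = sigmoid(sum(wi * xi for wi, xi in zip(w, x)) + b)
        p = min(max(p, 1e-12), 1.0 - 1e-12)
        losses.append(-(y * math.log(p) + (1 - y) * math.log(1.0 - p)))
    return losses


def loss_threshold_attack(member_losses, nonmember_losses):
    """Loss-threshold attack (Yeom et al. 2018) evaluated on a balanced
    challenge set: records whose loss is below the pool median are called
    'member'. Returns (TPR, FPR, advantage = TPR - FPR, AUC of the ranking)."""
    pool = sorted(member_losses + nonmember_losses)
    tau = pool[len(pool) // 2]
    tpr = sum(l < tau for l in member_losses) / len(member_losses)
    fpr = sum(l < tau for l in nonmember_losses) / len(nonmember_losses)
    # AUC: chance that a random member has lower loss than a random non-member.
    wins = sum((m < nm) + 0.5 * (m == nm) for m in member_losses for nm in nonmember_losses)
    auc = wins / (len(member_losses) * len(nonmember_losses))
    return tpr, fpr, tpr - fpr, auc


def run_experiment(seed=7):
    rng = random.Random(seed)
    true_w = [rng.uniform(-1.0, 1.0) for _ in range(D)]
    members = make_dataset(N_TRAIN, D, true_w, rng)
    holdout_a = make_dataset(N_HOLDOUT, D, true_w, rng)  # never used in training
    holdout_b = make_dataset(N_HOLDOUT, D, true_w, rng)  # control group, also unseen
    model = train_logreg(members, EPOCHS, LR)
    l_mem = per_record_loss(model, members)
    l_a = per_record_loss(model, holdout_a)
    l_b = per_record_loss(model, holdout_b)
    return {
        "mean_member_loss": sum(l_mem) / len(l_mem),
        "mean_nonmember_loss": sum(l_a) / len(l_a),
        "attack": loss_threshold_attack(l_mem, l_a),   # members vs unseen records
        "control": loss_threshold_attack(l_a, l_b),    # unseen vs unseen: should be ~chance
    }


if __name__ == "__main__":
    res = run_experiment()
    print(f"mean loss: members={res['mean_member_loss']:.3f} "
          f"non-members={res['mean_nonmember_loss']:.3f}")
    for name in ("attack", "control"):
        tpr, fpr, adv, auc = res[name]
        print(f"{name:8s} TPR={tpr:.2f} FPR={fpr:.2f} advantage={adv:.2f} AUC={auc:.2f}")
```

Compare the attack row with the control row: the advantage (TPR minus FPR) on the control sits near zero and its AUC near 0.5, while the attack on the real training set separates members from non-members well above chance, with the members' mean loss far below the non-members'. The same harness can be pointed at any model that exposes a per-record loss or confidence, which is the form in which a DPIA technical annex can document residual membership risk for a deployed diagnosis model. L2 regularisation, early stopping and larger training sets shrink the loss gap but give no guarantee; only training with differential privacy (for example DP-SGD) bounds the attacker's advantage formally, and the accuracy cost of doing so is itself worth recording in the DPIA.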


Data Flow Integrity in AI-Assisted Clinical Trials

An analysis published by Clinical Leader on 26 June 2026 sets out how AI tools expand data integrity obligations across the entire clinical trial lifecycle, from protocol design through to submission. Sponsors must ensure end-to-end governance, provenance and traceability of source data, derived data and AI-generated outputs in line with the ALCOA+ principles (Attributable, Legible, Contemporaneous, Original, Accurate, plus Complete, Consistent, Enduring and Available) as well as FDA and ICH expectations. Critically, these obligations extend to Contract Research Organisations (CROs) and other vendors acting as data processors, meaning that data processing agreements must explicitly address AI tool validation, human oversight requirements and audit trail preservation.


3. Healthcare Vendor Breaches: A Growing Compliance Emergency

Analysis of data published by the US Department of Health and Human Services Office for Civil Rights (OCR) shows that business associates, defined under the Health Insurance Portability and Accountability Act (HIPAA) as third parties that handle protected health information on behalf of covered entities, were involved in 34% of reported healthcare breaches between 2018 and 2026, rising sharply from an average of 20% during the period 2009 to 2017. In the first half of 2026 alone, that figure reached 43%. Vendors are attractive targets because they frequently hold large volumes of protected health information and a single compromise may open access to multiple covered entities at once. For EU-based organisations, this pattern reinforces the imperative to conduct robust due diligence on processors under GDPR Article 28 and to include specific breach notification obligations and audit rights in all data processing agreements. Article 33(2) already requires a processor to notify the controller without undue delay after becoming aware of a breach, but the contract should fix concrete timelines and the minimum content of that notice so the controller can meet its own 72-hour deadline under Article 33(1).


4. EU Cloud Sovereignty: French Healthtech Challenges SecNumCloud Orthodoxy

Five major French healthtech scale-ups, namely Alan, Doctolib, Implicity, Lifen and Resilience, have publicly challenged the French government's insistence on SecNumCloud, the French National Cybersecurity Agency (ANSSI) cloud security certification scheme, as the default or sole acceptable standard for sensitive health data. As reported by Les Echos on 29 June 2026, the companies are calling for a risk-based approach incorporating audits and a graduated sovereignty score, arguing that the current framework is commercially unworkable and disproportionate. The French government and security advocates maintain that SecNumCloud provides protections against third-country government access that lower-tier certifications do not. Health data controllers operating in France should monitor this debate closely: any revision to SecNumCloud policy could alter the lawfulness of existing cloud processing arrangements for health data in France, which must in any case satisfy the HDS (hébergeur de données de santé) hosting certification requirement.



FAQs


Why is the proposed US Health and Location Data Protection Act important for life sciences companies?

If enacted, the proposed legislation would significantly restrict the ability of data brokers to sell or transfer health and location data. Life sciences organisations that rely on commercially acquired real-world data should review their data sourcing strategies, vendor due diligence processes and contractual protections to assess potential impacts.

Could the recent US Supreme Court ruling affect the EU-US Data Privacy Framework?

Potentially, yes. The ruling raises questions about the political independence of the Federal Trade Commission, one of the key enforcement authorities underpinning the EU-US Data Privacy Framework. Although the Framework remains valid today, organisations transferring personal data to the United States should ensure that alternative transfer mechanisms, such as Standard Contractual Clauses backed by a documented transfer impact assessment, are available if future legal challenges arise.

What are membership inference attacks and why do they matter for healthcare AI?

A membership inference attack attempts to determine whether a specific person’s data was used to train an AI model. Recent research shows that medical AI systems may be particularly vulnerable to these attacks, increasing the risk of re-identification of patients. Organisations developing or deploying healthcare AI should reassess their Data Protection Impact Assessments and technical safeguards accordingly.

How does AI affect data integrity requirements in clinical trials?

AI does not reduce regulatory expectations for data integrity. Sponsors must ensure that both source data and AI-generated outputs remain traceable, accurate and properly governed throughout the clinical trial lifecycle. Contracts with Contract Research Organisations and technology vendors should clearly define responsibilities for AI validation, human oversight and audit trail preservation.

Why are healthcare vendors becoming a greater compliance risk?

Healthcare vendors are increasingly targeted because they often process large volumes of sensitive health information for multiple organisations. Recent breach statistics reinforce the importance of robust vendor due diligence, comprehensive data processing agreements, ongoing security assessments and clearly defined breach notification obligations.

What is the debate around SecNumCloud and why should healthtech companies pay attention?

Several leading French healthtech companies are calling for a more flexible, risk-based approach to cloud security requirements instead of relying solely on SecNumCloud certification. While no regulatory changes have been adopted, organisations processing health data in France should monitor developments closely, as future policy changes could influence cloud hosting strategies and compliance obligations.

Seamus Larroque

CDPO / CPIM / ISO 27005 Certified

