Summary
This week's digest covers eight significant developments across privacy and AI governance. The European Data Protection Supervisor warns of shadow AI risks in organisational settings, whilst the European Data Protection Board consults on both a harmonised Data Protection Impact Assessment template and a standardised personal data breach notification form. Separately, the European Health Data Space Regulation moves closer to implementation, and the EU's Data Omnibus debate surfaces contested ground on legitimate interest for AI training using special-category data. Beyond the EU, Canada has published its PIPEDA replacement, and an APAC overview illustrates the sharp divergence in consent frameworks across eight jurisdictions.
AI Governance and Shadow AI Risk
EDPS Flags Shadow AI as an Undetected Data Breach Vector
The European Data Protection Supervisor has published a blog post identifying 'shadow AI'—the unsanctioned use of AI tools by employees outside formal organisational approval processes—as a material data protection risk. The EDPS highlights that such deployments frequently go undetected, thereby creating potential personal data breaches, security vulnerabilities and regulatory non-compliance that organisations may be wholly unaware of. The Supervisor calls for a comprehensive governance response combining clear internal policies, robust technical controls and an organisational culture in which employees understand their obligations under the General Data Protection Regulation. For biotech and healthtech organisations processing special-category health data, the stakes are particularly acute, given that an undetected shadow AI incident could simultaneously trigger breach notification duties and supervisory scrutiny.
EDPB Guidance: DPIA and Breach Notification Templates
EDPB Consults on a Harmonised DPIA Template Across EU Member States
The European Data Protection Board launched a public consultation on 14 April 2026 on a harmonised Data Protection Impact Assessment template, designed to create consistency in how organisations assess high-risk processing activities under Article 35 of the GDPR. At present, Member State supervisory authorities apply varying formats, creating friction for multinational organisations that must satisfy multiple national requirements simultaneously. A standardised template would reduce that administrative burden considerably, and would provide a common baseline that data protection officers across the life sciences sector could incorporate into clinical and research programmes. Stakeholders with an interest in shaping the final instrument should monitor the EDPB's consultation channel for participation deadlines.
EDPB Seeks Feedback on Personal Data Breach Notification Template
The European Data Protection Board has released a draft template for personal data breach notifications under public consultation, with the period closing on 5 August 2026. The template is intended to be adopted across all EU Data Protection Authorities following the consultation, creating a uniform format for controllers reporting breaches under Article 33 of the GDPR. For healthcare and clinical research organisations—where data breaches may involve sensitive health records or trial participant data—a standardised notification form brings welcome clarity on the minimum information supervisory authorities expect. Organisations are encouraged to review the draft and submit responses before the August deadline to influence the final design.
European Health Data Space and Data Omnibus Developments
EHDS Regulation: Implementation Milestones Approach
The European Health Data Space Regulation, which entered into force in March 2025, is progressing towards its first major implementation milestones. The European Commission is required to adopt key implementing acts by March 2027, which will define operational parameters for the system, with cross-border exchange of primary health data following in March 2029. For the healthtech and life sciences sectors, the EHDS represents a structural shift in how patient data may be accessed and re-used for research and innovation across EU Member States. Organisations developing secondary-use strategies for health data should begin mapping their readiness against these timelines now, rather than waiting for the implementing acts to be finalised.
Data Omnibus: Member States Split on Legitimate Interest for AI Training with Special-Category Data
The Council's most recent compromise text on the EU Data Omnibus package, dated 21 May 2026, introduced a new recital—numbered 33a—indicating that special categories of personal data may be processed for AI training purposes on the basis of legitimate interest. France, Finland, Spain, Luxembourg and Sweden have expressed support for this position, whilst the Netherlands has proposed a less restrictive variant. This debate is of direct relevance to life sciences organisations, where clinical and genomic datasets frequently constitute special-category data; the legal basis on which such data may be used to train AI models remains unresolved and contentious. Practitioners should track Council and Parliament positions closely, as the final text will significantly affect AI development programmes involving health and genetic data.
Global Privacy Reform: Canada and APAC
Canada Publishes Bill C-36 to Replace PIPEDA
Canada has published Bill C-36, the Protecting Privacy and Consumer Data Act, which is intended to replace the long-standing Personal Information Protection and Electronic Documents Act. The Bill proposes the creation of a new independent body, the Digital Safety and Data Protection Commission of Canada, to oversee compliance and enforcement. For organisations conducting clinical research or operating healthtech platforms in Canada, this represents a significant structural change in the regulatory landscape, and early analysis of how the new framework aligns with—or diverges from—GDPR obligations will be essential for organisations managing cross-border data flows between Canada and the EU.
APAC Privacy Consent Frameworks: Eight Distinct Regimes Demand Tailored Approaches
A detailed overview published this week underscores that privacy law across the Asia-Pacific region cannot be treated as a single, uniform framework: at least eight distinct consent regimes operate across China, South Korea, India, Japan, Singapore and other jurisdictions, each with materially different rules. China mandates separate consent for each processing purpose and for cross-border transfers; South Korea prohibits bundled consent outright; India has introduced the regulatory concept of consent managers; and Japan has moved third-party sharing from an implied opt-in to an explicit one. For life sciences organisations running multi-country studies or deploying healthtech products across the region, these divergences demand jurisdiction-specific consent architectures and data transfer assessments rather than any attempt at a one-size-fits-all approach.
FAQs
Our frequently asked questions
Shadow AI refers to employees using AI tools without formal approval from their organisation. The EDPS warns that this can create hidden data protection risks, especially where personal data is entered into tools that have not been assessed, approved, or secured. For healthtech and biotech companies, the risk is higher because special category health data may be involved.
Organisations should create clear internal AI policies, introduce technical controls, and train employees on what they can and cannot do with AI tools. A strong governance culture is essential so that staff understand their GDPR obligations and know how to use approved AI systems safely.
The EDPB is consulting on a harmonised DPIA template for high-risk processing under Article 35 of the GDPR. The aim is to reduce differences between Member State approaches and make it easier for organisations operating across the EU to assess privacy risks in a consistent way.
The draft EDPB breach notification template is intended to create a common format for reporting personal data breaches under Article 33 of the GDPR. This is especially useful for healthcare, clinical research, and life sciences organisations, where breaches may involve sensitive health records or clinical trial data.
The EHDS is moving towards key implementation milestones, with important implementing acts expected by March 2027 and cross-border exchange of primary health data expected from March 2029. Organisations should start assessing their readiness now, particularly if they plan to use health data for research, innovation, or secondary use.
Key developments include Canada's Bill C-36, which would replace PIPEDA, and growing complexity in APAC consent rules. Organisations operating internationally should compare new Canadian privacy obligations with GDPR requirements and avoid using a single consent model across APAC, where rules differ significantly between jurisdictions.