Summary

This week’s update highlights major developments in AI regulation, healthcare compliance, data protection and clinical research. The European Parliament approved AI Act simplification measures that would delay certain high risk AI compliance deadlines, while also introducing a ban on AI tools that generate non consensual intimate imagery. In parallel, new analysis of the EU AI Act emphasises that some AI practices in healthcare are prohibited outright, regardless of risk classification.

In the United States, California AB 2575 signals growing legislative focus on human oversight in healthcare AI, while an FDA warning letter underlines the risks of using unvalidated AI in regulated manufacturing environments.

On the data protection side, the Bavarian DPA clarified that Data Protection Officers must be reachable through communication channels that are not monitored by the controller. The CTIS Joint Controllership Arrangement also reinforces the need for clinical trial sponsors to understand how data protection responsibilities are allocated across EU institutions, Member States and sponsors.

In biotech and clinical research, Definium Therapeutics reported positive Phase 3 results for DT120 in major depressive disorder, adding momentum to the psychedelic assisted therapy field. The newsletter also highlights the continuing importance of human oversight in AI assisted research and drug discovery.


EU AI Act: Amendments, Prohibitions and Healthcare Implications

European Parliament Approves AI Act Simplification Measures and Nudifier Tool Ban

The European Parliament has voted, with 423 in favour, 57 against and 174 abstentions, to approve amendments to the EU AI Act. The proposed changes would postpone compliance obligations for certain high risk AI systems until December 2027 for stand alone systems and August 2028 for other systems.

At the same time, Parliament introduced an outright ban on AI applications that generate non consensual intimate imagery, often referred to as nudifier tools.

For biotech, healthtech and life sciences organisations, the extension should not be treated as a reason to delay compliance work. Many clinical decision support tools and healthcare AI systems may fall within the high risk category. Organisations should use the additional time to accelerate readiness activities, including system classification, risk management, technical documentation, data governance reviews and conformity assessment planning.


Prohibited AI Practices in Healthcare Under the EU AI Act

A paper published in the Journal of Law, Medicine and Ethics examines the absolute prohibitions set out in Article 5 of the EU AI Act and their specific relevance to healthcare settings.

The authors highlight that certain AI practices are prohibited outright, regardless of whether a system is classified as high risk. These include subliminal manipulation, exploitation of vulnerabilities and certain forms of social scoring. This point is often overlooked in compliance discussions that focus primarily on high risk AI obligations.

Health technology developers, clinical AI vendors and healthcare providers should therefore audit their systems not only against high risk requirements, but also against the Act’s prohibited practices. Where a use case falls within Article 5, no conformity assessment, mitigation measure or internal control can make that deployment lawful.


California AB 2575: AI Safeguards in Healthcare Settings

California Assembly Bill 2575 passed the State Assembly on 27 May 2026 and was assigned to the Senate Health and Privacy committees on 10 June 2026. The bill would introduce safeguards for the use of artificial intelligence in health facilities, clinics and physicians’ offices.

The proposal expressly seeks to preserve human medical expertise and establish protective requirements for AI assisted clinical decision making.

Organisations operating in California, or serving Californian patients, should monitor the Senate committee process closely. The bill reflects a broader US legislative trend towards mandatory human oversight in healthcare AI, aligning in several respects with the EU AI Act’s approach to high risk systems.


FDA Warning Letter Highlights Risks of Unvalidated AI in Manufacturing

The US Food and Drug Administration issued a warning letter to Purolea Cosmetics Lab citing serious violations of Current Good Manufacturing Practice requirements, including the inappropriate use of artificial intelligence in drug manufacturing processes.

According to the FDA, the facility manufactured unapproved drug products intended to treat serious conditions without adequate testing or validated AI controls.

The warning letter is a timely reminder that AI tools used in regulated manufacturing environments must be validated in accordance with applicable quality standards. AI cannot replace the procedural controls, testing obligations and quality management requirements mandated under CGMP regulations.


GDPR Enforcement and Data Protection Obligations

Bavarian DPA Clarifies Separate Communication Channels for DPOs

The Bavarian Data Protection Authority, BayLDA, has clarified that data subjects wishing to contact a Data Protection Officer must be able to use a communication channel that is not monitored by the controller.

This clarification relates to Article 38(4) of the GDPR, which requires that the DPO be accessible to data subjects. BayLDA indicated that a dedicated functional email address, such as dpo@[organisation], used exclusively by the DPO, any appointed deputy and directly supervised staff, would satisfy this requirement.

Organisations should review their DPO contact arrangements to ensure that a shared inbox or controller monitored communication channel is not presented as the primary means of contacting the DPO. This is particularly important in life sciences, where patients, research participants and clinical trial subjects may need to exercise their rights discreetly.


CTIS Joint Controllership Arrangement: Roles and Responsibilities

The Clinical Trials Information System Joint Controllership Arrangement sets out the allocation of data protection responsibilities among the European Commission, the European Medicines Agency, EU Member States and clinical trial sponsors for personal data processed within CTIS.

The arrangement defines each party’s compliance obligations under EU data protection law, explains how data subject rights should be managed across stakeholders and establishes procedures for handling requests from trial participants.

Sponsors operating under the EU Clinical Trials Regulation 536/2014 should ensure that their internal data protection frameworks reflect the JCA’s allocation of controller responsibilities. This is particularly important where access, rectification or erasure requests may involve several parties within the CTIS ecosystem.


Clinical Trials and Biotech

Definium Therapeutics Reports Positive Phase 3 Results for DT120 in Major Depressive Disorder

Definium Therapeutics announced positive topline results from its Phase 3 Emerge study of DT120, a lysergide orally disintegrating tablet, in participants with major depressive disorder.

The company reported that a single dose of DT120 met the study’s primary endpoint and all key secondary endpoints compared with placebo. It also reported rapid onset of effect, durable outcomes and no serious safety signals.

The result is notable for the broader psychedelic assisted therapy field, as it provides Phase 3 evidence supporting the potential of lysergide based treatments. The findings are likely to inform future regulatory submissions to authorities such as the FDA and potentially the European Medicines Agency.



FAQs

Our frequently asked questions

What changes has the European Parliament approved for the EU AI Act?

The European Parliament has approved simplification measures that would postpone certain high risk AI compliance obligations. The proposed deadlines would move to December 2027 for stand alone high risk AI systems and August 2028 for other systems. Parliament also introduced a ban on AI tools that generate non consensual intimate imagery, often referred to as nudifier tools.

What does this mean for biotech and healthtech companies?

Biotech, healthtech and life sciences organisations should not treat the extended timelines as a reason to delay compliance work. Many clinical decision support tools and healthcare AI systems may qualify as high risk under the EU AI Act. Companies should use the additional time to classify systems, prepare technical documentation, review data governance, strengthen risk management and plan conformity assessments.

Are some AI practices banned outright under the EU AI Act?

Yes. Article 5 of the EU AI Act prohibits certain AI practices entirely, regardless of whether the system is otherwise classified as high risk. These may include subliminal manipulation, exploitation of vulnerabilities and certain forms of social scoring. If a use case falls within a prohibited category, it cannot be made lawful through mitigation measures or conformity assessment.

Why is California AB 2575 relevant to healthcare AI?

California AB 2575 is relevant because it would introduce safeguards for the use of AI in health facilities, clinics and physicians’ offices. The bill is focused on preserving human medical expertise and creating protective requirements for AI assisted clinical decision making. It also reflects a broader trend towards mandatory human oversight in healthcare AI.

What does the FDA warning letter show about AI in regulated manufacturing?

The FDA warning letter to Purolea Cosmetics Lab shows that regulators expect AI used in regulated manufacturing environments to be properly validated. AI tools cannot replace testing, procedural controls or quality management obligations required under CGMP rules. Organisations using AI in manufacturing should ensure that these systems are validated and documented according to applicable regulatory standards.

What should organisations review from a GDPR and data protection perspective?

Organisations should review whether their Data Protection Officer can be contacted through a channel that is not monitored by the controller. They should also assess whether their clinical trial data protection frameworks reflect the CTIS Joint Controllership Arrangement, especially where data subject rights requests may involve multiple parties such as sponsors, regulators, Member States and EU institutions.

Seamus Larroque

CDPO / CPIM / ISO 27005 Certified
