EU Biotech Act Proposal: Analysis from our Senior Lawyer Dr Ersi Michailidou


On 12 March 2026, the European Data Protection Board (EDPB) and the European Data Protection Supervisor (EDPS) adopted a joint opinion on the proposed European Biotech Act, supporting the harmonisation of clinical trials while calling for essential safeguards for sensitive health data.


The draft Biotech Act was released by the European Commission in December 2025. 


Here is the analysis from our senior lawyer Dr Ersi Michailidou:


Key recommendations from EDPB/EDPS include:

  • Clarifying controller roles: The Proposal should specify whether the actors involved in funding and conducting clinical trials act as sole or joint data controllers, to ensure a clear allocation of responsibilities.
  • Limiting data retention: The mandatory 25-year minimum retention period should expressly apply only to the clinical trial master file, rather than to all personal data processed during a trial*.
  • Further processing for other clinical trials or for scientific research: as the Proposal aims to provide a legal basis under Union law for the further processing of trial data by the same controller, the Biotech Act should clearly define the purposes, as well as specific safeguards for such processing.
  • Consistency with the AI Act: While promoting the use of AI in biotechnology, the Biotech Act should ensure that obligations for sponsors complement the existing requirements under the AI Act to ensure a consistent regulatory environment.
  • Appropriate Technical and Organisational Measures: The EU Clinical Trial Regulation ('CTR') 2016/534 should explicitly require the use of pseudonymisation whenever it is not necessary to process directly identifiable personal data.
  • Regulatory sandboxes: If needed, the Commission's implementing acts regarding sandboxes in the specific context of clinical trials should provide for the legal basis for the processing of personal data, as well as for the derogation under Art. 9(2) for the processing of sensitive data; regarding other sandboxes, the processing of personal data should always be based on a legal basis under the GDPR.



(*) This is a bit surprising, as Good Clinical Practice ('GCP') ICH E6 forbids, for example, deleting the clinical database.


A question? Contact Ersi at e.c.michailidou ( at ) pharmarketing.net for an informal discussion.





Welcome to Dr Katrin Spiegel from Switzerland!


Our new senior consultant Dr Katrin Spiegel joined our magic team: she will act as Data Protection Representative in Switzerland for some of our clients.


Katrin graduated in Chemistry from the ETH Zürich, Switzerland. She then obtained a PhD in Molecular and Statistical Biophysics from SISSA, Italy, and an MSc in International Health Technology Assessment and Reimbursement from the University of Sheffield, UK. She then worked in Horsham, UK, and in Paris, France, and has now returned to Zürich, Switzerland, with her family. In her free time she loves hiking, reading and skiing.


Katrin has over 10 years' experience in Medical Writing for several life science organisations, specifically for clinical studies. She will be instrumental for our foreign clients should they need specific regulatory advice on Switzerland, both in life sciences and privacy.

Remember that in Switzerland, each of the 30 cantons has its own Parliament, and therefore its own local laws, its own health authorities, data protection authorities and Ethics Committees!


To learn more, contact Katrin at k.m.spiegel@pharmarketing.net.






Examples of Non-Compliance with Health Data Privacy


Data Protection Authorities ('DPAs') published several decisions related to the processing of health data in the past months.


Such decisions shed light on the key measures to implement in order to stay compliant with privacy (and healthcare) laws and avoid a critical finding.


For each decision, we propose key takeaways. Use them as ideas and guidelines for your own organisation: check that such measures are implemented at your organisation, and if not, talk to your management (or talk to us!).

Many thanks to GDPRhub, NOYB and the IAPP for all this valuable information!


Canada:


Fact:


The World Anti-Doping Agency ('WADA') will limit its use of athletes' sensitive personal data after a complaint in which Privacy Commissioner of Canada Philippe Dufresne claimed the agency allegedly violated athletes' privacy by sharing data with sports federations. Dufresne said he welcomes WADA's commitment to better protect athletes' personal data and "take steps to help ensure that this information is only used for the purposes for which it was collected."


Takeaway:

We would like to complement what Mr Dufresne said by adding that WADA should:

1) Limit the use of personal data, because of the principle of data minimisation;

2) Inform the athletes that it is sharing such personal data with sports federations;

3) If relevant, ask for the consent of such athletes, or otherwise check that it has a valid legal basis to transfer the personal data;

4) If transferring personal data outside of Canada, implement the relevant technical and organisational security measures to make the transfer of personal data compliant with PIPEDA (the Canadian federal privacy law);

5) Check that the recipient organisation complies with privacy laws.


Croatia:


Fact:


The DPA fined a hospital €3,000 for a failure to report a data breach in time and for an insufficient incident response plan. The DPA opened its investigation after an employee unlawfully photographed a screen showing medical data and disclosed it externally.


Takeaway:

The Data Protection Officer of the hospital should inform the local DPA if the data breach could have a severe impact on the private life of the data subjects, or whenever the DPO is unsure.


Lithuania:


Fact:


The DPA fined a hospital €6,000 for unlawfully installing video surveillance cameras in operating rooms and staff workplaces without a valid legal basis, and for storing the recordings for excessively long periods.


Takeaway:

Always request authorisation from the relevant government agency of your country BEFORE implementing CCTV in your offices, especially if you receive members of the public.

In addition, it is mandatory to put information notices in several places of the hospital, inside and outside.

Lastly, the video recordings should be kept in accordance with the local guidelines on storage duration; a good practice for CCTV is 30 days. If you want to keep the recordings for longer, then you need to document why and list the additional security measures your organisation will put in place.


Romania:


Fact:


The DPA fined a dental clinic RON 10,190 (€2,000) for failing to cooperate during an investigation following a data breach. The data breach involved an ex-employee copying the clinic's patient database in order to set up appointments at a different clinic.


Takeaway:


United States:


Fact:


GuardDog Telehealth allegedly admitted it shared individuals' health records with law firms after software company Epic Systems filed a lawsuit against several health technology companies for selling sensitive health information without consent, The Washington Post reports. Epic said GuardDog Telehealth shared more than 6,000 patient records with various companies.


Takeaway:


Personal data collected from people should only be used for the purpose it was collected for, or for a similar one. Reselling personal data can only be done if the data subjects were informed and gave their consent.


Fact:


Three major health data breaches took place in the US in March:


  • South Carolina-based molecular diagnostics company Vikor Scientific (recently rebranded as Vanta Diagnostics) was the victim of a data breach that compromised the information of 139,964 individuals.


  • On March 29, 2026, the ransomware group Qilin announced their cyberattack on Doctor.com (doctor.com), a key player in the US healthcare industry. Doctor.com is a healthcare technology company based in the USA (New York), specializing in patient engagement, healthcare marketing, online scheduling, and digital communication solutions for medical providers. Qilin has threatened to release sensitive data unless negotiations are initiated promptly.


  • On March 29, 2026, NJ Pain Care Specialists was also the victim of a cyberattack.


Takeaway: 


As no details have been shared on the three cyberattacks above, we can only recommend that our readers always follow, as a minimum, the guidelines of ISO 27001 or of NIST, or similar ones.

In addition, for organisations which have been targeted by a cyberattack in the past, or which are not 100% sure of their protection against cyberattacks, it is good practice to hire an IT services company specialised in cybersecurity and ask them to perform a penetration test at regular intervals, and also to scan the dark web for potentially stolen personal data.

When looking for such a cybersecurity expert, check that they hold the relevant certifications, such as Cyber Essentials in the UK.





Privacy News from around the Globe:


Global:


  • ICH Expert Working Groups issued updated technical documents for three guidelines: ICH E2B (R3), ICH M4Q (R2) (Common Technical Document – Quality) and ICH E6 (R3) (Good Clinical Practice).
  • ICH: the updated and expanded ICH Q9(R1) Quality Risk Management Briefing Pack is available; read here: https://ich.org/news/updated-a...
  • EMA webpage dedicated to the reform of the EU pharmaceutical legislation: https://www.ema.europa.eu/en/a...
  • ICH annotations: information to help comply with ICH guidelines if you are running clinical trials in the UK: https://www.gov.uk/government/...


Argentina and US:


On February 5, 2016, Argentina and the US signed the Agreement on Reciprocal Trade and Investment ('ARTI'). It will reduce trade barriers, but also establish guidelines for the transfer of personal data between the two countries:

1) Argentina will recognise the US as an adequate country for data transfers;

2) Argentina will become a member of the Global Cross-Border Privacy Rules Forum ('Global CBPR Forum'), which has defined rules for the safe transfer of personal data between countries.

Download the full text of ARTI here: https://ustr.gov/sites/default...


Argentina/Brazil/Paraguay/Uruguay:


These countries are part of Mercosur; the Mercosur Agreement, which entered into force on 10 January 2026, contains several clauses related to privacy: signatory countries must adopt or maintain regulatory mechanisms that protect the personal information of those who participate in electronic commerce, taking into consideration international standards, promoting security and transparency in processing, and establishing "(...) common measures for the protection and free circulation of data in MERCOSUR". Specifically, the Agreement has an impact on direct commercial communications and international data transfers. Will MERCOSUR become an area where personal data can flow freely, as within the EU/EEA? And if yes, which measures should be in place for the international transfer of data? Read the article (in Spanish) from the IAPP here: https://iapp.org/news/a/argent...


Colombia:


Colombia released Instructions on model contractual clauses for the international transfer and transmission of personal data: download here (in Spanish): https://sedeelectronica.sic.go...


European Union:


The European Data Protection Board ('EDPB') released a 'Data Protection guide for small business': https://www.edpb.europa.eu/sme... You will find examples, templates and interactive tools to guide you on the road to becoming compliant with the GDPR.

The European Commission opened a consultation on its draft Cyber Resilience Act guide; the consultation ends today, 31 March 2026: https://ec.europa.eu/info/law/...

The European Commission published its second draft of the Code of Practice on Marking and Labelling of AI-generated content; read here: https://digital-strategy.ec.eu...


Australia:


The recent Australia-EU trade agreement includes safeguards on cross-border data flows, allowing safe and compliant data transfers. The agreement aims to "ensure predictability and legal certainty for businesses and a secure online environment for consumers who engage in digital trade transactions across borders, and will remove barriers and prevent discrimination between online and offline activities." Read here: https://policy.trade.ec.europa...


France:

  • Healthcare Data Hosting: the French decree dated 24 March 2026 strengthens the existing guidelines for healthcare data hosting: data must be stored in the EU/EEA, the hosting contract must contain privacy clauses, and if patient data (even redacted) are transferred outside the EU/EEA, a specific derogation must be used. The decree came into force on 27 March 2026, except for the territoriality of the data storage, the rules on access to data and the presence of privacy clauses in contracts: these rules will come into force only on 27 September 2026. Read the decree (in French) here: https://www.legifrance.gouv.fr...
  • The French DPA, the CNIL, hosted a conference on privacy for medical research on 26 March 2026; our senior consultants Caroline Blaison, Karine Renault and Dr Valerie Isabelle attended. Here are some key points on the future French local guidelines:
    • Extraterritoriality of the Methodologies of Reference (MR001 to MR008): if an organisation based in France processes personal data from patients based outside France for health research, it should apply such MRs to the data of patients based abroad (NEW).
    • New versions of MR001 (interventional studies) and MR003 (retrospective studies) will be released by the CNIL in the coming months. The new versions will be available in French and English and will cover more situations (e.g. genomic research, performance studies, market studies, patients with a prior prison record, information on the subject's religion...); informing patients will be facilitated in special situations (unconscious patients, medical emergency, children, information by email or other digital channel, etc.); a new category of recipient will be introduced: recipients that could present a risk; recipients of personal data with several responsibilities will get specific attention; more information will be provided in the MRs, for example on the legal basis, with more detailed definitions. Lastly, the MRs will be supplemented by checklists and by two guidelines: one technical, one on the legal side.
    • Remote reviews will be facilitated.
    • For more information on these CNIL announcements, contact Karine Renault at k.i.renault@pharmarketing.net
  • The CNIL and the Health Authority HAS released Guidelines for AI in Health for review; deadline: 16 April 2026: https://www.cnil.fr/fr/ia-et-s...


Singapore:


The Ministry of Health of Singapore released guidelines for the use of AI in healthcare: read here: https://www.moh.gov.sg/others/...


South Africa:


Changes to the Protection of Personal Information Act, 2013 (PoPIA) on health data protection: one of the key changes in the final Regulations is the removal of references to sex life information. The Regulations now apply exclusively to the processing of health information. They also clarify the cross-border transfer notification requirements. Read more here: https://www.bizcommunity.com/a...


South Korea:


Important update to the PIPA: large-scale data breaches will lead to penalties of up to 10 percent of an organisation's total revenue (compared to 3% today) and will target the CEO. This will take effect on 11 September 2026. Read the article from the Korea Times here: https://www.koreatimes.co.kr/s...


United Kingdom:


The ICO released an interactive guidance tool on international transfers under the UK GDPR: https://ico.org.uk/for-organis...

Cybersecurity: the Financial Conduct Authority ('FCA') released new incident and third-party rules to bolster resilience; read here: https://www.fca.org.uk/news/ne...

The ICO issued guidance on the Recognised Legitimate Interest, which can be used only for situations of public interest (crime prevention, public security, etc.). This legal basis is different from the 'classic' 'Legitimate Interest of the Data Controller'. Read here: https://ico.org.uk/for-organis...


United States: Oklahoma


Gov. Kevin Stitt, R-Okla., signed Senate Bill 546 into law, enacting the state's comprehensive privacy law, KOCO-TV News reports.

The law covers businesses that control or process the personal data of at least 100,000 Oklahomans, or the data of at least 25,000 consumers while deriving at least 50% of gross revenue from data sales. Read more: https://www.oklegislature.gov/...



  1. The proposed EU Biotech Act clearly defines the retention period of clinical data.

No: the draft EU Biotech Act only refers to the storage of the Trial Master File, and says that other data should not be kept if not needed. So there is a grey area, as Good Clinical Practice mandates that the sponsor and the sites keep the clinical database; also, the EU CTR 2016/514 states that all data collected during a clinical trial must be kept for at least 25 years after the publication of the Clinical Study Report, and this includes the clinical database.

  2. The Agreement between Argentina and the US mandates that the US comply with Argentina's privacy laws when transferring personal data to Argentina.

No: this agreement only puts obligations on Argentina for privacy matters.