On September 17, 2025, the German Supervisory Authorities (Konferenz der unabhängigen Datenschutzaufsichtsbehörden des Bundes und der Länder, DSK) published new guidelines and recommendations addressing the complex requirements for transferring personal data, particularly health data (including health data contained in biomaterials), to countries outside of the European Economic Area for scientific research purposes under the GDPR. These guidelines may be of particular relevance for pharmaceutical, medical device, and other life sciences companies that conduct clinical research.Continue Reading New German Guidelines on GDPR Requirements for International Transfers of Health Data in Medical Research
Flo Health, Google Settle Class Action Privacy Lawsuit for $56 Million
In late September, plaintiffs announced details regarding Google LLC’s (“Google”) and women’s health app developer, Flo Health Inc.’s (“Flo”) proposed settlements to resolve a class action lawsuit stemming from the Flo app’s allegedly unlawful sharing of health data with Google and others through online tracking technologies.
As part of the proposed settlements, Google agreed to pay $48 million and Flo agreed to pay $8 million, for a combined $56 million to resolve plaintiffs’ claims against these two entities.Continue Reading Flo Health, Google Settle Class Action Privacy Lawsuit for $56 Million
Congress Introduces Neural Data Bill
On September 24, Senate Democratic Leader Chuck Schumer (D-N.Y.), Senator Maria Cantwell (D-Wash.), and Senator Ed Markey (D-Mass.) introduced the Management of Individuals’ Neural Data (“MIND”) Act of 2025, which would require the Federal Trade Commission (“FTC”) to conduct a study and provide a report examining the governance of “neural data” under existing law and identify additional areas for federal regulation. The bill would also require the Office of Science and Technology Policy (“OSTP”) to issue guidance regarding federal agencies’ use of certain neurotechnology.Continue Reading Congress Introduces Neural Data Bill
California Lawmakers Advance Suite of AI Bills
As the California Legislature’s 2025 session draws to a close, lawmakers have advanced over a dozen AI bills to the final stages of the legislative process, setting the stage for a potential showdown with Governor Gavin Newsom (D). The AI bills, some of which have already passed both chambers, reflect
Continue Reading California Lawmakers Advance Suite of AI BillsLatest Cybersecurity False Claims Act Settlement with Diagnostics Provider Focuses on Sensitive Health Systems
In a recently announced settlement agreement with the U.S. Department of Justice (“DOJ”), Illumina, Inc. (“Illumina”) agreed to pay $9.8 million to resolve claims arising from alleged cybersecurity vulnerabilities in genomic sequencing systems that the company sold to federal agencies. The case is the latest in a series of False Claims Act (“FCA”) settlements under the current administration that evidence DOJ’s continued focus on cybersecurity obligations for government contractors, particularly those that maintain sensitive data and personal information on behalf of federal customers.Continue Reading Latest Cybersecurity False Claims Act Settlement with Diagnostics Provider Focuses on Sensitive Health Systems
District Court Enjoins Privacy Rule Modifications Regarding Reproductive Health Care
On June 19, 2025, the U.S. District Court for the Northern District of Texas vacated the majority of the Biden Administration rule (the “2024 Rule”) modifying the Standards for Privacy of Individually Identifiable Health Information (“Privacy Rule”) under the Health Insurance Portability and Accountability Act (“HIPAA”) regarding protected health information (“PHI”) concerning reproductive health. As discussed in further detail in our previous blog post, the 2024 Rule “limit[ed] the circumstances in which provisions of the Privacy Rule permit the use or disclosure of an individual’s PHI about reproductive health care for certain non-health care purposes.” Continue Reading District Court Enjoins Privacy Rule Modifications Regarding Reproductive Health Care
Multiple States Enact Genetic Privacy Legislation in a Busy Start to 2025
Since the beginning of 2025, there have been a flurry of bills introduced at the state and federal level related to genetic privacy, which follows a similar trend over the past several years. These bills have focused on a range of issues, including general genetic privacy, national security implications of “foreign adversaries” accessing genetic information, the privacy practices of direct-to-consumer (“DTC”) genetic testing companies, and the transfer of genetic data as part of bankruptcy proceedings, among others. We summarize a subset of such bills moving through state and federal legislatures below.
State Legislation
Montana SB 163
On May 1, the Montana governor signed SB 163 to amend the state’s Genetic Information Privacy Act (“MT GIPA”), which was originally enacted in 2023. Effective October 1, 2025, there will be several changes to the law, including:
- Creating Deidentification Exemption: The original version of MT GIPA did not contain an express exemption for deidentified data. SB 163 amends the law to include an express exemption for the use of deidentified genetic data for certain research purposes. Specifically, SB 163 includes an exemption for “deidentified genetic data obtained from a third party to the extent that the data is used to conduct internal, medical, or scientific research.” The deidentification standard is similar to the standard adopted under many comprehensive state privacy laws and other state DTC genetic privacy laws.
- Waiver of Certain Rights in the Clinical Trial Context: The law provides that consumers’ rights to access and delete data, destroy samples, and revoke consent must be waived in a limited context related to the collection of genetic data as part of a clinical trial if certain conditions are met, including prescriptive requirements for consent. Specifically:
- The relevant entity generally must obtain express and informed written consent for participation in a clinical research trial, including the collection and use of any genetic data, which must, among others, be in accordance with the good clinical practice (“GCP”) guideline issued by the international council for harmonisation of technical requirements for pharmaceuticals for home use and include the entity’s biological sample and data retention, sharing, and use policies.
- The biological sample and genetic data must be utilized for clinical research purposes only.
SB 163 states that these requirements are meant to “supersede all exceptions to, and waivers of” informed consent pursuant to the federal Common Rule. However, it is not clear how this new limited exemption is meant to interact with the existing exemption for entities that are engaged in collecting, using, or analyzing genetic data or biological samples in the context of scientific or clinical research with express consent of the individual and in accordance with human subject research frameworks, including GCP, the federal Common Rule, or FDA’s human subjects research regulations at 21 C.F.R. parts 50 and 56.Continue Reading Multiple States Enact Genetic Privacy Legislation in a Busy Start to 2025
Trump Administration Issues Executive Order on “Most-Favored-Nation” Prescription Drug Pricing
On May 12, 2025, President Trump issued an Executive Order titled “Delivering Most-Favored-Nation Prescription Drug Pricing to American Patients” and an accompanying “Fact Sheet: President Donald J. Trump Announces Actions to Put American Patients First by Lowering Drug Prices and Stopping Foreign Free-riding on American Pharmaceutical Innovation
Continue Reading Trump Administration Issues Executive Order on “Most-Favored-Nation” Prescription Drug PricingEuropean Health Data Space Published
On March 5, 2025, the Regulation on the European Health Data Space (“EHDS”) was published in the Official Journal (see here). The text enters into force on March 25, 2025, however it only becomes applicable in a staggered manner over several years.
The section on secondary use of the
Continue Reading European Health Data Space PublishedMHRA Consultation on Individualised mRNA Cancer Immunotherapies – Unique opportunity for a streamlined risk based regulatory framework?
The UK’s Medicines and Healthcare products Regulatory Agency (“MHRA”) is seeking industry feedback on its new draft guideline on individual messenger ribonucleic acid (“mRNA”) cancer immunotherapies (the “Draft Guidance”). Building on the success of mRNA vaccine technology in response to the Covid-19 pandemic, the technology is now being adapted to target diseases such as cancer. The MHRA aims to provide a streamlined robust regulatory framework for the approval of such personalised mRNA-based cancer vaccines without compromising safety.
The Draft Guidance covers the regulatory classification of these novel cancer treatments, product design and manufacture, non-clinical and clinical development, pharmacovigilance and the distribution of information to the wider public. Notably, the MHRA explicitly acknowledges that the regulatory and scientific principles discussed in the Draft Guidance could broadly apply to other disease indications or technologies that could benefit from personalisation or individualisation. Therefore, industry should be aware that the scope of the Draft Guidance may be extended in the future beyond mRNA cancer immunotherapies that use lipid nanoparticle delivery systems to other delivery systems and disease areas. Manufacturers, developers, patient organisations and other stakeholders have until 31 March 2025 to comment on the Draft Guidance.
We explore some of the interesting regulatory considerations arising from the Draft Guidance below.
Regulatory Classification
The classification of a medicinal product is key to determining what requirements and guidelines apply to the development, manufacture and delivery of that product. For example, advanced therapy medicinal products (“ATMPs”) have specific Good Manufacturing Practice (“GMP”) requirements (see e.g., ‘Guidelines on Good Manufacturing Practice specific to Advanced Therapy Medicinal Products’), strict traceability requirements and additional pharmacovigilance requirements.
Currently, individual mRNA cancer immunotherapies are classified under the Human Medicines Regulations 2012 (as amended) (“HMRs”) as ATMPs and are sub-classified as gene therapies. However, current mRNA therapies do not fit neatly under the ‘gene therapy’ umbrella because, unlike conventional gene therapies, which are designed to edit a person’s genome to treat or cure a disease, mRNA therapies do not involve integration into the host genome.
The Draft Guidance reveals that “a new ATMP sub-classification for nucleic acids that do not edit the patient’s genome is being considered.” A practical advantage of a new sub-classification would be the opportunity to create bespoke and risk proportionate requirements and guidelines for mRNA therapies. This would avoid overburdensome risk mitigations for these products as compared to similar products such as COVID-19 vaccines.
The Draft Guidance also predicts that mRNA therapies could be chemically synthesised (i.e., not manufactured by biotechnology). Such therapies would fall outside the scope of the current definition of a gene therapy as they would not be a biological product. The MHRA is considering the classification of relevant chemically synthesised mRNA therapies as ATMPs.Continue Reading MHRA Consultation on Individualised mRNA Cancer Immunotherapies – Unique opportunity for a streamlined risk based regulatory framework?