Event Recap: Privacy & EU Data Act Updates

December 03, 2025

The third session of Navigating What's Next examined how privacy and data governance are shaping artificial intelligence oversight across the United States and Europe. Paul Rothermel, Senior Attorney at Gardner Law, explained how privacy enforcement in the U.S. continues to ramp up, in particular for the improper use and implementation of the online tracking technologies that proliferate across the Internet and mobile applications. Oliver Süme, Partner at Fieldfisher, provided an overview of the EU Data Act, which takes data governance oversight to a new level, even for non-personal data sets, directly impacting medical devices and other health care technology.

Evolving Privacy Enforcement in the United States

Rothermel discussed federal and state enforcement activity under Section 5 of the Federal Trade Commission (“FTC”) Act, addressed continued enforcement activity under the Health Insurance Portability and Accountability Act (“HIPAA”), and covered state-level enforcement coming from the California Attorney General. Cases involving BetterHelp, Cerebral, and Monument Health illustrate how regulators are targeting companies that collect health-related data without clear consent or adequate disclosures. Regulators are especially focused on analytics and advertising uses of health information, even when a company claims the data has been deidentified.

Rothermel emphasized how privacy obligations extend to common advertising technologies such as Google Analytics and Meta Pixels, among other typical online tracking technologies. He noted that many companies are unaware of how these tools are implemented on their websites and in their mobile applications, or, as in the case of Healthline.com, may fail to implement proper consent management processes for these tools. Companies should also be prepared for creative and aggressive litigation under longstanding privacy laws such as the California Invasion of Privacy Act (or “CIPA”), as highlighted by Shah v. Capital One Financial Corp. (N.D. Cal. Mar 3, 2025). Shah involves a private party alleging that the use of certain online tracking technologies constituted an actionable personal data breach under California’s data breach law.

European Data Governance

The session outlined the increasing interaction among the GDPR, the EU AI Act, and the EU Data Act. While the GDPR governs personal data and the AI Act focuses on requirements such as traceability, human oversight, and model robustness, the Data Act introduces a separate set of obligations for product-generated data. These obligations apply to connected medical devices, wearables, digital health tools, and any other networked product capable of generating and transmitting data.

Presenters highlighted a growing tension between the GDPR principle of data minimization and the data-intensive needs of AI systems. Companies should apply privacy-by-design principles, maintain internal documentation that supports proportionality and necessity, and implement technical safeguards that align with both personal data and product data requirements.

Practical Guidance for Compliance

Rothermel and Süme encouraged organizations to take a structured approach to data governance. Süme emphasized that the EU Data Act may overlap with the General Data Protection Regulation in some respects but is a law with even broader applicability going beyond personal data. They concluded that privacy, data governance, and AI regulation are evolving quickly. Organizations that invest in unified legal, privacy, and data governance processes will be better positioned to meet regulatory expectations and support compliance with these new and emerging laws.

“A common misconception is that the U.S. has lax privacy laws. The reality is that privacy enforcement is here to stay and the U.S. is among the most aggressive in enforcing its privacy laws. Health data continues to be not only a high-value data breach target but a point of emphasis for regulators.”
Paul Rothermel, Senior Attorney, Gardner Law

How Gardner Law Can Help

Gardner Law advises FDA-regulated and technology-focused companies on privacy compliance, AI governance, and cross-border data strategy. Our attorneys support privacy, AI, and information security compliance programs, audits, contractual provisions and diligence, consents, website and mobile app implementation, privacy policies and notices, and strategic decision-making in data privacy and governance matters. Contact us to learn how we can help you navigate what’s next in privacy and beyond.