Photo of Kristof Van Quathem

Kristof Van Quathem

Kristof Van Quathem advises clients on information technology matters and policy, with a focus on data protection, cybercrime and various EU data-related initiatives, such as the Data Act, the AI Act and EHDS.

Kristof has been specializing in this area for over twenty years and developed particular experience in the life science and information technology sectors. He counsels clients on government affairs strategies concerning EU lawmaking and their compliance with applicable regulatory frameworks, and has represented clients in non-contentious and contentious matters before data protection authorities, national courts and the Court of the Justice of the EU.

Kristof is admitted to practice in Belgium.

On May 16, 2024, the CNIL launched a public consultation on all of its health data standards.  Interested stakeholders are encouraged to participate by completing a questionnaire (available in French here) by July 12, 2024.

French law has specific requirements for the processing of health data.  In particular, it generally requires that the processing

On May 9, 2024, the Italian data protection authority (“Garante”) published a decision identifying the safeguards that controllers must put in place when processing health data for medical research purposes, in cases where data subjects’ consent cannot be obtained for ethical or organizational reasons.

The Garante’s decision follows a recent legislative development, enacted by Law n. 56 of April 29, 2024, and effective as of May 1, 2024, which amended, among other things, Article 110 of the Italian Privacy Code.  The amendment removes the obligation to submit a research program and related data protection impact assessment (“DPIA”) for prior consultation to the Garante, in cases where it is impossible or disproportionately burdensome to contact the concerned individuals.  

We provide below an overview of the legal framework and the safeguards identified by the Garante.Continue Reading Italian Legislator and Regulator Update Rules on Processing of Health Data for Medical Research

The French Public Health Code requires that certain service providers hosting health data hold a specific “HDS” certification.  In order to obtain this certification, providers must comply with the requirements set out in the “HDS” certification standard.  On May 16, 2024, France officially published an updated version of this “HDS” certification standard.

  1. Key Changes

The

In March 2024, the EU lawmakers reached agreement on the European Health Data Space (EHDS).  Although the text has not yet been formally adopted by all the European institutions, a number of interesting points can already be highlighted.  This article focuses on the governance and enforcement of the EHDS; for an overview of the EHDS generally, see our first post in this series.

The final text of the EHDS was adopted by the European Parliament on 24 April 2024 and is expected to be formally adopted by the European Council in the coming months.Continue Reading EHDS Series – 5: European Health Data Space Governance, Enforcement and Timelines

In early March 2024, the EU lawmakers reached agreement on the European Health Data Space (EHDS).  For now, we only have a work-in-progress draft version of the text, but a number of interesting points can already be highlighted. This article focuses on the implications for “wellness applications” and medical devices; for an overview of the EHDS generally, see our first post in this series.

The final text of the EHDS was adopted by the European Parliament on 24 April 2024 and is expected to be formally adopted by the European Council in the coming months.Continue Reading EHDS Series – 4: The European Health Data Space’s Implications for “Wellness Applications” and Medical Devices

On April 22, 2024, the European Federation of Pharmaceutical Industries and Associations (“EFPIA”) issued a statement on the application of the AI Act in the medicinal product lifecycle. The EFPIA statement highlights that AI applications are likely to play an increasing role in the development and manufacture of medicines.  As drug development is already governed by a longstanding and detailed EU regulatory framework, EFPIA stresses that care should be taken to ensure that any rules on the use of AI are fit-for-purpose, adequately tailored, risk-based, and do not duplicate existing rules.  The statement sets forth five “considerations”:Continue Reading EFPIA Issues Statement on Application of the AI Act in the Medicinal Product Lifecycle

In recent months, the European Court of Justice (“CJEU”) issued five judgments providing some clarity on the scope of individuals’ rights to claim compensation for “material and non-material damage” under Article 82 of the GDPR. These rulings will inform companies’ exposure to compensation claims, particularly in the context of the EU’s Collective Redress Directive, but open questions remain about the quantum of compensation courts will offer in these cases and we expect both the CJEU and national courts to deliver additional case-law clarifying this topic in the coming year (for more information on recent CJEU cases related to compensation, see our previous blog posts here and here).

  • In VB v Natsionalna agentsia za prihodite (C-340/21), the CJEU concluded that individuals may have suffered “non-material damage”—and therefore be able to claim compensation—if they can demonstrate that they feared future misuse of personal data that was compromised in a personal data breach.  
  • In VX v Gemeinde Ummendorf (C-456/22), the CJEU found that there is no de minimis threshold for damage, below which individuals cannot claim for compensation.
  • In BL v MediaMarktSaturn (C-687-21), the CJEU restated its existing case-law, and expanded upon its analysis in VB by clarifying that alleged harms cannot be “purely hypothetical”.
  • In Kočner v Europol (C-755/21), the CJEU awarded non-material damages of €2000 for the publication in newspapers of transcripts of “intimate” text messages.
  • In GP v Juris GmbH (C-741/21), the CJEU found that where one processing activity infringes multiple provisions of the GDPR, this should not allow claimants to “double-count” the harm they suffered.

We provide further detail on each case below.Continue Reading Rounding up Five Recent CJEU Cases on GDPR Compensation

In early March 2024, the EU lawmakers reached agreement on the European Health Data Space (EHDS).  For now, we only have a work-in-progress draft version of the text, but a number of interesting points can already be highlighted.  This article focusses on the obligations of data users; for an overview of the EHDS generally, see our first post in this series.

We expect the final text of the EHDS to be adopted by the European Parliament in April 2024 and by the EU Member States shortly thereafter.Continue Reading EHDS Series – 3: The European Health Data Space from the Health Data User’s Perspective

In early March 2024, the EU lawmakers reached agreement on the European Health Data Space (EHDS).  For now, we only have a work-in-progress draft version of the text, but a number of interesting points can already be highlighted.  This article focusses on the obligations of data holders; for an overview of the EHDS generally, see our first post in this series.

We expect the final text of the EHDS to be adopted by the European Parliament in April 2024 and by the EU Member States shortly thereafter.Continue Reading EHDS Series – 2: The European Health Data Space from the Health Data Holder’s Perspective

In early March 2024, the EU lawmakers reached agreement on the European Health Data Space (EHDS).  For now, we only have a work-in-progress draft version of the text, but a number of interesting points can already be highlighted.

We expect the final text of the EHDS to be adopted by the European Parliament in April 2024 and by the EU Member States shortly thereafter.Continue Reading EHDS Series – 1: Five Key Take Aways on Secondary Use of Health Data