Data privacy laws have been springing up more regularly in the past couple of years, including in several U.S. states, but Congress seems inclined to step in to avoid a patchwork of regulations across the 50 states. The House Energy and Commerce Committee gave a ringing endorsement of new legislation via a 53-2 vote for H.R. 8152, a bill that would largely preempt the growing list of state privacy laws, but makers of health apps and other digital products might eventually be subject to private litigation under the terms of the bill.
As a growing roster of nations moves to protect individual genomic and other health data in the name of privacy under the General Data Protection Regulation in the EU and similar laws elsewhere, chief aggregators of such data, drug developers, are struggling.
In a span of a mere two years, the state of California passed two ballot initiatives dealing with privacy that promise to have an impact on digital health, the second of which created an office specifically for privacy enforcement matters. Eric Goldman, a professor of law at the Santa Clara (California) University School of Law, said on a recent webinar that the state attorney general’s office and the new California Privacy Protection Agency (CPPA) have overlapping jurisdiction, and as a consequence, companies doing business in California may find themselves at the mercy of not one, but two enforcement entities.
Device makers may see privacy legislation in California and other U.S. states as a source of regulatory balkanization, but that very same problem is cropping up in the international arena. In addition to the European General Data Protection Regulation (GDPR), privacy requirements are popping up in Brazil and elsewhere, and Eric Bowlin, a partner at Deloitte Risk & Financial Advisory, told attendees on a virtual symposium that the best approach might be to base a compliance program on general principles.
The Court of Justice of the European Union (CJEU) has invalidated the EU-U.S. Privacy Shield, a mechanism designed to ensure the privacy of EU citizens’ data when conveyed to other nations in a manner consistent with the EU’s General Data Protection Regulation (GDPR). Makers of drugs and devices are not without recourse in transferring patient data to the U.S. for clinical trials conducted in Europe, but industry must revisit its standard contractual clauses to ensure those protocols provide the necessary privacy provisions, or face fines that could amount to tens of millions of euros.
A recent Senate hearing raised the question of whether privacy and confidentiality are at risk when software is installed in smart devices for disease surveillance purposes, but there may be no absolute guarantee of confidentiality, jeopardizing the goodwill of citizens who are wary of big government.