We’ve all been there: The meeting’s almost over, next quarter’s goals are assigned, all the coffee and pastries have been eaten, when your commercial counterpart utters the infamous words: “We’re thinking of expanding.”
From a business perspective, geographic expansion opens the door to a variety of opportunities: new patients, new providers, new clinical research. But from a legal and privacy perspective, it’s a significant lift.
It’s no secret that privacy is a hot topic. People see the value of their personal data and are learning to make informed choices about whether to share it. On top of that, governments are becoming more involved in protecting personal information, with over 144 countries passing national-level data privacy laws dictating how businesses can use, collect, and even sell it.
But health-care data has always been different.
It’s one thing for a company to know your browsing habits—what you click on and your general browsing behavior. It’s another for them to know what medical conditions you have and what prescriptions you take for it.
Expanding into new areas as a health-care company requires you to understand both the privacy landscape and the regulatory environment. It involves a level of risk that has only grown over time.
The following steps can be leveraged to develop a tailored privacy compliance roadmap in new jurisdictions.
Know your product offerings and promises. It’s essential to understand the exact types of products or services your organization will offer in the new area. Are you looking at running a pilot with a few local health-care providers and their patients, or are you trying to integrate into every hospital in the country?
Communication with the business development team is key, helping your team understand the scope of the expansion, what external stakeholders are involved, and whether any other promises have been made. During talks about an expansion into Mexico, I learned that my company had already identified a local stakeholder and roll-out strategy. We were planning to offer a limited product in the area, the stakeholder wanted us to process data at a higher standard than required under local law, and this request was essential to the deal.
Local laws set the floor for privacy compliance, but there is always the opportunity to go above these requirements contractually. Having an open and honest dialogue about the terms of this expansion allowed us to identify key workstreams early and design appropriate roadmaps for compliance in the area.
Learn the new landscape. As you plan for expansion, pay close attention to the following areas:
Data Residency/Localization: Does the country require you to store data locally? Are there any requirements about the type and security of data warehouses used? For example, France requires any organization that hosts health-care data to have a Health Data Hosting certificate. While the obligation to obtain the certificate falls on the warehouse, health-care companies looking to expand into France should be aware that this requirement exists and choose a provider that meets this standard.
Data Transfers: Cross-border data transfers pose a variety of challenges, especially when it involves health data, referred to as “sensitive personal information” under the General Data Protection Regulation and similar frameworks. Transfers between the European Union and the US can now be accomplished via the Data Privacy Framework, a self-certification program, but for countries outside of these areas, additional requirements may apply.
Under Japan’s Act on the Protection of Personal Information, cross-border transfers can occur only with express consent from the data subject or by entering into a data processing agreement with the receiving party. While these requirements may appear similar to those under the Data Privacy Framework and other cross-border mechanisms, they still require legal and privacy review before deciding on an approach.
AI Governance: Several countries and economic areas have responded by passing laws to govern usage of artificial intelligence, training data, and intellectual property rights. The European Union’s Artificial Intelligence Act governs the use and classification of artificial intelligence systems throughout the entire European Union, while Italy’s new law narrows the focus to a national level.
While the two laws primarily align with one another, health-care businesses in Italy will need to pay particular attention to the sectoral details included in the new Italian law. Research whether there are any relevant AI laws your company will need to comply with—especially those surrounding clinical research, training models on patient data, and LLM note-taking apps.
Health-Care Regulatory Requirements: Depending on your experience, you might not be familiar with how the new country views health-care data, who it belongs to, and how efficient or inefficient the health-care system is. Local counsel can be helpful at outlining these concepts and advising on corporate and regulatory best practices.
Take Germany, for example, a country well-known in the privacy world for having strict local data privacy laws—its regulatory environment isn’t easy to navigate. Its “Fast Track” review of digital health apps and medical devices can take anywhere from a few months to a few years. Knowing these timelines in advance can help organizations truly weigh risk and design evergreen privacy programs that will last from initial submission to final approval.
Leverage what you have, build what you don’t. Once you’ve identified the parameters for entry into a new country, reflect on your current privacy program and what items you already have in your tool belt to leverage. If the new country requires privacy impact assessments, does your current template meet the requirements, or does it need to be altered? Are your Terms of Service and Privacy Policy scoped to include this country, or do they need to be amended? Is your product/platform/device in the correct language, or will it need to be professionally translated?
Leveraging what you have is a great way to streamline your privacy program. It prevents duplicative work and keeps your materials easy to use and up to date. But if you’re building something new, such as an AI impact assessment or new privacy review workflow, reach out to your network and professional associations. Privacy professionals are working on these topics and can be a resource when designing new policies and procedures.
Geographic expansion doesn’t have to be scary. With the right plan and a few strategic conversations, your organization can chart a path for successful entry into a new country. But that’s a topic for a different meeting—one with fresh coffee and better pastries.
This article does not necessarily reflect the opinion of Bloomberg Industry Group, Inc., the publisher of Bloomberg Law, Bloomberg Tax, and Bloomberg Government, or its owners.
Author Information
Alexandra Sumner is chief privacy officer and corporate counsel for Microhealth, an international medical device company.