The CCPA and other similar laws could impact our business activities, depending on their interpretation. Additionally, other state legislatures have enacted or are currently contemplating, and may pass, their own comprehensive data privacy and security laws, with potentially greater penalties and more rigorous compliance requirements relevant to our business. For example, in March 2021, Virginia enacted the Virginia Consumer Data Protection Act (“CDPA”), a comprehensive privacy statute that becomes effective on January 1, 2023 and shares similarities with the CCPA, the CPRA, and legislation proposed in other states. Similarly, in June 2021, Colorado enacted the Colorado Privacy Act (“CPA”), which takes effect on July 1, 2023.
The EU has adopted data protection laws and regulations which may apply to us in certain circumstances, or in the future. The collection and use of health data and other personal data is governed in the EU by the General Data Protection Regulation (“GDPR”), which extends the geographical scope of EU data protection law to entities and operations outside of the EU under certain conditions and imposes substantial obligations upon companies and new rights for individuals, and by certain EU member state-level legislation. The GDPR, which is wide-ranging in scope and applicability, imposes several requirements relating to the consent of the individuals to whom the personal data relates, the information provided to the individuals, the security and confidentiality of the personal data, data breach notification and the use of third party processors in connection with the processing of personal data, including clinical trials. The GDPR also imposes strict rules on the transfer of personal data out of the EU to the U.S., provides an enforcement authority and imposes large penalties for noncompliance, including the potential for fines of up to €20 million or 4% of the annual global revenues of the noncompliant company, whichever is greater.
Further, Brexit has created uncertainty with regard to data protection regulation in the United Kingdom (“UK”). Specifically, the UK exited the EU on January 1, 2020, subject to a transition period that ended on December 31, 2020. On June 28, 2021, the European Commission issued an adequacy decision in respect of the UK’s data protection framework, allowing personal data transfers from EU member states to the UK to continue without requiring additional contractual or other measures in order to lawfully transfer personal data between the territories. This decision is subject to renewal after four years, however, and may be revisited by the European Commission at any time. The UK has implemented legislation similar to the GDPR, referred to as the UK GDPR, which provides for fines of up to the greater of £17.5 million or 4% of global turnover. In the medium and longer terms, however, the relationship between the UK and EU in relation to aspects of data protection law remains unclear, including with respect to cross-border data transfers and the role of the UK Information Commissioner’s Office with respect to the EU, which exposes us to further compliance risk. We may incur liabilities, expenses, costs, and other operational losses relating to the GDPR, the UK GDPR, and other laws and regulations in the EU and UK relating to privacy and data protection, including those of applicable EU Member States in connection with any measures we take to comply with them. We may in the future be required to put in place additional mechanisms in an effort to comply with these laws and regulations, which could divert management’s attention and increase our cost of doing business. In addition, other new regulation or legislative actions regarding data privacy and security (together with applicable industry standards) may increase our costs of doing business. 
In this regard, we expect that there will continue to be new proposed laws, regulations and industry standards relating to privacy and data protection in the United States, the EU, the UK and other jurisdictions, and we cannot determine the impact such future laws, regulations and standards may have on our business. With the GDPR, UK GDPR, CCPA, CPRA, CDPA, CPA, and other laws, regulations and other obligations relating to privacy, data protection, and cybersecurity imposing new and relatively burdensome obligations, and with substantial uncertainty over the interpretation and application of these and other obligations, we may face challenges in addressing their requirements and making necessary changes to our policies and practices, and may incur significant costs and expenses in an effort to do so. Additionally, if third parties we work with, such as vendors or service providers, violate applicable laws or regulations or our policies, such violations may also put our or our customers’ data at risk and could in turn have an adverse effect on our business. Any failure or perceived failure by us or our service providers to comply with our applicable policies or notices relating to privacy, data protection, or cybersecurity, our contractual or other obligations to third parties, or any of our other legal obligations relating to privacy, data protection, or cybersecurity, may result in governmental investigations or enforcement actions, litigation, claims and other proceedings, harm our reputation, and could result in significant liability.
To the extent we contract with government entities, such government contracts could expose us to additional risks inherent in the government contracting environment.
To the extent we contract with any government entities, such government contracts carry various risks inherent in contracting with government entities.
These risks include, but are not limited to, the following:
• Government entities, particularly in the United States, often reserve the right to audit our contracts and conduct reviews, inquiries and investigations of our business practices and performance with respect to government contracts. If a government client discovers improper conduct during its audits or investigations, we may become subject to various civil and criminal penalties, including those under the civil U.S. False Claims Act, and administrative sanctions, which may include termination of contracts, suspension of payments, fines and civil money penalties, and suspensions or debarment from doing business with other government agencies.
• U.S. government contracting regulations impose strict compliance and disclosure obligations and our failure to comply with these obligations could be a basis for suspension or debarment, or both, from federal government contracting in addition to breach of the specific contract.