For example, in Europe the GDPR became effective May 25, 2018 and imposes strict requirements for processing the personal data of individuals within the European Economic Area, or EEA, or in the context of our activities within the EEA. Companies that must comply with the GDPR face increased compliance obligations and risk, including more robust regulatory enforcement of data protection requirements and potential fines for noncompliance of up to €20 million or 4% of the annual global revenues of the noncompliant undertaking, whichever is greater. In addition to fines, a breach of the GDPR may result in regulatory investigations, reputational damage, orders to cease/change our data processing activities, enforcement notices, assessment notices (for a compulsory audit) and/or civil claims (including class actions). Among other requirements, the GDPR regulates transfers of personal data subject to the GDPR to third countries that have not been found to provide adequate protection to such personal data, including the United States, and the efficacy and longevity of current transfer mechanisms between the EEA and the United States remains uncertain. Case law from the Court of Justice of the European Union states that reliance on the standard contractual clauses, or SCCs (a standard form of contract approved by the European Commission as an adequate personal data transfer mechanism), alone may not necessarily be sufficient in all circumstances and that transfers must be assessed on a case-by-case basis. On July 10, 2023, the European Commission adopted its Adequacy Decision in relation to the new EU-US Data Privacy Framework, or DPF, rendering the DPF effective as a GDPR transfer mechanism to U.S. entities self-certified under the DPF. We expect the existing legal complexity and uncertainty regarding international personal data transfers to continue.
As supervisory authorities issue further guidance on personal data export mechanisms, including circumstances where the SCCs cannot be used, and/or start taking enforcement action, we could suffer additional costs, complaints and/or regulatory investigations or fines, and/or if we are otherwise unable to transfer personal data between and among countries and regions in which we operate, it could affect the manner in which we provide our services, the geographical location or segregation of our relevant systems and operations, and could adversely affect our financial results.
We are also subject to the retained version of the GDPR as it forms part of the law of England and Wales, Scotland and Northern Ireland, the UK General Data Protection Regulation and Data Protection Act 2018, or collectively, the UK GDPR, which imposes separate but similar obligations to those under the GDPR and comparable penalties, including fines of up to £17.5 million or 4% of a noncompliant undertaking’s global annual revenue for the preceding financial year, whichever is greater. On October 12, 2023, the UK Extension to the DPF came into effect (as approved by the UK Government), as a data transfer mechanism from the UK to U.S. entities self-certified under the DPF.
In the U.S., certain states have also adopted data privacy and security laws and regulations, which govern the privacy, processing and protection of personal information. For example, the California Consumer Privacy Act of 2018, or CCPA, became effective on January 1, 2020. Similar laws have been passed in other states and are continuing to be proposed at the state and federal level.
These laws create new individual privacy rights and impose increased obligations, including disclosure obligations, on companies handling personal data. In many jurisdictions, consumers must be notified in the event of a data security breach, and such notification requirements continue to increase in scope and cost. Data privacy and security laws and regulations may limit the use and disclosure of certain information and require us to adopt certain cybersecurity and data handling practices that may affect our ability to effectively market our services to current, past, or prospective customers. While we have invested in, and intend to continue to invest in, resources to comply with these standards, we may not be successful in doing so, and any actual or perceived failure to comply could result in additional cost and liability to us, damage our reputation and have an adverse effect on our business and results of operations.
As data privacy, data use and data security laws are interpreted and applied, compliance costs may increase, particularly in the context of ensuring that adequate data protection and data transfer mechanisms are in place. In recent years, there has been increasing regulatory enforcement and litigation activity in this area in the United States, Germany and in various other countries in which we operate.
Compliance with regulations for medical devices and solutions is expensive and time-consuming, and failure to obtain or maintain approvals, clearances, or compliance could impact financial projections and/or subject us to penalties or liabilities.
Our Desktop Labs and Desktop Health products and services, and healthcare provider customers and distributors, are and will be subject to extensive federal, state, local and foreign regulations, including, without limitation, regulations with respect to approvals and clearances for products, design, manufacturing and testing, labeling, marketing, sales, quality control, and data privacy and security. Unless an exemption applies, we must obtain clearance or approval from the Food and Drug Administration (or comparable foreign regulatory body) before a medical device or solution can be marketed or sold; this process involves significant time, effort and expense. The healthcare market overall is highly regulated and subject to frequent and sudden change. Our failure to secure clearances