In addition, our products may be subject to U.S. and foreign export controls, trade sanctions and import laws and regulations, including increased tariffs. Governmental regulation of the import or export of our products, including the potential negative impact of tariff increases, or our failure to obtain any required import or export authorization for our products, when applicable, could harm our business. Furthermore, U.S. export control laws and economic sanctions prohibit the provision of certain products and services to countries, governments and persons targeted by U.S. sanctions. If we fail to comply with export and import regulations and such economic sanctions, penalties could be imposed, including fines and/or denial of certain export privileges.
Data collection under European and U.S. laws is governed by restrictive regulations addressing the collection, use, processing and, in the case of Europe, cross-border transfer, of personal information (i.e., information that relates to an identified or identifiable individual).
We may collect, process, use or transfer personal information from individuals located in the European Economic Area, or EEA, Switzerland and the United Kingdom in connection with our business, including in connection with conducting clinical trials in these regions.
Additionally, if any of our product candidates are approved, we may seek to commercialize those products in the EEA or the United Kingdom or Switzerland. The collection and use of personal information (which includes health data) in the EEA is governed, in part, by the provisions of the General Data Protection Regulation (EU) 2016/679, or the GDPR, or its UK equivalent, the UK General Data Protection Regulation, or, together with the UK’s Data Protection Act 2018, the UK GDPR, or the new Swiss Federal Act on Data Protection, or FADP. These regulations impose requirements relating to having a legal basis for processing personal information and transferring such information outside of the EEA, the United Kingdom and Switzerland, respectively, as applicable, including to the United States, informing concerned individuals about the processing of their personal information, keeping personal information secure, having data processing agreements with third parties who process personal information on our behalf, responding to individuals’ requests to exercise their rights in respect of their personal information, reporting security breaches involving personal information to the competent national data protection authority and affected individuals, appointing data protection officers, conducting data protection impact assessments and record-keeping.
Any actual or alleged failure to comply with the GDPR, UK GDPR, FADP, or other data protection laws may result in regulatory inquiries and other proceedings, substantial fines, other administrative penalties and civil claims being brought against us, which could have a material adverse effect on our business, financial condition and results of operations.
The GDPR, UK GDPR and FADP also restrict the transfer of personal information outside of the EEA, United Kingdom and Switzerland, respectively, unless appropriate safeguards are in place.
One primary set of safeguards, the Standard Contractual Clauses adopted by the European Commission, has been updated recently. With regard to data transfers outside of the EEA to the United States, in March 2022, the European Union and United States established a new framework for personal information transfers, the EU-U.S. Data Privacy Framework, or the EU-U.S. DPF. A related framework, the Swiss-U.S. Data Privacy Framework, or Swiss-U.S. DPF, also was established, and was the subject of an adequacy decision by the Swiss Federal Council on August 14, 2024. On July 10, 2023, the European Commission adopted an adequacy decision relating to the EU-U.S. DPF. Additionally, a UK Extension to the EU-U.S. DPF became effective on October 12, 2023. We are evaluating whether to make use of the EU-U.S. DPF and the UK Extension to the EU-U.S. DPF to transfer personal information from the EEA to the United States.
Data protection regulation in the United Kingdom is subject to some uncertainty. Although the European Commission granted “adequacy” status to the United Kingdom in June 2021, and personal information can flow from the European Union to the United Kingdom and back, the United Kingdom may change its policy with respect to the export of personal information to third countries, such as the United States. The United Kingdom made targeted amendments to the UK GDPR in the UK Data (Use and Access) Act 2025, or DUAA, which was enacted on June 19, 2025. After assessing the DUAA, the European Commission has renewed the UK’s adequacy decision through December 2031, but it may be modified or revoked in the interim. In addition, in February 2022, the United Kingdom’s Information Commissioner’s Office issued new Standard Contractual Clauses for the transfer of personal information outside of the United Kingdom. The data transfers enforcement landscape and the longer-term stability of the EU-U.S. DPF and related programs remain uncertain, which could require us to modify our policies and practices and increase our compliance costs.
The EU also has implemented new and revised laws and regulations relating to cybersecurity, including the Network and Information Security Directive II, or NIS2, adopted in 2023, which aims to enhance cybersecurity across critical infrastructure and essential services in the EU. NIS2 provides for all EU member states to have issued implementing legislation by October 2024; however, several EU member states have not finalized their respective legislation and guidance.
We may, therefore, incur liabilities, expenses, costs, and other operational losses under the GDPR, the UK GDPR, the FADP, and applicable laws and regulations of European Union member states in connection with any measures we take to comply with them.