Europe's data protection authorities have just set the stage for a major overhaul of how clinical trials operate across the EU, and biotech companies need to start preparing now. On March 10, 2026, the European Data Protection Board (EDPB) and the European Data Protection Supervisor (EDPS) released a joint opinion on the European Commission's proposed EU Biotech Act, a sweeping legislative framework that will reshape data governance expectations for clinical trials and introduce new requirements for artificial intelligence (AI) use across the medicinal product lifecycle .

The proposed Biotech Act, introduced in December 2025, amends key EU life sciences legislation, including the EU Clinical Trials Regulation (CTR), and signals that regulators are taking a hard look at how AI tools are being deployed in drug development. While the joint opinion broadly supports the Commission's initiative, it highlights several critical areas where clarification is needed to ensure compliance with the General Data Protection Regulation (GDPR), the EU's landmark privacy law. If adopted largely as proposed, the Biotech Act could significantly reshape data governance expectations for clinical trials in the EU .

What Are the Key Compliance Changes for Life Sciences Companies?

The EDPB and EDPS have identified several areas where the proposed framework requires clearer rules and higher expectations. These changes will affect how sponsors, investigators, and trial sites manage sensitive personal data, structure informed consent processes, and deploy AI-enabled tools in clinical research.

• Clinical Trial Data Processing: EU regulators support harmonizing GDPR legal bases for processing sensitive personal data in clinical trials, including secondary use for scientific research. However, they call for clearer rules on informed consent under the CTR and the impact of consent withdrawal, which may affect how sponsors structure data reuse strategies and long-term research programs .
• GDPR Responsibility Allocation: The opinion confirms that sponsors and investigators act as controllers under the GDPR, but urges further clarification on whether they qualify as joint or independent controllers at different stages of a trial. This has direct implications for contractual arrangements, liability allocation, and data subject rights management .
• Data Retention Limits: EU regulators support limiting the CTR's 25-year retention period to data contained in the clinical trial master file, rather than all personal data processed during a trial. This clarification could reduce long-term data storage burdens and compliance risk for sponsors .
• Electronic Informed Consent: While the EDPB and EDPS welcome explicit recognition of electronic consent under the CTR, they stress the need to distinguish it from GDPR consent and to ensure accessibility for participants without digital access, an important consideration for trial design and patient engagement strategies .
• AI Safety and Data Integrity: The opinion endorses requirements for sponsors to assess patient safety and data integrity risks arising from the use of AI in clinical trials. The EDPB and EDPS also call for clarity on how these obligations align with the EU AI Act, signaling increased scrutiny of AI-enabled trial tools and analytics .

How Should Biotech Companies Prepare for the New AI Requirements?

The intersection of the proposed Biotech Act and the EU AI Act represents a significant new compliance burden for life sciences companies. The EU AI Act, which was adopted in June 2024, imposes compliance requirements designed to progressively increase in accordance with the intensity and scope of the risks that AI systems can generate . For clinical trials, this means sponsors must now think carefully about how AI tools fit into the broader regulatory framework.

Life sciences companies should begin taking concrete steps now to align their operations with the emerging regulatory landscape. The joint opinion will inform the European Parliament's ongoing review of the proposed Biotech Act, with legislative discussions expected to continue through 2027 and adoption anticipated in late 2027 or 2028 .

• Audit Current AI Deployments: Map all current and planned uses of AI in clinical trials, paying particular attention to the type of data inputs each requires and processes, whether the AI is a public-facing or private system, and how the tool handles sensitive personal data. This inventory will help identify which systems may fall under high-risk AI classifications .
• Revise Data Governance Policies: Update contractual arrangements with investigators and trial sites to clarify GDPR responsibility allocation, distinguish between joint and independent controller relationships at different trial stages, and establish clear protocols for informed consent and consent withdrawal. Consider how these changes affect data reuse strategies and long-term research programs .
• Implement AI Risk Assessment Processes: Develop formal procedures to assess patient safety and data integrity risks arising from AI use in clinical trials. Ensure these assessments align with both the proposed Biotech Act requirements and the EU AI Act's risk-based framework, which prohibits certain AI systems considered to present unacceptable risk and mandates risk management, data governance, technical documentation, and human oversight for high-risk systems .
• Monitor Regulatory Guidance: Stay informed about regulatory sandboxes and testing environments that the EU regulators encourage to support advanced biotechnology development. These may offer opportunities for compliant innovation and early feedback on AI-enabled trial tools before full regulatory requirements take effect .

Why Is Europe Tightening AI Rules While Other Regions Push Back?

The proposed Biotech Act reflects a broader European commitment to protecting user rights and ensuring fair digital practices, even as external pressure mounts to ease regulations. Anu Bradford, Henry L. Moses Professor of Law and International Organization at Columbia University and a leading expert on how regulation shapes the digital economy, noted that Europe's regulatory leadership faces significant headwinds .

"The high-water mark of Europe's regulatory leadership is behind us. A few years ago, during the peak of the 'techlash,' it seemed like the world was moving toward stricter digital rules and the EU was setting the tone. But since then we've seen a strong backlash," Bradford explained.

Anu Bradford, Henry L. Moses Professor of Law and International Organization, Columbia University

Bradford warned that Europe must not abandon its greatest strength in the digital era: its commitment to protecting users' rights and a fair digital marketplace. She emphasized that over-regulation is not the core reason Europe lags in tech innovation; instead, lack of a unified digital market, underdeveloped capital markets, cultural aversion to risk, and talent gaps are much bigger factors .

The United States, by contrast, is pursuing a deregulatory approach to AI. A December 2025 executive order from the U.S. federal government emphasizes the potential economic benefits of AI and the importance of a national-level framework focused on economic dominance and reducing "cumbersome regulation." The U.S. order also warns of compliance challenges associated with a patchwork of state-level regulatory regimes and tasks advisors to prepare a legislative recommendation establishing a uniform federal policy framework for AI .

This divergence creates a complex landscape for multinational biotech companies. While Europe is strengthening oversight of AI in clinical trials, the U.S. is actively working to roll back state-level AI laws it deems too restrictive. Canadian organizations with U.S. operations should anticipate a continued emphasis on AI deregulation and active discouragement of state-level AI laws .

What Timeline Should Companies Expect?

The proposed Biotech Act is still in the legislative process, but the timeline is becoming clearer. The joint opinion from the EDPB and EDPS will inform the European Parliament's ongoing review, with legislative discussions expected to continue through 2027 and adoption anticipated in late 2027 or 2028 . This gives life sciences companies a window of roughly 18 to 24 months to assess how the framework could affect trial governance models, data strategies, AI deployments, and contractual arrangements with investigators and trial sites.

The EU AI Act, which was adopted in June 2024, provides a parallel timeline. Several of its provisions are slated to come into force in August 2026, with amendments being considered through the "Digital Omnibus" package to reduce administrative compliance burden for businesses and push back the date when rules relating to high-risk AI systems will come into force . This means biotech companies should expect some provisions to take effect sooner than others, requiring a phased compliance approach.

For life sciences companies operating in Europe, the message is clear: begin assessing compliance requirements now. The convergence of the proposed Biotech Act and the EU AI Act will create a more demanding regulatory environment for clinical trials, but organizations that move early on governance and compliance will be better positioned than those waiting for the final legislative text.