In part one of this series, Alaap Shah, Lisa Pierce Reisz, and Avery Schumacher from Epstein Becker & Green, P.C., explored the evolving federal legal landscape governing health data in the U.S., focusing on the regulatory agencies responsible for oversight and enforcement of relevant laws and regulations. In part two, they delve into the intricate and varied state health data privacy laws across the US.

In September 2024, a company specializing in direct-to-consumer genetic testing and ancestry analysis services agreed to pay $30 million as part of a class action settlement brought on behalf of consumers whose genetic and personal information was leaked as a result of a data breach last year. The breach exposed the data of approximately 6.9 million users, including location, ancestry reports, DNA matches, family names, profile pictures, birthdates, and more.

In the wake of an uptick in the proliferation of consumer ancestry testing over the last several years, this settlement has reinvigorated discussions about the data collection and storage practices of genetic information companies. These concerns have also animated a recent wave of state legislative activity aimed at protecting residents' genetic data, including the passage of LB 308, the Genetic Information Privacy Act (GIPA), in Nebraska, which was signed by Governor Jim Pillen on February 13, 2024, and went into effect on July 17, 2024.

In addition to Nebraska, there are currently 11 other states with statutes governing direct-to-consumer genetic testing companies: Alabama, Arizona, California, Kentucky, Maryland, Montana, Tennessee, Texas, Utah, Virginia, and Wyoming.

The passage of GIPA comes on the heels of Governor Jim Pillen signing into law the Nebraska Data Privacy Act (NDPA) on April 17, 2024, as Nebraska joined the 18 other states with comprehensive privacy statutes. The NDPA is set to go into effect on January 1, 2025.

In this Insight article, Maureen Fulton, Nathan Sheeley, and Briseyda Garcia-Ticas, from Koley Jessen P.C., L.L.O., will first review the key provisions of GIPA, including the scope of protected information and the statutory obligations imposed on direct-to-consumer genetic analysis companies. Next, they will provide an overview of the NDPA. Finally, they will contrast the two statutes by highlighting important differences in their threshold applicability, purpose, and enforcement structure.

India's commitment towards the promotion and development of artificial intelligence (AI) was recently highlighted in the Union Budget of 2024-25 that was announced by the Indian government in July 2024. The Budget allocated $65 million exclusively to the IndiaAI Mission, an ambitious $1.1. billion program that was announced earlier this year to focus on AI research and infrastructure in India. It has also widely been reported that the Ministry of Electronics and Information Technology (MeitY) is in the process of formulating a national AI policy, which is set to address a wide spectrum of issues including the infringement of intellectual property rights and the development of responsible AI. As per reports, MeitY is also analyzing the AI framework of other jurisdictions to include learnings from these frameworks in its national AI policy. Part I of this series focussed on understanding the regulatory approaches adopted by some key jurisdictions like the EU and the USA. In Part two, Raghav Muthanna, Avimukt Dar, and Himangini Mishra, from INDUSLAW, explore measures that India can adopt, and lessons it can take from such markets, in its journey in the governance of AI systems.