The global data protection landscape is rapidly evolving, and we and our partners may be subject to federal, state and foreign data privacy and security laws and regulations governing the collection, use, disclosure, retention, and security of personal information, such as information that we may collect in connection with clinical trials in the United States and abroad. Any actual or alleged failure by us or our third-party vendors, collaborators, contractors and consultants to comply with any of these laws and regulations could result in, among other things, notification obligations, government investigations or enforcement actions against us, which could result in fines and penalties, claims for damages by affected individuals and third parties, damage to our reputation and loss of goodwill, any of which could have a material adverse effect on our business, financial condition, results of operations or prospects. These laws, rules and regulations evolve frequently and their scope may continually change, through new legislation, amendments to existing legislation and changes in enforcement practices, and may be inconsistent from one jurisdiction to another. The interpretation and application of health information-related and data protection laws in the United States, the EU and elsewhere, are often uncertain, contradictory and in flux. As a result, implementation standards and enforcement practices are likely to remain uncertain for the foreseeable future. As our operations and business grow, we may become subject to or affected by new or additional data protection laws and regulations and face increased scrutiny or attention from regulatory authorities.
In the United States, numerous federal and state laws and regulations, including federal health information privacy laws, state data breach notification laws, state health information privacy laws and federal and state consumer protection laws (e.g., Section 5 of the Federal Trade Commission Act), which govern the collection, use, disclosure and protection of health-related and other personal information, could apply to our operations or the operations of our collaborators. In addition, we may obtain health information from third parties (including research institutions from which we obtain clinical trial data) that are subject to privacy and security requirements under the Health Insurance Portability and Accountability Act of 1996 as amended by the Health Information Technology for Economic and Clinical Health Act of 2009, and regulations implemented (collectively, HIPAA). Depending on the facts and circumstances, we could be subject to criminal penalties if we knowingly obtain, use, or disclose individually identifiable health information provided to us by a HIPAA covered entity in a manner that is not authorized or permitted by HIPAA.
Many states have also adopted comparable privacy and security laws and regulations, some of which may be more stringent than HIPAA. Such laws and regulations will be subject to interpretation by various courts and other governmental authorities, thus creating potentially complex compliance issues for us and our future customers and strategic partners. Further, we may also be subject to other state laws governing the privacy, processing and protection of personal information. For example, the California Consumer Privacy Act as amended by the California Privacy Rights Act (collectively, CCPA) requires certain businesses that process personal information of California residents to, among other things: provide certain disclosures to California residents regarding the business's collection, use, and disclosure of their personal information; receive and respond to requests from California residents to access, delete, and correct their personal information, or to opt out of certain disclosures of their personal information; and enter into specific contractual provisions with service providers that process California resident personal information on the business's behalf. It has also created a new California data protection agency authorized to issue substantive regulations and could result in increased privacy and information security enforcement, and additional compliance investment and potential business process changes may be required. Similar laws have passed in other states, and are continuing to be proposed at the state and federal level, reflecting a trend toward more stringent privacy legislation in the United States. The enactment of such laws could have potentially conflicting requirements that would make compliance challenging.
In the event that we are subject to or affected by HIPAA, the CCPA, the CPRA or other domestic privacy and data protection laws, any liability from failure to comply with the requirements of these laws could adversely affect our financial condition.
We currently operate in countries outside of the United States, including Belgium, Australia and China, where laws may in some cases be more stringent than the requirements in the United States. For example, in Europe, the EU General Data Protection Regulation (GDPR) went into effect in May 2018 and imposes strict requirements for the processing of the personal data of individuals within the European Economic Area (EEA) or in the context of our activities within the EEA. The GDPR applies enhanced protections to health or sensitive personal data and other special categories of personal data, including some of the personal data we process in respect of clinical trial participants which may be subject to additional compliance obligations and to local law derogations. The GDPR also imposes additional obligations when we contract with third-party processors in connection with the processing of any personal data. Failure to comply with the requirements of the GDPR could result in fines of up to €20 million or 4% of the total worldwide annual turnover of our preceding fiscal year, whichever is higher. In addition to fines, a breach of the GDPR may result in regulatory investigations, reputational damage, orders to cease/change our data processing activities, enforcement notices, assessment notices (for a compulsory audit), civil claims (including class actions) and/or other administrative penalties.
Further, from January 1, 2021, we have to comply with the United Kingdom GDPR (UK GDPR), which, together with the amended Data Protection Act 2018, retains the GDPR in UK national law (collectively, the UK GDPR), and imposes separate but similar obligations to those under the GDPR and comparable penalties, including fines up to the greater of £17.5 million or 4% of global turnover of the annual global revenues of the noncompliant undertaking.
Among other requirements, the GDPR regulates the transfer of personal data to third countries outside of the EEA, such as the United States, which are not considered by the European Commission to provide an adequate level of personal data protection, and the efficacy and longevity of current transfer mechanisms between the EEA and the United States remains uncertain. We currently rely on approved data transfer mechanisms such as the EU standard contractual clauses (SCCs), the UK Addendum to the SCCs, the UK International Data Transfer Agreement and the new EU-U.S. Data Privacy Framework (DPF) to transfer personal data outside the EEA and the UK, including to the United States, with respect to both intragroup and third-party transfers. We expect the existing legal complexity and uncertainty regarding international personal data transfers to continue. In particular, we expect the adequacy of the DPF as an approved GDPR transfer mechanism to be challenged and international transfers to the United States and to other jurisdictions more generally to continue to be subject to enhanced scrutiny by regulators. As supervisory authorities issue further guidance on personal data export mechanisms, including circumstances where the SCCs cannot be used, and/or start taking enforcement action, we could suffer additional costs, complaints and/or regulatory investigations or fines, and/or if we are otherwise unable to transfer personal data between and among countries and regions in which we operate, it could affect the manner in which we provide our services, the geographical location or segregation of our relevant systems and operations, and could adversely affect our financial results.
In addition, we use artificial intelligence, including machine learning, and automated decision-making technologies (collectively, "AI Technologies") in our business. The regulatory framework for AI Technologies is rapidly evolving as many federal, state, and foreign government bodies and agencies have introduced or are currently considering additional laws and regulations. Additionally, existing laws and regulations may be interpreted in ways that would affect the operation of AI Technologies. As a result, implementation standards and enforcement practices are likely to remain uncertain for the foreseeable future, and we cannot yet determine the impact future laws, regulations, standards, or market perception of their requirements may have on our business and may not always be able to anticipate how to respond to these laws or regulations.
It is possible that new laws and regulations will be adopted in the United States and in other non-U.S. jurisdictions, or that existing laws and regulations, including competition and antitrust laws, may be interpreted in ways that would limit our ability to use AI Technologies for our business, or require us to change the way we use AI Technologies in a manner that negatively affects the performance of our products, services, and business and the way in which we use AI Technologies. We may need to expend resources to adjust our products or services in certain jurisdictions if the laws, regulations, or decisions are not consistent across jurisdictions. Further, the cost to comply with such laws, regulations, or decisions and/or guidance interpreting existing laws, could be significant and would increase our operating expenses (such as by imposing additional reporting obligations regarding our use of AI Technologies). Such an increase in operating expenses, as well as any actual or perceived failure to comply with such laws and regulations, could adversely affect our business, financial condition and results of operations.
Compliance with U.S. and foreign privacy and security laws, rules and regulations could require us to take on more onerous obligations in our contracts, require us to engage in costly compliance exercises, restrict our ability to collect, use and disclose data, or in some cases, impact our or our partners' ability to operate in certain jurisdictions. Each of these evolving laws can be subject to varying interpretations. Any actual or alleged failure by us or our employees, representatives, contractors, consultants, collaborators, or other third parties to comply with U.S. and foreign data protection laws and regulations could result in government investigations and enforcement actions (which could include civil or criminal penalties), fines and penalties, private litigation, and/or adverse publicity and could negatively affect our financial condition, operating results and business.