We maintain a large quantity of sensitive information, including confidential business and patient health information in connection with our preclinical studies, and are subject to laws and regulations governing the privacy and security of such information. The global data protection landscape is rapidly evolving, and we are or may become subject to numerous state, federal and foreign laws, requirements and regulations governing the collection, use, disclosure, retention and security of personal information, including as our operations continue to expand or if we operate in foreign jurisdictions. Implementation standards and enforcement practices are likely to remain uncertain for the foreseeable future, and we cannot yet determine the impact future laws, regulations, standards or perception of their requirements may have on our business. This evolution may create uncertainty in our business, affect our ability to operate in certain jurisdictions or to collect, store, transfer, use and share personal information, necessitate the acceptance of more onerous obligations in our contracts, result in liability or impose additional costs on us. The cost of compliance with these laws, regulations and standards is high and is likely to increase in the future. Any failure or perceived failure by us to comply with federal, state or foreign laws or regulations, our internal policies and procedures or our contracts governing our processing of personal information could result in negative publicity, government investigations and enforcement actions, claims by third parties and damage to our reputation, any of which could have a material adverse effect on our business, results of operations and financial condition.
In the United States, there are numerous federal and state data privacy and security laws and regulations governing the collection, use, disclosure and protection of personal information, including federal and state health information privacy laws, security breach notification laws and consumer protection laws. Each of these laws is subject to varying interpretations and is constantly evolving. By way of example, the regulations promulgated under HIPAA and the Health Information Technology for Economic and Clinical Health Act impose, among other things, certain standards relating to the privacy, security, transmission and breach reporting of individually identifiable health information. While we do not believe that we are currently acting as a covered entity or business associate under HIPAA and thus are not directly regulated under HIPAA, any person may be prosecuted under HIPAA's criminal provisions either directly or under aiding-and-abetting or conspiracy principles. Consequently, depending on the facts and circumstances, we could face substantial criminal penalties if we knowingly receive individually identifiable health information from a HIPAA-covered healthcare provider or research institution that has not satisfied HIPAA's requirements for disclosure of individually identifiable health information.
The U.S. Federal Trade Commission, or the FTC, also has authority to initiate enforcement actions against entities that mislead customers about HIPAA compliance, make deceptive statements about privacy and data sharing in privacy policies, fail to limit third-party use of personal health information, fail to implement policies to protect personal health information or engage in other unfair practices that harm customers or that may violate Section 5 of the FTC Act. Even when HIPAA does not apply, according to the FTC, failing to take appropriate steps to keep consumers' personal information secure may constitute unfair acts or practices in or affecting commerce in violation of Section 5(a) of the Federal Trade Commission Act. The FTC expects a company's data security measures to be reasonable and appropriate in light of the sensitivity and volume of consumer information it holds, the size and complexity of its business and the cost of available tools to improve security and reduce vulnerabilities. Individually identifiable health information is considered sensitive data that merits stronger safeguards.
In addition, certain state laws govern the privacy and security of health-related and other personal information in certain circumstances, some of which are more stringent than HIPAA and many of which differ from each other in significant ways and may not have the same effect, thus complicating compliance efforts. For example, the CCPA requires covered businesses that process the personal information of California residents to, among other things: (i) provide certain disclosures to California residents regarding the business's collection, use, and disclosure of their personal information; (ii) receive and respond to requests from California residents to access, delete, and correct their personal information, or to opt out of certain disclosures of their personal information; and (iii) enter into specific contractual provisions with service providers that process California resident personal information on the business's behalf. Additional compliance investment and potential business process changes may be required. Similar laws have been passed in other states, and are continuing to be proposed at the state and federal level, reflecting a trend toward more stringent privacy legislation in the United States. The enactment of such laws could have potentially conflicting requirements that would make compliance challenging. In the event that we are subject to or affected by HIPAA, the CCPA or other domestic privacy and data protection laws, any liability from failure to comply with the requirements of these laws could adversely affect our financial condition.
Our operations abroad may also be subject to increased scrutiny or attention from data protection authorities. For example, in Europe, the GDPR took effect in May 2018. The GDPR governs the collection, use, disclosure, transfer or other processing of personal data of individuals within the EEA or in the context of our activities within the EEA. In addition, some of the personal data we process in respect of clinical trial participants is special category or sensitive personal data under the GDPR, and is subject to additional compliance obligations and to local law derogations. Among other things, the GDPR imposes requirements regarding the security of personal data and notification of data processing obligations to the competent national data processing authorities, changes the lawful bases on which personal data can be processed, expands the definition of personal data and requires changes to informed consent practices, as well as detailed notices for clinical trial subjects and investigators. In addition, the GDPR regulates the transfer of personal data subject to the GDPR to the United States and other jurisdictions that the European Commission does not recognize as having "adequate" data protection laws, and the efficacy and longevity of current transfer mechanisms between the EEA and the United States remain uncertain. On July 10, 2023, the European Commission adopted its Adequacy Decision in relation to the new EU-US Data Privacy Framework, or the DPF, rendering the DPF effective as a GDPR transfer mechanism to United States entities self-certified under the DPF.
The GDPR imposes substantial fines for breaches and violations (up to the greater of €20 million or 4% of our consolidated annual worldwide gross revenue). In addition to fines, a breach of the GDPR may result in regulatory investigations, reputational damage, orders to cease or change our data processing activities, enforcement notices, assessment notices (for a compulsory audit) and/or civil claims, including class actions. The GDPR also confers a private right of action on data subjects and consumer associations to lodge complaints with supervisory authorities, seek judicial remedies and obtain compensation for damages resulting from violations of the GDPR. Further, from January 1, 2021, companies must also comply with the United Kingdom GDPR and the amended UK Data Protection Act 2018, or, together, the UK GDPR. The UK GDPR retains the GDPR in UK national law. The UK GDPR mirrors the fines under the GDPR, for instance, fines up to the greater of €20 million (£17.5 million) or 4% of global turnover. On October 12, 2023, the UK Extension to the DPF came into effect (as approved by the UK Government), as a UK GDPR data transfer mechanism to United States entities self-certified under the UK Extension to the DPF. As we continue to expand into other foreign countries and jurisdictions, we may be subject to additional laws and regulations that may affect how we conduct business.
We expect the existing legal complexity and uncertainty regarding international personal data transfers to continue. In particular, we expect the DPF Adequacy Decision to be challenged and international transfers to the United States and to other jurisdictions more generally to continue to be subject to enhanced scrutiny by regulators. As supervisory authorities issue further guidance on personal data export mechanisms, including circumstances where the SCCs cannot be used, and/or start taking enforcement action, we could suffer additional costs, complaints and/or regulatory investigations or fines. If we are otherwise unable to transfer personal data between and among the countries and regions in which we operate, this could affect the manner in which we provide our services and the geographical location or segregation of our relevant systems and operations, and could adversely affect our financial results. Compliance with these and any other applicable data privacy and security laws and regulations is a rigorous and time-intensive process, and we may be required to put in place additional mechanisms ensuring compliance with the new data protection rules within required time frames. If we fail to comply with any such laws or regulations, we may face significant fines and penalties that could adversely affect our business, financial condition and results of operations.