Healthcare providers, including physicians, and third-party payors will play a primary role in the recommendation and prescription of any product candidates for which we obtain regulatory approval. Arrangements with healthcare providers, third-party payors and customers may expose us to broadly applicable fraud and abuse and other healthcare laws and regulations that may constrain the business or financial arrangements and relationships through which we would market, sell and distribute our products. As a biotechnology company, even though we will not control referrals of healthcare services or bill directly to Medicare, Medicaid or other third-party payors, federal and state healthcare laws and regulations pertaining to fraud and abuse, transparency, health privacy and security and patients' rights and comparable foreign legislation are and will be applicable to our business. Outside the United States, interactions between pharmaceutical companies and health care professionals are also governed by strict laws, such as national anti-bribery laws of EU Member States, national sunshine rules, regulations, industry self-regulation codes of conduct and physicians' codes of professional conduct. If we fail to comply with these, or to comply with these adequately or appropriately, we could be subject to significant penalties.
For details regarding the restrictions under applicable federal and state healthcare laws and regulations that may affect our ability to operate, see "Business-Government Regulation-Additional Regulation."
The scope and enforcement of each of these laws is uncertain and subject to rapid change in the current environment of healthcare reform, especially in light of the lack of applicable precedent and regulations. Scrutiny has also increased, which has led to a number of investigations, prosecutions, convictions and settlements in the healthcare industry. Responding to investigations can be time- and resource-consuming and can divert management's attention from the business. Efforts to ensure that our business arrangements with third parties will comply with applicable healthcare laws and regulations will involve substantial costs. If our operations or if any physicians or other healthcare providers or entities with whom we expect to do business are found to not be in compliance with applicable laws or applicable regulations, we and they could be subjected to significant civil, criminal and administrative enforcement actions; see "Business-Government Regulation-Additional Regulation."
Further, we are required to comply with domestic and international privacy and data security laws, such as the EU GDPR and the CCPA, which apply to the collection, use, disclosure, transfer, or other processing of personal data, including data we collect about trial participants in connection with clinical trials. Numerous U.S. states have enacted comprehensive privacy and data security laws that impose certain obligations on covered businesses, including providing specific disclosures in privacy notices and affording residents certain rights concerning their personal data. As applicable, such rights may include the right to access, correct or delete certain personal data, and to opt out of certain data processing activities, such as targeted advertising, profiling and automated decision-making. The exercise of these rights may impact our business and ability to provide our products and services. Certain states also impose stricter requirements for processing certain personal data, including sensitive information, such as conducting data privacy impact assessments. These state laws allow for statutory fines for noncompliance.
Certain jurisdictions have enacted data localization and cross-border data transfer laws, which could make it more difficult to transfer information across jurisdictions. In particular, the EEA and the U.K. have significantly restricted the transfer of personal data to the United States and other countries whose privacy and data security laws they believe to be inadequate. Other jurisdictions may adopt or have already adopted similarly stringent interpretations of data localization and cross-border data transfer laws. Although there are currently various mechanisms that may be used to transfer personal data from the EEA and United Kingdom to the United States in compliance with law, such as the EEA standard contractual clauses, the U.K.'s International Data Transfer Agreement / Addendum and the EU-U.S. Data Privacy Framework and the U.K. extension thereto (which allows for transfers to relevant U.S.-based organizations who self-certify compliance and participate in the Framework), these mechanisms are subject to legal challenges, and there is no assurance that we can satisfy or rely on these measures to lawfully transfer personal data to the United States. If we are unable to implement a legal mechanism to ensure that our transfers of personal data from the EEA or the U.K. are lawful, we could face adverse consequences, including increased exposure to regulatory actions, substantial fines and penalties and injunctions against processing or transferring personal data, and could be required to increase our data processing capabilities in the EEA, the U.K. or elsewhere at significant expense. Restrictions on our ability to transfer personal data from the EEA, the U.K. or elsewhere could impact our clinical trial activities in the EEA or the U.K. and limit our ability to collaborate with CROs and other third parties. Additionally, companies that transfer personal data out of the EEA and U.K. to other jurisdictions, particularly to the United States, are subject to increased scrutiny from regulators, individual litigants, and activist groups. For more information regarding these regulations, see "Business-Government Regulation-Privacy Regulation."
We are also bound by contractual obligations related to data privacy and security, and our efforts to comply with such obligations may not be successful. For example, certain privacy laws, such as the GDPR and the CCPA, require our customers to impose specific contractual restrictions on their service providers. We publish privacy policies, marketing materials and other statements, such as statements related to compliance with certain certifications or self-regulatory principles, concerning data privacy and security. Regulators in the United States are increasingly scrutinizing these statements, and if these policies, materials or statements are found to be deficient, lacking in transparency, deceptive, unfair, misleading or misrepresentative of our practices, we may be subject to investigation, enforcement actions by regulators or other adverse consequences. In addition, privacy advocates and industry groups have proposed, and may propose, standards with which we are legally or contractually bound to comply, or may become subject to in the future.
Our obligations related to privacy and data security (and consumers' expectations regarding them) are quickly changing and becoming increasingly stringent, creating uncertainty. These obligations may be subject to differing applications and interpretations, which may be inconsistent or in conflict among jurisdictions. Preparing for and complying with these obligations requires us to devote significant resources. These obligations may also necessitate changes to our information technologies, systems and practices and those of any third parties that process personal data on our behalf. We may at times fail, or be perceived to have failed, in our efforts to comply with our data privacy and security obligations. Moreover, despite our efforts, our personnel or third parties upon which we rely may fail to comply with such obligations, which could negatively impact our business operations and compliance posture.
Any failure or alleged failure (including as a result of deficiencies in our policies, procedures or measures relating to privacy, data security, marketing or communications) by us or our third-party partners to comply with laws, regulations, policies, legal or contractual obligations, industry standards or regulatory guidance relating to privacy or data security, may result in significant consequences. These consequences may include, but are not limited to, governmental enforcement actions (e.g., investigations, fines, penalties, audits, inspections, and similar), litigation (including class action claims) and mass arbitration demands, additional reporting requirements and/or oversight, bans or restrictions on processing personal data, orders to destroy or not use personal data, civil and criminal liability and imprisonment of company officials. In particular, plaintiffs have become increasingly more active in bringing privacy-related claims against companies, including class claims and mass arbitration demands. Some of these claims allow for the recovery of statutory damages on a per violation basis, and, if viable, carry the potential for monumental statutory damages, depending on the volume of data and the number of violations. Any of these events could have a material adverse effect on our reputation, business or financial condition, including but not limited to interruptions or stoppages in business operations (including clinical trials), inability to process personal data or to operate in certain jurisdictions, limited ability to develop or commercialize our products, expenditure of time and resources to defend any claim or inquiry or revision or restructuring of our operations.
Additionally, our employees and personnel may use generative artificial intelligence, or AI, technologies to perform their work, and the disclosure and use of personal data in generative AI technologies is subject to various privacy laws and other privacy obligations. Governments have passed and are likely to pass additional laws regulating generative AI. Our use of this technology may result in additional compliance costs, regulatory investigations and actions and lawsuits. If we are unable to use generative AI, it could make our business less efficient and result in competitive disadvantages. We use AI to assist us in making certain decisions, which is regulated by certain privacy laws. Due to inaccuracies or flaws in the inputs, outputs or logic of the AI, the model could be biased and could lead us to make decisions that could bias certain individuals or classes of individuals, and adversely impact their rights, employment and ability to obtain certain pricing, products, services or benefits.