Rising inflation rates have increased our operating costs and could negatively impact our operations.
In addition, inflation rates, particularly in the United States, have increased recently to levels not seen in decades. Increased inflation has resulted in increased operating costs (including our labor costs), and may result in reduced liquidity, and limitations on our ability to access capital, including by raising debt and equity capital. In addition, the United States Federal Reserve has raised, and is expected to again raise, interest rates in response to concerns about inflation. Increases in interest rates, especially if coupled with reduced government spending and volatility in financial markets, may further increase economic uncertainty and heighten these risks.
We may incur substantial costs in our efforts to comply with evolving global data protection laws and regulations, and any failure or perceived failure by us to comply with such laws and regulations may harm our business and operations.
The global data protection landscape is rapidly evolving, and we may be or become subject to or affected by numerous federal, state and foreign laws and regulations, as well as regulatory guidance, governing the collection, use, disclosure, transfer, security and processing of personal data, such as information that we collect about participants and healthcare providers in connection with clinical trials.
Implementation standards and enforcement practices are likely to remain uncertain for the foreseeable future, which may (i) create uncertainty in our business, (ii) affect our or our service providers’ ability to operate in certain jurisdictions or to collect, store, transfer use and share personal data, (iii) result in liability or (iv) impose additional compliance or other costs on us. Any failure or perceived failure by us to comply with federal, state, or foreign laws or self-regulatory standards could result in negative publicity, diversion of management time and effort, or proceedings against us by governmental entities or others. California passed the California Data Privacy Protection Act of 2018, or the CCPA, which went into effect in January 2020. The CCPA provides new data privacy rights for consumers and new operational requirements for companies, which may increase our compliance costs and potential liability. The CCPA gives California residents expanded rights to access and delete their personal information, opt out of certain personal information sharing, and receive detailed information about how their personal information is used. The CCPA provides for civil penalties for violations, as well as for private rights of action for certain data breaches that result in the loss of personal information. While there is currently an exception for protected health information that is subject to HIPAA and clinical trial regulations, as currently written, the CCPA may impact certain of our business activities. The CCPA may lead to similar laws in other U.S. states or at a national level, which could increase our potential liability and adversely affect our business.
In addition to our operations in the United States, which may be subject to healthcare and other laws relating to the privacy and security of health information and other personal information, if we establish operations or conduct clinical trials in Europe, we will be subject to European data privacy laws, regulations and guidelines. The General Data Protection Regulation, (EU) 2016/679, or GDPR, became effective on May 25, 2018, and deals with the collection, use, storage, disclosure, transfer, or other processing of personal data, including personal health data, regarding individuals in the European Economic Area, or EEA. The GDPR imposes a broad range of strict requirements on companies subject to the GDPR, including requirements relating to having legal bases for processing personal information relating to identifiable individuals and transferring such information outside the EEA, including to the United States, providing details to those individuals regarding the processing of their personal health and other sensitive data, obtaining consent of the individuals to whom the personal data relates, keeping personal information secure, having data processing agreements with third-parties who process personal information, responding to individuals’ requests to exercise their rights in respect of their personal information, reporting security breaches involving personal data to the competent national data protection authority and affected individuals, appointing data protection officers, conducting data protection impact assessments, and record-keeping. The GDPR increases substantially the penalties to which we could be subject in the event of any non-compliance, including fines of up to €10 million or up to 2% of our total worldwide annual turnover for certain comparatively minor offenses, or up to €20 million or up to 4% of our total worldwide annual turnover (i.e., revenues), whichever is greater, for more serious offenses. The GDPR also confers a private right of action on data subjects and consumer associations to lodge complaints with supervisory authorities, seek judicial remedies, and obtain compensation for damages resulting from violations of the GDPR. In addition, the GDPR includes restrictions on cross-border data transfers.
Further, national laws of member states of the EU are in the process of being adapted to the requirements under the GDPR, possibly implementing national laws which may partially deviate from the GDPR and impose different obligations from country to country. As a result, we do not expect to operate in a uniform legal landscape in the EEA. Also, as it relates to processing and transfer of genetic data, the GDPR specifically allows national laws to impose additional and more specific requirements or restrictions. European laws have historically differed quite substantially in this field, leading to additional uncertainty. The U.K.’s decision to leave