certain non-U.S. nationals, of information products classified for national security purposes, as well as certain products, technology and technical data relating to those products. If we expand our presence outside of the U.S., it will require us to dedicate additional resources to comply with these laws, and these laws may preclude us from developing, manufacturing, or selling certain products and product candidates outside of the U.S., which could limit our growth potential and increase our development costs.
The failure to comply with laws governing international business practices may result in substantial civil and criminal penalties and suspension or debarment from government contracting.
We may incur substantial costs in our efforts to comply with evolving global data protection laws and regulations, and any failure or perceived failure by us to comply with such laws and regulations may harm our business and operations.
The global data protection landscape is rapidly evolving, and we may be or become subject to or affected by numerous federal, state and foreign laws and regulations, as well as regulatory guidance, governing the collection, use, disclosure, transfer, security and processing of personal data, such as information that we collect about participants and healthcare providers in connection with clinical trials. Implementation standards and enforcement practices are likely to remain uncertain for the foreseeable future, which may create uncertainty in our business, affect our or our service providers’ ability to operate in certain jurisdictions or to collect, store, transfer, use and share personal data, result in liability or impose additional compliance or other costs on us. Any failure or perceived failure by us to comply with federal, state, or foreign laws or self-regulatory standards could result in negative publicity, diversion of management time and effort and proceedings against us by governmental entities or others.
In addition to our operations in the U.S. and our ongoing Phase 1b trial of LTI-03 in IPF patients in the UK, E.U. and Australia, which may be subject to healthcare and other laws relating to the privacy and security of health information and other personal information, we may seek to conduct clinical trials in the EEA and may become subject to additional European data protection laws, regulations and guidelines. The General Data Protection Regulation, (EU) 2016/679, or GDPR, became effective on May 25, 2018, and deals with the collection, use, storage, disclosure, transfer, or other processing of personal data, including personal health data, regarding individuals in the EEA. The GDPR imposes a broad range of strict requirements on companies subject to the GDPR, including requirements relating to having legal bases for processing personal information relating to identifiable individuals and transferring such information outside the EEA, including to the U.S., providing details to those individuals regarding the processing of their personal health and other sensitive data, obtaining consent to certain processing activities from the individuals to whom the personal data relates, keeping personal data secure, having data processing agreements with third parties who process personal data, responding to individuals’ requests to exercise their rights in respect of their personal data, reporting security breaches involving personal data to the competent national data protection authority and affected individuals, appointing data protection officers, conducting data protection impact assessments, and record-keeping. 
The GDPR provides for substantial penalties to which we could be subject in the event of any non-compliance, including fines of up to 10,000,000 Euros or up to two percent of our total worldwide annual revenues, whichever is greater, for certain comparatively minor offenses, or up to 20,000,000 Euros or up to four percent of our total worldwide annual revenues, whichever is greater, for more serious offenses. The GDPR also confers a private right of action on data subjects and consumer associations to lodge complaints with supervisory authorities, seek judicial remedies, and obtain compensation for damages resulting from violations of the GDPR. In addition, the GDPR includes restrictions on cross-border data transfers, and recent court decisions and regulatory guidance have substantially increased the compliance burden and legal uncertainty associated with transferring the personal data of EEA individuals to third countries outside of the EEA whose data protection laws are not believed to be adequate by European standards (although the recent EU-US Data Privacy Framework offers a new route for data transfers from the EU to be made lawfully to the US).
Further, the GDPR provides for opening clauses in certain areas, which enable the legislators of member states of the EU to implement additional requirements to the GDPR in national law, whereby national laws may partially deviate from the GDPR and impose different obligations from country to country, so that we do not expect to operate in a uniform legal landscape in the EEA.
Also, as it relates to processing and transfer of genetic, biometric and health data, the GDPR specifically allows national laws to impose additional and more specific requirements or restrictions, and European laws have historically