Connected medical devices are used to assist with diagnosing, monitoring or treating a medical condition and thereby facilitate the remote management of a medical condition by healthcare professionals. Such medical devices collect, process and transfer health data to other devices, applications or wearables, which is then stored on a cloud and/or a platform.
It does not cause surprise that data processed by connected medical devices is subject to the General Data Protection Regulation (the GDPR). The GDPR indeed regulates the processing of health data and imposes specific collection and processing obligations. The European Commission has recently tabled legislative proposals which impose additional obligations on the use of health data, including (i) the European Health Data Space (the EHDS), (ii) the Data Act and (iii) the Artificial Intelligence Act. In addition, the reviewed horizontal block exemption guidelines add antitrust considerations to such data exchanges. We discuss below how this draft legislation impacts medical device companies.
The EHDS: facilitating the secondary use of health data?
While the GDPR allows the use of health data for among others research purposes, occupational and preventive medicine and public interest in the area of health, the European Commission notes in the EHDS proposal its “uneven implementation and interpretation”, leading to “barriers to the secondary use of electronic health data”. One of the key objectives of the EHDS is thus to facilitate the reuse of electronic health data for specific purposes, such as research and development activities related to health, training of AI algorithms for health applications and providing healthcare, subject to a few limitations. To enable such reuse, the EHDS requires data holders to make data collected and generated by their devices available for secondary use. This is a major change as there is currently no obligation for medical devices companies to make their data available (other than to the regulator). If adopted, the EDHS will require medical device companies to make such data available if requested by third parties directly or via “health data access bodies” to be established at national level. This also means that medical device companies can in certain limited circumstances request access to specific electronic health data owned by third parties for their own research and development.
The EHDS is still to be discussed and approved by the European Parliament and the Council before adoption.
The Data Act: broadening the access to and sharing of data
The Data Act regulates amongst other things the sharing of data generated by medical devices. The current proposal provides that data holders should inform data users of their rights (including access rights and rights to have their data shared with third parties). This may apply, for example, if patients wish to centralise their medical data on one single app independent from their medical device company. Patients may thus request that the data generated by their device is shared with an independent app provider, and the data holder will not be able to refuse access to the app provider. This means that a medical device company may have to grant access to data generated by its devices to third parties (including also app developers and competitors). The current draft proposal also prohibits exclusive data sharing and access, and includes provisions on unfair contractual terms, ie any exclusion of liability or lack of remedy imposed unilaterally by a data holder on a SME will be deemed unfair and thus prohibited.
The Data Act is set to enter trilogue negotiations between the European Parliament and the Council before adoption.
The AI Act: additional compliance obligations
The draft AI Act may also increase compliance duties with respect to medical AI solutions qualifying as a medical device (in addition to the currently already existing data obligations under the Medical Devices Regulation). The draft AI Act indeed classifies medical devices as “high-risk” AI systems. Among the obligations imposed on high-risk AI system companies, some relate to data, in particular with respect to training, validating and testing data. As such, companies will have to, amongst other things, put in place governance and management practices regarding the training, validation and testing of data; ensure such data are relevant, representative, free of error and complete; and if applicable, consider characteristics or elements particular to specific geographical, behavioural or functional settings in which the system is intended to be used. The European Parliament is expected to vote on the AI Act in May 2023, after which trilogue negotiations between the Council and the Parliament will take place before the final AI Act adopted.
The Horizontal Guidelines: data exchanges can have potential anticompetitive effects
Finally, the Horizontal Guidelines, part of the revised Horizontal Block Exemption (the HBER) provide that information exchanges between actual or potential competitors at the same level of the supply chain could have anticompetitive effects. While the Guidelines provide criteria to assess such potential anticompetitive effects (i.e. the nature of the data, the characteristics of the exchange and the market characteristics), it will be important to review how such criteria will be implemented. The revised HBER was expected to enter into force in January 2023, but has been delayed until July 2023.
Outlook
While most of this legislation still is in draft form, it is likely that new obligations concerning data sharing, data use and data management will apply to medical device companies. Examples include “opening up” the data (Data Act), imposing additional administrative measures to access electronic health data for R&D (EHDS), and strengthening and further regulating the development of AI systems (AI Act). A layer of antitrust considerations may also become applicable when it comes to data transfers. It also remains to be seen how such proposals – if adopted – will fit within the existing regulatory framework governing medical devices, for example with respect to safety and performance requirements of the device. Indeed, medical devices are not always designed to automatically enable sharing health data with any third party (as per the EHDS and the Data Act), and adaptations to medical devices to make such sharing possible could lead to safety or performance issues.
