Proposal to manage IVDR

It had been in the works for some time, although for quite some time it also seemed unlikely that this would happen. The implementation of the IVDR had been the slow, neglected little sister of the MDR implementation, with greatly insufficient notified body capacity becoming available and crucial elements of regulatory infrastructure (like the reference labs) still missing.

The MDCG published the Joint Implementation Plan for the IVDR in which it stated that there were serious issues with the IVDR that needed resolution.

Then, at the EPSCO Council of 15 June 2021, the Council requested the Commission to prepare a legislative solution to deal with the problems plaguing the IVDR. The European Parliament also asked for a solution.

After an assessment of data on market readiness collected by the European Commission during the first half of 2021, the Commission concluded that Member States, health institutions, notified bodies and economic operators will not be in a position to ensure the proper implementation and application of the Regulation from 26 May 2022.

Now the proposal has been made public.

Let’s take a closer look at the proposal and see what we can say at this stage:

Is the proposal the anticipated “delay”?

Many have been hoping for a ‘delay’, often without being very clear about what they hoped that delay would look like. The proposal is not a delay (the date of application of the IVDR does not change – it remains 26 May 2022), but something much more sophisticated and certainly not a one size fits all solution. The proposal does not simply move the date of application by one year as happened with the MDR (although there were additional tweaks with the MDR too). Given:

“the limited notified body capacity, the number of devices that need to undergo a conformity assessment involving a notified body should be spread over a longer period, allowing for a gradual phase-in of the new Regulation’s requirements while prioritising high-risk in vitro diagnostics. This can be achieved by amending Article 110 of the Regulation on transitional provisions, providing a period for existing higher risk class devices that is shorter than the one for existing lower risk class devices. At the same time, the existing transitional period for devices covered by notified body certificates issued under Directive 98/79/EC should be extended by 1 year until 26 May 2025. This will avoid that the transitional periods under Regulation (EU) 2017/745 and Regulation (EU) 2017/746 end at the same time and lessen the strain on Member States’ competent authorities, notified bodies, manufacturers, health institutions and other actors who deal with both medical devices and in vitro diagnostics.”

Proposal, p.4

Accordingly, the proposal is a combination of measures:

  • IVDR risk class based phase-in (much like happened under the December 2019 MDR corrigendum for up-classified class I devices); and
  • moving the backstop date of the IVDR grace period (to “lessen the strain on Member States’ competent authorities, notified bodies, manufacturers, health institutions and other actors who deal with both medical devices and in vitro diagnostics”, Proposal, p. 4).

These changes are made in article 110 IVDR, the article that sets out the transitional regime. If you apply track changes to the text of article 110 (2) – (4) IVDR as the proposal amends it, this looks as follows:

Tracked changes overview of amendments proposed to Article 110 (2) – (4) IVDR

No provisions seem to be made for ‘normal’ class A devices (only for sterile ones), which means that the date of application is set in stone at 26 May 2022 for normal class A devices, for example the lab instruments. Special categories of devices, such as companion diagnostics, seem to be addressed in the proposal by their risk class (which would be C for companion diagnostics).

As said, and as you will have seen, the proposal is not a one size fits all solution. This means that every IVD company (manufacturers, but also importers and distributors, see below under legacy devices) will need to check for each of its IVDs in which class it will end up, in order to see what the consequences of the proposal are (provided that the proposal is not altered in the legislative procedure, of course). This means that you get to work with the MDCG IVDR classification guidance, which has been described in a lot of detail in the annotation of Annex VIII of the IVDR in my book The Enriched MDR and IVDR.

Legacy devices under IVDR

The result of the proposal is that, unlike what was originally intended under the IVDR, there will now be a pretty large group of legacy devices on the market that will need to apply certain parts of the IVDR already as per the date of application. The parts of the IVDR that have to be applied to legacy devices will be bigger than is evident at first sight, because an MDCG task force has issued an internal document in September stating that legacy devices under the MDR are also subject to, for example, most parts of article 13 (importers) and 14 (distributors) MDR, which means that the same will apply for the IVDR. Unfortunately this document is not public (yet). It will however serve as input for other MDCG guidance, such as (I would expect) the impending MDCG guidance Q&A on importers and distributors.

While the document does not explicitly address the IVDR, it would not be logical if it did not apply to the IVDR in the same way, since the economic operator provisions are identical and supposed to be interpreted the same. So, if you were betting on your legacy devices being out of scope of the economic operator provisions of the MDR and IVDR, think again.

As I have seen with the MDR, manufacturers of legacy devices have found it very difficult to apply the parts of the MDR QMS mandated by article 120 (3), which the amended article 110 (3) IVDR would likewise impose:

“the requirements of this Regulation relating to post-market surveillance, market surveillance, vigilance, registration of economic operators and of devices shall apply to devices referred to in the first, second and third subparagraph instead of the corresponding requirements in Directive 98/79/EC”.

Article 110 (3) IVDR

In addition, the legacy devices cannot undergo any significant changes until they are IVDR CE marked (see the MDCG guidance for the MDR on significant changes, not yet ported to the IVDR – MDCG?). This means a lot more than most people think. For example, you will not be able to do important software upgrades to a software IVD device, as this will almost always trigger a significant change. If you implement your merger or acquisition wrong, you may well trigger a significant change that invalidates the commercial rationale for the merger or acquisition. If you think you are buying an IVD company with legacy devices and the seller advertises that the company will implement important upgrades to their legacy devices in the coming years, this will likely not be possible due to the significant change restrictions, so buyer beware!

In-house produced devices

The Commission proposes more time to transition for the in-house produced devices regime under article 5 (5) IVDR:

“As, since its outbreak, many health institutions, in particular hospitals, have had to focus all their efforts on dealing with COVID-19, the Commission proposes to also introduce a transitional period for the requirements for devices manufactured and used within the same health institution (‘in-house devices’). This will give health institutions extra time to comply with the new requirements and ensure that in-house tests, which are often essential –especially for rare diseases, can continue to be developed in clinical laboratories.”

Proposal, p. 3

This extra time is implemented by changing Article 113(3) IVDR, the article that manages which provisions apply at a later date, by adding points (i) and (j):

  • ‘Article 5(5), points (b), (c) and (e) to (i), shall apply from 26 May 2024;
  • Article 5(5), point (d), shall apply from 26 May 2028.’

In non-lawyers’ language this means that most of the points of article 5 (5) are delayed until 26 May 2024 and one until 2028, but not all of them! Article 5 (5) (a) will apply immediately as of the date of application of 26 May 2022:

  • (a) the devices are not transferred to another legal entity;

This means that, while health institutions do not have to have technical documentation and a suitable QMS ready for in-house devices by the date of application, the first restriction on in-house devices is a fact by 26 May 2022: no more transferring to another legal entity.

Preliminary discussion

Personally I still think it is surprising how long it took the MDCG, the Council and the Commission to arrive at the conclusion that the IVDR was in dire straits, heading to a situation of creating significant collateral damage in the transition. I have also marveled at how badly prepared health institutions have consistently been for the IVDR and how hard it has been for them to come to grips with being directly regulated under the MDR and the IVDR.

The proposal will now need to take its time to go through the legislative procedure, which is normally a process of at least a year. However, as we have seen with the MDR delay proposal last year, this can go a lot faster with the right amount of political alignment having taken place beforehand (two and a half months, give or take). The question is of course whether the political alignment is there. While the European Parliament has asked for a ‘delay’, this may not be exactly what they had been looking for. Also, the European Parliament had felt kind of ambushed with the MDR delay situation, and expressed a wish to have more time the next time around (which is this time). This defines the window as anything between two and a half months from now and the date of application of the IVDR.

Will this proposal, if it makes it into law, save the IVDR’s transition?

It will, first of all, depend on critical infrastructure being delivered on time. Eudamed is still a tricky headache, even if modest steps are being made and more modules are available on a voluntary basis now (devices and certificates come online at the beginning of October). The current experience is with the MDR, but the IVDR is still somewhat different, so there are lots of new issues to discover. It would help if sufficient reference lab capacity were available in time. There is still a lack of guidance on the IVDR, although a lot of the MDR guidance can be leveraged to understand similar mechanisms in the IVDR (I have made convenient comparison tables for this in my book).

Secondly, a necessary condition is that the IVDR does not fall into the same trap as the MDR: a huge pile-up of legacy devices at the end of the transitional period, which has a good chance of not making it to a regulation certificate because of lack of capacity. See the Team-NB position paper on expiring certificates, which shows the huge bulge at the end of the grace period:

Position paper: Directives expiring certificates (Team-NB)

The staggered phase-in of IVDs by class will hopefully make somewhat of a difference for the IVDR, but in the end it depends on when the notified body capacity is available. As we have seen with the MDR, you cannot kick the can down the road and then bet on sufficient capacity being available later – which is precisely what happened for the MDR. And now the question is whether the system can pass this huge stone without too much collateral damage.

Thirdly, more notified body capacity is needed than there currently is. There is nothing that this proposal does to improve this. This capacity will not only need to be able to deal with the enormous number of manufacturers that have never dealt with a notified body before (and will make every time consuming mistake in the book), but also with new manufacturers coming to the market with new products. I personally see in my practice for the MDR and IVDR at this moment that new manufacturers (especially the small and medium sized ones) needing a notified body basically have very little chance of getting on board at a notified body, impacting their time to market.

So, early days to say if this proposal will save the day. It will really depend on whether the MDCG, the Commission and the Member States will put the necessary resources on the table to make the transition a success, and whether industry and health institutions will also commit the resources to understand and apply the rules in time. Rules without resources are basically wishful thinking.

Can you drop preparation and sit on your hands now as a manufacturer? Better not: this is a proposal – it may not make it. If not, you will be faced with the current implementation schedule. So continue on your timelines for the moment. If you are an importer or distributor of legacy IVD devices, start learning, because you will have a role to play in the system as well.

Happy MDR DoA and Swixit / noTurkxit day!

As they say: this is the first day of the rest of your life, and in a way it is. The MDD is dead, long live the MDR!

The (AI)MDD is no more now, but is it?

Three important events happened today that are all relevant to this question: the MDR became applicable; the Swixit that seemed to be entirely avoidable happened anyway, with the Swiss throwing their medical devices industry under the bus by walking out on the last minute negotiations to avoid a really hard Swixit (my impression of the chain of events); and, mysteriously, Turkxit did not happen.

Net result: we have a newly applicable MDR, for a smaller Union (minus Switzerland), and the (AI)MDD is still around.

MDR applicable

With the MDR becoming applicable we have now entered the period that many people call the ‘grace period’, which may turn out to be a period of fierce grace to many, during which the MDD and the MDR will actually co-exist for several years to come, much like the Siamese twin monster from Sesame Street. Notified bodies that are not notified anymore for the directives still remain alive for surveillance of these certificates, and these devices may not be subjected to a significant change, as that will lead to termination of the certificate.

During this period, it is crucial for every economic operator dealing with the MDR to understand the legalese part in the back of the MDR: articles 120-123.

Article 120 (3) MDR, as the heading of article 120 suggests, provides for transitional provisions. These apply to devices that have a CE certificate under the AIMDD and the MDD with a validity beyond the date of application of the MDR, or a declaration of conformity for a device that would need a notified body assessment under the MDR. All other devices must be fully compliant with the MDR as of today.

Article 120 (3) MDR provides that these devices may ride out the CE certificate or declaration of conformity, provided that the manufacturer already implements certain elements of the MDR: post-market surveillance, market surveillance, vigilance, registration of economic operators and of devices, in place of the corresponding requirements of the Directives. Article 120 (3) is silent on what the manufacturer needs to do with all the additional elements of the MDR, such as the importer and distributor requirements in articles 13 and 14, the PRRC and the implant card in article 18.

One way to look at it is to say that article 120 (3) intends to create a self-contained bubble of an exemption regime for legacy devices within the universe of the MDR, valid between the date of application and 26 May 2024, but this is not unambiguously stated in the text of the MDR – a kind of space/time anomaly as we know from Star Trek, in which normal rules of MDR physics do not apply.

Another way to look at it is to say that what is not delayed, is not delayed. Article 123 MDR governs the entry into force and date of application of (parts of) the MDR. Notably, article 123 (3) contains a list of derogations from the principle that everything in the MDR is applicable as of 26 May 2021. Some articles referred to in article 123 (3) apply before that date (e.g. the articles on national authorities for the MDR and the formation of the MDCG) while others are deferred to later dates, notably article 123 (3) (d), which delays application of everything to do with Eudamed until a later date now that Eudamed is not fully functional before 26 May 2021. Since article 123 (3) is the exemption to everything applying as of 26 May 2021, one must assume that everything not delayed under article 123 (3) is not delayed. The provisions not delayed include articles 13 – 18 MDR, as these are not mentioned in article 123 (3).

If you’d like more detail, check out this podcast in which I discuss these options with Gert Bos.

Given these two seemingly conflicting theories, how can a manufacturer reconcile his obligations for legacy devices?

There are two options.

The first option is to treat article 120 (3) as a self-contained regime within the MDR (the space/time anomaly theory), in which the old provisions of the Directives continue to apply, plus only the MDR elements explicitly mentioned in article 120 (3), imprecisely as these are described there. This option requires that the manufacturer is able to run parallel QMSes for legacy and MDR products for as long as he still places legacy devices on the Union market. Also, it requires that his supply chain can tell legacy devices and MDR devices apart and treats them differently, because in the space/time anomaly articles 13 (importers), 14 (distributors) and 25 (traceability of devices) do not apply, but the obligations for registration of devices and economic operators do (see article 120 (3)). You can imagine that this is not for everyone and that many manufacturers that I know choose to just not make this difference.

The second option is to adopt the not delayed MDR obligations ‘early’ and also adopt the MDR elements that are not explicitly mentioned in article 120 (3) but which are also not delayed under article 123 (3) and which are not relevant to MDR conformity assessment only – remember, you don’t have to redo conformity assessment for a legacy device. This allows the manufacturer to transition to a single QMS for all devices, which will not only be practical internally but also for the supply chain. This is also the position adopted by several competent authorities and is supported by recital 98 of the MDR. Recital 98 states that the Directives should be repealed to ensure that only one set of rules applies to the placing of medical devices on the market and the related aspects covered by this Regulation. Of course you could still argue that this one set then makes an exemption for legacy devices, creating the space/time anomaly – but still I think this is not the most logical interpretation.

Which one to choose? I know that this has still not been decided upon in guidance (none of the legacy devices guidance documents addresses this, only registration in Eudamed, see here and here) and that there are different schools of thought on this subject.

The authorities that I spoke with seem to favor option 2 and this is also the option that I think is the more logical of the two.

Swixit

The last couple of days were a wild ride: the Commission and the Swiss were negotiating about an amendment to the Mutual Recognition Agreement (MRA) to avert the worst consequences of Swixit, and the Swiss walked out of these negotiations at the very last day (my impression of events). The more nuanced version of the Commission:

“However, and although we do not expect potential disruptions in the health sector during the COVID-19 pandemic, on 30 March 2021 the EU proposed to Switzerland as a precautionary measure a limited modification of the medical devices chapter of the MRA providing for a transitional validity period for existing devices with Swiss certificates until 26 May 2024 (at the latest) and the same transitional validity for certificates issued in the EU. Despite consistent efforts and EU readiness to conclude such a transitional arrangement, the proposed modification was not agreed ahead of 26 May 2021.

As a result, until a potential agreement on the proposed modification to the MRA is reached, the trade facilitating effects of the MRA for medical devices, including the mutual recognition of conformity assessment results, the absence of the need for an authorised representative and the alignment of technical regulations, cease to apply as from today Wednesday 26 May 2021.”

In other words, remember Brexit? Yep, this is similar, except limited to the devices regulatory framework. For the moment, that is, because absent a comprehensive agreement for Switzerland’s relationship with the EU (the Institutional Framework Agreement: process started in 2014, agreement reached in 2019 and Switzerland refusing to implement it ever since – sounds like Brexit, no?) the EU will push Switzerland out of the internal market one MRA at a time, by refusing to renew every MRA that expires because the legislation subject to the MRA changes.

Consequences please! Oh yeah, see this stakeholder notice for that:

  • For all new devices, Swiss manufacturers will be treated as any other third country manufacturer intending to place their devices on the EU market. In particular, new Swiss medium and high-risk devices must be certified by conformity assessment bodies established within the EU.
  • Existing certificates issued under the MRA by conformity assessment bodies established in Switzerland will no longer be recognised as valid in the EU.
  • For existing certificates issued under the MRA by conformity assessment bodies established in the EU, Swiss manufacturers and third country manufacturers whose authorised representative was previously established in Switzerland, must designate an authorised representative established in the EU.
  • On 19 May 2021, the Swiss Federal Council adopted an amendment to the Swiss Ordinance on Medical Devices establishing conditions for trade of medical devices covered by EU issued certificates on the Swiss market. This includes the recognition of existing certificates issued under the MRA by conformity assessment bodies established in the EU and transitional timelines for the designation of a representative in Switzerland for EU/EEA manufacturers of medical devices.

Market participants (e.g. affected manufacturers, EU importers and distributors, authorised representatives) as well as EU market surveillance and customs authorities in Member States must now:

  • (since existing certificates issued under the MRA by conformity assessment bodies established in Switzerland will no longer be recognised as valid in the EU as of 26 May 2021) ensure that medical devices are certified by an EU conformity assessment body where such certification is required on the basis of the applicable conformity assessment procedure;
  • ensure compliance with the requirements for economic operators, in particular the need for an EU authorised representative;
  • comply with the requirements on registration and labelling of products.

And this is not all, just what the Commission can tell us today. More consequences still potentially to follow.

No Turkxit

There is basically no public information about Turkxit having been averted for devices, but I can tell you that the Commission informed the member states that the last steps that were needed to solve the ‘personal data protection issue’ have now formally been taken, and that Turkey continues to be treated as a Union member state for the purposes of the MDR and IVDR.

This will likely have everything to do with Turkey having access to all the personal data in Eudamed, but we will need to see this confirmed in public communication – developing story as they would say in the press.

Turkey had its MDR and IVDR legislation ready to go, and is now a continued valued member of the Union market in which devices can freely circulate once placed on the market lawfully.

Onwards and upwards

Are we discouraged by all this complexity? Of course not.

We have now gone through the looking glass of the MDR, and have found ourselves in the wondrous universe of the MDR that we will need to work with for the coming decades, saying “Curiouser and curiouser!” and sometimes believing as many as six impossible things before breakfast – we may even be agreeing that we’re all mad here.

Personally I’m with the Dodo, who said that “the best way to explain it is to do it.” Onwards and upwards!

The Enriched MDR and IVDR – finally available

Finally and just in time for the date of application of the MDR: here it is, the book that I’ve been working on for a long long time.

It turns out that writing books while having a more than full-time job running a law firm and being a busy lawyer is a bit of a challenge.

I chose not to do this via a publisher but rather self-publish because in my long career as a publishing legal writer I have been consistently underwhelmed and sometimes badly disappointed by what a publisher does for an author (the good people at RAPS being the positive exception by the way). 

But here we are now and there you have it: the first book that I am aware of about the MDR and IVDR that contains this degree of commentary on the entire MDR and IVDR at state of the art around the date of application of the MDR, available as a stamped PDF (like when you buy an ISO standard) or as an ePub format eBook that you will be able to read on your tablet of choice with basically every e-reader software. I recommend using a good quality tablet with a color screen to read the book, because it has nice colors and high resolution flow charts and diagrams in it.

An esthetically pleasing tool

The book is set up as claimed in the title (intended purpose, right?): it’s an enriched version of the MDR and IVDR texts in that it provides:

  • An introductory chapter describing the history of the medical devices directives and EU medical devices policy, explains why the MDR and IVDR turned out the way they did and discusses them on a high level (part 1);
  • The current text of the MDR including annexes, with comments on an article by article and clause by clause basis for both the regulation and the annexes (not all articles and clauses have been commented on yet, but this will grow over time). All implementing acts, MDCG and CAMD guidance, European Court medical devices case law and a lot of notified body and branch association guidance are discussed in the context of the articles and clauses of the MDR (part 2);
  • Same for the IVDR (part 3);
  • A section with sources of reference materials, helpful for staying informed and finding further information (part 4); and
  • A section with a number of useful tables, such as a comparison table between the MDR and IVDR (so the IVD industry readers can easily see which wheels have already been invented in the general devices world) and a comparison table between the clinical investigation provisions in the MDR and the Clinical Trials Regulation (since the legislator’s intent was that they should align to a high degree) (part 5). 

I’ve tried to write this book as a tool that I like to use in daily practice myself, and not as a pretty paperweight.

This is why I decided to go digital only for the moment and make the book easy to navigate with crosslinks from the table of content to every article in the MDR and IVDR and make as much content as possible on the internet directly accessible from the book as URLs, so you can quickly get to the underlying sources. Of course this can be improved and it will be in future editions.

Since it is all digital text, it’s full text searchable! Very convenient compared to paper books.

The last argument against paper (I’ve looked into print-to-order possibilities) is that the book would become prohibitively expensive if you want a book of nearly 1200 pages (the PDF version) printed and bound in a good quality that can take a beating in daily use. However, if there is a big ask for paper versions, I can explore a paper option.

Most legal and regulatory books are intensely boring, not very appealing to look at and underwhelming from a design perspective. I wanted something different and more appealing, so I’ve invested in a specific design language for the book. My law firm’s designer Hamid Sallali (http://thisishamid.com) did a great job on the design and coached me through the development process with a lot of patience and humor – if you need great digital graphic design he’s your man. I believe that a book should be esthetically pleasing and easy on the eyes. For that reason we have paid extra attention to layout, with a non-standard and beautiful font that is specifically easy to read on a screen, good quality images in colour and appealing design elements for separator pages.

Of course there are still things that can be improved, and they will be in later editions. Please send any feedback to erik.vollebregt@axonlawyers.com.

Kudos!

No person is an island, and neither am I. This book was proofread at various stages of completion by a group of people that I hold in high regard in the medical devices field: Sabina Hoekstra-Van den Bosch, Amélie Chollet, Kees Macquelin, Bassil Akra and Ronald Boumans.

They each provided very valuable input and useful different perspectives, in a purely personal capacity. All remaining mistakes and inaccuracies are my own, of course.

And then there is the contribution of two other people that I have the privilege of working with on a daily basis: my awesome colleague Cécile van der Heijden who was instrumental for the data protection (GDPR) and clinical investigation entries and my fantastic paralegal Thijs Mooren who continuously helped tame the ever expanding manuscript, made sure that the right information ended up in the right place, made flowcharts and took care of all horizontal referencing between the MDR, IVDR and old directives and other features that make the book more usable and useful.

Developments and discounts

One of the advantages and disadvantages of a book is that it is fixed content: you can easily carry it around on your tablet or computer without need for connectivity, but it is fixed content. Please be mindful of this when using the book. The MDR and IVDR are still in full flux and there is a lot happening in the field of horizontal legislation, like Turkxit apparently having been averted in the last days before the DoA, Swixit still under hectic negotiation, the Market Surveillance Regulation becoming applicable as of 16 July, the proposal for the AI Regulation, the proposal for product liability class actions in the medical devices and IVD space, notified bodies being held liable for insufficient surveillance of manufacturers, revision of the GDPR and so on.

Documents on the internet may move, links may be broken (one of the reasons for delay of the book was that I had to correct a lot of links in footnotes that turned out not to be valid anymore). Even some new MDCG guidance became available in May 2021 that I was not able to process for the book anymore.

Accordingly, the book (while up to date as per beginning of April 2021) will not capture developments after that date.

A next edition will close that gap of course, and readers that buy this first edition in the first two months after the date of application of the MDR (so before 26 July 2021) will receive a discount code for a 20% discount that can be applied to their purchase of the second edition.

Competent authorities

If you are working for a competent authority or another public institution involved in the devices field, I know that you will probably not have any budget to buy flashy eBooks but may still be interested in this book.

If you think it would be useful to have this book for your work, please send me an email (erik.vollebregt@axonlawyers.com) and I will provide you with a copy for free.

Universities

If you are a university or other teaching institution and would like to include the book in your curriculum, that would be awesome! Send me an email and I will make sure that your students will get a good deal. 

Come and get it!

Oh, and finally – you can get the book here in PDF (to use on whatever PDF reader on any device that you like) and in ePub format (to use specifically on eReaders):

I hope that the book will be useful for you and that you’ll enjoy using it. If you like it, tell others – if you don’t, tell me.

The new EU AI regulation proposal, medical devices and IVDs

Now this is fun: at a time just before the date of application of the MDR when we do not even have harmonised standards for the new software requirements in Annex I, section 17 MDR and Annex I, section 16 IVDR, the Commission proposes new mandatory regulation to supplement the MDR and the IVDR that overlaps mostly with the MDR and IVDR.

Ladies and gentlemen, I give you the proposal for a regulation laying down harmonised rules on artificial intelligence (the Artificial Intelligence Act for short, or the AIA for even shorter).

This post is a first quick impression of the proposal, especially with respect to its effects in the medical devices and IVD space. It’s fairly long and winding, because I did not have time to write something more concise.

Background

Nobody wants to be left behind when it comes to AI and its regulation, and everybody still wants their jurisdiction to be attractive to innovation. The AIA is part of the EU’s artificial intelligence strategy that covers many aspects of AI, such as legal personality for artificial beings, liability, copyright and ethics for AI deployment and functioning.

The AIA is intended to underpin the risk and benefits aspects when deployed in the world, so as to ensure that AI remains trustworthy and in service of humans (‘human-centric’, as the proposal calls it), as well as operates within the boundaries of the law. In healthcare this would look like the proverbial holodoc AI from Star Trek Discovery (which show has, apart from the worst character ever developed in the Star Trek universe (Neelix), also epic characters such as Captain Janeway).

We knew that this proposal was coming, because the Commission had announced in its White Paper on AI that EU product legislation would be impacted, and mentioned medical devices regulation specifically in that context:

“The proposal sets harmonised rules for the development, placement on the market and use of AI systems in the Union following a proportionate risk-based approach. It proposes a single future-proof definition of AI. Certain particularly harmful AI practices are prohibited as contravening Union values, while specific restrictions and safeguards are proposed in relation to certain uses of remote biometric identification systems for the purpose of law enforcement. The proposal lays down a solid risk methodology to define “high-risk” AI systems that pose significant risks to the health and safety or fundamental rights of persons. Those AI systems will have to comply with a set of horizontal mandatory requirements for trustworthy AI and follow conformity assessment procedures before those systems can be placed on the Union market. Predictable, proportionate and clear obligations are also placed on providers and users of those systems to ensure safety and respect of existing legislation protecting fundamental rights throughout the whole AI systems’ lifecycle. For some specific AI systems, only minimum transparency obligations are proposed, in particular when chatbots or ‘deep fakes’ are used.” (P. 3 proposal)

Keywords of the proposal are ‘trust’, ‘safety’ and ‘human-centric’: 

“If AI is to be a tool for genuine public good, then the public must understand it. As well as promoting transparency and explainability, national governments and international bodies like the EU should be investing in skills. Not so we know the minutiae of how every AI application works but so we can trust, based on evidence, that its impact is positive.”

From EURACTIV: https://www.euractiv.com/section/digital/opinion/ai-rules-must-help-increase-public-trust/

As we have seen with other tools for genuine public good like vaccines, this will be a very hard sell to the public. The public is showing time and again that it is not very good at understanding even well-understood technology for good, often assisted in utter misguidedness by the very companies that stand to be regulated by this proposal (yes, you, Facebook, for example).

Also, as long as we have large data breaches in the news every day and companies hoarding data are evidently not doing this for the public good, this will be an even harder sell. 

All the sci-fi movies about evil AI that decides that its first post singularity to-do item is to rid the world of humanity have probably not helped very much either.

Finally, member states are generally totally lacking in teaching the skills humans need to understand the IT services that they consume (positive exception: the Finnish, who left the EU the Elements of AI course as a gift after the last Finnish presidency – that was a cool course to do and I enjoyed it, thanks very much!).

So, before I start picking this proposal apart to discuss how it could be improved, let me say that it is very difficult to put together a piece of horizontal legislation that is supposed to regulate very complex technology that few people really understand, and then regulate it in a way that its use produces net benefits for society. This regulation could be a project much like the GDPR (as you will read below it has a lot of overlaps with it), which was supposed to curb companies (like Facebook) that were not planning to do anything good for society at all, but rather use it as raw material for their own purposes. The difference with the GDPR is that the GDPR is very much principle-based regulation (requiring a lot of clarification in guidance and notoriously imprecise), whereas the AIA is essentially technical goods legislation, relying more on standards and conformity assessment (and probably still requiring a lot of guidance).

CE squared – two integrated overlapping conformity assessments

The AIA sets up a system of conformity assessment for artificial intelligence systems, which, given the definition of AI system, will almost always double as a medical device under the MDR if deployed for a medical intended purpose. The conformity assessment will also involve notified bodies, like under the MDR.

The ‘provider’ of an artificial intelligence system will also have post-market monitoring obligations to proactively collect and review experience gained from the use of AI systems they place on the market or put into service, for the purpose of identifying any need to immediately apply any necessary corrective or preventive actions, very much like PMS under the MDR.

The AIA prohibits certain AI practices that mainly have to do with transparency, but these do not seem to interfere with deployment in healthcare.

All software that qualifies as a medical device under the MDR, or medical devices running software with an AI component, will be classified as a high-risk AI system under the AIA because it is

“the product whose safety component is the AI system, or the AI system itself as a product”

covered by the MDR or the IVDR (article 6 (1) AIA). This definition seems to have been chosen with a concept of direct actuation in the human world (bad decision -> human interacting with product dead) but this definition ignores the indirect and more insidious effects of harm that we know from IVDs for example, that do not interact directly with a human. The definition of ‘safety component’ (“a component of a product or of a system which fulfils a safety function for that product or system or the failure or malfunctioning of which endangers the health and safety of persons or property”) does not seem to have been written with diagnostics firmly in mind, although you could say that a failure of an AI system interpreting IVD instrument data could endanger health of persons by means of generating false positives or false negatives which means that this would be covered. But what about AI systems deployed in drug discovery leading to ‘discovery’ of a medicinal compound with much more than necessary side effects? This is an entirely different degree of causality.

Anyway, medical devices / IVDs in scope of the MDR and IVDR will in basically all cases constitute high-risk AI systems in the meaning of the AIA. This means that they will be subject to, among other things, the requirements for:

  • Risk management system (similar to MDR and IVDR) (article 9)
  • Data governance and data management practices (similar to MDR/IVDR and GDPR) (article 10)
  • Technical documentation (similar to MDR/IVDR) (article 11)
  • Logging capabilities (similar to GDPR) (article 12)
  • Transparency and information to users (similar to GDPR) (article 13)
  • Human oversight requirements (similar to MDR/IVDR) (article 14)
  • Accuracy, robustness and cybersecurity (similar to MDR/IVDR and GDPR) (article 15)
  • Obligations very much like article 10 MDR/IVDR (device manufacturer obligations plus QMS) (articles 16 and 17)
  • Economic operator requirements (similar to MDR/IVDR) (articles 25 to 28)
  • MDR and IVDR PMS systems must integrate AIA PMS elements (article 61 (4))

The proposal mentions in the discussion of stakeholder input that

“several stakeholders warn the Commission to avoid duplication, conflicting obligations and overregulation”.

I think these stakeholders are right. While the AIA says in recital 85 that it is supposed to amend the MDR and the IVDR, it is quite hard to see where the actual amendments are in the avalanche of overlap, as indicated in the list above. Some measures are taken to avoid the worst of the overlap, such as the option to provide a single set of technical documentation for AI systems that are also devices in the meaning of the MDR and IVDR (article 11 (2)). Otherwise this remains quite the puzzle.

Article 24 AIA contains a strange overlap provision:

“Where a high-risk AI system related to products to which the [MDR or IVDR ] apply, is placed on the market or put into service together with the product manufactured in accordance with those legal acts and under the name of the product manufacturer, the manufacturer of the product shall take the responsibility of the compliance of the AI system with this Regulation and, as far as the AI system is concerned, have the same obligations imposed by the present Regulation on the provider.”

This seems to be a kind of system / kit provision intended to manage exactly the cases caught under … systems and kit provisions already provided for under the MDR and IVDR. So more overlap, not necessarily consistent.

Article 43 (3) AIA manages overlap and conformity assessment in case of overlap, providing that AI systems that are devices or are part of a device can be assessed under the MDR or IVDR conformity assessment procedure, with some AIA extras. This begs the question how that will work with notified bodies. Do they need accreditation under the AIA as well to do a full MDR or IVDR AI system / device assessment? Under what MDR / IVDR code would that notified body competence be covered? Would it be possible to split the device / AI system by having the AI part evaluated by an AIA notified body and the device part by an MDR / IVDR notified body? Or what if (theoretically) an MDD class I software device also needs to obtain an AIA certification before May 2024 – would that be a significant change in the meaning of article 120 (3) MDR? Interesting puzzle to figure out.

The AIA is not very clear about the result of conformity assessment under overlapping assessment and how this will be reflected in a final declaration of conformity. The result under the AIA would be an EU technical documentation certificate (article 44 AIA) which seems to be complementary to an MDR / IVDR certificate and, according to the MDR / IVDR, might be accounted for in a single declaration of conformity for the AI system under both regulations (AIA and your choice of MDR or IVDR) – see article 48 (3) AIA.

Article 63 (3) AIA provides that the MDR and IVDR competent authorities shall be market surveillance authorities for the AIA. This made me raise an eyebrow or two, as this solution is too ‘practical’ to be realistic. With the structural understaffing of Member States’ competent authorities for medical devices and IVDs as it is, it will be very interesting to see where they will get the expertise in AI needed for proper market surveillance and enforcement. This would require Member States to take medical devices more seriously as a policy area and invest in competent oversight with sufficient capacity, which will of course not happen if the MDR and IVDR are any measure for this. It seems that the ‘competent’ in competent authority will be a tenuous claim for AI in the EU, thus at least not ticking that box for the EU’s AI strategy. Good legislation is one thing, but actually competent authorities are another if you want to achieve the goals of legislation like the AIA.

Seriously, lobby and trust

There is also the category of ‘seriously?’, which contains provisions like the user obligations under article 29, which entail among other things that users of high-risk AI systems shall use such systems in accordance with the instructions of use accompanying the systems (article 29 (1) AIA). This provision is rather alien in the universe of CE marking legislation, where the user does not have direct obligations because the scope of deployment of the AI system would be limited by the scope of the CE marked intended use anyhow (as is the case under the MDR and IVDR). A separate obligation on the user to only use the system in accordance with the IFU creates an entirely extra layer of regulation for AI systems that are also a medical device.

The first traces of lobby are also visible in the proposal, for example where it says that

“Users of high-risk AI systems shall keep the logs automatically generated by that high-risk AI system, to the extent such logs are under their control.” (article 29 (5) AIA)

If there is anything that would inspire trust it would be that the logs generated are always under control of the user, especially since that provision does not mention who must keep the logs if they are not under control of the user, which is a major regulatory oversight in my opinion.

Some trust enhancing measures for medical AI systems can be found in article 7 MDR and IVDR, which pose limitations on the (marketing and advertising) claims that can be made for devices, and consequently for AI systems that are also devices.

And then there are the GDPR overlaps / dovetails as well. See below for more discussion of the resulting three-dimensional problems that this produces.

Better legal recourse against notified body decisions re AI system certification, but not if they’re medical devices

Genuinely new in the AIA is a first step to better legal recourse against notified body decisions, which is news for me as a lawyer. This is different from the MDR / IVDR. Article 45 AIA provides that

“Member States shall ensure that an appeal procedure against decisions of the notified bodies is available to parties having a legitimate interest in that decision.”

This kind of provision is sorely missing in the MDR and IVDR, and was one of my criticisms of the MDR and IVDR, as these provide for legal recourse against notified body decisions only via the certification agreement and a requirement for the notified body to have an internal appeal process. Some member states provide for extra legal recourse pathways because they treat notified bodies as emanations of state or similar entities. The provision in the AIA does not limit recourse to the parties to the certification agreement alone, which is also an interesting development. Just like under proper administrative law licensing procedures, interested third parties should be able to appeal a certification decision under the AIA.

Does this now mean that a decision concerning an MDR / IVDR certificate covering an AI system can be challenged under this provision? No, because it would be an MDR / IVDR certificate, which would seem to mean that an AI system provider is worse off for legal protection under the MDR / IVDR than under the AIA because the AI system is also a medical device. On the other hand, the AI system provider has nothing to worry about in terms of interested third parties appealing the certification decision, which could be a problem under the AIA.

Transparency

Article 52 provides for an ‘anti-holodoc’ transparency obligation:

“Providers shall ensure that AI systems intended to interact with natural persons are designed and developed in such a way that natural persons are informed that they are interacting with an AI system, unless this is obvious from the circumstances and the context of use.”

AI systems posing as a doctor for example will need to clearly be in the uncanny valley in order to be compliant, or must be very clear about their status. Fortunately the holodoc was never short of drama about what it was like to be an AI-powered hologram confined to the sick bay, but this will almost need to be a feature.

An AIA-MDR/IVDR-GDPR Rubik’s cube

The proposal contains many implicit and explicit links with the GDPR, such as that users of high-risk AI systems shall use the information provided under Article 13 to comply with their obligation to carry out a data protection impact assessment under the GDPR (article 29 (6) AIA). This provision seems to assume that a DPIA is always required in this context, which is not necessarily true. Another interesting link with the GDPR is the provision of a legal basis for bias monitoring (article 10 (5) AIA) for the functioning of the AIA. I would assume that this legal basis extends to the context of clinical data for devices that often does not take account of the lack of clinical data for women and children, and is often biased for adult men, which the AI system would be too if trained on such biased data.

Implicit links exist where we are talking privacy by design and security by design under the GDPR, and risk management under the MDR / IVDR. The AIA adds a third dimension which will make designing and deploying AI systems even more complex, as you will be dealing with three regulatory dimensions. I have described in a lot of detail how the MDR / IVDR risk management requirements and the GDPR design requirements interact (see for example here, specifically slide 34).

The result would now be that you have overlapping technical documentation for the AIA and MDR/IVDR requirements and a GDPR DPIA and system design documentation for the purpose of the GDPR, which all need to be consistent with each other over time. Speaking of three dimensions, it will be like continuously working a regulatory Rubik’s cube between parts of the company that typically do not engage very much with each other.

This is just a very short summary specifically for medical devices and IVDs and there is a lot more to say about the AIA links with the GDPR than this.

Is this proposal one in the category of putting the NO in innovation?

As has happened with the MDR and IVDR, the software industry will be slow to catch on to this, wait too long with starting preparations and be engaged in a last minute scramble for compliance. Dear industry, now you know – time to start preparing. This regulation will happen, one way or the other because politicians have decided it is needed and it will look a lot like this proposal. You only have yourself to blame if you wait too long.

A big question is who will be the notified bodies that can certify AI systems that are also medical devices or IVDs. This will be done by MDR / IVDR notified bodies that have been assessed for an AI systems competence top-up (article 43 (3) juncto article 33 (4), (9) and (10) AIA). Given that it took the average notified body about two years to go through notification for the MDR and IVDR and that the major bottleneck was approval of the NB CAPA plan after the joint audit, this will be interesting. Of course the MDR and IVDR notified bodies will have their QMS up and running, so hopefully this application could be handled swiftly. On the other hand, we do have enormous bottlenecks for MDR and IVDR NB capacity and that did nothing to move things along any faster. I cannot begin to emphasize how bad a situation we are in with notified body capacity for the IVDR, and now these few notified bodies have just gotten extra tasks for AI systems in the IVD space. Like I’ve said before: why would we need effective IVD market access policy in these pandemic times, right? It’s not like we need to do large scale testing for any purpose or would need AI systems to be able to help identify new mutations of corona viruses or something useful like that any time soon – pardon the sarcasm.

Another interesting question is how the AIA relates to the in-house exemption under articles 5 (5) MDR and IVDR, as this is not addressed in the AIA. This would mean that health institutions developing their own home-brew AI systems for deployment in the health institution will need to certify them as high-risk AI systems with a notified body that is not necessarily competent in AI in healthcare, because there is no obligation to go to an MDR or IVDR notified body with an AIA top-up. This is very likely to limit innovation in health institutions, because the whole idea of the in-house exemption is to forego CE marking of the in-house device. It is also not clear if the existence of a commercially CE marked AI system would pre-empt health institutions from deploying their own AI system (article 5 (5) (d) MDR and IVDR).

Will this proposal make the EU a world leader in AI by setting clear guidelines? In its current form I think it will not.

Although the proposal can definitely be improved, my worry is the execution. We are right back at the glaring undercapacity of market access procedures and lack of expertise at competent authorities level, which in the end is caused by the Member States on the one hand refusing to cede competence to the Commission (and properly fund the Commission for this) and on the other hand the Member States’ inability to properly resource their part of the regulatory system. While the Commission is probably doing what it can with the instruments that it has, this kind of thing is not something you can make work with a pretty technical regulation that follows conventional CE logic but relies on a market access system that is proven to be under-resourced for years to come.

You actually need a functioning regulatory infrastructure with a market access mechanism with sufficient capacity and predictability which is simply not there at the moment. We are utterly lacking that for the MDR and IVDR, and as a consequence for the AIA in the medical space. If this problem is not solved, the AIA will not live up to expectations in the health space and will become a disappointment.

MDR date of application next month – and the book

Finally! Another post on this blog. You would think that I would write a lot on a blog like this just before the date of application of the MDR next month, right? Well, I did – just not on the blog but I was working hard to finish my book on the MDR and IVDR before the date of application of the MDR – see below for more detail. Also, I was and remain overwhelmed with last minute advice requests about the MDR which is about to become applicable next month.

And in the end not even that many new or surprising things happened over the last months. Unsurprisingly, the date of application of the MDR was not moved again, so the date of application is really next month, and we will need to work with what we’ve got.

MDR applicable next month

What weird times right? We’ve not been at the point of being able to say that the MDR would be applicable next month so far – less than 50 days from now. Last year the date of application was moved just a little before we were able to say ‘next month’, but no such luck this year (as I’ve been predicting) so it is happening for real.

MDR roll-out has been happening slowly and still not so surely, see the latest version of the Rolling Plan. Still no harmonised standards, still no Common Specifications other than SUD reprocessing, etc., but rather a lot of cans being kicked down the road to the next quarter. Nothing out of the ordinary there.

Eudamed’s actor module is up on a voluntary basis for some time now, since December 2020. I have been able to play around with it and have been able to see that the promises around personal data protection are definitely not met. If you want the (mobile) phone number of a PRRC for a given manufacturer or importer, scraping it out of Eudamed is just way too easy. If I were a recruiter in the devices industry or looking to hire my competitor’s PRRC, this is where I’d look. If I were a manufacturer, I’d think a bit harder about creating a prrc@manufacturer.medtech email address and not having them put in their mobile phone number, for example.

The transitional regime of the MDR still keeps causing problems for many companies, and this will increase over the next months. On the one hand because it is truly kind of complex, on the other hand because companies have often not been planning ahead very well and are now finding that they have truly and irreversibly painted themselves into a corner.

And then there is of course the unproductive situation that some member states now allow their notified bodies to do remote audits for the MDR (e.g. Netherlands) and some do not (e.g. Germany). This shows how far we still are from an EU Health Union. Come on, if member states can’t even agree on this, how should they face the even bigger challenges that we will no doubt face down the road? My true European heart breaks in face of this pointless divergence.

Another problem is that (I am finding) the economic operator regime and the transitional regime in the MDR are still very badly understood by many economic operators, which leads to some specific problems in M&A.

Economic operators

A large part of the issues with economic operators come from companies not understanding the concepts of ‘placing on the market’ and ‘making available’. This is the result of simply not reading the Blue Guide. “Does an importer need to physically touch the products?” – no, it says so clearly in the Blue Guide. “Does an importer need to own the products?” – it says so clearly in the Blue Guide. I’ll happily trade advice for money because that’s sort of my business model as lawyer, but you can really help yourself as well and I love more complex questions than this. So dare to be wise and read the Blue Guide.

Another concept that companies do not seem to understand is that economic operators under the MDR and IVDR cannot be appointed (except for the authorised representative, who is mandated). The MDR and IVDR define roles, and a company fits a role or it does not, regardless of how much appointing you do. Unless the appointment itself changes the fact pattern in a way that the company fits the economic operator definition concerned (e.g. importer, by changing the supply chain in such a way that the entity that a manufacturer would like to be importer also becomes importer).

How does it work if the manufacturer ships directly to customers in the Union? This is more tricky, and a business model of many companies. Companies sell direct to the Union customer and deliver the device via a fulfilment service provider in the Union. This is not a clear cut scenario under the MDR or IVDR, but it is clear cut under the Market Surveillance Regulation (Regulation 1020/2019), which is applicable as of 16 July 2021 and supplements the MDR and IVDR in terms of market surveillance on the points that the MDR and the IVDR do not address (like the above example). It requires that for supply scenarios in which there is no importer in the Union another economic operator must take responsibility (in our example the fulfilment service provider) for the product in order for the product to be placed on the market lawfully. In other words, happy times negotiating with your fulfilment service provider or other economic operators, because otherwise they cannot place the products on the market lawfully. And there is more, as I have explained before.

Transitional regime

One of the biggest favors you can do yourself is to understand the transitional regime in article 120 (3) MDR. Why? Well, it’s complex and many others in the devices field don’t understand it either. Like they say: in the land of the blind the one-eyed man/woman is absolute monarch. The transitional regime still holds many interesting questions, mostly as regards obligations relating to legacy devices (do articles 6, 7 and 11 to 18, 22 and 23 MDR (distance sales, claims, importers, distributors, PRRC, repacking, reprocessing, implant card, systems/procedure packs and parts/components) apply to them or not? – I think so, but there are others that disagree), and many interesting surprises that can really ruin your day as a company (see below for example under Mergers and acquisitions). More detail on this subject in a podcast with Gert Bos and me via Qserve.

Also interesting to keep in mind that the only really detailed guidance we have for the transitional regime comes from the CAMD, which incidentally has no formal role under the MDR and IVDR and no formal competence to issue MDR or IVDR guidance. Only the MDCG has this role under the MDR (see article 105), but the MDCG never issued such guidance.

Many countries that award a special status to the CE mark in their national market access procedures have difficulties understanding the transitional regime as well. Quite a few of these countries are starting to treat MDR certificates differently and to refuse legacy device certificates as a basis for registration locally. You may claim that your legacy certificate is just as valid as an MDR certificate, to which you will get the reply that it’s not just as good for outside-of-Union purposes. And outside the Union it is not as valid, because that is not a matter of EU law but of local law. The Commission is said to have done a roadshow at some point to explain this, but it has not convinced everybody, that’s for sure.

Mergers and acquisitions

This is one area where all the problems with the transitional regime and economic operators come together to create a complex and tricky stew that can invalidate the underlying assumptions for any M&A deal if poorly understood.

One of the most widespread misunderstandings is that you can transfer CE marks, because you cannot. Either you transfer shares in the entity that has a CE certificate (share transaction), or you apply for a new CE certificate with the same or another notified body (asset transaction). Now this is where it gets interesting when you structure a transaction in a way that a new CE certificate must be issued to a new legal entity in an asset deal or a deal that is part asset deal. We know from Team NB that most of the manufacturers have gone all out on MDD and AIMDD certificates that will expire somewhere in the grace period between 26 May 2021 and 26 May 2024 in reliance on article 120 (3) MDR, with most expiring right at the back of this period:

But what has two thumbs and cannot be reissued after a significant change during the grace period? Indeed, your (AI)MDD certificate that has undergone a significant change because of the way you implemented the transaction or because you thought that you could transfer the CE mark as an asset (which you cannot) and then needed to have a new one, which cannot be issued during the grace period. You are stuck with needing to obtain an MDR certificate instead, which will cost you at least a year even if you are able to get on board at a notified body during this incredibly busy time. If you were relying on the company staying on the market during that period, the joke’s on you and your acquisition’s financial model has completely changed for the worse. And it was completely avoidable!

But there are other ways in which an M&A transaction as described in the management presentation can result in a significant change, even if you do not try to transfer a CE mark (because you cannot). The management presentation will often state things these days that are not possible because they would result in a significant change if they were to take place. In other words, management presentations occasionally claim things that cannot be true for the EU market, and should be written more carefully for companies relying on (AI)MDD certificates for (part of) the grace period.

For example, say I want to sell a medical software company that has several software medical devices, some on a CE certificate as class IIa or IIb, and some self-certified class I. The company has kicked the MDR can all the way down the road with CE certificates expiring on 25 May 2024, has a plan to have MDR CE certificates in Q1 2024 and has a valid declaration of conformity for the self-declared software, allowing this to also benefit maximally from the grace period. The management presentation states that the company will expand its software functionalities significantly for the class IIa and IIb software in the next two years to capture a specific service market before the competitors do. The company will also port its self-declared software to other operating systems. Would you believe this if you read it? You should at the very least have some very big question marks as to whether this is even possible. All of these plans will most likely constitute significant changes in the meaning of MDCG 2020-3 on significant changes. Implementing these changes will invalidate the company’s CE certificate(s) and the declaration of conformity for the self-declared software, necessitating the company to have CE marks under the MDR well before it planned to, during the busiest period for notified bodies. In other words: if the company implements this commercial strategy, it will not have access to the Union market for a considerable time, while it scrambles to make its notified body issue the MDR CE certificates earlier than planned (which it is under no obligation to do and will likely not have time for). Thus, the commercial strategy in the Union depends on regulatory understanding of the constraints posed by an MDR strategy that relies heavily on the grace period. So would you now still pay the same amount for this company? Probably not, because now you understand why this company is actually overpriced and the management presentation presents a strategy that the company will not be able to execute.

So, this is how you should read management presentations of device companies with CE marks these days. Also, where possible: don’t rely on ‘transfers’ of (AI)MDD certificates, or on the need to re-issue them in the name of a new manufacturer during the grace period, because you cannot. This should impact the content of management presentations and the structuring of M&A transactions in the medical device sector. If it does not, now you know how to read them.

For wider context on M&A and MDR/IVDR transitional regime, check out the Medical Devices Made Easy podcast, which will soon feature a podcast in which Monir and I discuss M&A and transitional regime.

Brexit, Swixit and Turkxit

We are in a Union for medical devices that shrinks faster than it grows these days. It makes my European heart sad. For context, see my recent presentation at the Select Sciences webinar about commercial readiness for the IVDR.

Swixit is happening next month. It can now safely be said that Switzerland and the EU will not be aligned on the Institutional Framework Agreement before the date of application, which means that Switzerland is out of the Union for the purposes of the MDR next month. Swiss Medtech has made a convenient overview of what this means and recommends that everyone plan for a Swixit.

Out of the MDR Union, but not yet out of the IVDR Union – the transitional regime in the MRA keeps covering the last remaining year of the IVDD until 26 May 2022. If the IFA has not been signed by May 2022, we will have another Swixit but this time for IVDs as well.

Things are not going well between the EU and Turkey, the most recent sad events being ‘sofagate’ and Turkey cancelling the Istanbul Convention on domestic violence and equality for women. The relationship with Turkey is getting less and less stable and more defined by political opportunism, and Turkey is clearly on a path of endorsing European values less and less, which makes it harder and harder to have it as part of the Union market. Turkxit looks exactly like Swixit from a legal perspective: by 26 May 2021 general medical devices exit, by 26 May 2022 IVDs exit. Plan for Turkxit to happen too, as it is a realistic scenario.

Brexit happened in the meantime. Yet, I still see many companies that have not understood that it actually means something when a country leaves the EU – it’s back to WTO-level relationships. It means a lot of extra work to access this much smaller market, having to complete a lot more formalities to also be on the market in the UK, essentially a duplication of compliance infrastructure with associated costs. It means new trouble in Northern Ireland. That’s what Brexiteers would call progress.

IVDR applicable sooner than you think – you may already be too late for a timely CE mark

Companies with IVDs are waking up to the fact that the IVDR is on the horizon. This is sad, because many are already too late to get on board with a notified body in order to obtain timely certification under the IVDR. Although you would think this has been made more than clear, companies still don’t seem to understand the quantum leap that people have been warned about for a couple of years now. The IVDR does not grandfather and does not contain the additional grace period options that the MDR was amended for at the end of 2019. So if you have a currently self-certified IVDD IVD that is not class A under the IVDR, you must have a CE certificate under the IVDR by 26 May 2022. If you are only starting this process now, you are most likely already going to miss that deadline. Well, it’s only core business, as I routinely say to companies. Why make timely plans for effective market access in one of the biggest markets in the world, right?

For the IVDR we did receive some guidance on transitional provisions for class D devices (MDCG 2021-4), which answers the usual questions that you get if the roll-out of a new regulatory system is severely delayed but the system will still be applicable. In this case it’s about the delayed IVDR expert panels and reference laboratories needed for the approval of class D devices.

An important point made in the guidance is the confirmation that

“During the transition period, as long as no EURL has yet been designated for that specific device, category or group of device, the notified bodies may accept applications for a class D IVD and issue the corresponding certificate(s).”

When the class D device is re-certified after expiry of the initial certificate, the reference lab procedure needs to be followed. While this looks helpful for getting class D devices on the market, it creates a big ‘what if’ for the case where the reference laboratory does not agree with the work of the notified body in the initial certification cycle.

The book

So what have I been writing if I haven’t been writing on this blog? I have been writing my ‘Enriched MDR and IVDR’ book, which I started in 2017. It is now good enough for publication and has gone to layout. I am self-publishing it electronically as of mid-May 2021 (also next month, conveniently just before the date of application of the MDR), so watch this space. It will be available as a watermarked PDF and in ePub format. I’m still exploring options for distribution platforms and would welcome tips from other self-published authors. Further details will be announced on this blog and I’m not taking any pre-orders for the moment.

The book is an enriched version of the MDR and IVDR as per the state of the art at the end of March 2021, meaning that it consists of an introductory chapter discussing the MDR and IVDR generally, a mostly annotated MDR (clause-by-clause annotation of most articles and recitals, which was a lot of work) and a mainly annotated IVDR (clause by clause and recitals too, but with a lot of references back to the MDR because there is so much overlap).

Here is a sneak peek at two of the proofing pages for the layout concept (don’t mind the typos please – they’re proofing pages).

The book also contains a number of convenient tables to show overlaps between the MDR and the IVDR, between the MDR/IVDR clinical investigation regime and the medicines clinical trial regulation, etc. It contains many flowcharts (I love flowcharts) and graphics. And it can be yours for the price of just a couple of ISO or IEC standards (the exact number depending on where you buy them, as the price can differ considerably – I say give it up for the Estonian Centre for Standardisation and Accreditation, which will never overcharge you for a European harmonised standard).

The second edition, which I’m planning for Q1 2022 now, will feature more IVDR content and of course additional MDR content as we are about to learn a lot about the MDR over the rest of 2021 when it will be applied in practice.

Finally remote initial audits, or not (yet)?

When the Commission recently published the Notice on the application of Sections 2.3 and 3.3 of Annex IX to Regulation (EU) 2017/745 and Regulation (EU) 2017/746 with regard to notified bodies’ audits performed in the context of quality management system assessment on 11 January, there was much rejoicing in the medical devices community. Yay!

It looked like one of the big stumbling blocks holding up the issuance of MDR certificates was finally cleared. But this is actually not the case. Or, it depends how you look at it. More precisely, it depends how the member state authorities look at it.

What was the problem again?

What was the problem again? There is this COVID pandemic going on, which tends to cause a lot of restrictions on the movement of persons as a result of national measures to prevent it from spreading. At the same time the MDR and the IVDR require site visits as a condition for the notified body to grant an MDR or IVDR certificate (see sections 2.3 and 3.3 of Annex IX in either regulation). No travel means no site visit, and no site visit means no MDR or IVDR certificate. As the epidemic persists and the date of application of the MDR and IVDR creeps closer, you don’t need to be a rocket scientist to see that this will create a big problem.

In 2020 the MDCG had already issued guidance on remote audits (discussed on this blog here: MDCG 2020-4, further clarified in MDCG 2020-17), but this did not (fully) cover the MDR and the IVDR and moreover it did not cover initial audits, which are the audits everybody needs for their first MDR and IVDR certificates. So, too bad so sad – no remote audit for you in case of an initial application until the auditors can physically travel again.

In the meantime in the medicines field

In the meantime the authorities for medicinal products were surprisingly more lenient and practical in allowing first GMP audits. The HMA notice of 20 April 2020 on the subject (see paragraph 2.2) is quite clear about that:

“For new sites/facilities in the EEA that have never been inspected and authorised, a distant assessment may be conducted in order to evaluate if the site could be authorised without a pre-approval inspection. In such cases, it should be indicated that the certificate has been granted on the basis of a distant assessment. Moreover, an on-site inspection should be conducted when circumstances permit.”

and

“For new sites/facilities in third countries where an inspection is required, and where there is no operational mutual recognition agreement (MRA) or the scope is not covered by the MRA, a distant assessment by an EEA supervisory authority may be conducted. A GMP certificate may be granted depending on the outcome of the assessment. In such cases, it should be indicated that the certificate has been granted on the basis of a distant assessment. Moreover, an on-site inspection should be conducted when circumstances permit.”

And if circumstances do not permit a distant assessment, there is a clock stop until they do. The notice furthermore contains some good guidance on how to make the risk assessment to determine if the circumstances so permit, for example whether the manufacturer concerned has been naughty or nice in the past, and on how to actually implement a remote audit in a practical way.

The EMA Guidance on remote GCP inspections during the COVID-19 pandemic (dated 20 May 2020) even contains a complete template and roadmap for how to set up a functioning remote audit and also contains more detail on the risk assessment of the manufacturer audited.

So the Heads of Medicines Agencies in the EU and the EMA are very aligned on this, and had no issues in drafting a pretty clear notice that applies across the board. Enter the world of devices, in which things are completely different for no apparent reason.

The MDR and IVDR notice

The notice of the Commission is really kind of a non-notice. It turned out this way because it is very clear that the member states could not agree on this like they were able to do for medicines. Because, you know, medicines are really important. Ventilators, IC beds, COVID tests, who needs those in these times – right? As with the Brexit agreement, which fails to address devices but does address medicines (also with respect to remote audits), the lack of ambition on the part of member states is striking. It’s like member states still haven’t discovered devices as the crucial pillar underneath the healthcare system that they are. If the member states had been aligned, we would have had MDCG guidance, which would apply across the board. But they are not, and here we are.

So what does the notice really say? You can see that the Commission had a difficult situation to work with, and tried to do the best it could under the circumstances. The notice reiterates the legal requirements and the need for remote audits under the circumstances, but then goes on to state that this is really a member state game, because

“the national authorities responsible for notified bodies shall monitor the notified bodies established on their territory and their subsidiaries and subcontractors, to ensure on-going compliance with the requirements and the fulfilment of obligations set out in the medical devices Regulations.”

which is legally completely correct. In other words, because the member states can’t align between themselves in the MDCG, it’s every member state for itself for as long as they cannot agree. This means that, as we are seeing, some member states are willing to allow remote audits, and others do not.

While the Commission does give the outlines of a framework for determining if a remote audit can take place in the notice, this is a lot less practical than the HMA and EMA guidance discussed above for medicines. Personally, for the life of me I cannot see why this could not be harmonised better. In many member states the authority for medical devices and IVDs is even the same as the one for medicines. Not everywhere, I know that, but even then they can talk to each other, you would think. So what the [beep] is the major malfunction here?

The Commission ends the notice with a call on the member states to at least keep the Commission informed of what they are doing and how they implement this. That’s the best that could be achieved under the circumstances, apparently.

What to do now?

This weird situation means that the possibilities will differ from one notified body to the next, depending on how the notified body fills in the broad criteria, which in turn is based on what the notified body’s notifying member state is willing to allow. EU harmonisation at its finest! Team NB is working on at least seeing if it can align its own members in this respect, and aims to have this done by end January. Let’s see what this brings, but in the mean time the clock is relentlessly and mercilessly ticking towards the date of application.

So what can you do as a manufacturer? You do what Brian Boitano’d do: you make a plan and you follow through. Be proactive, and engage with your notified body about whether and how it will apply this, because you cannot assume that there will be aligned standard practices across notified bodies (except maybe if they are notified by the same member state). If they are waiting for alignment via Team NB, indicate your willingness to receive a remote audit. Look at the criteria in the Commission notice and in the HMA GMP and EMA GCP inspection notices, think about how you can demonstrate why a remote audit would be justified and that your case passes the required risk assessment, and think about what you can offer the notified body to make the remote audit practical (what would they want to see in normal circumstances, and how can you show this remotely in a way that they can consider it sufficiently audited?).

In terms of legal recourse you could, in extreme cases, consider taking legal action against a member state that does not allow its notified body/ies to do remote audits or imposes disproportionate measures compared to other member states or compared to the medicines notices.

You might find yourself in a situation where the certificate really does not arrive in time and new products can no longer be placed on the market, in which case you could be forced to consider a local exemption or an article 59 MDR based exemption, although the criteria for the latter option are very strict.

Try to stay positive

Personally, I am not rejoicing very much in view of this development and have a hard time staying optimistic about it. I had a spike of enthusiasm when I saw that a notice about this had been published. And then the disappointment came. Now I’m just trying to stay positive and hope this sorts itself out for the best. Maybe there will be alignment after all in the last months before the date of application – oh, wait. That’s where we are already.

To me it seems we need a change of culture in the EU because this non-notice shows how the member states are failing the patients, failing them badly. This is low hanging fruit. There is a precedent in medicines. What more do you need?

If there is one thing that the COVID epidemic has shown, it is that on the one hand member states are ill-equipped to deal with bigger healthcare challenges by themselves, but on the other hand are too stubborn to equip the Commission with the tools to at least create aligned policies. This goes back to article 168 TFEU, which provides that medicines and devices are basically to be regulated as widgets in the internal market, with secondary healthcare aspects. But otherwise the EU should stay off any real healthcare policy (this is a bit simplified, but essentially what it comes down to). Yes, there is some movement with joint vaccine procurement and a very general healthcare policy, but this is not very much and certainly not a revision of article 168 TFEU.

At the same time we see member states under-resource national competent authorities for medical devices because we have European laws and a system that sort of took care of itself historically, right? This leads to the terrible situation where the lame (the Commission, with insufficient competences to make a difference) has to herd the blind running all over the place doing their own thing (the member states that don’t see the need for a coordinated healthcare policy and under-resource national devices authorities) – which is not productive at all. And how can this be explained to patients? That’s quite a challenge if you ask me. The reality now is that, for example, German restrictions on their notified bodies may lead to Swedish patients not having access to certain essential devices. That is the reality of the internal market and the reason why this problem is bigger than any single member state. By necessity, this means that the solution must also be bigger than any single member state, and that, unfortunately, requires a culture change that I have been advocating for a long time.

The notice contains an almost cynical closing statement by the Commission in relation to a request for member states to at least inform the Commission:

“In particular, given the difficulties to fully quantify the extent of the problem in advance, namely the need to recourse to extraordinary temporary measures in order to ensure continuous availability of devices and prevent the potential risk of shortages, it is vital to carefully follow how these measures are applied in practice.”

So, member states, please show some ambition here and know your limitations. If the problem is bigger than you can handle yourself, enable action at EU level. Europe is supposed to have the best healthcare system in the world, but looking at this mess you would really not think that. Nothing to be proud of, especially since a proven solution is right in front of you.

But before I get too cynical (this epidemic takes its toll on everyone including me these days) let’s see how things develop. The best thing to hope for is quick alignment between member states after all, and a very clear and detailed MDCG guidance. If the member states can agree about this stuff for medicines, why not for devices?

Let’s see if we can make this work for the better, rather than have it dysfunction for no apparent reason.

Outlook for 2021 – and happy new year!

Something new for the end of the year: a new year’s vlog with my rough 2021 outlook.

This outlook is far from complete and not comprehensive at all, and it leaves out many other important things. Make sure to stay informed (or as Kant the philosopher said: dare to be wise)!

If you like this vlog and would like more vlogs instead of text, be sure to let me know.

Happy 2021, put it to good use, stay safe and stay sane!

Links to content discussed in the vlog:

Team NB paper on expiring certificates

MHRA medical devices regulation page

My post on the brexit deal

My post on Schrems II and GDPR

My post on the Market Surveillance Regulation

My post on the urgency with the IVDR

My post on to-dos for class I devices manufacturers

The Brexit ‘deal’ – what’s (not) in it for the medical devices industry?

Spoiler: at the moment basically nothing except more paperwork and trade barriers. It’s still a hard Brexit with a little sugar on top, essentially.

Or, if you are a more glass-half-full kind of person: at least not all the way back to WTO rules, but just one step above that.

After a long, slow process with many twists and turns the Brexit deal finally dropped the day before Christmas. This ‘deal’ is nothing less than a somewhat controlled full reset of the entire EU-UK relationship because this was the best parties could achieve under the circumstances.

In my view this ‘deal’ and the negotiation process represent every problem that the EU was set up to solve, so in that regard it will be an interesting experiment to see what life is like on the outside for a former member state. Unfortunately history is too kind these days for people that stake their country’s economy on the roulette table of populism for short term electoral purposes (my strong personal opinion about root cause here), so I don’t expect this experiment to yield any reliable conclusion in the end because nobody is going to admit this was a terrible idea, even if everyone agrees that it was.

Mainly goods, mostly not services

The deal is mainly about goods, and almost not about services (a little bit about financial services though). If you provide services additional to devices, there’s basically nothing in it.

General principles about trade in goods have been agreed, but need to be firmed up over time. More specific arrangements have been made for medicines, for example, but not for medical devices. These facilitations for other specific products of mutual interest, such as automotive, wine, organics, pharmaceuticals and chemicals, do not include medical devices. Medical devices are part of the ‘general’ arrangements for all CE marked goods, which means that as of 1 January (when the extended transition period after the UK’s leaving the EU on 31 January 2020 ends) medical devices trade between the EU and the UK is fully subject to the general goods regime in the new agreement.

What this means has been painfully clear from the very beginning: the UK may choose to accept CE marked devices on its market (and has announced it will do so because it has no choice), but the EU will not do the reverse. Consequently, all UK-established devices businesses will be working with double regulatory standards as of 1 January, and with the formalities that go with that situation (see here for the UK MHRA’s rundown of regulatory formalities and transition on the UK side). In that sense the situation set out in the Commission’s January 2018 notice on trade in industrial products, restated in 2020, has now materialised.

In more detail – what could the future look like?

An important part of the Brexit negotiations was about who has the final word on (regulatory) standards. Positions taken in this regard will set the boundaries for future cooperation.

For the EU, mutual recognition arrangements are only possible if the European Court of Justice has the final word about the interpretation of EU law exported via the mutual recognition agreement. Since export of regulatory standards is a major source of power for the EU, this will not be negotiable. However, this is precisely not what the current UK government wants (‘take back control’), which means that the UK is far removed from a Switzerland-like mutual recognition agreement and even further from more seamless cooperation (like the EEA agreement). The UK seems to have landed on ‘Canada plus’ as a result of the specifics of the agreement on customs formalities (although no customs union) and tariffs.

Unless that changes, the future will be one of separate regulatory silos, with some basic rules on tariffs and customs formalities. For the moment, UK businesses (and international companies doing business in Europe via UK businesses) are stuck with having to accept standards in the EU that the UK has no more influence over and hoping that the UK does not diverge in its own standards to the point that it will become costly to comply with the additional regulatory system created by the UK for itself. Politicians will try to sell this as progress. Sure, diverging standards might give UK businesses an edge, but only for the UK market. In the end the devices developed will still need to meet standards outside the UK too: the UK will still follow international standards like ISO and IEC in order to be able to sell its products abroad. Also, diverging to the point that it would lead to unfair competition would lead to unilateral EU countermeasures.

For those who like to look for themselves: devices go in the ‘trade in goods’ bucket under Part Two, Heading One: Trade, Title One: Trade in Goods (there will be basic goods trade just above WTO standards), Title X Good Regulatory Practice (there will be regulatory cooperation on a voluntary basis) and Title XI Level Playing Field (subject to the EU precautionary principle). As you can see, there is not much there compared to the acquis of internal market regulation.

Notified bodies

For the remaining UK notified bodies for devices, Brexit now means that they lose their notification for the EU directives and new regulations and that their remaining certificates are invalid as of 1 January, unless timely re-issued by an EU-27 notified body. It also means that these bodies will not be able to do surveillance for directive certificates after the date of application of the MDR (and later the IVDR) because the certificates have become invalid. This writing has been on the wall since early 2018.

Placing on the market

For companies with regulatory problems, understanding the concept of placing on the market again becomes paramount.

Devices placed on the market in the EU by 31 December 2020 (which still includes the UK until that date) will be able to circulate in the internal market freely. Devices placed on the market as of 1 January will be faced with the new situation: no free movement between the UK and the Union. This writing too was on the wall for a very long time already and will be or has been relevant if your company has a supply chain running through the UK.

Data protection for data processing devices and services

For devices companies that process personal data in the meaning of the GDPR in the UK, note that the adequacy finding for the UK has explicitly been excluded from the agreement. That means that by 1 January the UK is fully in the Schrems II boat as a non-EU jurisdiction: you will need a transfer basis like standard contractual clauses, but with additional due diligence / upgraded standard contractual clauses, or explicit consent for non-structural transfers.

Update 14 January 2021: I had initially missed the 6 months transfer provision in the Brexit agreement, meaning that until 30 June 2021 transfers between the EU and the UK do not count as third country transfers. If there is no adequacy decision about the UK data protection regime by that date (which is not unlikely at all) then as of 1 July 2021 these transfers are third country transfers, as clarified in the European Data Protection Board’s updated note of 13 January.

Conclusion for the moment

The analysis in this blog is far from complete as I haven’t been able to read the complete package yet that forms ‘the deal’, so stay tuned for more (for example on the complex situation of Northern Ireland).

Also, the ‘deal’ is a deal between negotiators. This is a stage where we’ve been before just over a year ago and then the UK parliament decided that it had sent a negotiator without sufficient mandate, which set back the process enormously. This could happen again.

From the EU side, the whole formal ratification mechanism still has to take its course. So far I am very impressed by the degree of organisation and unity on the part of the EU and its Member States, which is usually very different in other dossiers.

The EU Court’s Schrems II judgement – urgent revisiting of international personal data transfer mechanisms required

Wasn’t the MDR about More Data Required, and the same for the IVDR? Aren’t more and more devices running software that processes patient and user data? Isn’t the medical devices industry a very international business? Indeed – so the ability for companies working with the MDR and IVDR to transfer personal data internationally for all kinds of MDR and IVDR related purposes, such as clinical investigations, PMCF/PMPF, usability testing, troubleshooting / support, registries, communication of dimensions of custom implants, training of AI, cloud storage of patient data, linking patients to samples, eHealth and mHealth solutions, moving IVD test results from one place to the other – basically anything involving clinical data that is personal data – is an important thing.

Since data is the blood pumped around in the MDR and IVDR architecture, I address data protection issues on this blog to raise awareness (for example here (about data subject damages), here (about cybersecurity) and here (more generally about MDR/IVDR and GDPR)). I find in practice that companies and service providers in the medical devices industry often could do a much better job at data protection compliance and do not design their products and services with the data protection principles of privacy and security by design in mind. The MDR and IVDR require you to manage risks with safety principles in mind, and the EU’s General Data Protection Regulation (“GDPR”) is no different: like the MDR and IVDR it requires risk management as a design factor. For EU purposes both physical integrity and privacy are fundamental rights of patients and users of devices, which is reflected in the requirements in the MDR and in the GDPR. This is why I advise companies to integrate design processes under the MDR and IVDR with those under the GDPR and not treat devices RA/QA and privacy as different silos in the company. The MDR and IVDR on the one hand and the GDPR on the other hand share many important links, so non-compliance with one of them will often imply non-compliance with the other, for example with regard to cybersecurity.

This blog is a co-production with my firm’s data protection expert Cécile van der Heijden, who wrote the biggest part of it, and it addresses the recent GDPR bombshell judgement of the European Court of Justice (“CJEU”) in the Schrems II case, of which the impact on international transfers from the European Economic Area (“EEA”) to third countries can hardly be overstated. The CJEU press release about the Schrems II case can be found here.

International transfers and the Schrems case

The GDPR allows transfers of personal data to a third country outside of the EEA only if the transferring party has provided appropriate safeguards and ensured that enforceable data subject rights and effective legal remedies are available for data subjects. Every medical devices company or service provider to that industry that works internationally and has some kind of connection to parties outside the EEA, uses cloud services or engages service providers that transfer data outside of the EEA (for example because they use cloud service providers or entities outside the EEA) will be directly or indirectly transferring data internationally.

This is why the CJEU’s judgement of 16 July 2020 in the Schrems II case (or the second Facebook case as it is known too) was so much anticipated. The case concerns conditions for transfer of personal data out of the EEA to the United States under an adequacy decision (in this case the EU-US Privacy Shield Framework, (“Privacy Shield”)) and standard data protection clauses (“SCC”). More particularly, the Schrems II case concerns transfer of personal data from Facebook Ireland Ltd to Facebook Inc in the US for processing. The judgement was rendered in a preliminary reference procedure in which the CJEU has answered questions of the referring Irish court concerning:

  • the applicability of the GDPR to transfers of personal data to third countries outside of the EEA, focussing on the SCC laid down in Commission Decision 2010/87 (EU controller to non-EEA processor);
  • the level of protection the GDPR requires in relation to such transfer;
  • the obligations that are imposed on supervisory authorities in relation to such transfer; and
  • whether both Commission Decision 2010/87 and Commission Decision 2016/1250 (the adequacy decision concerning the EU-US Privacy Shield Framework) are valid.

GDPR applies to transfers of personal data to third countries outside of the EEA

The CJEU has confirmed in Schrems II that – unsurprisingly and contrary to what was argued in defense – the GDPR does apply to a commercial transfer of personal data between two economic operators (terminology that also can be found in the MDR), even if the personal data is also processed by the authorities of the third country in which the recipient is established for the purpose of public security, defence and national security, for example by intelligence services.

Privacy Shield invalid as legal basis for transfer

The CJEU declares the EU-US Privacy Shield framework invalid due to the absence of an adequate level of data protection in the US, given the existence of extensive governmental surveillance programs that lack effective judicial review and do not protect the rights of data subjects established in the EEA. Most notably, these surveillance programs in the US concern the US Foreign Intelligence Surveillance Act (“FISA”) and US Executive Order 12333. Privacy Shield does not offer sufficient safeguards in relation thereto.

SCC valid as a legal basis for transfer, provided that country of import offers equivalent protection as GDPR

At the same time, the CJEU declares that the SCC (as laid down in Commission Decision 2010/87) are valid as a mechanism but cannot be regarded as a ‘tick the box’ exercise because the rights offered to EEA data subjects abroad should be, at least, at an equivalent level to those guaranteed under the GDPR. This means that all transferring parties, regardless of whether the personal data is transferred by a controller or processor, have a responsibility. This requires a risk assessment by the parties involved in the transfer. They must verify on a case-by-case basis (where appropriate in collaboration with the extra-EEA recipient of the personal data) whether the laws of the third country to which the personal data are transferred offer adequate protection in line with the requirements of EU data protection law.

The way that the legal framework in the country where the recipient is established works may lead to a need to provide additional safeguards in addition to those documented in the SCC. It goes without saying that this holds relevance for all SCC adopted by the European Commission beyond those documented in Commission Decision 2010/87. As most companies transfer personal data under SCC in absence of an applicable adequacy decision, this decision of the CJEU directly impacts nearly all parties that transfer personal data to outside of the EEA.

The CJEU requires a case-by-case review whether the laws of the third country in which the recipient is established respect data subject rights at a similar level as the GDPR, including by allowing for judicial review where the authorities have access to the personal data, e.g. for intelligence purposes. Where such level of protection cannot be met, the transfer must be suspended or the agreement between the parties must be terminated.

Immediate consequences Schrems II

The primary consequence of Schrems II is that personal data can no longer be transferred to the US under the Privacy Shield, meaning that companies must suspend all such transfers until another permitted transfer measure under the GDPR has been applied. Although Schrems II only concerns the SCC documented in Commission Decision 2010/87, the criteria set for the use of SCC have broader applicability. As a result, all transfers under SCC, regardless of the exact country to which the personal data are transferred, require a thorough and adequately documented review of the legislation of the recipient country for the transferring party to be able to demonstrate a lawful transfer.

Schrems II shows that general legislation that allows processing of personal data in as far as is necessary in a democratic society to safeguard, inter alia, national security, defence and public security, and which is subject to effective judicial review, is acceptable. However, far-reaching processing of personal data by public authorities (i.e. through intelligence surveillance programs) in a third country that is not subject to effective judicial review does not offer the required level of protection to EEA data subjects. For example, the US Ombudsman linked to the Privacy Shield has no effective control over EEA data subjects’ data being processed by the US intelligence services. Based on these criteria the CJEU ruled that the US does not offer appropriate levels of protection of data subjects similar to those offered in the EEA.

Schrems II has far reaching consequences for all EEA-based companies who collaborate with US businesses (e.g. for research activities or for intra-group activities, such as internal transfer of pharmacovigilance data, clinical trial data or post market surveillance data), use US-based processors (service providers) certified under the EU-US Privacy Shield (including CROs, cloud providers and providers of cookies for company websites) and for all other EEA-based companies that use SCC to transfer personal data to recipients.

While it may be difficult to perform the required review of national law of the receiving country, Schrems II has created an immediate problem in relation to transfers of personal data to the US, even where such transfers take place under SCC, if no additional measures are taken. As the CJEU has determined that the US currently does not offer an adequate level of protection in line with the level of protection offered in the EU under the GDPR in relation to Privacy Shield, it is difficult to imagine how a transfer to the US under SCC will be considered adequate, as these transfers will be subject to the same controls in the US. Therefore, where FISA or Executive Order 12333 are applicable to personal data transferred to the US, Schrems II effectively endangers transfers of those personal data to the US due to the lack of adequate protection of data subjects subject to the GDPR, unless the transferring parties adopt additional measures. While the CJEU has performed an analysis of the level of data protection offered by the US, the same would apply to a transfer to any other country outside the EEA that is not subject to an adequacy finding and where processing of personal data by the government (including for surveillance purposes) takes place beyond what is reasonably necessary in a democratic society.

There is another issue with the use of SCC: even where the assessment required by Schrems II can be conducted in practice, the SCC available do not cover all possible transfers. For example, a transfer between an EEA-based processor and a controller based in a third country is not covered by any SCC model, albeit that a solution is allowed if an EEA-based controller signs the clauses with the receiving controller.

Currently, SCC have only been adopted for transfers between two controllers and for a transfer between an EEA-based controller and a processor established outside of the EEA. While certain supervisory authorities may be convinced to allow broader use of the existing standard data protection clauses outside of their original context, this is not a universally accepted solution. Consequently, this approach requires clearing with the relevant supervisory authorities to avoid non-compliance with the GDPR.

Are other transfer measures than Privacy Shield or SCCs possible?

SCCs are not the only appropriate safeguards that can be used in absence of an adequacy decision but are (in general) the only safeguards readily available. Many appropriate safeguards require prior approval of a national supervisory authority or even the involvement of the European Data Protection Board or the European Commission. For example, the waiting time for approval of binding corporate rules by the Dutch Data Protection Authority is currently three to five years. Additionally, barely any codes of conduct have been approved thus far and can therefore not offer any solace. Such appropriate safeguards are therefore not workable for any company that is currently already undertaking transfers and wishes to continue these transfers. However, it is to be expected that application of other safeguard measures under the GDPR is held to the same standard as the use of SCC.

Where it cannot be established that national law in the country where the recipient is based offers sufficient protection to data subjects, the transferring party may be able to base the transfer on one of the derogations of article 49 of the GDPR. The EDPB considers these derogations to be exemptions from the

“general principle that personal data may only be transferred to third countries if an adequate level of protection is provided for in the third country or if appropriate safeguards have been adduced and the data subjects enjoy enforceable and effective rights in order to continue to benefit from their fundamental rights and safeguards”.

However, as the EDPB has clarified, such transfers are limited to occasional, non-repetitive transfers and therefore offer no solution for large scale transfers.

Next steps for EU authorities and next steps for companies

It is expected that the collective supervisory authorities and the European Commission will provide additional guidance in relation to the consequences of Schrems II. We also expect the supervisory authorities to provide clarification on the exact parameters of the required review of national law in the country where the recipient is established, as such an extensive review will be difficult to realize for any company. The Dutch Supervisory Authority has indicated that the European Data Protection Board, in which all national supervisory authorities and the European Data Protection Supervisor are united, will soon provide guidance concerning the additional measures companies can include in the SCC. Authorities on both sides of the Atlantic need to quickly figure out what this judgment will mean for them, and how they will work with international data transfers in the future. The EU authorities will need to be more practical about what the required standard is, and other authorities will have the opportunity to improve the quality of data protection regulation to take fundamental rights into account better.

We currently do not expect supervisory authorities to immediately begin enforcing Schrems II as the supervisory authorities are still reviewing the best manner to deal with Schrems II and how to apply the judgment in a practical manner. Nevertheless, we advise all companies transferring personal data to the US directly or via a (sub-) processor under Privacy Shield as well as companies using SCCs for data transfers to carefully map out any transfers that they are currently undertaking and make a best effort assessment whether the country of import offers protection of the rights of data subjects that can be considered adequate in the light of the GDPR (Schrems II does not require identical protection, but adequate protection).

Documentation is key for compliance after Schrems II. Companies should be transparent and document their analysis of national law in the country of import in detail. As a minimum, such analysis should include a review of:

  • the applicable data protection legislation in the country of import;
  • applicable legislation on surveillance by public authorities in the country of import, including in transit situations;
  • the availability of data subject rights, including judicial review of such processing activities by the public authorities in the country of import;
  • the scope, volume and application of the aforementioned measures.

Supervisory authorities or the European Commission may provide additional or different requirements for such analysis of national law in the country of import.

Regarding US transfers, there does not seem to be a way for data transfers to proceed legally in full compliance with the GDPR at the moment. To limit all risks companies may consider (temporarily) suspending personal data transfers from the EEA to the US until official guidance on the consequences of the Schrems II judgment becomes available. They should consider carefully which additional contractual safeguards can be incorporated under SCCs and have SCCs in place where they or their service providers relied on Privacy Shield. Where suspension of transfers is impossible in an individual case (for example in relation to ongoing treatment that cannot be postponed, ongoing participation in a clinical trial with an extra-EEA sponsor or manufacturing of a custom made implant outside the EEA), we advise to review whether such transfer can nevertheless take place under a specific derogation of article 49 of the GDPR. The information obligations of the transferring party in relation to the use of a derogation may increase due to Schrems II.

Where companies continue to transfer personal data under SCC or a derogation, rigorous application of the principle of data minimisation and the use of encryption may serve as a non-regulatory solution to provide a degree of technical protection against import country scrutiny of data. This would help in meeting the requirement to apply extra measures in addition to the SCC as referred to in Schrems II. Nonetheless, such measures by themselves do not constitute a legal basis for an adequate transfer in compliance with the GDPR.
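The data minimisation and encryption measures mentioned above, shown as an added example that is not code from the original post or its authors. It assumes a constructed IVD test record, a constructed purpose for which the importer needs only three fields, and keys that are generated and retained by the exporter inside the EEA; the encrypt-then-MAC construction built from HMAC-SHA256 is used only so the example runs with the Python standard library and stands in for a vetted AEAD such as AES-GCM from a maintained cryptography library in real use:

```python
"""Added example (not from the original post): minimise, pseudonymise and
encrypt a record before it leaves the EEA, with every key kept by the EEA
exporter. Record, field names and keys are constructed for illustration.
The cipher below is a stdlib-only encrypt-then-MAC construction (HMAC-SHA256
keystream plus HMAC tag) chosen so the example runs offline; a real
deployment would use a vetted AEAD such as AES-GCM from a maintained library."""
import hashlib
import hmac
import json
import secrets

# Constructed sample record held by the EEA exporter (not real patient data)
SAMPLE_RECORD = {
    "patient_id": "NL-000123",
    "name": "Jane Example",
    "date_of_birth": "1970-01-01",
    "device_id": "IVD-ASSAY-42",
    "test_date": "2020-07-16",
    "test_result": "negative",
}

# Constructed purpose (e.g. a PMPF analysis) that needs only these fields
FIELDS_NEEDED = ("device_id", "test_date", "test_result")

# Keys are generated and retained inside the EEA; the importer never sees them
PSEUDONYM_KEY = secrets.token_bytes(32)
ENC_KEY = secrets.token_bytes(32)


def minimise(record: dict, needed: tuple) -> dict:
    """Data minimisation: keep only the fields the purpose requires."""
    return {k: record[k] for k in needed if k in record}


def pseudonymise(identifier: str, key: bytes) -> str:
    """Keyed, deterministic pseudonym: the same patient maps to the same token,
    but without the EEA-held key the importer cannot reverse or re-derive it
    (a plain unkeyed hash could be reversed by hashing known identifiers)."""
    return hmac.new(key, identifier.encode(), hashlib.sha256).hexdigest()[:16]


def _subkeys(key: bytes) -> tuple:
    # Separate confidentiality and integrity keys derived from one secret
    enc = hmac.new(key, b"enc", hashlib.sha256).digest()
    mac = hmac.new(key, b"mac", hashlib.sha256).digest()
    return enc, mac


def _keystream(enc_key: bytes, nonce: bytes, length: int) -> bytes:
    # Counter-mode keystream built from HMAC-SHA256 blocks
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hmac.new(enc_key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def encrypt(key: bytes, plaintext: bytes) -> bytes:
    """Encrypt-then-MAC; returns nonce || ciphertext || tag."""
    enc_key, mac_key = _subkeys(key)
    nonce = secrets.token_bytes(16)
    ciphertext = bytes(p ^ k for p, k in zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
    tag = hmac.new(mac_key, nonce + ciphertext, hashlib.sha256).digest()
    return nonce + ciphertext + tag


def decrypt(key: bytes, blob: bytes) -> bytes:
    """Verify the tag before decrypting; tampering or a wrong key raises."""
    enc_key, mac_key = _subkeys(key)
    if len(blob) < 48:
        raise ValueError("blob too short")
    nonce, ciphertext, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(mac_key, nonce + ciphertext, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("authentication failed")
    return bytes(c ^ k for c, k in zip(ciphertext, _keystream(enc_key, nonce, len(ciphertext))))


def prepare_export(record: dict, pseudonym_key: bytes, enc_key: bytes) -> bytes:
    """What actually crosses the border: a minimised, pseudonymised and
    encrypted payload. Direct identifiers never leave the exporter."""
    minimal = minimise(record, FIELDS_NEEDED)
    minimal["subject"] = pseudonymise(record["patient_id"], pseudonym_key)
    return encrypt(enc_key, json.dumps(minimal, sort_keys=True).encode())


def open_export(blob: bytes, enc_key: bytes) -> dict:
    """Only a party holding the EEA-retained key can read the payload."""
    return json.loads(decrypt(enc_key, blob))


if __name__ == "__main__":
    exported = prepare_export(SAMPLE_RECORD, PSEUDONYM_KEY, ENC_KEY)
    print(len(exported), "bytes leave the EEA;", open_export(exported, ENC_KEY))
```

The point of the design is key custody rather than the cipher: whoever holds ENC_KEY can read the payload, so when the key stays with the EEA exporter (or an EEA-based key management service) the importer and anyone compelling it receive ciphertext only, and the keyed pseudonym means known identifiers cannot be matched against the exported tokens by rehashing them.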

Schrems II makes implementation of the basic principles of data protection in the GDPR very relevant, as this ruling emphasizes that ‘with big data comes great responsibility’. The more personal data that a company collects and exports, the more responsibility it takes on. Questions? Cécile and I are at your service.

Standardisation request for MDR and IVDR refused; now what?

A new blog post, a new step in the soap that is the non-transitional period of the MDR and the IVDR.

I have jokingly paraphrased the absurdist painter Magritte by saying “ceci n’est pas une période de transition”. I’m contemplating starting a T-shirt business with memes for the MDR and IVDR, with that meme and others, like “Regulatory Cassandra” and “I worked myself into the ground to meet the MDR DoA and all I got was this one year delay which is not a delay actually”. And of course for the IVDR I’m still negotiating with the History Channel Ancient Aliens guy to use his portrait on the “Alien invasion scenario, anyone?” T-shirt for my IVD industry readers.

Not a soap, a telenovela

So what is the new episode in the soap you ask? I bet you have some idea from the spoiler in the title of this blog.

At this point I would not even call the MDR and IVDR transitional period a soap anymore, but rather a full blown telenovela. For those that think they know me: did you know I have South American roots (but contrary to popular belief am not a 65 year old Olympic sailor and Sjoerd’s twin brother)? Watching telenovelas with my thirteen year old daughter is one of my guiltiest pleasures. My predicament at the moment is that Netflix still has not released the last season of Jane the Virgin in the Netherlands. Not cool, Netflix – it’s been available elsewhere for a long time already.

Telenovelas are characterised by convoluted subplots involving three or four different settings and involve set archetypical scenarios with surprising plot twists using classic style figures, but overall narrate a set story arc. Contrary to soap operas, which normally have an open end and can theoretically last forever, a telenovela is planned for a specific period unless extended by unforeseen circumstances (such as pandemics, alien invasions or unexpected success).

Sound a lot like the MDR and IVDR transition, right? Let’s zoom in on the subplot of standardisation, since I already gave that much away in the title.

The standardisation sub-plot in the MDR / IVDR telenovela

As I mentioned in my last blog, the standardization bodies CEN / Cenelec would decide on the standardisation request for the MDR and IVDR by 17 June. I also mentioned that not everyone was happy with the request as it went in. It contained references to standards that would be outdated by completion (or even already were at the date of the request), the request was not complete, the request was (way too) late, etc. Those that did not openly criticise the request were probably thinking an imperfect and late request was better than no request.

So 17 June came and went last week and we heard nothing. At least, not publicly. However, I was able to confirm from various sources by the end of last week that the request had in fact been rejected by CEN / Cenelec on 16 June (this was confirmed by the Commission in the MDCG subgroup on standards on 19 June and posted by a Commission official on LinkedIn) – they are not going to embark on this project and, procedurally, a new (amended) request will be necessary. This leaves the standardization project under the MDR and the IVDR without legal basis for the moment.


The background of these things is always kind of political, but it seems that the main reason for rejection of the request can be found in the persisting tension between the Commission and the standardization bodies about the outcome of the standardization process: the Commission wants standards that are as close as possible to what it sees as European requirements, and the standardization process delivers standards that are state of the art according to the experts involved in the standardization process. As a result of EU case law the Commission has been on a mission for greater influence over the interaction between standards and regulations. So, my dear readers, as you will understand: this tension is only to be expected, because relationship drama is a necessary ingredient of any telenovela.

We did learn that another iteration of harmonised standards under the directives is under preparation, likely to arrive at the end of this year. You can already put that in your planning. What? You disbanded your whole MDR transition team already and have no resources for this? Not so smart after all.

What now?

Like in a telenovela, this is obviously a plot twist. As a company with some sense you had already planned (or finalized) your technical documentation without relying on a presumption of conformity against MDR harmonised standards, because this was a likely outcome of the scenarios that you had been planning for (if you haven’t read the ISO 31000 standard, it’s still not too late). This is not your first telenovela, right?

If you’re in IVDs, maybe don’t count on harmonised standards being available in time – that’s a likely scenario. Why not, you say? May 2022 is still far away? As you will have read in my last blog on this subject for the IVDR, it totally is not. And I guarantee you that we will not have harmonized standards under the IVDR before you need them this summer and autumn.

This means that under all circumstances anyone having to file a conformity assessment application under the IVDR or MDR soonish will not have harmonized standards to rely on, and can therefore not rely on a presumption of conformity under the MDR and IVDR.

Back to state of art – for the moment

Dios mio! No presumption of conformity! Why do we even have standards then?

This development does not mean that you cannot rely on international standards at all. Actually, not relying on them at all will make things much more complicated because you lose a common frame of reference with your notified body.

What you will need to do is go back to basics for your GSPRs, as GSPR 1 for both the MDR and IVDR sets out: you will be ‘taking into account the generally acknowledged state of the art’. This means that for each of the standards you reference you will have to draft a rationale that the requirement referred to in that standard is state of the art for the GSPR that you reference it for. While you may think that the latest standard adopted necessarily reflects the state of the art, I recommend not to presume this. Check this approach with your notified body before you deploy it across the board. Notified bodies may have had other marching orders from their competent authorities, because those latter ones look at what they think are requirements, and may not necessarily agree that the latest adopted standard reflects those correctly.

Notified bodies position?

It would be fantastic if notified bodies could be explicit publicly about whether they endorse the approach of ‘latest standard adopted = always state of art’ across the board, because that would make life a lot easier. It would be a kind of de facto presumption of conformity that companies can operate on until the harmonization request does yield harmonised standards.

Good news: it seems that there are ongoing efforts in that direction. Bad news: if that happens you may need to revisit your technical documentation for the Z annex gaps defined in the harmonized standards if and when these are finally adopted. I would recommend to keep thinking about what a Z annex might look like for a given standard, and how its adoption would affect the technical documentation.

Common specifications anyone?

We are in the telenovela space, so plot twists are always a possibility (as I tend to say: scenario anyone?). In the presentation to the MDCG standards subgroup the Commission seems to be hinting (or maybe making a veiled threat, depending on how you see it) at development of Common Specifications (CS) under the MDR.


I must say that this is one of the options that came to mind for me as well when I heard the first rumors that the request had been rejected. However, if we look at the Commission’s less than stellar track record on adopting the only two CS that we actually must have under the MDR (one for reprocessing of single use devices and one for the non-medical Annex XVI devices), then the Commission and its chaotic family member the MDCG do not really seem capable of drafting and adopting, in the short term, the scope of the standards in the request plus the work that the HAS consultants would still need to do to draft the Z annexes defining the gaps between the standards and the requirements. I would chalk this option up to theoretically possible, but not likely.

More likely would be adoption of several targeted CS for some of the requirements under the MDR and IVDR where the EU is not happy with the available standards as being ‘insufficient’, which is exactly what the CS were intended for in the first place. So I would not dismiss the CS option altogether.

As is the rule with telenovelas however, you don’t find out the truth until the last five minutes of the series’ finale. COCIR predicted a decline in harmonised standards for medical devices, so it would not be surprising if this gap would be bridged with CS.

¿Qué es lo siguiente?

What will be next in this riveting rollercoaster? So many sub plot options! The relationship drama between the standardization bodies and the Commission might take an unexpected turn with CS replacing standards, although this is not so likely I think. There may be lots of drama though as they sort things out. After all, this is a telenovela.

The Commission will go back to the drawing board and will work on a new request now, and will have to discuss with CEN / Cenelec how to arrive at a new request that can work for all involved. Since the drama between the standardization bodies and the Commission is in Annex III of the request, which describes the general and specific requirements for the harmonised standards, this is where the magic will need to happen:


I expect that this magic will include, specifically, some developments in the “information on the relevant applicable requirements or parts of the relevant applicable requirements that are not covered by it” (Annex III, part A sub 2) – the Z annex gaps – and in the way that the Commission thinks standardization for devices is supposed to function under the MDR and IVDR. Since telenovelas normally revolve around a family secret, we will also have to live with the thought that we will likely not get to the bottom of this completely as the family secrets are unfortunately never transparent.

The Commission may have to be a bit more like Rogelio in Jane the Virgin when he learned that Xo was pregnant with his arch nemesis’ baby: supportive of whatever choice she would make about it because it was her choice to make and not his. If you’re in it together because you are a public-private partnership, be part of the solution to make it work – a presumption of conformity, after all, does not define the legal standard as such. But, as Rogelio said himself: “If you knew anything about telenovelas, you’d know that everything is supposed to be dramatic!”
