BREAKING: EU agreement on new MDR and IVDR

Almost four years after the initial proposals, the Dutch presidency has shepherded the proposals for the MDR and IVDR across the finish line in the trilogue negotiations, as was announced today.

This was quite an unexpected result, as the earliest we expected (or hoped) to hear about this was the EPSCO Council meeting next month.

The current agreement has been reached in the trilogue negotiations and still has to be formally approved by the Council and Parliament (the Council’s Permanent Representatives Committee and the Parliament’s ENVI committee). But that will be a formality unless one group of delegates exceeded its mandate.

This means that we finally have new regulations, which normally will enter into force this year.

More to follow when the agreed texts become available, because the press release does not tell us very much news.

This does mean that everybody will need to start preparations if they were not doing so already. As I write this I just returned from giving a day long workshop on MDR and IVDR preparedness, but now it is ON – for real. What will all of that involve? See my recent webinar for Advamed members for a general overview:

Product liability for devices under MDR and IVDR

With the MDR and IVDR nearing completion in the trilogue negotiations, the final outline of these two statutes becomes clearer and clearer. It now looks like the regulations will be agreed upon during this Presidency, which means they could be published in the Official Journal and enter into force this autumn. I’m referring to “they”, although there are some rumors now that, since the remaining political difficulties are in the IVDR, the IVDR might be delayed and adopted at a later stage.

These are rumors however; I’m not sure at all whether this will actually happen. Also, if it did, that would mean that the IVDR would already have to be fixed in all the overlaps it shares with the MDR (which is a lot). It looks like one of the big items that the IVDR is stuck on is the genetic testing proposal of the Parliament, which I believe the EU does not even have constitutional competence to impose in the first place. Yet, political wishful thinking causes amendments like this to be pursued anyway.

Wishful thinking on liability for defective devices

Another amendment in that vein of political wishful thinking is the liability insurance regime that seems like it will make it into the MDR and IVDR. With the PIP breast implants scandal in mind it’s an ardent political wish of the Parliament and the Council that these regulations feature some kind of language regarding liability for defective devices, even if there is a perfectly good EU Product Liability Directive to deal with this – which is already interpreted very broadly by the EU Court in relation to medical devices by the way.

Will it blend?

But as professionals that have to work with these rules for decades to come we have to ask ourselves: “Will it blend? Will this serve the persons it is intended to serve, and is it put together in a way that actually achieves its objectives?”. As you will see in my presentation below, given yesterday at the Q1 Conference on the MDR and IVDR in Brussels, this will not be the case:

As a result of the quite unclear formulation of the text, the disregard for how these clauses relate to the existing EU Product Liability Directive and the potential for making litigation so much more complex and lengthy, nobody stands to benefit from this proposal if it is adopted. It will make medical devices more expensive, because the cost of insurance and disputes must go somewhere, and it does not add any value over the existing Product Liability Directive regime.

I am pretty sure that there has been a lot of face palming among the highly qualified people in the Commission’s legal service, which is usually asked after the fact whether such a proposal makes any sense legally in the first place. As you will see in my presentation, the proposal sticks together that badly. The text may be under discussion in the trilogue negotiations, but the text in the Council’s general approach is really nothing to be enthusiastic about.

In addition, an impact assessment has not been made for this proposal that stands to add enormously to the costs of compliance for all involved.

Authorised representative liability

The liability of authorised representatives for costs associated with defective devices of manufacturers they represent is a unique feature in EU CE marking law and will pit these two parties against each other mercilessly. It will result in a situation where the interests of parties are diametrically opposed. Currently an authorised representative can rely on the exclusions in the Product Liability Directive to not be product liable, because it was not involved in design or placing the product on the market. That will change if this proposal is adopted.

The result will be that authorised representatives will be very skittish and quick to terminate agreements, with costs (insurance) going through the roof. Manufacturers, for their part, will seek to manage this by setting up their own authorised representative in empty legal entities in the EU, staffed with an external consultant that meets the new authorised representative criteria. Will having more potentially liable parties improve legal recourse for patients? Of course it won’t.

More costs, nobody benefits

So what will be the net result? Confusion everywhere and more costs to the system. Patients spending years and years being sent from one party disclaiming liability to the other. Small companies will not be able to afford being in the market for higher risk devices, whether they are manufacturer or authorised representative. And politicians claiming that they effectively legislated for ‘effective redress’ for the benefit of the patient. That is my impact assessment of this proposal.

Wearables – a seminar about legal and regulatory aspects

Wearables are getting more and more popular and are starting to move further into the healthcare field by tracking all kinds of data concerning physiological processes and performance. Some companies explicitly want their wearables to be medical devices, others prefer their wearables to stay out of that. Some companies plan their data protection compliance for personal data concerning health, while others stick to treating data from their wearables as ‘normal’ personal data (or maybe not even that).

The variety of wearables also becomes more and more diverse: wearables are not just watches and wristbands but also footwear, clothing, hats, patches, ankle bands, gloves, earpieces, monocles, glasses, contact lenses and so on.

Wearables hardware is typically supported by software that also processes data and may perform all kinds of operations on the data that might make the software itself a medical device or an accessory to the wearable (if that is a medical device). Also, data protection considerations apply to the software or end-to-end solution that the wearable is part of, especially if the company intends to aggregate the data from the wearable and maybe use it for purposes additional to providing feedback to the user.

Wearables are also deployed for a variety of purposes that may be very sensitive from a data protection angle, like for example monitoring health risks in employees.

In this mix we see a continuous stream of either nasty or happy surprises for companies with regard to the rules that apply to their product and associated services. To help reduce confusion we decided to organise a seminar about this subject on Wednesday 20 April, featuring the following presentations:

  • Regulatory and legal aspects of wearables
  • Practicalities on CE marking your wearable and software
  • A showcase of wearable development by Microsoft

As you are used to from us, the seminar is free and you can bring as many colleagues and friends as you like (just please let us know how many so we can plan for it – see the invitation below for the RSVP email address) and feel free to spread the word! It’s in Amsterdam center on the waterfront, there’s ample parking underneath the venue and we will have drinks and snacks afterwards at our office. Hope to see you there!

If you cannot attend and want to receive copies of the presentations, you’re welcome to let me know too.


Medical devices M&A – data protection

Lately I have been doing a lot of work in medical devices M&A projects, some very big, some quite small and some in between. Everybody seems to be merging with everybody else these days as the bigger companies divest branches to reposition and smaller companies put themselves up for sale.

These projects are invariably highly international and it seems that with respect to the EU we always run into the same issues that cost either the buyer or the seller (or both) money, because of delays, extra amounts in escrow, additional reps and warranties and so on. I would like to share with you some of the issues I run into and my views on them, so others may avoid them or deal with them more effectively.

Today we discuss data protection. Planned next posts include transferability of CE marks (spoiler: you cannot transfer them – which tends to cause problems if you structure a transaction based on the assumption that you can).

What follows below is just a selection (so not an exhaustive treatise) of EU data protection related issues that I routinely run into in M&A scenarios. That is of course the worst moment to run into them, because they will impact the deal and the value of the company adversely, so what follows can also be seen as a list of things to do or not to do with respect to EU data protection in relation to medical devices.

No joke

Data protection is no joking matter in the EU. Since the EU put protection of personal data in its charter of human rights it is a fundamental right in the EU, which means that there can be no merchandising with it. This has translated to a very strict policy in the field of data protection by the various national data protection authorities in the EU (there is no EU central agency for that).

At the same time personal (health) data is becoming more and more the fuel for business models in the medical devices sector, e.g. because the product is an end-to-end solution comprising software and hardware. Often aggregation of personal data is a crucial part of companies’ business models.

What I find in practice is that small and midsize companies that are for sale have invariably neglected this area, because they tend to focus on compliance in the device field first, which is logical because it allows them to place product on the market and to scale. However, data protection compliance is another important field of compliance that companies cannot afford to neglect. For example, EU data protection legislation imposes privacy by design obligations, which also apply to medical devices if the devices themselves process personal data. That will be the case for basically every connected medical device, especially if the device itself is software.

Expansive definition of personal data

What companies often fail to understand is that the EU has a very expansive definition of what constitutes personal data. This means that a lot more data is covered than companies think because they are not aware that any data that makes a person directly or indirectly identifiable constitutes personal data. To put it in the words of the EU guidance document Opinion 4/2007 on the concept of personal data, a must read for everyone embarking on the protection of personal data in the EU, on the subject:

“Recital 26 of the Directive pays particular attention to the term “identifiable” when it reads that ‘whereas to determine whether a person is identifiable account should be taken of all the means likely reasonably to be used either by the controller or by any other person to identify the said person.’ […] The criterion of “all the means likely reasonably to be used either by the controller or by any other person” should in particular take into account all the factors at stake. The cost of conducting identification is one factor, but not the only one. The intended purpose, the way the processing is structured, the advantage expected by the controller, the interests at stake for the individuals, as well as the risk of organisational dysfunctions (e.g. breaches of confidentiality duties) and technical failures should all be taken into account. On the other hand, this test is a dynamic one and should consider the state of the art in technology at the time of the processing and the possibilities for development during the period for which the data will be processed. Identification may not be possible today with all the means likely reasonably to be used today. If the data are intended to be stored for one month, identification may not be anticipated to be possible during the “lifetime” of the information, and they should not be considered as personal data.”

This means that any set of data that a company has, which – if combined with other data or technical means in possession of another party – can at some point in time be used to single out individuals (whether you know who these individuals are or not) constitutes personal data and has to be treated as such. It is never – ever – enough to just strip some of the identifying fields out of personal data (like name and address) if the individual can still be singled out in a group of individuals, see my picture below.

[Picture: You cannot identify me because I’m anonymized]

It would be like saying that Mr X is not identifiable, even if you know that he lives across the street from you, has a beige Toyota Camry from May 2010, a black labrador dog and a Ragdoll cat, this specific router IP address and has psoriasis.
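To make the singling-out point concrete, here is an added example (not part of the original post) that runs a k-anonymity check over a constructed, name-stripped data set of the Mr X kind: it reports which records remain unique on the quasi-identifiers that a neighbour or another party might know, shows how a linkage with such outside knowledge re-identifies them, and shows that coarsening an attribute raises the minimum group size. All records, attribute names and the "neighbour knowledge" set are constructed for illustration.

```python
from collections import Counter

# Constructed sample: name and address already stripped, as the post describes.
# These are attributes a "de-identified" export of a health app could still carry.
RECORDS = [
    {"street": "Keizersgracht", "car": "Toyota Camry 2010", "dog": "labrador",
     "cat": "ragdoll", "condition": "psoriasis"},
    {"street": "Keizersgracht", "car": "Toyota Camry 2010", "dog": "labrador",
     "cat": "none", "condition": "none"},
    {"street": "Keizersgracht", "car": "Toyota Corolla 2014", "dog": "none",
     "cat": "ragdoll", "condition": "psoriasis"},
    {"street": "Prinsengracht", "car": "Toyota Camry 2010", "dog": "labrador",
     "cat": "none", "condition": "asthma"},
    {"street": "Prinsengracht", "car": "Toyota Camry 2010", "dog": "labrador",
     "cat": "none", "condition": "asthma"},
]

# Constructed "other data in possession of another party": what a neighbour knows,
# without any access to the health data itself.
NEIGHBOUR_KNOWLEDGE = [
    {"name": "Mr X", "street": "Keizersgracht", "car": "Toyota Camry 2010",
     "dog": "labrador", "cat": "ragdoll"},
    {"name": "Ms Y", "street": "Prinsengracht", "car": "Toyota Camry 2010",
     "dog": "labrador", "cat": "none"},
]

# The quasi-identifiers: fields that are not names but together can single someone out.
QUASI_IDS = ("street", "car", "dog", "cat")


def qi_key(record, quasi_ids):
    """The tuple of quasi-identifier values that places a record in an equivalence class."""
    return tuple(record[q] for q in quasi_ids)


def equivalence_classes(records, quasi_ids):
    """Map each quasi-identifier combination to the number of records sharing it."""
    return Counter(qi_key(r, quasi_ids) for r in records)


def k_anonymity(records, quasi_ids):
    """Smallest class size; k == 1 means at least one person is singled out."""
    classes = equivalence_classes(records, quasi_ids)
    return min(classes.values()) if classes else 0


def singled_out(records, quasi_ids):
    """Records whose quasi-identifier combination is unique in the data set."""
    classes = equivalence_classes(records, quasi_ids)
    return [r for r in records if classes[qi_key(r, quasi_ids)] == 1]


def link_with_outside_knowledge(records, outside, quasi_ids):
    """Re-identify by linkage: a record that matches exactly one outside entry and is
    itself unique on the quasi-identifiers is attributed to that named person.
    Returns a list of (name, sensitive attribute) pairs that leak."""
    classes = equivalence_classes(records, quasi_ids)
    by_key = {}
    for entry in outside:
        by_key.setdefault(qi_key(entry, quasi_ids), []).append(entry["name"])
    leaks = []
    for r in records:
        key = qi_key(r, quasi_ids)
        if classes[key] == 1 and len(by_key.get(key, [])) == 1:
            leaks.append((by_key[key][0], r["condition"]))
    return leaks


def generalise_car(record):
    """Coarsen the car attribute to the make only, e.g. 'Toyota Camry 2010' -> 'Toyota'.
    Generalisation is one standard way to raise k; it trades detail for anonymity."""
    out = dict(record)
    out["car"] = record["car"].split()[0]
    return out


if __name__ == "__main__":
    print("k on all quasi-identifiers:", k_anonymity(RECORDS, QUASI_IDS))
    print("unique records:", len(singled_out(RECORDS, QUASI_IDS)))
    print("linkage leaks:", link_with_outside_knowledge(RECORDS, NEIGHBOUR_KNOWLEDGE, QUASI_IDS))
    coarse = [generalise_car(r) for r in RECORDS]
    print("k on (street, car) before/after generalising car:",
          k_anonymity(RECORDS, ("street", "car")), k_anonymity(coarse, ("street", "car")))
```

Ms Y is not singled out because two records share her quasi-identifiers, which is exactly the "group of individuals" test the post describes; Mr X is, and his condition leaks even though no name was stored.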

Companies that process personal data under the working assumption that it is not personal data will normally infringe national law and may be subject to fines and enforcement, because they are acting illegally. This of course goes directly to the reps and warranties that are given in the frame of a transaction. Common remedies include the company working double time to become compliant between signing and closing, and indemnities being given for any post-closing costs needed to complete that process, as well as for possible fines and damages resulting from disruption of business operations caused by enforcement.

Personal data concerning health

Devices companies will almost always process personal data concerning health – they’re into medical devices right? Personal data concerning health is subject to the extra strict regime under EU data protection law, the “no, unless”-regime. This means that you are not allowed to process that kind of data at all, except when an exemption applies. From the perspective of enabling healthcare in the 21st century this is in my view a very outdated approach but you have to keep in mind that the EU’s data protection legislation stems from 1995, which means that it was conceived in pre-internet and eHealth times. The exemptions available are informed consent by the data subjects concerned and the situation “where processing of the data is required for the purposes of preventive medicine, medical diagnosis, the provision of care or treatment or the management of health-care services, and where those data are processed by a health professional subject under national law or rules established by national competent bodies to the obligation of professional secrecy or by another person also subject to an equivalent obligation of secrecy.”

This means that unless medical devices are used to process data concerning health under the medical privilege of a healthcare professional a company is stuck with having to obtain informed consent from the patients concerned (see below for more about that). The problem is that the scope of the medical privilege is not harmonised in the EU (that would probably be contrary to article 168 TFEU as intervening in the national practice of medicine). This means that in practice each member state will have its own view of to what extent processing by a medical devices company for a hospital or HCP is still covered under medical privilege. Where a company relies on this exemption, due diligence should reveal a well thought-out plan and argumentation why this exemption applies in each individual member state of the EU in which the company is active.

Furthermore, like with the concept of personal data as such (see above) the concept of data concerning health is potentially very expansive. According to EU guidance, personal data concern health when

  1. The data are inherently/clearly medical data (duh, but actually not that simple in practice);
  2. The data are raw sensor data that can be used in itself or in combination with other data to draw a conclusion about the actual health status or health risk of a person (see: raw data, without necessarily having a person’s name attached to them, since they make the person that is measured identifiable);
  3. Conclusions are drawn about a person’s health status or health risk (irrespective of whether these conclusions are accurate or inaccurate, legitimate or illegitimate, or otherwise adequate or inadequate).

Health is certainly not limited to ‘medical’ data only. Nike recently found that out the hard way when the Dutch Personal Data Authority enforced against it for processing data concerning health in its running app and platform without being compliant for processing of such data. Nike was operating on the assumption that sports performance data did not constitute data concerning health, but the authorities argued in line with above point 3 that it was possible to draw conclusions concerning a user’s health status from the aggregated data based on activity patterns etc., which meant that the data constituted data concerning health from the start.

In due diligence you would therefore look for evidence that the company has given due consideration to the regulatory status of the data it processes and that it has acted on those conclusions. That consideration would normally be embedded in or follow from a Privacy Impact Assessment (more about that below).

Informed consent

Informed consent is in practice the ‘silver bullet’ of data protection in the sense that as long as the data subject gives informed consent, you can basically do what you want with the data. That sounds nice, but in practice legally informed consent is a tricky and high maintenance basis for processing data concerning health, or any personal data for that matter – see more about this in the Article 29 Working Party opinion on the definition of consent. Why? For several reasons:

  • informed consent has to be given for specific goals – that means you cannot be vague or open ended in the privacy policy. Statements like “we may collect personal data and may share this with selected third parties to improve the quality of the service provided” are too vague. Use of the word “may” is not considered specific enough. For an informed consent to be valid you have to be precise about what data are processed, by whom (also their subcontractors), why the data are processed, for how long they are kept, how they are secured, etc. That means that you have to have a pretty good idea of your own business model for the future and how the use of the data collected fits into this. Not being specific enough means that the data subject’s consent will not be considered to have been given on an informed basis (regardless of whether the data subject signed the form, ticked the box or clicked the “I understand and agree” button). The result is lack of informed consent, non-compliant (so illegal) processing and a worthless database, because it’s an illegal database. Consequently, a company must give consideration to the description of the goals of collection and processing, both now and in the future. Otherwise scope creep or vagueness in the company’s goals that the data subject is informed about may make it necessary to go back to the data subjects for additional consent.
  • informed consent may be subject to formalities, and these formalities may differ from member state to member state and between ‘normal’ personal data and personal data concerning health. For example, Italy requires that consent to process personal data concerning health must be given in writing and on paper.

Consequently, due diligence will focus on the formalities of informed consent and on whether the privacy policy is specific enough. More often than not, privacy policies will have been written far too unspecifically, or there has been a bad case of scope creep on the part of the company that is collecting the data. Never assume that a single global privacy policy will do the trick. Don’t copy your US compliant privacy policy just like that – it will not be compliant in the EU. If you’re an EU based company, don’t copy someone’s US style policy even if it looks good – it will just be non-compliant. I see so many issues arise from ‘penny wise, pound foolish’ thinking in relation to privacy policies. If personal data is important to your business model, your privacy policy and (embedded) informed consent should be very important to you.

Security

EU data protection law (Directive 95/46) obliges companies to

“implement appropriate technical and organizational measures to protect personal data against accidental or unlawful destruction or accidental loss, alteration, unauthorized disclosure or access, in particular where the processing involves the transmission of data over a network, and against all other unlawful forms of processing.”

Unfortunately, what exactly constitutes such security has not been harmonised in the EU, which means that different data protection authorities can have different views in this regard. Generally speaking, implementing ISO 27001 will bring a company close to compliant, but member states typically start to require additional or diverging idiosyncratic things when it comes to healthcare.

Compliance with local security requirements is therefore an important part of any due diligence. The seller should be able to show a thought out plan of how to comply with respective local security requirements.

Why no PIA?

Just as you would engage in risk management for a medical device, data protection law in the EU de facto requires that a company makes a risk management plan for its processing of personal data by conducting a so-called Privacy Impact Assessment (PIA). This is currently not yet mandatory, but is seen as a state of the art measure for a company that has its affairs in order. It will be mandatory under the GDPR, the new EU data protection rules that will enter into force shortly (see more about that below). Make sure your PIA model is a good one; the Article 29 Working Party was critical yet supportive of some industry proposed models, e.g. its opinions regarding smart meters and grids and RFID applications contain valuable insights.

Conducting a PIA is a good idea under all circumstances, because it will provide the company with a comprehensive perspective on its data processing, enabling the company to implement the necessary controls to be compliant, and it will help the company decide what is required for its privacy-by-design obligations. If there are design requirements under different sets of rules (medical devices law and data protection law) you have to map overlaps and gaps carefully and precisely. For that reason the company’s PIA is an important document to investigate for the purpose of due diligence, because it will provide a valuable picture of the company’s operations in relation to personal data.

The absence of a PIA will be an indication for the buyer that the company may have significant blind spots and associated compliance gaps. As a result the buyer will have to rely on reps and warranties more and may want indemnities for the inevitable skeleton that will topple out of a closet post-closing.

International transfers

When a company operates internationally it will often transfer personal data outside of the EU. That is however only allowed if the country to which the data is transferred is subject to a Commission adequacy finding (in other words, the Commission has found that the level of protection of personal data is sufficient in that country, see here for a list of them) or if the transfer is subject to a specific instrument that legitimizes the transfer. Such instruments are standard contractual clauses (an EU model contract between the exporting and importing party that implements principles of data protection and gives the data subject third party rights) and binding corporate rules (a company’s international data protection manifest approved by a data protection agency in the EU). In addition, consent of the data subject is available as a ground for transfer, but in that case you need to go back to all the data subjects concerned and obtain new or additional informed consent, and consent is a shaky ground for mass transfers of personal data, as discussed above.

The US safe harbor cannot be relied upon at the moment after the Commission’s adequacy finding for the safe harbor was invalidated in the Facebook judgement of the European Court last year, because it was established that the safe harbor was not so safe for the personal data of EU data subjects after all. As a consequence companies still relying on the safe harbor have had to resort to standard contractual clauses as a remedy because binding corporate rules take a long time to agree with a data protection agency. The EU data protection agencies have announced that companies still relying on the safe harbor will soon be enforced against.

The EU and US are in the process of agreeing a replacement for the safe harbor – Privacy Shield – but this has not been finalized yet and is still subject to scrutiny by the EU authorities.

In due diligence of an international company the compliance with requirements for international transfers is obviously very important so this is a high priority. Where a company relies on standard contractual clauses it is important to investigate whether the scope and path of the transfers as set out in the documentation match the reality of things.

GDPR = data protection on steroids

The new GDPR (General Data Protection Regulation) that will enter into force for the EU soon will be like current EU data protection legislation, but on steroids. It will raise the regulatory bar for processing of personal data concerning health considerably and stakeholders in the healthcare industry have lobbied vehemently with respect to its significant collateral damage in the healthcare industry. One example is that registry studies will become more than problematic (see also here), which can put a serious dent in medical research in the EU.

To give you an idea of what the regulation will entail, see my below embedded presentation at the Regulanet yearly conference last week:

As you can see, the GDPR will change a lot for companies. Unfortunately we don’t yet know what exactly the final text on some of the important points for healthcare will look like, because these provisions have not been established in the just finished trilogue negotiations. When this becomes clear, I will update you of course.

What is certain is that the fines that may be imposed under the GDPR in case of non-compliance with respect to illegal processing of personal data and personal data concerning health are quite astronomical – up to 4% of a company’s annual worldwide turnover! That’s your whole profit margin, globally, down the drain – the EU thought that this was the only way to make extremely big companies like Google and Facebook take this seriously. But even if you’re smaller this is not the kind of exposure you want when you’re selling your company. That is why data protection will become very serious business under the new GDPR.

In due diligence it is therefore interesting to find out what a company is already doing in terms of getting its act together for the GDPR, like for example doing a PIA, appointing a privacy officer, examining its current processing of personal data under the GDPR proposal and defining gaps. If a company is not already doing this, the learning or adaptation curve will be very steep when the GDPR enters into force.

So

Data protection is serious stuff that deserves attention from a compliance perspective since it goes directly to the business model and company value, because more and more a devices company’s value is in the data that it collects and processes. And that is just the economic consideration. How about a company’s social responsibility?

And then there is much I have not even touched upon in this blog, like national geofencing requirements for particular data (usually data concerning health), national accreditation requirements for companies that process personal data concerning health (like in France), requirements for contracts with third parties that process data for you (like hosting companies), etc., etc.

Neglecting data protection compliance can seriously mess up your valuation as a target, and in addition cause disruptions in your business in case of enforcement. Better get it right from the start, and as early as possible. A good structure set up from the start will scale with you, but neglecting compliance from the start will put you in a compliance minefield – bad for M&A.


New white paper on MDR (and where is the MDR anyway?)

When Gert Bos and I wrote BSI’s white paper on the impending EU medical devices regulation and the IVD regulation, the white paper was received very well, but we also received requests to write something more detailed and practical.

Here it is

So we did just that. And here it is – the next BSI white paper on the MDR, written from the perspective of a medical devices manufacturer that is faced with the MDR on the horizon and has to figure out what to do.

Chapter by chapter

We’ve taken the MDR and annexes apart in their constituent chapters and have described for each chapter what it means for the manufacturer and what the manufacturer can do to prepare for compliance before, during and after the transitional period following the entry into force of the MDR. The “do’s” are set out in convenient tables per chapter and in the overview version of a consolidated table in the back of the white paper.

Of course things may still change, because the text of the MDR is still not final and the different versions of the proposals by Commission, Parliament and Council differ considerably on some points. Where that is the case we have used our best judgement on where we think that particular item will likely land in the final text.

Did we miss anything?

We have tried to be as practical as possible but of course it is not possible to cover every permutation in the white paper. Also, we’re just legal and regulatory nerds with our own perspective on things that might be different from yours (although our valued reviewers helped us a lot in that regard). If you feel that we have left out anything important we would love to hear from you so we can take it on board in an updated version so everybody can benefit.

In the mean time: where is the MDR?

The short answer is still: “it’s complicated”. From what I hear, these are some of the distinct forces that slow down the trilogue:

  • Germany defending reprocessing of single use devices;
  • France and a coalition around them as well as the Parliament want centralisation of market access controls in some kind of EU competence (EMA like agency, special notified bodies), while other member states do not want to delegate more power to Brussels;
  • the European Parliament attaches great importance to lifestyle testing issues and genetic testing (IVDR issue) and wants an expanded definition of what constitutes a medical device;
  • there is a strong Parliament political commitment to a mandatory product liability for medical devices manufacturers and authorised representatives;
  • Parliament has plans to radically change CMR rules to something that goes beyond labeling (meaning a complete short term phase out, as they proposed)

Then the transitional period has become a political issue because, as a result of intensive lobbying, the politicians are starting to realise that three years is a very short transition period if there is no grandfathering whatsoever. So now there is a lot of discussion about how to make this more workable, e.g. by allowing certificates to be issued under the old rules until the end of the transitional period with full 5 years validity (which is not possible in the initial Commission proposal).

The Dutch presidency is aiming for a ‘second reading agreement’ by June 2016, resulting from 3-5 political trilogue meetings and more than 10 technical meetings. The Dutch are planning to have a dialogue that is as inclusive as possible and act as ‘honest broker’ for all member states. The Commission, in the mean time, seems to be getting increasingly impatient and may even start to think about putting the option to revoke the proposals altogether on the table. When that happens the Commission could start again with a new proposal at the status quo of what it knows works for the Council and the Parliament, or just propose incremental improvements to the existing directives instead.

Horse trading patterns are difficult to spot at this point because of the way the trilogue works and because all involved are keeping a very tight lid on things. If, at the end, one of the actors is not happy with the way their scored items add up, they can still refuse to accept the result unless they get this or that and it’s at that point where the real horse trading starts.

My expectation

My expectation is that there will be a lot of difficult meetings increasing the pressure towards the end, and there may be a surprise (like the Council general approach at the end of the Latvian presidency).

But there also may not be, and what happens then depends on (1) whether the Commission is fed up enough with the way things are bogged down by then and (2) whether the institutional actors are numb enough to come to a quick agreement in the following Slovakian presidency. Who knows, the central European presidencies have caused the biggest breakthroughs so far.


End of year bonanza

Normally one looks back at the end of the year, but I also like to look ahead because there are a lot of developments in EU law that will affect the medical devices industry next year: new rules on cybersecurity, data protection, mHealth and business compliance will put their mark on 2016, additional to the never-ending story of the MDR and IVDR.

Look back: the never-ending wheelbarrow of frogs

OK, small look back – we can summarize 2015 very succinctly: in 2015 we had the drafts of the MDR and IVDR hang over the market and the year was characterized by two presidencies trying to cart the never-ending wheelbarrow of frogs that the Council and the trilogue processes are across the finish of the legislative process. Although it looked promising that the trilogue would have completed in 2015, allowing the regulations to enter into force halfway through 2016, this is not realistic now that the trilogue did not complete this year. The MDR and IVDR will continue to hang over the market at least six months longer.

General Data Protection Regulation

One of the projects that was competing with the MDR and IVDR for the record of being stuck in the legislative track the longest ever is the General Data Protection Regulation (GDPR), a regulation of epic consequence that will determine what EU data protection regulation will look like for the coming decades. This regulation replaces the directive from 1995 (that’s right, from when there was no real internet yet) and quantum leaps companies into a straitjacket / minefield of regulation as a result of the very prescriptive and detailed requirements for collection and processing of personal data that has a nexus with the EU. The GDPR did complete its trilogue and is now fast on its way to becoming law for Europe. The negotiated text that was agreed on in the trilogue still is not complete. For example, the exemption provision for processing of personal data concerning health (article 81) has not been agreed yet and that will be the subject of further voting in Parliament and the Council.

I will blog in more detail about its consequences when we have a full text ready, but I will point to an earlier post touching on the GDPR. In short, we know now that

  • the current Article 29 Working Party opinions will become law
  • there will be strict privacy by design and default requirements affecting your device design and any (eHealth/mHealth) service that collects and processes personal data
  • data subjects will get data portability rights, from which it looks that medical devices and related services are not exempted (i.e. people will have a right to the data in their pacemakers)
  • new definitions of personal data concerning health and genetic data will be adopted
  • your company can be fined up to 4% of its global turnover for non-compliance
  • more controls on profiling and monitoring, which are the things a company normally needs to do in order to provide effective healthcare services
  • and a lot more

A broad coalition of associations (including Eucomed, COCIR and EFPIA) has raised severe objections against the consequences of the GDPR for clinical research, especially retrospective research. These objections have been largely ignored, but we will not be sure until the final text of article 81 has been established.

NIS directive

Also the NIS Directive that I wrote about before has completed its trilogue. While a complete text is not available yet, we do know that the healthcare sector is not exempted from it and that the directive will affect “digital service providers”, which in earlier versions of the directive was defined so as to include all end-to-end digital solutions in eHealth and any services relying on processing of health data in the cloud. Since no text is available yet I’m not able to give a detailed and full analysis, so watch this space.

mHealth code

The EU mHealth Code, one of the actions that DG Connect of the European Commission took in follow up of the Green Paper on mHealth, is nearing completion. This was established at the last mHealth Stakeholders Group in Brussels on 7 December. The substantive part of the code is more or less finished, providing for a good how-to guide in privacy by design and default for mHealth apps, much like set out in the Article 29 Working Party’s opinion on apps. The procedural part still needs work (there is no enforcement mechanism or body, nor is there agreement on what party will ‘own’ the code). Finally, the intention of the Commission is to have the code blessed by the Article 29 Working Party in order to give it more official status. I’m curious how that will go, looking at the case study of the C-SIG code of cloud providers that started this process a considerable time ago and so far has little to show except a resounding “no”. A number of the points raised by the Article 29 Working Party in relation to the C-SIG code also affect the mHealth Code as it is presently drafted (as was confirmed by the French Data Protection Authority at the 7 December stakeholders meeting). The drafting committee aims to have the mHealth Code finished in Q2 of 2016. More on this code too when the text is final.

Medtech Europe’s new code

Then there is Medtech Europe’s new code, adopted on 2 December and entering into force for their members on 1 January 2017 for the substantive part. 2016 will therefore be the year of implementation of the new code for MedTech Europe members, as the members have committed to transpose the new code internally between 1 January 2016 and 31 December 2016 at the latest.

This code will modernise and consolidate the Eucomed and EDMA codes and provide for an overarching comprehensive complaint mechanism on EU level, which was lacking so far. In practice this means that the EDMA members (IVD sector) will be subject to much more specific and detailed requirements than was previously the case.

The new Code will set the minimum standard by which industry members operate across Europe, Middle East and Africa (EMEA).

New elements of the code are for example that MedTech Europe members will cease all direct financial and in kind support to individual HCPs to cover the costs of their attendance at Third Party Organised Educational Events as of 31 January 2017 at the latest. After that date members may provide financial or in kind support to Third Party Organised Educational Events only through Educational Grants or other types of funding in accordance with the rules of Chapter 2: Third Party Organised Educational Events and Chapter 4: Charitable Donations and Grants.

The new code comes into force as follows:

  • PART 2: The Dispute Resolution Principles shall enter into force on 1 January 2016; and
  • The balance of the code [i.e. Introduction, PART 1 and PART 3] shall enter into force on 1 January 2017.

During the transposition period 1 January 2016 to 31 December 2016, no material or activity will be regarded as being in breach of the code if it fails to comply with its provisions only because of requirements which this edition of the code newly introduces.

More details about this code will follow too.

So happy holidays

with all these new developments. I wish you good luck and wisdom with all the homework ahead for the medtech industry operating in Europe in 2016.

Trilogue MDR/IVDR will probably not complete this year

With the end of the political year in Brussels in sight I thought it would be a good idea to give you an update on the process (if you can call it that) in the trilogue for the MDR and IVDR.

Work on implementation by delegated and implementing acts

Let’s start with the good news: a lot of work is going on behind the scenes with regard to implementation: the delegated and implementing acts. The Commission seems to have realized that there are a lot of those acts needed to even make the regulations work at the date of entry into force (see here for my analysis). The Commission has admitted that they have limited capacity and can churn out about five of them per year, so preparation seems to be key. So far the Commission has been denying that they were working on these acts because the legislative process was not finished yet.

Trilogue will likely not complete this Presidency

It seems more and more likely by now that the parties in the trilogue will not be able to arrive at an agreement that would allow a final text to be published during or right after the Dutch presidency in the first half of 2016. The Parliament and the Council still have differences of opinion that are still very pronounced.

Also, as I have blogged before, the member states themselves are not a united front with especially Germany trying to secure its points (like reprocessing, which many other member states are less enthusiastic about). The other member states are under pressure from their capitals to come up with results in this legislative dossier.

The process runs on two levels, political and technical. The pace, especially during the technical meetings, is said to be very low.

A problem with the trilogue negotiation process is that nothing is finally agreed until everything is agreed, which means that results that have seemingly been reached can shift all of a sudden. At the end of the negotiation each party will take stock of whether they have scored enough points and can always revisit points when they feel that they came up short. This is why the outcome of the trilogue is always difficult to predict. The Luxembourg presidency had organized the trilogue in four blocks with a decision to be taken at the end, but sources close to the process tell me this is not going to happen before the Christmas holidays. The Dutch presidency is now planning to finalize the trilogue and has already planned for that. That means that the latest planning of a final text at the end of the first half of 2016 will shift by at least 6 months. That means that there seems to be extra room for lobbying on the dossier.

Remaining political issues

What makes the trilogue progress so slow and contentious? There are still many issues that the member states and the Parliament see as political points. The most important remaining political issues that draw out the process seem to be (see also my previous post):

  • genetic testing (mainly IVDR rapporteur Peter Liese’s plan to do something with lifestyle tests, which was never constitutional in the first place)
  • CMR substances (the Parliament is intent on doing something to make the MDR and IVDR look more environmentally and patient friendly by banning CMR substances even if this is already covered under other EU legislation and regardless of the risk/benefit ratio of individual devices that depend on the use of such substances)
  • reprocessing (Germany wants this, the Parliament may want it less now than under the previous rapporteur Roth Behrendt (“single use labeling is like printing your own money“) and many member states do not want it)
  • (mandatory) liability insurance of the manufacturer and authorized representatives (the current proposal flies in the face of the Product Liability Directive in every way)
  • scrutiny / special notified bodies
  • transitional periods (member states seem to start to realize that the transitional periods for both regulations will be ‘interesting’, although the three years for the MDR is not up for discussion – it seems likely that a solution will be found in the duration of certificates granted under the old rules (currently max 2 years after end of transition period). This makes it more and more important for manufacturers to set up a good plan on when which of its devices transition to the new regime).
  • classification rules (rules 6 (reusable surgical instruments automatically class I), 19 nanotech (new, so scary and therefore risky) and 21 substance based devices (all in class III))
  • clinical investigations / clinical performance studies (especially with regard to IVDs the clinical endpoints that studies have to prove are not agreed yet)
  • in-house manufactured medical devices (Parliament does not like it, while member states see possibilities because they have hospitals)
  • resources at member states and notified bodies (currently the EU notified bodies combined have about 100 people qualified for IVDs, who would need to process all IVD certifications coming out of the quantum leap (80% to 20% self-certified IVDs) – this will not be possible)
  • etc.

Now what?

I think we should slowly start to get used to the thought that we will not have new regulations around the middle of 2016, but at best towards the end of 2016. Unless, of course, a miracle happens.
