Normally one looks back at the end of the year, but I also like to look ahead because there are a lot of developments in EU law that will affect the medical devices industry next year: new rules on cybersecurity, data protection, mHealth and business compliance will put their mark on 2016, additional to the never-ending story of the MDR and IVDR.
Look back: the never-ending wheelbarrow of frogs
OK, a small look back. We can summarize 2015 very succinctly: in 2015 the drafts of the MDR and IVDR hung over the market, and the year was characterized by two presidencies trying to cart the never-ending wheelbarrow of frogs that the Council and the trilogue processes are across the finish line of the legislative process. Although it looked promising that the trilogue would be completed in 2015, allowing the regulations to enter into force halfway through 2016, this is no longer realistic now that the trilogue did not complete this year. The MDR and IVDR will continue to hang over the market for at least six months longer.
General Data Protection Regulation
One of the projects that was competing with the MDR and IVDR for the record of being stuck in the legislative track the longest ever is the General Data Protection Regulation (GDPR), a regulation of epic consequence that will determine what EU data protection regulation will look like for the coming decades. This regulation replaces the directive from 1995 (that’s right, from when there was no real internet yet) and quantum-leaps companies into a straitjacket / minefield of regulation as a result of the very prescriptive and detailed requirements for collection and processing of personal data that has a nexus with the EU. The GDPR did complete its trilogue and is now fast on its way to becoming law for Europe. The negotiated text that was agreed on in the trilogue is still not complete. For example, the exemption provision for processing of personal data concerning health (article 81) has not been agreed yet and will be subject to further voting in Parliament and the Council.
I will blog in more detail about its consequences when we have a full text ready, but I will point to an earlier post touching on the GDPR. In short, we know now that
- the current Article 29 Working Party opinions will become law
- there will be strict privacy by design and default requirements affecting your device design and any (eHealth/mHealth) service that collects and processes personal data
- data subjects will get data portability rights, from which it appears that medical devices and related services are not exempted (i.e. people will have a right to the data in their pacemakers)
- new definitions of personal data concerning health and genetic data will be adopted
- your company can be fined up to 4% of its global turnover for non-compliance
- more controls on profiling and monitoring, which are the things a company normally needs to do in order to provide effective healthcare services
- and a lot more
A broad coalition of associations (including Eucomed, COCIR and EFPIA) has raised severe objections against the consequences of the GDPR for clinical research, especially retrospective research. These objections have been largely ignored, but we will not be sure until the final text of article 81 has been established.
The NIS Directive that I wrote about before has also completed its trilogue. While a complete text is not available yet, we do know that the healthcare sector is not exempted from it and that the directive will affect “digital service providers”, which in earlier versions of the directive was defined to include all end-to-end digital solutions in eHealth and any services relying on processing of health data in the cloud. Since no text is available yet I’m not able to give a detailed and full analysis, so watch this space.
The EU mHealth Code, one of the actions that DG Connect of the European Commission took in follow-up to the Green Paper on mHealth, is nearing completion. This was established at the last mHealth Stakeholders Group in Brussels on 7 December. The substantive part of the code is more or less finished, providing a good how-to guide for privacy by design and default for mHealth apps, much like that set out in the Article 29 Working Party’s opinion on apps. The procedural part still needs work (there is no enforcement mechanism or body, nor is there agreement on which party will ‘own’ the code). Finally, the intention of the Commission is to have the code blessed by the Article 29 Working Party in order to give it more official status. I’m curious how that will go, looking at the case study of the C-SIG code of cloud providers, which started this process a considerable time ago and so far has little to show except a resounding “no”. A number of the points raised by the Article 29 Working Party in relation to the C-SIG code also affect the mHealth Code as it is presently drafted (as was confirmed by the French Data Protection Authority at the 7 December stakeholders meeting). The drafting committee aims to have the mHealth Code finished in Q2 of 2016. More on this code too when the text is final.
MedTech Europe’s new code
Then there is MedTech Europe’s new code, adopted on 2 December and entering into force for its members on 1 January 2017 for the substantive part. 2016 will therefore be the year of implementation of the new code for MedTech Europe members, as the members have committed to transpose the new code internally between 1 January 2016 and 31 December 2016 at the latest.
This code will modernise and consolidate the Eucomed and EDMA codes and provide an overarching, comprehensive complaint mechanism at EU level, which was lacking so far. In practice this means that the EDMA members (IVD sector) will be subject to much more specific and detailed requirements than was previously the case.
The new Code will set the minimum standard by which industry members operate across Europe, Middle East and Africa (EMEA).
New elements of the code are, for example, that MedTech Europe members will cease all direct financial and in-kind support to individual HCPs to cover the costs of their attendance at Third Party Organised Educational Events as of 31 January 2017 at the latest. After that date members may provide financial or in-kind support to Third Party Organised Educational Events only through Educational Grants or other types of funding in accordance with the rules of Chapter 2: Third Party Organised Educational Events and Chapter 4: Charitable Donations and Grants.
The new code comes into force as follows:
- PART 2: The Dispute Resolution Principles shall enter into force on 1 January 2016; and
- The balance of the code [i.e. Introduction, PART 1 and PART 3] shall enter into force on 1 January 2017.
During the transposition period from 1 January 2016 to 31 December 2016, no material or activity will be regarded as being in breach of the code if it fails to comply with its provisions only because of requirements that this edition of the code newly introduces.
More details about this code will follow too.
So happy holidays
with all these new developments. I wish you good luck and wisdom with all the homework ahead for the medtech industry operating in Europe in 2016.