Lately I have been doing a lot of work in medical devices M&A projects, some very big, some quite small and some in between. Everybody seems to be merging with everybody else these days as the bigger companies divest branches to reposition and smaller companies put themselves up for sale.
These projects are invariably highly international and it seems that with respect to the EU we always run into the same issues that cost either the buyer or the seller (or both) money, because of delays, extra amounts in escrow, additional reps and warranties and so on. I would like to share with you some of the issues I run into and my views on them, so others may avoid them or deal with them more effectively.
Today we discuss data protection. Planned next posts include transferability of CE marks (spoiler: you cannot transfer them – which tends to cause problems if you structure a transaction based on the assumption that you can).
What follows below is just a selection (so not an exhaustive treatise) of EU data protection related issues that I routinely run into in M&A scenarios. That is of course the worst moment to run into them because they will impact the deal and value of the company adversely, so what follows can also be seen as a list of things to do or not to do with respect to EU data protection with respect to medical devices.
Data protection is no joking matter in the EU. Since the EU put protection of personal data in its charter of human rights it is a fundamental right in the EU, which means that it is not something that can be bargained away. This has translated to a very strict policy in the field of data protection by the various national data protection authorities in the EU (there is no EU central agency for that).
At the same time personal (health) data is becoming more and more the fuel for business models in the medical devices sector, e.g. because the product is an end to end solution comprising software and hardware. Often aggregation of personal data is a crucial part of companies’ business models.
What I find in practice is that small and midsize companies that are for sale have invariably neglected this area, because they tend to focus on compliance in the device field first, which is logical because it allows them to place product on the market and to scale. However, data protection compliance is another important field of compliance that companies cannot afford to neglect. For example, EU data protection legislation imposes privacy by design obligations, which also apply to medical devices if the devices themselves process personal data. That will be the case for basically every connected medical device, especially if the device itself is software.
Expansive definition of personal data
What companies often fail to understand is that the EU has a very expansive definition of what constitutes personal data. This means that a lot more data is covered than companies think because they are not aware that any data that makes a person directly or indirectly identifiable constitutes personal data. To put it in the words of the EU guidance document Opinion 4/2007 on the concept of personal data, a must read for everyone embarking on the protection of personal data in the EU, on the subject:
“Recital 26 of the Directive pays particular attention to the term “identifiable” when it reads that ‘whereas to determine whether a person is identifiable account should be taken of all the means likely reasonably to be used either by the controller or by any other person to identify the said person.’ […] The criterion of “all the means likely reasonably to be used either by the controller or by any other person” should in particular take into account all the factors at stake. The cost of conducting identification is one factor, but not the only one. The intended purpose, the way the processing is structured, the advantage expected by the controller, the interests at stake for the individuals, as well as the risk of organisational dysfunctions (e.g. breaches of confidentiality duties) and technical failures should all be taken into account. On the other hand, this test is a dynamic one and should consider the state of the art in technology at the time of the processing and the possibilities for development during the period for which the data will be processed. Identification may not be possible today with all the means likely reasonably to be used today. If the data are intended to be stored for one month, identification may not be anticipated to be possible during the “lifetime” of the information, and they should not be considered as personal data.”
This means that any set of data that a company has, which – if combined with other data or technical means in possession of another party – can at some point in time be used to single out individuals (whether you know who these individuals are or not) constitutes personal data and has to be treated as such. It is never – ever – enough to just strip some of the identifying fields out of personal data (like name and address) if the individual can still be singled out in a group of individuals, see my picture below.
It would be like saying that Mr X is not identifiable, even if you know that he lives across the street from you, has a beige Toyota Camry from May 2010, a black labrador dog and a Ragdoll cat, this specific router IP address and has psoriasis.
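As an added illustration of the singling-out point (this is my own example code, not guidance from the opinion or any authority), the script below takes a constructed, made-up dataset from which name and house number have been stripped, and checks whether the remaining attributes still isolate individuals. It reports the smallest group of records sharing the same combination of quasi-identifiers (k-anonymity), which records are alone in their group (singled out), and, for the health attribute, the smallest number of distinct values per group (l-diversity), so that a group of two people who both have psoriasis is also flagged. It then generalises the data (drops the router IP and street, coarsens the model year to a decade) to show what it takes before nobody is singled out. The column names, sample values and the chosen generalisation steps are assumptions for the sake of the example.

```python
from collections import defaultdict
from typing import Callable, Dict, Iterable, List, Sequence, Tuple

Record = Dict[str, str]

# Constructed sample (all values made up): an export where name and house number
# were removed in the belief that this made the data "not personal".
RECORDS: List[Record] = [
    {"street": "Elm Street", "car": "Toyota Camry", "car_colour": "beige", "car_year": "2010",
     "dog": "labrador", "cat": "ragdoll", "router_ip": "203.0.113.7", "condition": "psoriasis"},
    {"street": "Elm Street", "car": "Toyota Camry", "car_colour": "beige", "car_year": "2012",
     "dog": "labrador", "cat": "none", "router_ip": "203.0.113.9", "condition": "none"},
    {"street": "Elm Street", "car": "Ford Focus", "car_colour": "blue", "car_year": "2015",
     "dog": "none", "cat": "none", "router_ip": "203.0.113.12", "condition": "asthma"},
    {"street": "Oak Avenue", "car": "Toyota Camry", "car_colour": "beige", "car_year": "2011",
     "dog": "labrador", "cat": "ragdoll", "router_ip": "203.0.113.21", "condition": "none"},
    {"street": "Oak Avenue", "car": "Ford Focus", "car_colour": "blue", "car_year": "2016",
     "dog": "none", "cat": "none", "router_ip": "203.0.113.30", "condition": "psoriasis"},
]

# Attributes that are not names but can be combined with outside knowledge
# (what a neighbour sees, an ISP log, ...) to single someone out.
ALL_QIS = ["street", "car", "car_colour", "car_year", "dog", "cat", "router_ip"]


def equivalence_classes(records: Iterable[Record], qis: Sequence[str]) -> Dict[Tuple[str, ...], List[int]]:
    """Group record indices by their combination of quasi-identifier values."""
    classes: Dict[Tuple[str, ...], List[int]] = defaultdict(list)
    for i, r in enumerate(records):
        classes[tuple(r[q] for q in qis)].append(i)
    return classes


def singled_out(records: List[Record], qis: Sequence[str]) -> List[int]:
    """Indices of records that are alone in their group, i.e. identifiable by the QIs."""
    return sorted(i for members in equivalence_classes(records, qis).values()
                  if len(members) == 1 for i in members)


def k_anonymity(records: List[Record], qis: Sequence[str]) -> int:
    """Size of the smallest group; k = 1 means at least one person is singled out."""
    classes = equivalence_classes(records, qis)
    return min(len(m) for m in classes.values()) if classes else 0


def l_diversity(records: List[Record], qis: Sequence[str], sensitive: str) -> int:
    """Fewest distinct sensitive values in any group; l = 1 means the group
    reveals the health attribute even when nobody in it is singled out."""
    classes = equivalence_classes(records, qis)
    return min(len({records[i][sensitive] for i in m}) for m in classes.values()) if classes else 0


def decade(year: str) -> str:
    """Coarsen a four-digit year to its decade, e.g. '2012' -> '2010s'."""
    return year[:3] + "0s"


def generalise(records: Iterable[Record], drop: Sequence[str] = (),
               transforms: Dict[str, Callable[[str], str]] = None) -> List[Record]:
    """Return a copy with some columns removed and others coarsened."""
    transforms = transforms or {}
    return [{k: (transforms[k](v) if k in transforms else v)
             for k, v in r.items() if k not in drop} for r in records]


def assess(records: List[Record], qis: Sequence[str], sensitive: str) -> dict:
    """One-call summary a privacy impact assessment could record for a dataset."""
    return {"k": k_anonymity(records, qis),
            "singled_out": singled_out(records, qis),
            "l": l_diversity(records, qis, sensitive)}


if __name__ == "__main__":
    # Names stripped, everything else kept: every record is unique (k = 1).
    print(assess(RECORDS, ALL_QIS, "condition"))
    # Drop the IP and street, coarsen the year: Mr X is still alone in his group.
    step1 = generalise(RECORDS, drop=("router_ip", "street"), transforms={"car_year": decade})
    print(assess(step1, ["car", "car_colour", "car_year", "dog", "cat"], "condition"))
    # Also drop the cat: no record is singled out and each group mixes conditions.
    step2 = generalise(RECORDS, drop=("router_ip", "street", "cat"), transforms={"car_year": decade})
    print(assess(step2, ["car", "car_colour", "car_year", "dog"], "condition"))
```

The point the numbers make is the one in the text: stripping name and address left k = 1 for every record, and even after removing the IP address and street the beige Camry, labrador and Ragdoll combination still isolated one person. Only after generalising further did each group contain at least two people with different health attributes. Whether a given k and l are acceptable is a judgement for the PIA, and the "all means likely reasonably to be used" test means the quasi-identifier list has to be revisited as more outside data becomes available.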
Companies that process personal data under the working assumption that it is not personal data will normally infringe national law and may be subject to fines and enforcement, because they are acting illegally. This of course goes directly to the reps and warranties that are given in the frame of a transaction. Common remedies include the company double-timing its way to compliance between signing and closing, and indemnities for any post-closing costs needed to complete that process as well as for possible fines and damages resulting from disruption of business operations caused by enforcement.
Personal data concerning health
Devices companies will almost always process personal data concerning health – they’re into medical devices right? Personal data concerning health is subject to the extra strict regime under EU data protection law, the “no, unless”-regime. This means that you are not allowed to process that kind of data at all, except when an exemption applies. From the perspective of enabling healthcare in the 21st century this is in my view a very outdated approach but you have to keep in mind that the EU’s data protection legislation stems from 1995, which means that it was conceived in pre-internet and eHealth times. The exemptions available are informed consent by the data subjects concerned and the situation “where processing of the data is required for the purposes of preventive medicine, medical diagnosis, the provision of care or treatment or the management of health-care services, and where those data are processed by a health professional subject under national law or rules established by national competent bodies to the obligation of professional secrecy or by another person also subject to an equivalent obligation of secrecy.”
This means that unless medical devices are used to process data concerning health under the medical privilege of a healthcare professional a company is stuck with having to obtain informed consent from the patients concerned (see below for more about that). The problem is that the scope of the medical privilege is not harmonised in the EU (that would probably be contrary to article 168 TFEU as intervening in the national practice of medicine). This means that in practice each member state will have its own view of to what extent processing by a medical devices company for a hospital or HCP is still covered under medical privilege. Where a company relies on this exemption, due diligence should reveal a well thought-out plan and argumentation why this exemption applies in each individual member state of the EU in which the company is active.
Furthermore, like with the concept of personal data as such (see above) the concept of data concerning health is potentially very expansive. According to EU guidance, personal data concern health when
- The data are inherently/clearly medical data (duh, but actually not that simple in practice);
- The data are raw sensor data that can be used in itself or in combination with other data to draw a conclusion about the actual health status or health risk of a person (see: raw data, without necessarily having a person’s name attached to them, since they make the person that is measured identifiable);
- Conclusions are drawn about a person’s health status or health risk (irrespective of whether these conclusions are accurate or inaccurate, legitimate or illegitimate, or otherwise adequate or inadequate).
Health is certainly not limited to ‘medical’ data only. Nike recently found that out the hard way when the Dutch Personal Data Authority enforced against it for processing data concerning health in its running app and platform without being compliant for processing of such data. Nike was operating on the assumption that sports performance data did not constitute data concerning health, but the authorities argued in line with above point 3 that it was possible to draw conclusions concerning a user’s health status from the aggregated data based on activity patterns etc., which meant that the data constituted data concerning health from the start.
In due diligence you would therefore look for evidence that the company has given due consideration to the regulatory status of the data it processes and that it has acted on those conclusions. That consideration would normally be embedded in or follow from a Privacy Impact Assessment (more about that below).
Informed consent is in practice the ‘silver bullet’ of data protection in the sense that as long as the data subject gives informed consent, you can basically do what you want with the data. That sounds nice, but in practice legally informed consent is a tricky and high-maintenance basis for processing data concerning health, or any personal data for that matter – see more about this in the Article 29 Working Party opinion on the definition of consent. Why? For several reasons:
- informed consent may be subject to formalities, and these formalities may differ from member state to member state and between ‘normal’ personal data and personal data concerning health. For example, Italy requires that consent to process personal data concerning health must be given in writing and on paper.
EU data protection law (Directive 95/46) obliges companies to
“implement appropriate technical and organizational measures to protect personal data against accidental or unlawful destruction or accidental loss, alteration, unauthorized disclosure or access, in particular where the processing involves the transmission of data over a network, and against all other unlawful forms of processing.”
Unfortunately, what exactly constitutes such security has not been harmonised in the EU, which means that different data protection authorities can have different views in this regard. Generally speaking, implementing ISO 27001 will bring a company close to compliant, but member states typically start to require additional or diverging requirements of their own when it comes to healthcare.
Compliance with local security requirements is therefore an important part of any due diligence. The seller should be able to show a thought-out plan of how to comply with the respective local security requirements.
Why no PIA?
Just as you would engage in risk management for a medical device, data protection law in the EU de facto requires that a company makes a risk management plan for its processing of personal data by conducting a so-called Privacy Impact Assessment (PIA). This is currently not yet mandatory, but is seen as a state of the art measure for a company that has its affairs in order. It will be mandatory under the GDPR, the new EU data protection rules that will enter into force shortly (see more about that below). Make sure your PIA model is a good one; the Article 29 Working Party was critical yet supportive of some industry proposed models, e.g. its opinions regarding smart meters and grids and RFID applications contain valuable insights.
Conducting a PIA is a good idea under all circumstances because it will provide the company with a comprehensive perspective on its data processing, enabling the company to implement the necessary controls to be compliant and will help the company decide what is required for its privacy-by-design obligations. If there are design requirements under different sets of rules (medical devices law and data protection law) you have to map overlaps and gaps carefully and precisely. For that reason the company’s PIA is an important document to investigate for the purpose of due diligence, because it will provide a valuable picture about the company’s operations in relation to personal data.
The absence of a PIA will be an indication for the buyer that the company may have significant blind spots and associated compliance gaps. As a result the buyer will have to rely on reps and warranties more and may want indemnities for the inevitable skeleton that will topple out of a closet post-closing.
When a company operates internationally it will often transfer personal data outside of the EU. That is however only allowed if the country to which the data is transferred is subject to a Commission adequacy finding (in other words, the Commission has found that the level of protection of personal data is sufficient in that country, see here for a list of them) or if the transfer is subject to a specific instrument that legitimizes the transfer. Such instruments are standard contractual clauses (an EU model contract between the exporting and importing party that implements principles of data protection and gives the data subject third party rights) and binding corporate rules (a company’s international data protection manifest approved by a data protection agency in the EU). In addition consent of the data subject is available as a ground for transfer, but in that case you need to go back to all the data subjects concerned and obtain new or additional informed consent, with consent being a shaky ground for mass transfers of personal data, as discussed above.
The US safe harbor cannot be relied upon at the moment after the Commission’s adequacy finding for the safe harbor was invalidated in the Facebook judgement of the European Court last year, because it was established that the safe harbor was not so safe for the personal data of EU data subjects after all. As a consequence companies still relying on the safe harbor have had to resort to standard contractual clauses as a remedy because binding corporate rules take a long time to agree with a data protection agency. The EU data protection agencies have announced that companies still relying on the safe harbor will soon be enforced against.
The EU and US are in the process of agreeing a replacement for the safe harbor – Privacy Shield – but this has not been finalized yet and is still subject to scrutiny by the EU authorities.
In due diligence of an international company the compliance with requirements for international transfers is obviously very important so this is a high priority. Where a company relies on standard contractual clauses it is important to investigate whether the scope and path of the transfers as set out in the documentation match the reality of things.
GDPR = data protection on steroids
The new GDPR (General Data Protection Regulation) that will enter into force for the EU soon will be like current EU data protection legislation, but on steroids. It will raise the regulatory bar for processing of personal data concerning health considerably and stakeholders in the healthcare industry have lobbied vehemently with respect to its significant collateral damage in the healthcare industry. One example is that registry studies will become more than problematic (see also here), which can put a serious dent in medical research in the EU.
To give you an idea of what the regulation will entail, see my presentation at the Regulanet yearly conference last week, embedded below:
As you can see, the GDPR will change a lot for companies. Unfortunately we don’t yet know what exactly the final text on some of the important points for healthcare will look like, because these provisions have not been established in the just finished trilogue negotiations. When this becomes clear, I will update you of course.
What is certain is that the fines that may be imposed under the GDPR in case of non-compliance with respect to illegal processing of personal data and personal data concerning health are quite astronomical – up to 4% of a company’s annual worldwide turnover! That’s your whole profit margin, globally, down the drain – the EU thought that this was the only way to make extremely big companies like Google and Facebook take this seriously. But even if you’re smaller this is not the kind of exposure you want when you’re selling your company. That is why data protection will become very serious business under the new GDPR.
In due diligence it is therefore interesting to find out what a company is already doing in terms of getting its act together for the GDPR, like for example doing a PIA, appointing a privacy officer, examining its current processing of personal data under the GDPR proposal and defining gaps. If a company is not already doing this, the learning or adaptation curve will be very steep when the GDPR enters into force.
Data protection is serious stuff that deserves attention from a compliance perspective since it goes directly to the business model and company value, because more and more a devices company’s value is in the data that it collects and processes. And that is just the economic consideration. How about a company’s social responsibility?
And then there is much I have not even touched upon in this blog, like national geofencing requirements for particular data (usually data concerning health), national accreditation requirements for companies that process personal data concerning health (like in France), requirements for contracts with third parties that process data for you (like hosting companies), etc., etc.
Neglecting data protection compliance can seriously mess up your valuation as a target, and in addition cause disruptions in your business in case of enforcement. Better get it right from the start, and as early as possible. A good structure set up from the start will scale with you, but neglecting compliance from the start will put you in a compliance minefield – bad for M&A.
Your comments are always useful and much appreciated. Today’s subject underscores the value for companies to think beyond the traditional compliance boundaries in creating their quality management systems. Companies should be thinking in terms of management systems in general. The new revision to ISO 9001 points in this direction, although it is distressing that 9001 and 13485 are now so out of sync with one another.