EU Court decides TÜV Rheinland / PIP breast implants case

It has been hanging over the medical devices market for quite a long time: the TÜV Rheinland case about the PIP breast implants. This case is the direct result of the PIP breast implants scandal, which had a profound influence on the new EU MDR in the making.

We had the Advocate General’s opinion in this matter from 15 September 2016, which was already a very good pointer on where things would land at the EU Court.

The EU court delivered its much awaited judgment on 16 February.

Since the outcome is unsurprising in the light of the AG opinion and EU law as it currently stands, I feel comfortable starting this blog with a blatant spoiler.


For all the effect it has had on the MDR process, its outcome is in my opinion unsurprising, and I have predicted it from the start:

  1. a notified body is not under a general obligation to carry out unannounced inspections, to examine devices and/or to examine the manufacturer’s business records. However, in the face of evidence indicating that a medical device may not comply with the requirements laid down in Directive 93/42, the notified body must take all the steps necessary to ensure that it fulfils its obligations within the powers it has under the MDD; and
  2. national law determines the conditions under which culpable failure by that body to fulfil its obligations under the directive may give rise to liability vis-à-vis end users.

See the European Court’s convenient press release about the case for a succinct summary.

I have never found it a realistic possibility that the Court would rule that notified bodies are liable on a no-fault (or even fault based) basis for the products that their manufacturers make. The Court has merely confirmed that they have to exercise their duties diligently within the mandate that the law imposes on them.

But, I admit, crazy stuff has happened before with regard to product liability (product batch liability, authorised representatives jointly and severally liable with the manufacturer for product liability under the MDR), so you cannot be certain what to expect these days. Even if it’s unlikely.


What was this about again? French breast implant manufacturer PIP at some point decided that it was going to use industrial silicone rather than surgical grade silicone in its breast implants. The Court found that TÜV Rheinland, the notified body that granted the CE certificate for the breast implants concerned,

“in the course of its involvement during the period 1998 to 2008, […] made eight visits to the manufacturer’s premises, all of which were announced in advance. During that period, TÜV Rheinland never inspected business records or ordered that the devices be inspected.”

In 2010, the competent French authority established that the manufacturer in question had produced breast implants using industrial silicone which did not comply with quality standards.

The case that led to the referral to the EU Court was brought by a German citizen who had the implants concerned fitted in Germany at the end of 2008, and had them removed in 2012. She claimed that TÜV Rheinland was liable for her damages (material and immaterial). She alleged that TÜV was liable because it had not fulfilled its obligations satisfactorily, since (she claimed)

“an inspection of the delivery notes and invoices would have enabled TÜV Rheinland to ascertain that the manufacturer had not used an approved form of silicone.”

Her claims were rejected by the first and second instance courts in Germany because the purpose of a notified body’s activity is not to protect patients, and because TÜV was not culpable: TÜV Rheinland had made regular announced visits, which must be deemed sufficient in the absence of any suspicion of improper production practices. The second instance court did however refer questions of law to the European Court concerning the scope of a notified body’s duties

“in particular with regard to the level of supervision and scrutiny required of that body when it carries out inspection visits at the manufacturer’s premises”.

The questions referred by the German court were (essentially) as follows:

1) Does a notified body, in the event of a culpable infringement of its obligations, have direct and unrestricted liability towards the patients concerned?

2) Does a notified body have a general obligation to examine devices, or at least to examine them where there is due cause?

3) Does it follow from the aforementioned sections of Annex II to Directive 93/42 that, in the case of Class III medical devices, the notified body responsible for auditing the quality system, examining the design of the product and surveillance is subject to a general obligation to examine the manufacturer’s business records and/or to carry out unannounced inspections, or at least to do so where there is due cause?

All these questions were asked in the context of a class III medical device under Annex II, so also in the frame of the MDD obligations for these devices.

Duty to examine devices and/or to carry out unannounced inspections?

During the crazy ‘wings on fire’ period when the MDR was being amended by the European Parliament, members of the European Parliament in particular expressed surprise and indignation that the notified body had not even inspected the produced devices and had not performed unannounced inspections. The ensuing political outrage resulted in the Commission recommendation on unannounced audits and in the member states making notified bodies carry these out.

The Court found that, while notified bodies must periodically undertake appropriate inspections and assessments under Annex II as it currently stands,

“the provisions of Annex II to Directive 93/42 do not impose a general obligation on the notified body to carry out unannounced inspections, to examine devices and/or to examine the manufacturer’s business records.” (point 40)

Yet, what is the scope of what a notified body must do under Annex II? All parties concerned agreed that the scope of a notified body’s discretion is broad and that a notified body may conduct an unannounced audit based on Annex II 5.4, but differed on how this translated to actual duties.


“45 […], the obligations laid down in Article 16(6) of the directive and those set out in paragraph 41 above would be a dead letter if the degree of discretion knew no limits. The notified body would not be able to fulfil its function under the procedure relating to the EC declaration of conformity if it were free not to take any steps in the face of evidence indicating that a medical device might not comply with the requirements laid down in Directive 93/42.

46 Consequently, as they are required to establish whether EU certification may be maintained pursuant to Article 16(6) of Directive 93/42, notified bodies are under a general obligation to act with all due diligence when engaged in a procedure relating to the EC declaration of conformity.

47 It follows […] that a notified body is under a duty to be alert, with the result that, in the face of evidence indicating that a medical device may not comply with the requirements laid down in Directive 93/42, that body must take all steps necessary to ensure that it fulfils its obligations under Article 16(6) of the directive, as well as those set out in paragraph 41 above [paragraph 41 mentions: pursuant to Sections 3.2, 3.3 and 4.1 to 4.3 of Annex II to Directive 93/42, first, to analyse the application for examination of the design dossier lodged by the manufacturer, which must describe the design, manufacture and performance of the product in question and, second, to ascertain whether the application of the quality system contemplated by the manufacturer ensures that the products fulfil the relevant requirements under that directive. Moreover, it is apparent from Section 5.1 of that annex that the notified body must satisfy itself that the manufacturer duly fulfils the obligations imposed by the approved quality system].”

Conclusion: notified bodies have broad discretion on how to fulfil their obligations, which makes it difficult in practice to determine whether a notified body did or did not meet them, especially for national first instance judges in general courts who are not experts in these matters and never otherwise deal with this kind of case.

Direct liability vis-à-vis patients?

The Court makes some important points here that I have made myself before: the Member States have responsibilities with regard to market surveillance, but certification by notified bodies under the MDD is to ensure protection for the health and safety of persons too. That means that notified bodies do not work for manufacturers alone, they have a larger task in the overall protection of public health.

But that does not make them liable vis-à-vis patients on the basis of the MDD just like that. It was already EU case law that:

“it does not necessarily follow from the fact that a directive imposes surveillance obligations on certain bodies or the fact that one of the objectives of the directive is to protect injured parties that the directive seeks to confer rights on such parties in the event that those bodies fail to fulfil their obligations, and that is the case especially if the directive does not contain any express rule granting such rights” (point 55)

The Court reiterated that the MDD does not contain any express liability regime and that the Product Liability Directive allows for the application of other systems of contractual or non-contractual liability based on other grounds, such as fault. This is nothing new and we knew this from the Court’s quite steady case law in the field (see for example here in relation to the Court’s specific view on additional national liability rules concerning medical devices). Ergo, it’s a national matter, said the EU Court, subject to the principles of equivalence and effectiveness. This case is now going to be decided at national level with the Court’s guidance in mind.

Why did the claimant go after the notified body in the first place and not after the manufacturer for product liability? Product liability soon became an irrelevant pathway to pursue because PIP, the manufacturer, quickly went bankrupt.

This means that for TÜV this case is far from finished – there are a lot of member states in the EU in which PIP implants were used. There are also a lot of national laws that have their own theories of culpability / fault based liability. This case can therefore play out differently in different member states. The various claimants in national cases will change tack insofar as necessary (if they have not already done so) and will pursue fault and/or lack of diligence based claims against TÜV in national courts, as was happening in the current case.

The current EU Court judgment may be helpful to those national cases up to a point, because it gives some guidance on the scope of the MDD mandated tasks of notified bodies and the level of diligence they are to exercise in the fulfilment of these tasks, and because it confirms that notified bodies also work for the public good, which includes patients and end users. The national court will now need to look into whether TÜV was sufficiently diligent, given that on the one hand

“the notified body is not under a general obligation to carry out unannounced inspections, to examine devices and/or to examine the manufacturer’s business records”

but that on the other hand

“in the face of evidence indicating that a medical device may not comply with the requirements laid down in Directive 93/42, the notified body must take all the steps necessary to ensure that it fulfils its obligations under Article 16(6) of the directive and Sections 3.2, 3.3, 4.1 to 4.3 and 5.1 of Annex II to the directive” (point 48).

Did TÜV take all necessary steps to ensure that it fulfilled its obligations? This may play out differently in the different member states in which TÜV is being sued (which include France and Germany in any event). Hopefully the harmonisation of notified body requirements as a result of the joint assessment project and the more detailed requirements under the MDR will contribute somewhat to harmonisation of fault based liability of notified bodies. Is this liability new? Not in my view. It was never harmonised at EU level and therefore always existed in member states that provided for it. If notified bodies have not yet insured against this liability, they may have to, and costs will increase. Notified bodies will seek to pass on these costs.

If the outcome of fault based liability claims against notified bodies differs considerably from one member state to another, this will have consequences.

Effects on the MDR

This case had profound effects on the MDR, but will not change the text any more now that the judgment has been rendered. As far as I can see it has had an impact on the MDR in a number of ways: one of them fundamental, others more specific.

How much did it change the MDR fundamentally?

An unknown effect is how much the PIP scandal in the end changed the MDR, which the Commission initially intended to be a modest mid-life update, because the MDD was performing very well and outcompeting other jurisdictions left, right and centre in time to market. This we will probably never know, because the Commission had to change tack on the double when the political outrage about the PIP scandal started. The result was the initial proposal for the MDR back in 2012. But we do know that the impact on the MDR must have been profound, for example because of ideas to get rid of CE marking altogether and simply make pre-market access for medical devices an EMA competence.

I would go as far as saying that the EU (and its member states) have finally started to see medical devices as an industry that deserves an upgrade in policy and associated resources. This however seems not to have resulted in the allocation of significantly more resources at EU level. The medical devices unit at DG Growth is still woefully understaffed while the Commission’s duties under the MDR and IVDR are enormous. It has to crank out a lot of delegated and implementing acts to even make the two regulations effective, and make a plan to ensure that the process of redesignation of notified bodies under the MDR and IVDR and recertification of ALL devices on the market in the EU will not crash and burn in what looks like the mother of all transitional bottlenecks. Even competent authorities are publicly saying that this is a serious problem and that the Commission has to come up with a plan to make sure that these things unfold predictably and reliably.

Unannounced audits under MDR

One of the most direct effects on the MDR is the now hardwired obligation for notified bodies to conduct unannounced audits (article 52 and Annex VII, points 4.5.1 and 4.10 and Annex IX, point 3.4). Until the MDR there is no real harmonised legal standard for unannounced audits, other than a recommendation of the Commission to the Member States about what they might require from notified bodies in terms of unannounced audits.

Still, I remain unconvinced of how much the unannounced audits will do to prevent PIP type cases. Fraudsters be fraudsters, and as the Court reiterated in the TÜV case, notified bodies can ask for things if they have a suspicion, but they are neither equipped nor authorised for market surveillance. If a company sets out to really go dark and hide things from a notified body, it will succeed. The first thing it will do is doctor precisely the documentation and locations that the claimant in the TÜV case argued the notified body should have audited.

In my view, PIP remains a case that demonstrates very painfully how member states’ market surveillance failed the patients. It is disconcerting if you look at the facts of that case how little international cooperation there was between the competent authorities when the first signals of things being seriously wrong became available. That, I think, is the real scandal in this case. If you compare the resources allocated to medical devices market surveillance to those that went to medicines and other products surveillance at that time it’s not a pretty picture. And resources for surveillance are purely political choices. Blaming the notified body for doing exactly what it was supposed to do under applicable law feels a lot like wagging the dog to me.

That’s why unannounced audits still feel a bit like member states passing the surveillance buck on to notified bodies, and I am not convinced at all that we will prevent more PIP type cases of deliberate fraud that way. Yet there may be some benefit. What we may achieve is that manufacturers will be more diligent in having their technical documentation and QMS in order all the time and in closing out CAPAs quickly and according to plan, rather than allowing them to stay open for years because they know exactly when the next audit will be. The MDR also requires this (having all documentation in order and up to date all the time), and I think this certainly is progress.

Market surveillance under MDR

Member states have learned in the meantime, and market surveillance is taken much more seriously under the MDR, with more EU level capabilities and an (in theory, so far) robust underlying IT infrastructure that allows competent authorities to quickly share information about infringements.

However, with all the new tools and possibilities there are now doubts about whether the Member States will be able to pony up the resources to actually staff the system and afford it. The MDR does however contain a provision allowing member states to pass on the costs of market surveillance to the market, as already happens in certain other industries (like financial services). I see some member states investing considerably in resources and pilot projects in view of the upcoming MDR and IVDR. A lot is happening in behind-the-scenes cooperation in order to get all the competent authorities to the same level.

Product liability under MDR

The PIP case influenced thinking about product liability for medical devices in the EU considerably. The only problem is that these thoughts had nowhere to go except into wishful statements.

With the political impossibility of amending the Product Liability Directive for medical devices alone (that directive has been up for evaluation for a long time because it has not been evaluated since its entry into force in 1985, but the project is moving very, very slowly), something else was needed for political gain. The EU legislator, motivated by ardent political wishes to ‘do something with this’, decided to include some provisions in the MDR regarding manufacturer and authorised representative product liability, of which I have blogged that they are not well thought out; see also this more recent presentation that includes a discussion of the clauses in the MDR. Good for lawyers, bad for everybody else.

MDR status

By the way, the texts of the MDR and IVDR are still not completely final, but the agenda for adoption does not seem to have changed: we are still looking at entry into force this summer. However, there are still commas being moved. The fat lady still has not sung, but she’s close. When she finally has, I will follow up with a blog on the last changes made before adoption. Prepare for some surprises: there are some changes that will still affect some products considerably, like design dossier review requirements for class IIb active devices intended to administer or remove a medicinal product. This was already in the MDR for class IIb implantable devices, but has now been extended to class IIb active devices intended to administer or remove a medicinal product.


An MDR and IVDR transition plan

The year is off to a good start, and so should your company be with its MDR and/or IVDR transition plan.

Come again? You haven’t started looking at this yet because the MDR and IVDR are not yet final and the transitional period will run to approximately mid-2020? Your management is not interested in making resources available?

Not so smart

That’s not so smart. It’s like doing a #Brexit without considering the consequences first and then hoping everybody else is nice enough to give you a good and quick trade agreement deal, because … well why not?

You may think everything can’t possibly be that complex – until you find out later that there is more to this whole thing than there seemed to be at the moment when you were not yet really looking at it.

Your company may be one of the many companies expected to find out too late that some things took more time than expected, or were more contingent than they looked:

  • notified bodies that will not come online for certification of products until well after half of the three-year transition period has expired. And then they still have to start pushing all existing medical devices on the EU market through an MDR / IVDR certification process (which is stricter than under the MDD/IVDD).
  • additional clinical evidence may well be needed for your devices under the MDR. If you need to generate it in clinical trials, registries or other time consuming processes, you should know about it sooner rather than later. And your notified body will need to be on board with what you are going to do. Is yours already? I bet not.

These are just two contingencies that have a crucial impact on your MDR implementation strategy.

There are a lot of other dependencies too – like suppliers that you need to control more tightly, or other jurisdictions that rely on the CE mark for your devices.

No grandfathering

Many companies think that there will be some process to slide in the devices that are already on the market and are not causing any problem, so that’s easy. There is not, so there is no easy solution there. There will be no grandfathering or similar process – any device that is not certified under the MDR or IVDR by the end of the transitional period and the various limited overrun periods cannot be placed on the market any longer. It will be illegal to place such devices on the market. The only thing close to grandfathering is the five/three year period during which you may still sell off devices that were compliant under the MDD/IVDD and were placed on the market before the date of application of the MDR/IVDR. Those can still be sold off to end users for another five/three years after the date of application (so after the transition period of three/five years ends).


No placing on the market means no cash flow. No cash flow means bankruptcy sooner or later, or being bought at a discount by a competitor or strategic investor. Strategic investors and acquisition driven companies are already on the prowl for companies that are candidates for not making the cut of the MDR/IVDR and will swoop in when opportune.

If you get this wrong or get it right too late, your company goes off the cliff like Wile E. Coyote, still wondering what went wrong all the way down. That’s why you need to start thinking now.

You’re into software and think you’re not placing software on the market because it’s made available as a service from outside the EU? They’ve got that covered too – if your software is a device by the new standards, it will have to meet MDR/IVDR requirements regardless of whether it’s placed on the market or not.

Transition plan – journey towards compliance

This one is for MDR transition – working on one for IVDR transition too:


Start working on your transition plan – the journey towards compliance, like every journey, starts with the first step. Then you keep on going until you reach the end, and then stop. Like in the Lord of the Rings – it’s an easy journey conceptually (just take this ring to that mountain) but you’ll be slaying a lot of orcs and fighting monsters before you finally complete the quest.

By the way, even Wile E. Coyote made plans. There’s no reason why you should be less clever than a cartoon figure.

The above picture is a single roadmap that you can put on a slide to explain to your organisation or management what the necessary steps are, where the journey begins and what you need resources for. This picture is based on the excellent General Data Protection Regulation game plan (another project that you should be well on your way with by now – the transitional period for that regulation ends 25 May 2018, and the GDPR has significant overlaps with the MDR/IVDR, e.g. on design requirements for devices (including standalone software) that process personal data).

IVDs largely similar

The roadmap for IVDs transition to the IVDR is largely similar, except that the transitional period is two years longer but the sell-off period is shorter.

[Figure: IVDR transition roadmap]

And the dependencies at the end are even scarier: the reference labs will not be appointed until four and a half years into the five-year transition period. That means that there is almost no time for the highest risk IVDs to be certified under the IVDR during the transitional period.

For IVDs the chance that companies underestimate the necessary effort is even bigger, because the large majority of IVDs are currently self certified, regardless of their associated risks. The IVDR will turn this upside down, and notified body certification will be the rule for the large majority of IVDs. This is a huge quantum leap in regulatory burden. It means that for the majority of IVDs a third party will take a critical look at the underlying technical documentation and performance data for the very first time. You can imagine that not all technical documentation may be in the shape that the IVDR expects. The IVDR will require a lot more and different types of data to substantiate performance, and will require more clinical data too. Producing data costs time. It costs money. It requires planning. I cannot overemphasise how important it is for the IVD industry to engage on this. Your company does not want to be the puff of smoke that remains when Wile E. Coyote goes off the cliff.

Start now!

Each of the items described in the roadmap has a lot of detail to it, which leads companies to typically underestimate the effort. The gap assessment, impact assessment and remediation take a lot of time. It means you will have to more or less completely revisit each and every device that your company has on the market and in the pipeline, as Gert Bos and I have explained in BSI’s white papers on the MDR and IVDR. BSI has a good white paper on MDR transition too.

Detail takes time, and detail takes resources – don’t forget. Use the resources on this blog, use others of the plentiful resources that are available publicly on this subject.

Talk to your trade association, participate in the discussions at MedTech Europe, COCIR, Advamed, your local trade association, etc. so you know how other companies are dealing with this.

Make sure that your management does not underestimate this process. Hey, it’s only about the company’s core products and core processes, so why would that not merit the resources it needs, right? My apologies for being somewhat cynical, but I see a lot of companies (also big and sophisticated ones) underestimate this completely. And if I’m wrong – tell me in a few years’ time and I’ll gladly apologise for crying wolf, while congratulating your company on being compliant well in time.

And, finally, my firm and its network are there. We are helping many companies wrap their heads around it and will gladly help you too.

But do something now and don’t wait – at the very least start by understanding what this is about and what it will mean for your organisation. Your competitors are working on this already.

Festive alert! Change is on its way.

Change is on its way – medical devices law will not be the same again as of next year.

Panic soccer

The authorities are not your friend anymore.

Notified bodies are engaging in massive ‘panic soccer’ (Dutch expression) dropping companies like they’re hot.

If you have not implemented the new clinical evaluation MEDDEV fully by now this should have your utter undivided attention. Otherwise, count on your CE certificate for the device(s) affected being suspended without warning after the next notified body audit. And make sure to watch that your notified body does not enthusiastically suspend the entire certificate for all your devices by mistake and then runs away to hide under a rock while you can go deal with the fall-out. I’ve seen this happen already. Panic soccer – be prepared and make sure you keep your eyes on the ball.

Supernova

You should already be well into your transition work for the MDR and IVDR, or at least have a plan about what to do when. The EU will not grandfather, so do not count on this to happen. For every device on the market you need to take a decision to

  • remediate (bring it into compliance with the MDR/IVDR),
  • replace (replace it with a device that is or will be compliant with the MDR/IVDR), or
  • retire the device (investment too high to phase it into the new requirements).

EU medical devices legislation will go supernova to more than six times its current size halfway through 2017. Is your company prepared for that?

Data protection

Have you thought about the impact of the General Data Protection Regulation? It’s not devices law per se but its privacy by design obligations impact your new software design requirements under the MDR, just to mention one thing. You need to prepare for its data portability requirements. If your medical device or related service has any IoT functionality, it will be affected by the hateful eight that this new EU law brings. It will impact severely on your clinical data processes (as it deals with protection of personal data concerning health). It is already in effect, and its transitional period will end on 25 May 2018. Can you redesign your data processing hardware and software before that time, and do you need to? Just one of the questions you should be asking yourself now.

Busy times ahead

Yet, I wish you quiet, joyful and festive holidays for the moment (no implied warranties). Recharge, and keep your eyes on the ball in 2017.


Privacy by design and data portability

I’ve often warned medical devices companies that they need to start looking at privacy by design obligations under the General Data Protection Regulation, the GDPR. Engineers at a company where I gave an in-company presentation earlier this year were seriously unhappy that privacy by design obligations can affect both hardware and software and that the deadline for transition expires on 25 May 2018. They were surprised, annoyed and then in panic (in that order) because of the time it takes to redesign capital equipment and the clouds that these devices feed into. That’s right: by the end of May 2018 all the hardware and software that processes personal data and personal data concerning health of EU data subjects must comply with these rules. If it doesn’t, it cannot be used to process that data because it’s non-compliant.

Did you know already that the maximum fine under the GDPR is 4% of the total worldwide annual turnover of the preceding financial year of a company? Happy times if you have to break the news to your boss that your department singlehandedly evaporated last year’s profit for the entire company everywhere.

Pacemaker and other device data

One example of data portability in practice is the ongoing discussion between patients and companies about whether the patient can receive the data in their medical device, e.g. a pacemaker or continuous blood glucose monitoring system. Manufacturers would routinely say no, but cannot maintain that position any more when the GDPR is fully applicable in 2018. That means that by then their devices and systems must have been redesigned to accommodate requests for data portability.

Hateful eight

This is why I have dubbed data portability one of the ‘hateful eight’ of the GDPR innovations with regard to connected health (see slide 10): it is a nasty one to implement, and will require quite some adaptation of devices and software to make this happen in practice:

I was recently speaking again about implementation of the GDPR in relation to data subjects’ access rights to clinical data for medical devices. Companies present were seeing quite a lot of problems in implementing data portability rights for data subjects with respect to clinical data that relates to them.

Article 29 WP guidance

The Article 29 Working Party has now issued guidance on how this should work in practice:

“As a good practice, data controllers should start developing the means that will contribute to answer data portability requests, such as download tools and Application Programming Interfaces. They should guarantee that personal data are transmitted in a structured, commonly used and machine-readable format, and they should be encouraged to ensure the interoperability of the data format provided in the exercise of a data portability request.”

Yes, you are reading that correctly:

  • download tools and APIs;
  • personal data that are transmitted in a structured, commonly used and machine-readable format; and
  • interoperable data formats.


“Article 20 of the General Data Protection Regulation (GDPR) introduces the new right of data portability. This right allows for data subjects to receive the personal data, which they have provided to a data controller, in a structured, commonly used and machine-readable format, and to transmit those data to another data controller without hindrance. This right, which applies subject to certain conditions, supports user choice, user control and consumer empowerment. […] The new right to data portability aims at empowering data subjects regarding their own personal data as it facilitates their ability to move, copy or transmit personal data easily from one IT environment to another.”

This is not – ahem – where industry in medical devices and connected health is originally coming from, although a lot has been improved over the last years.

Main elements of data portability

What rights will data subjects have and must your systems be able to facilitate? Even if you are not the controller, the GDPR obliges processors (which you will be then) to be able to assist the controller in implementing these rights. There are, according to the Article 29 WP guidance:

  • Right to receive (as complement to the right of access);
  • Right to transmit personal data from one data controller to another data controller;
  • Data portability tools that allow not only for direct downloads, but also for direct transmission to another controller.

The data concerned (the data that must be provided) is all data that the data subject provided, e.g. by virtue of the use of the device. Data that results from operations on that data (inferred and derived data) do not have to be provided, like for example an algorithmic model of the patient concerned created based on the data provided. Privacy by design would require implementing technical means to separate these data from personal data, because if this is not possible, everything must be provided.

IP rights do not as such constitute a ground for refusal, although a potential business risk might. In the words of the Article 29 WP:

“The right to data portability is not a right for an individual to misuse the information in a way that could be qualified as an unfair practice or that would constitute a violation of intellectual property rights. A potential business risk cannot, however, in and of itself serve as the basis for a refusal to answer the portability request and data controllers can transfer the personal data provided by data subjects in a form that does not release information covered by trade secrets or intellectual property rights.”


Data controllers must inform the data subjects regarding the availability of the new right to portability.

It’s the controller’s problem if the data set is large. It has to be provided within one month and in any event without undue delay.

The request can only be made subject to a fee in case of requests that are manifestly unfounded or excessive. That means that the controller is not allowed to use fees as a means to pay for the technical means it must develop to meet its obligations.

Personal data are expected to be provided in formats, which have a high level of abstraction. As such, data portability implies an additional layer of data processing by data controllers, in order to extract data from the platform and filter out personal data outside the scope of portability (such as user passwords, payment data, biometric patterns, etc.). This additional data processing will be considered as an accessory to the main data processing, since it is not performed to achieve a new purpose defined by the data controller.
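The separation of provided from derived data, and the filtering out of data outside the scope of portability, is easiest when provenance is recorded at schema level. The following is an added example (not code from the original post or from any manufacturer): a hypothetical glucose monitor record whose fields are tagged ‘provided’, ‘derived’ or ‘excluded’, with an export that fails closed on untagged fields and emits only the portable subset as JSON.

```python
"""Schema-driven data portability export (added example, not from the post).

Assumptions (all hypothetical): every field in a device record carries one
provenance tag. 'provided' = entered by or generated through the data
subject's use of the device (in scope); 'derived' = inferred by the
controller's algorithms (out of scope); 'excluded' = personal data outside
the scope of portability, such as passwords, payment data or biometric
templates, as listed in the Article 29 WP guidance.
"""
import json
from datetime import datetime, timezone

# Constructed schema for a hypothetical continuous glucose monitor record.
FIELD_PROVENANCE = {
    "patient_id": "provided",
    "glucose_readings": "provided",      # raw sensor values the subject generated
    "meal_log": "provided",              # entered by the subject in the app
    "risk_score": "derived",             # model output: not portable
    "hypo_prediction_model": "derived",  # controller's proprietary model
    "password_hash": "excluded",
    "payment_token": "excluded",
    "fingerprint_template": "excluded",
}

# Constructed sample record; values are placeholders, not real patient data.
SAMPLE_RECORD = {
    "patient_id": "subject-0001",
    "glucose_readings": [{"t": "2018-05-25T08:00:00Z", "mmol_l": 5.4},
                         {"t": "2018-05-25T08:05:00Z", "mmol_l": 5.9}],
    "meal_log": ["breakfast 07:45"],
    "risk_score": 0.17,
    "hypo_prediction_model": {"weights": [0.3, -0.2]},
    "password_hash": "PLACEHOLDER_HASH",
    "payment_token": "PLACEHOLDER_TOKEN",
    "fingerprint_template": "PLACEHOLDER_TEMPLATE",
}


class UnclassifiedFieldError(ValueError):
    """Raised when a record carries a field the schema does not tag."""


def portable_subset(record: dict) -> dict:
    """Return only subject-provided fields; fail closed on untagged fields.

    An untagged field is neither silently exported (possible leak of derived
    or excluded data) nor silently dropped (possible under-delivery of
    provided data); the schema must be completed first.
    """
    unknown = set(record) - set(FIELD_PROVENANCE)
    if unknown:
        raise UnclassifiedFieldError(f"untagged fields: {sorted(unknown)}")
    return {k: v for k, v in record.items() if FIELD_PROVENANCE[k] == "provided"}


def export_portability(record: dict, controller: str) -> str:
    """Serialise the portable subset as a structured, machine-readable JSON document."""
    payload = {
        "schema_version": "1.0",  # hypothetical version tag for the export format
        "controller": controller,
        "exported_at": datetime.now(timezone.utc).isoformat(),
        "data": portable_subset(record),
    }
    return json.dumps(payload, indent=2, sort_keys=True)


if __name__ == "__main__":
    print(export_portability(SAMPLE_RECORD, "Example Devices BV"))
```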

Happy redesigning!

Did I already say that all of this must be ready by 25 May 2018 at the latest? Better start if you have not started yet. And remember, whatever you implement by means of privacy by design may impact your new design obligations under the MDR (the new chapter 14 on software that applies to any software (both standalone and embedded), which addresses e.g. security requirements that may be impacted by a convenient API that allows a user to export their own data). Security requirements for data protection compliance purposes and the new MDR software security design requirements are another happy overlap in this respect (see the Hateful Eight presentation framed above).

The authorities are not your friend anymore; and neither are notified bodies


Have you seen Mr Robot? If not, watch that series.

With the MDR and IVDR adoption in sight (currently scheduled for Q1 2017) I see a number of developments in the market, all converging on the higher standards that will be imposed under these new regulations.

By way of update, there is movement in the dossiers of the MDR and IVDR. The first drafts of the translations have been circulated for consultation in the meantime (I have the Dutch versions for example) with final numbering (123 articles) – there may be some small additions / changes too – we’ll have to see. I will write more about this in a later post soon.

Back however to the converging developments. First, I see notified bodies do more and more ‘unexpected’ things that affect manufacturers profoundly and take them by surprise. Secondly, I see authorities get tougher on the market especially in the Netherlands, by imposing high fines without warning for easily remediable non-conformities in the documentation for class I medical devices and self certifiable IVDs.

The following is my own personal perspective, but I have heard and hear it echoed by many companies, consultants and other stakeholders in the market.

Regulators! Let’s dance

In the Netherlands we see a development towards truly punitive enforcement of medical devices regulation, specifically in the areas of software as medical device and IVDs.

The authorities in the Netherlands have decided that they are going to raise the bar and come down punitively on manufacturers. We see more and more cases in which companies are fined quite substantial amounts that can easily bankrupt an SME (we see amounts from about € 50,000 to around 150,000) for non-conformities in relation to class I medical devices and self certifiable IVDs that a notified body looking at much higher risk products would issue a non-conformity with remediation period for. That’s right: in the Netherlands it’s currently way riskier from an enforcement perspective to be in class I devices and self certifiable IVDs than in the highest risk devices conceivable. A large factor here is the Healthcare Inspectorate’s guidelines for the imposition of fines, which it applies in a way that many non-conformities are subject to a fine without possibility of remediation and without warning.

This would not be so bad if there would not be so many formality errors committed on the part of the authorities, for example being very unclear about when inspection proceeds into enforcement. At that precise moment a company needs to be told that it is no longer obliged to cooperate. Fundamental rights and good enforcement procedure, just a small detail. It leads to situations where companies enthusiastically cooperate in incriminating themselves because they want to remedy the non-conformity observed and cooperate with the Inspectorate to that end, but are not aware that the Inspectorate is already collecting facts to fine them. And they will. A few months later, suddenly, a letter arrives in the mail stating that the Inspectorate will fine the company for tens of thousands of Euros while the company was under the impression that the Inspectorate was just being helpful. So, if you are subject to an Inspectorate visit, no matter how friendly it unfolds: make sure that you put the inspector on notice that he/she should be more than abundantly clear about when the discussion moves to fact finding for the purpose of enforcement. This is just one of the issues we currently see in enforcement in the Netherlands.

Of course companies should adhere to the law, there’s no discussion about that. I just want to raise awareness for the fact that enforcement in the Netherlands has gotten some disproportionately punitive characteristics which worry me and – quite frankly – do not serve anyone except lawyers. Like mentioned, it’s kind of strange that you can get a big penalty for non-conformities that your notified body would just allow you some time to remedy in case of higher risk products.

We are now routinely appealing these decisions, and there are more and more of them coming in. The Dutch Inspectorate has clearly decided that it is coming down on the market and enforcing it into compliance with a vengeance. We are also collecting enforcement/inspection experiences of medical devices companies in the Netherlands in order to start a dialogue with the government to seek to arrive at a more proportionate policy of oversight.

Do you have experiences with the Dutch IGZ in medical devices or IVD oversight under the new penalty guidelines? Let us know.

Notified bodies – drop it like it’s hot

The notified bodies have gone through a rigorous process of joint assessments that culled already many of the notified bodies in the market for AIMDD, MDD and IVDD certification (53 left at the moment, with the number still declining). As a result the notified bodies have also been given clearer marching orders as to how to deal with customer files that their notifying authorities see as problematic, for example because the clinical evidence is not up to standards.

This situation has led to what I have started to call the ‘drop it like it’s hot’ strategy on the part of notified bodies. I see that especially smaller notified bodies often adopt the extremely nasty and onerous tactic of letting a certificate expire, and subsequently confronting the manufacturer with a de novo certification against a much higher (clinical) standard, with the notified body refusing to explain where this comes from and not being interested at all in the fact that this will disrupt the manufacturer’s business severely (especially in the case of SMEs that have only one or just a few products on the market).

This typically unfolds as follows: the date of recertification approaches, the manufacturer sends increasingly urgent sounding messages to the notified body about planning of the recertification audit (which are ignored by the notified body), the manufacturer trusts that the notified body will however not allow the certificate to expire just like that, the notified body does exactly that, and the notified body informs the manufacturer that it must now obtain a de novo certification against suddenly much higher standards that the notified body refuses to explain.

I think it’s a shame that authorities are not supervising this better but instead seem to just push out marching orders to notified bodies regarding clinical data requirements. It is truly frustrating to see notified bodies using their delegated state authority of certification this way, especially since there are much more proportional ways to handle this. One such more proportional way would be to re-certify with a new PMCF plan.

In this regard it is especially onerous for manufacturers that current medical devices legislation does not provide for clear legal recourse against notified bodies, nor for clear rules about transferring from one notified body to another. In practice there is little you can do against a notified body decision. Some member states allow administrative appeal, but the authorities are – in my experience – very deferential to notified bodies and give them virtually unlimited discretionary power. Notified bodies, for their part, have little to no experience in exercising government authority in accordance with basic principles of rule of law. This leads to routine infringement of core principles of good administration like e.g.

  • non-arbitrary decision making (giving reasons to support a decision)
  • proportionality (imposing the measure that is least burdensome for the company, like PMCF instead of certificate expiry)

Yet, manufacturers have no effective recourse against this. The MDR and IVDR will contain a very rudimentary regime for the scenarios that a notified body ceases activities or its designation is restricted, suspended or withdrawn.

You can imagine that this will become more pressing during the MDR and IVDR transitional periods, during which the notified bodies will be under extreme pressure resource wise because not only must they themselves be re-notified, they must also hire more in-house staff and in the meantime certify all of their customers’ devices on the market into the new system, while dealing with the normal workload of surveillance and re-certification audits. This will become an ugly mess, and that is a big understatement.

Notified bodies – clinical evaluation circus

Another issue we see happening now is the urgency that is being put on notified bodies to push through clinical data standards that go towards the new MDR level as quickly as possible. This early summer (June 2016) we have seen the new clinical evaluation MEDDEV being adopted, without transitional period. Presently we start to see notified bodies beginning to suspend / refuse to renew certificates if they find in a surveillance or recertification audit that the clinical evaluation for the device concerned is not fully up to the standards of the new MEDDEV. Yes, immediate suspension – not a minor, not a major, but cease placing on the market with immediate effect. We have even seen notified bodies take this to the level of suspending a certificate with multiple devices on it for all devices, just because the clinical evaluation for one of them (which was not even being placed on the market anymore at the time) was not at the level of the new MEDDEV.

Once the certificate has been suspended or needs to be renewed, there is no way to make a notified body hurry up and even act quickly to correct manifest mistakes (like suspending a certificate for all products if only one product is affected by the non-conformity) or otherwise even adhere to basic principles of good administration discussed above. The lack of legal recourse here is truly disconcerting, given the enormous damage manufacturers suffer as a result.

Notified body liability is already an issue subject to appeal to the European Court in the TUV Rheinland case, but that case is about no-fault liability for damage resulting from defective products that get on the market and the notified body audits did not prevent this. Here we are dealing with other liability, in my view for negligent or unconstitutional use of delegated government power (official ability to issue certificates with legal effect). The Advocate General makes a compelling argument in the TUV Rheinland (PIP implants) case about liability in cases of notified body failing to fulfill obligations. She argues in para 39 of her opinion:

“Given the crucial role played by notified bodies in the procedure leading to the placing on the market of medical devices governed by Directive 93/42 and bearing in mind, in particular, the high level of protection to patients and users that that directive aims to provide (30) and the risks associated with the devices in relation to which they are required to carry out their examination, it seems to me entirely appropriate that those bodies should in principle be capable of bearing liability under national law to those patients and users for a culpable failure to fulfil their obligations thereunder, provided always that the principles of equivalence and effectiveness are respected.”

The AG concludes that it is therefore possible under the directive that a notified body can be liable vis-a-vis patients and users for failing to fulfill obligations. I think that the same applies with respect to manufacturers when these suffer damage as a result of a notified body failing to fulfill basic duties of good administrative law practice that a government agency would need to fulfill. Remember, notified bodies are almost like an emanation of state in how they operate and are controlled by their notifying member states. This liability will apply regardless of what the contract of the notified body says, because it would be quite something if a notified body could contract out liability for gross negligence in the way it fulfills tasks delegated to it by law.

However, given the state of harmonization of EU medical devices law, this will be a matter for national courts to determine because the medical devices directives are silent on this point. The forum to go to is the competent court in the jurisdiction that notified the notified body concerned. It will be interesting to see what the European Court will decide. Given the complete lack of effective recourse against notified bodies under the new MDR and IVDR, this problem will persist into the future and become far worse in the messy and choppy transitional period that we have on the horizon with less notified body capacity but more need for it.

Let us know

Do you have bad experiences like discussed with your notified body? Let us and/or MedTech Europe know. We are working on collecting information to raise awareness for this at the Commission and at the national notifying authorities, but we need actual experiences to demonstrate what is happening. The more we have, the more impact we can make.

It will be interesting

to see where all of this goes. It is quite clear however that manufacturers have to pay closer attention to compliance formalities and remediate quicker, also in the lower risk product ranges. With the remediation and transition associated with the new MDR / IVDR, and the possibilities for non-conformities that come with them, manufacturers need to prepare for a rough period ahead in the next years.




The MDR – where are we now?

There seem to be a lot of misunderstandings in the market about the current status of the MDR. Some think it’s finished (it’s not, at least not formally) and there is a lot of uncertainty about when it will enter into force.

Currently the MDR and IVDR are in the process of translation. The trilogue produced negotiated texts but these are still not perfect. Upon close reading one discovers typos and numbering issues as a result of the many amendments. When a group of people translates two very complex and partly overlapping texts into 23 languages from a negotiated text that still contains small mistakes and unclarities, questions will arise about the interpretation of the texts. The texts may also require another look if something is unclear. That is currently happening.

Also, the Council and the Parliament will have to give their formal blessing to the texts as follows:

  • Adoption of the Council’s first reading position end 2016
  • EP second-reading vote end 2016 / early 2017

When these approvals have been ensured, the MDR and IVDR official texts will be published in the Official Journal. These texts are final and will enter into force 20 days after publication. That will be the ‘date of entry into force’ in the regulations. And everything will unfold from there.

What were the big surprises coming out of the trilogue?

I have written a lot on this blog about how the MDR will work in general and have posted content that will provide you with a good high and even detail level of how the MDR works and what manufacturers should do to become compliant with it.

Some of the surprises in the MDR are also in the IVDR and I will not discuss them in this post (they were discussed in a previous post about the IVDR). These are:

  • advertising rules
  • competent authorities enlisted in liability cases

What then are the MDR specific items? These are the amended scrutiny procedure, a new classification rule for software and the last minute amendments to the transitional regime.

Scrutiny reloaded

The scrutiny procedure in the MDR has been revamped and is now called ‘mandatory clinical evaluation consultation procedure’. This ‘new’ procedure is essentially a repackaging of the scrutiny procedure and it now covers implantable class III devices and class IIb active devices intended to administer and/or remove a medicinal product for which no common specifications have been established. Article 44, which used to be the scrutiny procedure, has been rewritten into a sort of safeguard procedure that the competent authorities can use if they feel that the CE marked device should not have been on the market as CE marked after all.

The final scope of devices subject to the scrutiny procedure (implantable devices classified as class III, and class IIb active devices intended to administer and/or remove a medicinal product) was also something of a surprise. Earliest versions of the text of the MDR showed a much larger scope of devices subject to scrutiny and the proposed scope diverged immensely between Commission, Parliament and Council. In that light it is actually not so surprising that the end result of the scope was unexpected.

Software classification

If your company sells clinical decision support or monitoring software, brace for impact because a new classification rule especially for that kind of software was inserted during the trilogue so we did not see it coming. Rule 10a reads as follows:

“Software intended to provide information which is used to take decisions with diagnosis or therapeutic purposes, is in class IIa, except if such decisions have an impact that may directly or indirectly cause:

– the death or an irreversible deterioration of the state of health, in which case it is in class III;

– a serious deterioration of the state of health or a surgical intervention, in which case it is in class IIb.

Software intended to monitor physiological processes is in class IIa, except if it is intended for monitoring of vital physiological parameters, where the nature of variations is such that it could result in immediate danger to the patient, in which case it is in class IIb.

All other software is in class I.”

Rule 10a consists of three parts that apply to three categories of software:

  1. Software intended to provide information which is used to take decisions with diagnosis or therapeutic purposes – will now always be class IIa or higher
  2. Software intended to monitor physiological processes – will be class I, IIa or IIb
  3. All other software – class I

This rule will increase the burden for software and app vendors considerably if their software is currently a class I medical device under rule 12 of Annex IX MDD and has either clinical decision support or monitoring functionality. This is the case for most clinical decision support software, which is now specifically targeted by the first part of rule 10a. This software will be classified in any of the other available risk classes, which means that clinical decision support software will always be subject to notified body oversight under the MDR. Under the MDR manufacturers and notified bodies classifying such software will need to look at the risks associated with false positives and false negatives that the software can produce. The MDR does not define serious or irreversible deterioration in the state of health, but MEDDEV 2/12 rev. 8 on vigilance does define it. An example of a serious deterioration in the state of health is indirect harm (see paragraphs 5.1.1 and 4.11 of that MEDDEV), which may consist of misdiagnosis or inappropriate treatment as a result of false positives or false negatives.

The second part of rule 10a is current rule 10 but then applied specifically to software. The reason for this is probably the current unclarity regarding the current rule 10’s application to standalone software.

The third part concerns ‘everything else’, so essentially current rule 12 that most of the standalone software on the market is benefiting from, minus monitoring and clinical decision support software.

I made a nice little flowchart for the application of the rule:


A surprise within the surprise is that this classification clause is not mirrored in the IVDR, because also in the IVD field decision support software (the expert system functionality mentioned in MEDDEV 2.1/6, of which a new version has just been published by the way) becomes more and more important. I would have thought that software for the support of decisions based on interpretation of various IVD results could also have different risk profiles. Software for interpreting genetic test results for life threatening hereditary diseases would have a different risk profile than software for interpreting test results for the presence of pregnancy associated hormones. With the absence of a rule 10a analogue in the IVDR, standalone software will need to be qualified not by its functionality but by what test results it tests for.

If you are interested in more detail about this classification rule, check out my article in eHealth Law and Policy in which I describe the rule and its consequences in detail.

Transitional regime

As expected a ‘solution’ was found to address the constraints preventing all medical devices to be transferred into the new system before the end of the transitional period, such as lack of notified body capacity, limited remainder of transitional period after re-notification of notified bodies, etc.

To that end the MDR contains the following transitional regime:

  • There is a three years transitional period running from the date of entry into force to the date of application (article 97 (2));
  • Certificates issued by notified bodies in accordance with Directives 90/385/EEC and 93/42/EEC prior to the entry into force of the Regulation shall remain valid until the end of the period indicated on the certificate, except for certificates issued in accordance with Annex 4 of Directive 90/385/EEC or Annex IV of Directive 93/42/EEC which shall become void at the latest two years after the date of application of the Regulation (article 94 (2)).
  • Certificates issued by notified bodies in accordance with Directives 90/385/EEC and 93/42/EEC after the entry into force of the Regulation shall remain valid until the end of the period indicated on the certificate, which shall not exceed five years from its delivery. They shall however become void at the latest four years after the date of application of the Regulation (article 94 (2) 2nd paragraph).
  • Devices which were lawfully placed on the market pursuant to Directives 90/385/EEC and 93/42/EEC prior to the date referred to in Article 97(2) may continue to be made available on the market or put into service until five years after that date (article 94 (3a)).

Devices that benefit from transitional provisions that allow MDD or AIMDD covered devices on the market after the date of application remain covered by these directives as regards vigilance, registration of manufacturer and authorised representative, Eudamed contents for the devices concerned and clinical investigations with these devices (article 96). Not sure how this works in practice, especially because the MDR is not clear about whether they are covered by the MDR for the other aspects – if that would be the case, the manufacturers of these devices would nonetheless be faced with a lot of new obligations, for example the new PMS obligations. If the MDR does not apply for the other items, then these devices would exist in a relative regulatory empty space, which would be unlikely to be intended. This is one of the big known unknowns under the MDR.

When you lay it out on a timeline I think the options in the transitional regime look a bit like this:


In the mean time, there are also other grave concerns

Governance and surveillance

There are serious concerns (by member states themselves no less) about the ability of member states to be able to staff all the functions required under the MDR, like staffing the MDCG, looking in the EUDAMED database, doing things with information from the EUDAMED database, etc. We will need to see how this plays out. Member states have traditionally been reluctant to allocate sufficient resources to medical devices surveillance and policy, so now is the time for them to step up and put their resources where their mouth is.

Notified bodies

The notifications under the MDD will remain in place during the transitional period so notified bodies will still be able to issue certificates under the transitional rules under the MDD and AIMDD, but there is no telling what notified bodies will be notified under the MDR when. More and more are going bankrupt or just ceasing business. An application for notification will remain voluntary and while the assessment of the application is not the member state’s sole prerogative, there is also no deadline for completing the process.

Nobody has any idea how long it will take for notified bodies to be notified under the MDR – I hear estimates ranging from 12 to 18 months. This means that for one third to half of the transitional period no certificates under the MDR will be issued and that the first certificates will be issued towards the end of the transitional period. This means that the capacity of notified bodies for certificates that are planned during the transitional period will be very limited. If your company’s transition strategy revolves around this, make sure that you keep your notified body very very close in your planning and execution of your company’s transition strategy.

Transition plan

Your company should by now be planning for the transition of its products and doing a gap assessment on what is needed to go from the MDD/AIMDD to the MDR. This is not something to be underestimated, because if you do it may cause severe disruptions: certificates expiring with no new certificate on the horizon. New clinical data to be generated that is not there, new procedures to be implemented that no one knows were necessary, devices being classified in higher classes (especially software (rule 10a) and substance based devices (rule 21)).

If you don’t know where to start, start with the BSI white papers on the MDR – I’m mentioning these because I know they are good quality and have contributed to several of them. BSI recently published a white paper on how to do a transition plan, which is a good overview of what is needed. You can also visit the panel I am moderating at the Advamed Conference in Minneapolis tomorrow (2.15 to 3.30 pm), which will concentrate on this.


Missed the session? I’m working on MDR transition plans for several big and small(er) manufacturers and would be happy to help leverage that knowledge for the benefit of your company – just let me know.


Software MEDDEV ‘updated’

The Commission issued an updated version of the MEDDEV 2.1/6 regarding standalone software on 15 July. After all the rumors around the difficult discussions surrounding the revision process, I was very curious about the changes finally implemented.

Unfortunately these changes turned out to be very limited and in my view do not change the scope of the document or even bring anything new. Essentially what happened is that the Commission added some definitions and slightly amended the flow chart for qualification under the Medical Devices Directive by amending the first decision node of the flow chart.

Definitions and flow chart

The definition of software has been changed to a “set of instructions that processes input data and creates output data”. The new definition of software is used in the new question in decision node 1 of the Medical Devices Directive flow chart (“Is the product a software?”).

The MEDDEV defines the concepts of input data (“any data provided to software in order to obtain output data after computation of this data”) and output data (“any data produced by a software”) embedded in the new definition of software. The MEDDEV provides a non-exhaustive list of examples of input data (data given through human interface input devices, documents and data received from / transmitted by devices) and output data (e.g. screen, print or audio data; digital documents). Nothing really surprising.

The MEDDEV now includes the definition of “Software as a Medical Device” (SaMD) from the IMDRF work item on software, but the definition is not operationalized anywhere in the MEDDEV, because the document only refers to the separately defined term “software”. The definition has no apparent function in the MEDDEV other than seemingly paying tribute to the IMDRF work on software.

Mobile apps

The new MEDDEV version contains a new statement to the effect that “The criteria specified in this document apply also to mobile applications.” Again, not surprising, because we knew that already: mobile apps were always software in scope of the MEDDEV. It’s a pity though that the revised MEDDEV does not contain any actual guidance specifically for mobile apps. That means we’re left with the guidance on mobile apps in the Manual on Borderline and Classification, which looks set to be further expanded on an ad hoc basis as the Manual evolves.


Is this progress? Well, somewhat. However, to me it’s disappointing that the EU does not have more additional guidance to show for four and a half years of experience with the software MEDDEV. It shows that the expert group working on the MEDDEV had a very difficult job coming to agreement on what to put into the revised version, because there are more than enough questions that could have been addressed. A missed opportunity, given the importance of the subject.
