Brexit, GDPR & MDR – a Legal Update (DHACA Day XIII)
Brexit, GDPR & MDR – a Legal Update DHACA Day XIII – Digital Catapult 21 June 2016 Julian Hitchcock Address: 11 Staple Inn London WC1V 7QH Contact: Tel: +44 (0)20 7209 2000 Fax: +44 (0)20 7209 2001 DX 0001 London Chancery Lane
Dedicated to Life Sciences Axon Lawyers: Amsterdam Marriott Harrison: London Dewallens & Partners: Brussels Italy Legal Focus: Milan LCH: Paris Lützeler Klümper: Düsseldorf, Hamburg www.aelslf.eu
Legal Stuff - Disclaimer The information in this presentation is not exhaustive and is provided for information and education purposes only. While every endeavour is made to ensure that the information is correct at the time of publication, the legal position may change as a result of matters including new legislative developments, new case law, local implementation variations or other developments. The information does not take into account the specifics of any person's position and may be wholly inappropriate for your particular circumstances. The information is not intended to be legal advice, cannot be relied on as legal advice and should not be a substitute for legal advice.
A few developments • Data Protection – New EU Regulation to apply from 25 May 2018 • Medical Devices – New EU Regulation to apply from May 2020 • In Vitro Diagnostic Medical Devices – New EU Regulation to apply from May 2022 • Cross border healthcare – EU Directive 2011/24
DATA PROTECTION
The Data Protection Right • “1. Everyone has the right to the protection of personal data concerning him or her. • 2. Such data must be processed fairly for specified purposes and on the basis of the consent of the person concerned or some other legitimate basis laid down by law. Everyone has the right of access to data which has been collected concerning him or her, and the right to have it rectified. • 3. Compliance with these rules shall be subject to control by an independent authority.” Article 8 Charter of Fundamental Rights
General Data Protection Regulation (GDPR)* • “Natural persons should have control of their own personal data”. • Simplify regulatory environment for international businesses • Privacy by Design & Accountability • Data Processors - direct obligations • Data Protection Officers • DPA notification replaced by DP impact assessment • Regulatory oversight - European Data Protection Board (EDPB) *Regulation (EU) 2016/679
GDPR - Features • Enhanced Rights – Transparency – Information and data access – Rectification/Erasure/Restriction/Notification/Portability – Objection to automated decision-making/profiling • Consent • Children • Pseudonymisation • Personal Data Breach • Genetic & biometric data
GDPR - Features • Extra-territorial reach if an EU resident’s personal data is processed re goods/services offered to them, or if the behaviour of individuals within the EU is “monitored” (A 3(2)) • Data Export from EEA (UK to leave EEA…) • Binding Corporate Rules • Huge sanctions (up to €20m or 4% of total worldwide annual turnover, whichever is higher; lower tier €10m or 2%) (A 83)
“personal data” • “any information relating to an identified or identifiable natural person (‘data subject’); an identifiable person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that person” (A 4(1)) • Sensitive personal data “… merit specific protection as the context of their processing may create important risks for the fundamental rights and freedoms.” (R 51)
“data concerning health” • “personal data related to the physical or mental health of a natural person, including the provision of health care services, which reveal information about his or her health status” (A 4(15)) including • “a number, symbol or particular assigned to a natural person to uniquely identify the individual for health purposes” • “information derived from the testing or examination of a body part or bodily substance, including genetic data and biological samples” • “any information on e.g. a disease, disability, disease risk, medical history, clinical treatment or the actual physiological or biomedical state of the data subject independent of its source, for example, from… a medical device, or an in vitro diagnostic test” (R 35)
“genetic data” • “personal data relating to the inherited or acquired genetic characteristics of a natural person which give unique information about the physiology or health of that natural person and which result, in particular, from an analysis of a biological sample from the natural person in question” (A 4(13)) • “…in particular by DNA or RNA analysis or analysis of any other element enabling equivalent information to be obtained” (R 34)
“biometric data” • “personal data resulting from specific technical processing relating to the physical, physiological or behavioural characteristics of a natural person which allow or confirm the unique identification of that natural person, such as facial images, or dactyloscopic data” (A 4(14))
Prohibition by Default… and the Consent Exception • “… the processing of genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person's sex life or sexual orientation shall be prohibited.” (A 9(1)) UNLESS… • “(a) the data subject has given explicit consent to the processing of those personal data for one or more specified purposes, except where Union or Member State law provide that the prohibition … may not be lifted by the data subject”. (A 9(2)(a))
“consent” • “…any freely given, specific, informed and unambiguous indication of the data subject's wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her” (A 4(11)) • “… could include ticking a box when visiting an internet website, choosing technical settings for information society services or another statement or conduct which clearly indicates in this context the data subject's acceptance of the proposed processing of his or her personal data” BUT… “Silence, pre-ticked boxes or inactivity should not … constitute consent” (R 32) • Distinguishable, revocable, not bundled (A 7(2)): “… the data subject has given consent to the processing of his or her personal data for one or more specific purposes” • Consent to unnecessary processing cannot be a precondition of service contracts (A 7(4)) • Withdrawal – as easy as giving consent (A 7(3))
Clinical Exception • “(h) processing is necessary for the purposes of preventive or occupational medicine, for the assessment of the working capacity of the employee, medical diagnosis, the provision of health or social care or treatment or the management of health or social care systems and services on the basis of Union or Member State law or pursuant to contract with a health professional” AND • “those data are processed by or under the responsibility of a professional subject to the obligation of professional secrecy under Union or Member State law or rules established by national competent bodies or by another person also subject to an obligation of secrecy under Union or Member State law or rules established by national competent bodies”. (A 9(2)(h) & A 9(3))
Public Health & Incapacity • “(i) processing is necessary for reasons of public interest in the area of public health, such as protecting against serious cross-border threats to health or ensuring high standards of quality and safety of health care and of medicinal products or medical devices, on the basis of Union or Member State law which provides for suitable and specific measures to safeguard the rights and freedoms of the data subject, in particular professional secrecy” • “(c) processing is necessary to protect the vital interests of the data subject or of another natural person where the data subject is physically or legally incapable of giving consent” (A 9(2)(i) and (c))
Scientific Research • “(j) processing is necessary for … scientific …research purposes or statistical purposes … based on Union or Member State law which shall be proportionate to the aim pursued, respect the essence of the right to data protection and provide for suitable and specific measures to safeguard the fundamental rights and the interests of the data subject.” (A 9(2)(j)) • Safeguards: data minimisation; further processing requires feasibility assessment & pseudonymisation (A 89(1); R 156) • National derogations re access, rectification, restriction, notification, data portability & objection (A 89(2)-(3)) • “Data subjects should have the opportunity to give their consent only to certain areas of research or parts of research projects to the extent allowed by the intended purpose” (R 33)
Scientific Research • “…the processing of personal data for scientific research purposes should be interpreted in a broad manner including for example technological development and demonstration, fundamental research, applied research and privately funded research. In addition, it should take into account the Union's objective … of achieving a European Research Area. Scientific research purposes should also include studies conducted in the public interest in the area of public health.” (R 159) • “further processing for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes shall, in accordance with Article 89(1), not be considered to be incompatible with the initial purposes (‘purpose limitation’)” (A 5(1)(b))
DP Impact assessments • “Where a type of processing in particular using new technologies, and taking into account the nature, scope, context and purposes of the processing, is likely to result in a high risk to the rights and freedoms of natural persons, the controller shall, prior to the processing, carry out an assessment of the impact of the envisaged processing operations on the protection of personal data. A single assessment may address a set of similar processing operations that present similar high risks.” (A 35(1); R 89) • Mandatory (A 35(3)(a)-(b)): “a systematic and extensive evaluation of personal aspects relating to natural persons which is based on automated processing, including profiling, and on which decisions are based that produce legal effects concerning the natural person or similarly significantly affect the natural person” and “processing on a large scale of special categories of data referred to in Article 9(1)”
Margin of appreciation • “Union or Member State law should provide for specific and suitable measures so as to protect the fundamental rights and the personal data of natural persons. • Member States may maintain or introduce further conditions, including limitations, with regard to the processing of genetic data, biometric data or data concerning health*. • However, this should not hamper the free flow of data within the Union when those conditions apply to cross-border processing of such data.” (R 53; *A 9(4))
“profiling” • “The data subject shall have the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning him or her or similarly significantly affects him or her.” (A 22(1)) • “any form of automated processing of personal data consisting of the use of personal data to evaluate certain personal aspects relating to a natural person, in particular to analyse or predict aspects concerning that natural person's performance at work, economic situation, health, personal preferences, interests, reliability, behaviour, location or movements” (A 4(4)) • “Automated decision making and profiling based on special categories of personal data should only be allowed under specific conditions.” (R 71) • EDPB guidance…
Erasure – “Right to be Forgotten” (A 17) • Difficult to implement if data is stored in archived backups • Risk that statistical analyses will be “depowered” as a result of the exercise of such rights (particularly in the case of orphan diseases or conditions with difficult inclusion and exclusion criteria, such as paediatric). Compromises existing registrations (let alone future developments). • (Could clinical trials and investigations be conducted outside Europe to avoid the risk?)
Data Portability • Data Subject right to access data includes a right to data portability – “The data subject shall have the right to receive the personal data concerning him or her, which he or she has provided to a controller, in a structured, commonly used and machine-readable format and have the right to transmit those data to another controller without hindrance from the controller to which the personal data have been provided” (A 20(1)) • How to comply?
M-Health – Commission Privacy Guidelines • European Commission Green Paper 2014 – Aim: to increase HCP confidence in the validity & reliability of patient data in the care pathway, especially with regard to links with electronic health records – Assessment criteria on quality, safety, reliability & efficacy – Voluntary, but good practice in app development – Proposed EU governance framework
M-Health – Commission Privacy Guidelines • Article 29 Working Party Review – Must “add value” to Directive & GDPR – More detail on research purposes – Threshold: where does lifestyle become health data? – Governance – monitoring body – Practical guidance for controllers – Information, transparency and subject rights – Security (anonymisation techniques; encryption + secure transmission)
What to do now to be GDPR Compliant • Prepare DP policies and practice procedures for breach • Watch out for specific Member State rules on health data etc., including differences between Member States. • Build a governance framework (Assess, Protect, Sustain, Respond) • Embed “privacy and accountability by design” • Consents, DPO etc… • Confirm legal grounds for processing and storage • Review privacy notices and policies, monitor points • Prepare for subjects to exercise DP rights • Data processor obligations and costs • Review legal grounds for export of personal data.
MEDICAL DEVICE REGULATION
Why being a “device” matters • “Member States shall take all necessary steps to ensure that devices may be placed on the market and/or put into service only if they comply with the requirements laid down in this Directive when duly supplied and properly installed, maintained and used in accordance with their intended purposes.” Art. 2 Medical Devices Directive & Art. 2 Active Implantable Medical Devices Directive • Risk classification
Why being a “device” matters • “Member States shall take all necessary steps to ensure that devices may be placed on the market and/or put into service only if they comply with the requirements laid down in this Directive when duly supplied and properly installed, maintained and used in accordance with their intended purpose. This involves the obligation of Member States to monitor the security and quality of these devices. This Article applies also to devices made available for performance evaluation.” Art. 2 In Vitro Diagnostic Medical Devices Directive
Is it a device? • “Medical device”: “any instrument, apparatus, appliance, software, material or other article, whether used alone or in combination, including the software intended by its manufacturer to be used specifically for diagnostic and/or therapeutic purposes and necessary for its proper application, intended by the manufacturer to be used for human beings for the purpose of: – diagnosis, prevention, monitoring, treatment or alleviation of disease, – diagnosis, monitoring, treatment, alleviation of or compensation for an injury or handicap, – investigation, replacement or modification of the anatomy or of a physiological process, – control of conception, and which does not achieve its principal intended action in or on the human body by pharmacological, immunological or metabolic means, but which may be assisted in its function by such means;” (Art. 1(2)(a) MDD, Directive 93/42 on medical devices)
Is it an accessory? Art. 1(1) MDD: • “This Directive shall apply to medical devices and their accessories. For the purposes of this Directive, accessories shall be treated as medical devices in their own right. Both medical devices and accessories shall hereinafter be termed devices.”
Is it an accessory? Art. 1(2)(b) MDD: • “an article which whilst not being a device is intended specifically by its manufacturer to be used together with a device to enable it to be used in accordance with the use of the device intended by the manufacturer of the device”
Essential Requirements Art. 3 IVDD & MDD • “Devices must meet the essential requirements set out in Annex I which apply to them, taking account of the intended purpose of the devices concerned.” • AIMDD similar wording. • MDD & AIMDD add: – “Where a relevant hazard exists, devices which are also machinery within the meaning of Article 2(a) of Directive 2006/42/EC of the European Parliament and of the Council of 17 May 2006 on machinery shall also meet the essential health and safety requirements set out in Annex I to that Directive to the extent to which those essential health and safety requirements are more specific than the essential requirements set out in Annex I to this Directive.”
Classification under the MDD (decision flow): 1. Medical device? – Intended use (Art. 1 MDD) 2. Risk classification? (Annex IX MDD) 3. Which rules apply? (Part 3, Annex IX MDD)
Overview (classification flowchart): Active implantable device → Annex 1 AIMDD; Medical device → Class I, IIa, IIb or III → Annex I MDD; IVD → Annex I IVDD
MDD Classification Rules Part 2, Annex IX • Implementing Rule 2.3 – Software, which drives a device or influences the use of a device, falls automatically in the same class.
MDD Classification Rules Part 3, Annex IX: • Classification Rule 10 – Class IIa, if direct diagnosis or monitoring of vital physiological processes – Class IIb, if direct diagnosis or monitoring of vital physiological processes, where the nature of variations is such that it could result in immediate danger to the patient • Classification Rule 12 – Class I for all remaining active medical devices • Classification Rule 14 – Class IIb for all devices used for contraception / prevention of transmission of sexually transmitted diseases
Classification under MEDDEV 2.1/6 • MHRA comment on information systems: “Generally, Electronic Health Records software is unlikely to be considered a medical device if it is purely a record archiving and retrieval system similar to traditional paper based filing systems. However, if it includes a module that interprets or interpolates data or performs a calculation, then it is likely that this module or system may then be considered a medical device, depending on the claims of the manufacturer.” • Consistent with definition in MEDDEV 2.1/6
App as medical device • Check decision trees in MEDDEV 2.1/6 to determine if app is in scope of “medical device” • Regulatory continuum towards medical device regulation (figure): Wellness – search, transfer, move, store, display, count → trend, alter, highlight → amplify, analysis, interpret, alarms, calculates, controls, converts, detects, diagnose, measures, monitors → Medical: diagnostic, therapeutic
MHRA Guide 2016
Rough Guide: Is it, or isn’t it? • MHRA – suggestive words: – Amplify, analysis, interpret, alarms, calculates, controls, converts, detects, diagnose, measures, monitors: probably medical device. • MHRA – rough categories: – Decision support/making software that applies automated reasoning (i.e. simple calculations, decision support algorithms, or more complex series of calculations), such as dose calculators, symptom trackers & clinicians’ guides: probably medical device – Apps acting as accessories to medical devices such as in the measurement of temperature, heart rate, blood pressure and blood sugars could be treated as a medical device (ditto programmers for prosthetics).
Rough Guide: Is it, or isn’t it? • MHRA – rough categories (continued): – Software that monitors a patient and collects information entered by the user, measured automatically by the app or collected by a point of care device may qualify as a medical device if the output affects the treatment of an individual. – Software that provides general information but does not provide personalised advice, even though targeted to a particular user group, is unlikely to be considered a medical device.* – Software used to book appointments, request prescriptions or have a virtual consultation is unlikely to be considered a medical device if it only has an administrative function. – If the software/app performs a calculation, interprets or interpolates data and the healthcare professional does not review the raw data, then this software may be a medical device.
Rough Guide: Is it, or isn’t it? • Not a medical device, if – Entry and storage of weight data of a patient – Transfer of data to the physician for patient record – Pure documentation of data* • Medical device, if – Used within a diabetes therapy – Control of other vital parameters, e.g. blood sugar, blood pressure – Own calculations and diagnosis – Telemetric control of patient by physician
Rough Guide: Is it, or isn’t it? • Medical device: – Blood sugar meter – Pulse measuring – Dose calculator for paediatrics • Not medical device: – Simple BMI calculator – Simple weight record • In general, smartphones themselves do not become medical devices
What if it is a regulated device? • Necessary steps: – Define medical purpose – Classify according to risk: I, IIa, IIb, III – Conformity assessment procedure – Harmonised standards – Risk management – Quality management system – Clinical assessment – Validation of software – CE-marking • Changes of versions may require a new CE-certificate
What if it is a regulated device? • Choosing the right platform (operating system) for a software medical device • Access to source code of the operating system • Software “validated to state of the art taking into account the principles of development lifecycle, risk management, validation and verification” • Instructions for Use (except Class I & IIa) • Post market surveillance – Software registration / activation systems may help trace devices distributed by third parties / app stores • Manufacturer of mobile app has to track changes to the operating system and has to assess their impact on the mobile app • Adverse incident reporting • Misc… (viruses, systems, social care etc.)
Medical Device Regulation 2017 • Higher criteria for Notified Bodies, with more oversight • New risk classification for IVDs • Stronger rules on clinical evidence + EU multi-centre investigations • Joint & several liability of authorised representatives + outside-EEA manufacturers • Increased EU coordination on vigilance and market surveillance • EU device database and traceability system • Tougher post-market surveillance
Medical Device Regulation 2017 Annex VIII Rule 11 • Software intended to provide information which is used to take decisions with diagnosis or therapeutic purposes is in class IIa, except if such decisions have an impact that may cause: – death or an irreversible deterioration of a person’s state of health, in which case it is in class III; – a serious deterioration of the state of health or a surgical intervention, in which case it is in class IIb. • Software intended to monitor physiological processes is in class IIa, except if it is intended for monitoring of vital physiological parameters, where the nature of variations is such that it could result in immediate danger to the patient, in which case it is in class IIb. • All other software is in class I.
MDR: “Information Society Services” & EU Coordination • Includes devices/accessories offered to persons without the parties being simultaneously present. • Article 6: “A device offered by means of information society services …to a natural or legal person established in the Union shall comply with this Regulation.” • Devices used in medical examinations or treatment at a doctor's surgery using electronic equipment where the patient is physically present are not deemed to be used in an “information society service” but will be caught by other provisions of the MDR. • EUDAMED • Medical Device Coordination Group…
BREXIT: RISKS & OPPORTUNITIES
A few developments • Data Protection – New EU Regulation to apply from 25 May 2018 • Medical Devices – New EU Regulation to apply from May 2020 • In Vitro Diagnostic Medical Devices – New EU Regulation to apply from May 2022 • Cross border healthcare – EU Directive 2011/24 • European Communities Act 1972 to be repealed on exit (expected March 2019), with existing EU law converted into UK law by the “Great Repeal Bill”
Certainty and Risk • ICO [EU General Data Protection Regulation in force May 2018]: “…international consistency around data protection laws and rights is crucial both to businesses and organisations and to consumers and citizens” • MHRA: “… the ways in which the UK might continue to work technically in some of those regulatory frameworks won’t simply be and can’t simply be a read-over of all of the existing ways in which that happened” “Playing a full, active role in European regulatory procedures for medicines remains a priority”
Great Repeal Bill • “Britain to celebrate freedom from Europe by replacing all its laws with identical ones” David Davis said, “… solid British laws, made right here in the home of Shakespeare, will govern our lives fairly and squarely, and by being exactly the same as the laws they replace will also allow us to trade in Europe. “This bill, which will update in parallel with all future EU legislation, promises a brave future of independence for Britain as long as we continue to meet all continental standards with regard to sale of goods and services.” “We’ve got rid of all the human rights laws, though. They were just holding you back.” © The Daily Mash 2017
The Data Protection Right – Article 8 Charter of Fundamental Rights (text as quoted above)
BREXIT – Data Protection • Schrems and the ‘Safe Harbor’ • Article 25 Data Protection Directive (Directive 95/46) – Transfer of personal data to a ‘third country’ prohibited unless it provides an ‘adequate level of protection’ – Commission can make an ‘adequacy decision’ • EFTA/EEA Future – UK could still receive personal data from EEA states, but at GDPR standard – No control.
BREXIT – Data Protection • WTO Future – UK becomes a ‘third country’ outside the EU ‘safe data zone’. – Without an adequacy decision, transfer of personal data from the EEA is restricted. – UK companies required to adopt EU model contract clauses and/or seek ICO authorisation • Bilateral data pact? – Dubious and tricky – Would still require an adequacy decision • UK a logistically awkward location for European HQs – Obstacles to receiving/hosting personal data of subsidiaries etc.
BREXIT – Medical Device Regulation • Less damaging than to pharmaceuticals – No government pre-market review • Outside EEA: – Manufacturers established outside the EEA need only designate an Authorised Representative – Technical file must be maintained in the EEA and available for inspection. – Manufacturers conducting clinical investigations to submit notifications • No EU regulation of supply chain • Flexibility over design & operation of quality systems
BREXIT – Medical Device Regulation • Lost influence, impacts on research and staffing (e.g. code writers) • Pricing, reimbursement & healthcare delivery unlikely to be affected • EEA Future – Little difference – Device companies could act as manufacturers and authorised representatives – UK notified bodies could still certify conformity of medical devices and device quality systems – MDR compliance officer could remain in the UK • EFTA (Swiss) Future – Mutual recognition – Very similar to EEA
BREXIT – Medical Device Regulation • WTO Future – MHRA regulates medical devices for the UK alone, subject to UK standards adopted by the UK. – Simultaneous compliance with EU rules where products enter the European market – Designate authorised representative (and responsible person under MDR) in the EEA – Maintain technical file in the EEA – Will existing certificates from UK notified bodies be recognised? – Without mutual recognition of conformity assessments (like Turkey), will need a notified body in the EEA.
BREXIT – Medical Device – RISK PLAN • Are you a manufacturer of medical devices (applicant for CE mark)? • Are you an authorised representative (AR) of non-EEA device manufacturers? • Do you hold technical documents to support CE-marked devices? • Have you made pre-launch registrations of devices as manufacturer or as AR of non-EEA device manufacturers? • Have you involved a UK-based notified body in the CE-marking process?
Certainty and Risk • “… the preserved law should continue to be interpreted in the same way as it is at the moment” [Real] UK Government White Paper on the “Great Repeal Bill” • Loss of rights? • The Acquis Problem... Either UK: – follows future EU law; or – creates UK red tape…? • Continue to follow EU laws and guidance... • Watch out for national laws. • Move operations?
Thank you julian.hitchcock@marriottharrison.co.uk