Medical devices and new technologies are becoming more and more linked one to the other in order to allow medical practitioners to continuously monitor their patients’ health conditions through eHealth remote patient management systems connected to cloud databases contributing to the growth of the Internet of Things. However such technologies lead to relevant legal issues including data protection issues.
Medical device companies should assess the legal implications of technologies allowing practitioners to review the status of their patients in real time through devices that are connected to cloud databases, which can be accessed not only to review patients’ health conditions, but also to perform clinical trials. These tools can be implanted directly in the body, as is the case with biostamp electronic tattoos and insertable cardiac monitors, which have contributed to the growth of the so-called ‘wearable technologies’ sector along with smart watches, fitness bands and smart glasses.
Data protection obligations
These new technologies trigger privacy issues because of the large amount of sensitive data on patients’ health conditions that is collected and then transferred to a database accessible by practitioners. Such data processing is subject to considerable data protection obligations.
As already prescribed by the Article 29 Working Party (a European privacy advisory body) in its opinion on smartphone apps, the company managing the software installed on the device used for the remote monitoring system is subject to the privacy laws of the country where the device/user is located; this applies even to non-European entities. It will be insufficient merely to ask for privacy consent; rather, a data protection notice must be provided that lists all information requested under the relevant privacy law. Therefore, a pop-up message displayed following the download of most apps would not meet the regulatory requirements.
Data Protection consent and notifications
The privacy issue is more complex in countries such as Italy, which requires written privacy consent for the processing of sensitive data and allows data processing only within the limits of a general authorisation issued by the data protection authority. In such cases, a case-by-case review of products will be undertaken to determine whether such regulatory restrictions might limit the exploitation of these technologies or whether a solution might be adopted to ensure privacy compliance without limiting the functioning of the app.
Data controller, processor and sub-processor
The roles of the entities involved in the handling of collected data cannot be left to the discretion of the parties; on the contrary, the data protection authorities are strict in defining these roles. In particular, hospitals are generally considered to be the sole data controllers, with sponsors acting as data processors and cloud platform providers acting as sub-processors. Sponsors will usually need to be qualified as data controllers in order to have a higher level of discretion in the processing of the data, but data protection authorities have challenged such qualifications in several instances.
Processing of biometric data
Under Italian law, the use of remote patient monitoring systems may require notification of the data protection authority. This requirement will apply if such technologies are used either to create user profiles (which might include a profile of the user’s physical features) or to collect biometric data.
Biometric data includes any data obtained from a person’s physical or behavioural features (eg, fingerprints, facial characteristics, hand geometry, and retina and iris scans). In this respect, as outlined in this post, the Italian data protection authority has issued stringent requirements as to the modalities of biometric data collection, the security measures to be implemented for data storage and the maximum term of storage.
Purpose of data processing
A common mistake of medical device companies is to assume that once patients’ data has been collected, it may be used for any purpose and belongs to the company. This is not the case, and privacy consent – specific to the purpose for which the data will be processed – must be obtained from the patient. Therefore, except in limited circumstances to be assessed on a case-by-case basis, personal data collected as part of medical treatment cannot subsequently be used in the performance of a clinical trial at a later stage without additional consent from the relevant patients. This requirement does not apply if collected data is then aggregated and anonymised. However, in this case the mere use of an identification code will not suffice if it is possible to connect a patient to the relevant code.
Transfer of data outside European Union
Data transfers outside the European Union can be the most challenging part of the assessment of legal implications, since it is necessary to know the role and location of all parties involved, as well as which servers are used to manage the platform distinguishing the roles between hospitals, sponsors and cloud platform providers. Based on the information collected, the usual solution is to implement ad hoc model clauses approved by the European Commission, but these must be tailored to the peculiarities of the case. For instance, a relevant issue is to ascertain whether the data processor that appoints the sub-processor is a European or non-European entity.
The potential privacy risks cannot be underestimated, given the fines for breach of privacy regulations prescribed by most EU countries and the criminal penalties that some countries – including Italy – impose for breaches in some cases (eg, if the breach has been performed to gain profit or causes damages). These penalties are expected to increase considerably as a consequence of the potential implementation of the new EU Privacy Regulations and should therefore be taken into account in the development of new technologies.
Medical device regulations
It is also relevant to assess whether new technologies qualify as medical devices. In this respect, it is necessary to distinguish between the software and hardware components of the device.
As for hardware, multi-purpose products such as tablets and personal computers are not usually considered medical devices, unless they are specifically assigned a medical role. This means that where the hardware component is not specifically used for the intended medical purpose, it should not be regarded as medical equipment and will not fall within the definition of ‘medical device’.
However, where the hardware component is used together with software qualifying as a medical device in such a way that the software will not otherwise run, the hardware should be regarded as a medical device. In this case, the software is a component and integral part of the medical device and is not regarded as a medical device on its own. Therefore, hardware and software should automatically fall into the same class of medical device.
Software may be considered a medical device where:
- its use falls under one of the categories listed in the definition of ‘medical device’;
- it is intended to control or influence the functioning of a medical device;
- it is intended to be used in the analysis of patient data generated by a medical device with a view to diagnosis and monitoring; or
- it is intended to be used by patients to diagnose or treat a physical or mental condition or disease.
Therefore, software that is not intended to perform any diagnosis of collected data, but that is merely used to transmit the data to a cloud database where the data is reviewed and analysed, is not considered a medical device.
Hardware or software components of remote patient monitoring systems which qualify as medical devices may hinder the timely updating and upgrade of these new technologies, on account of the formalities and regulatory obligations that must be complied with. At the same time, stringent EU privacy regulations might create a sharp distinction between European and non-European jurisdictions where light data protection regulations could allow for the faster launch of these technologies. It remains to be seen whether regulators will be able to strike the right balance between the need to protect patients and the need to promote the potential benefits for patients arising from the exploitation of these new technologies.
Following this post, I ran a webinar on the topic whose slides are available here. We will see how regulators will react to this issue and in particular it will be interesting to check the position to be taken by the Italian privacy regulator as part of its consultation on the Internet of Things covered in this blog post.