Wearable technologies change due to new medical devices regulations


Wearable technologies, eHealth and telemedicine might significantly change due to two newly adopted European regulations on medical devices.

I have already discussed the privacy issues, as well as the issues relating to the qualification of wearables as medical devices, in this blog post. What follows is an article from my colleague Sara Balice (initially published on IPTItaly) that outlines an interesting development on the matter.

The new European regulations on medical devices

In the medical devices market, the exploration of wearable technologies is growing at a rapid pace, and regulations need to adapt accordingly.

To meet this need, on 5 April 2017 two new EU regulations on medical devices were adopted:

  • Regulation (EU) 2017/745 on medical devices, and
  • Regulation (EU) 2017/746 on in vitro diagnostic medical devices (“IVDR”).

Both regulations were published a few days ago in the Official Journal of the European Union (available here).

According to a press release of the European Commission, the new Regulations “will help to ensure that all medical devices – from heart valves to sticking plasters to artificial hips – are safe and perform well”.

They will bring significant changes to the sector and will also have an impact on wearable technology in medical devices.

How do wearable technologies qualify under the new medical devices regulations?

Directive 2007/47/EC (amending Directive 90/385/EEC and Directive 93/42/EEC concerning, respectively, active implantable medical devices and medical devices) already clarified that software, when specifically intended by the manufacturer to be used for one or more medical purposes, is a medical device, whilst general-purpose software used in a healthcare setting is not.

Medical purposes are:

  • diagnosis, prevention, monitoring, treatment or alleviation of disease,
  • diagnosis, monitoring, treatment, alleviation of or compensation for an injury or a disability,
  • investigation, replacement or modification of the anatomy or of a physiological process,
  • control of conception.

The Medical Devices Regulation goes further and specifies that software shall also be deemed to be an “active device”, i.e.

“any device, the operation of which depends on a source of energy other than that generated by the human body for that purpose, or by gravity, and which acts by changing the density of or converting that energy”.

The Medical Devices Regulation also provides rules for the classification of software as a medical device. The classification of medical devices is a progressive, risk-based system that takes into account the potential risks associated with the device.

Under the regulation, software is generally in class I, i.e. the least critical class of devices. However,

  • software which provides information used to take diagnostic or therapeutic decisions is in class IIa, except if such decisions can have a serious impact on patient health, in which case the classification will be class III or IIb; and
  • software intended to monitor physiological processes is in class IIa, except if intended to monitor vital physiological parameters, where the nature of variations is such that it could result in immediate danger to the patient, in which case it is in class IIb.

Depending on classification, software medical devices, including wearable technologies, are subject to stricter safety rules and conformity assessment.

The impact of the wider definition of “accessories” on wearables

The Medical Devices Regulation broadens the scope of the definition of “accessories”, including articles which, whilst not being themselves medical devices, are intended by their manufacturer to specifically and directly assist the medical functionality of other medical devices in their intended purpose. The regulation also specifies that accessories shall be treated as medical devices in their own right.

The software of wearable technologies may therefore qualify either as a device or as an accessory, and in both cases is subject to the rules set forth by the Medical Devices Regulation.

What are the next steps?

The Medical Devices Regulation and the Regulation on in vitro diagnostic medical devices enter into force on the twentieth day after their publication in the Official Journal of the European Union and will apply, respectively, three and five years after that date.

No immediate action is therefore required of manufacturers and supply chain operators. However, the changes are significant, and manufacturers and other participants in the supply chain should familiarise themselves now with the new rules and their respective responsibilities in order to be able to adapt in time.

How the Internet of Things changes Financial Services


The Internet of Things is going to change the business models of the financial services sector, raising new legal issues.

I have already discussed how the new business models of the Internet of Things (IoT) are going to be disruptive, confronting companies with legal problems they have never experienced before. The same holds for the financial services sector.

The new business models of the Internet of Things in the financial services sector

According to an estimate by BI Intelligence, there are currently 7 billion IoT devices, and the number is expected to climb quickly to 22.5 billion by 2021. I don’t like this kind of estimate, but there is no doubt that, according to analysts, Internet of Things devices (i.e. connected technologies) will be everywhere around us: in any business, in any device, in any network and even on any individual.

This scenario is expected to create the so-called “Bank of Things”, which relies on the collection of customers’ data from any of their devices in order to offer them different services.

The chart below outlines some of the data flows and the services that banks can offer, as well as the ways in which banks can exploit the collected data:

[Chart: Internet of Things]

  • Banks can collect data from any device/machine. This includes both personal data from devices used by their customers (e.g. smartphones, but also wearable technologies) and M2M data collected directly from devices, as happens with sensors installed in their industrial plants;
  • Such data can be used to
    • not only provide their customers with services better tailored to their needs, but also grant them benefits linked to their behaviour or, for instance, to the maintenance status of their industrial plant, as in the case of better pricing options linked to the specific scenario applicable to them rather than to merely static data. The matter will become even more relevant with the entry into force of the Payment Services Directive 2 (PSD2) which, as covered in more detail in this blog post, will turn banks into “platforms” where third party suppliers will be able to plug in their services. The increase in the number of service providers will inevitably increase the volume of data that can be collected, but the actual ability to exploit such data will also depend on the contractual arrangements with those third parties;
    • gain savings, since the analysis of data enables banks to adjust their business to its actual needs. For instance, based on data collected from ATMs, it is possible to understand which areas need more ATMs than others and therefore relocate them or change the number of branches open in a specific district; and
    • create a marketplace of data to be exploited by third parties. This is the most interesting (and currently least explored) line of business. If sensors are embedded in any device/machine/plant, banks would obtain a massive amount of data that can be a very valuable resource for their business clients, whatever type of business they run.

New business models = new legal issues

As happens with almost any change in the way businesses are run, this leads to new legal issues, which can be summarised as follows:

1. Privacy issues become bigger

Banks have always processed large amounts of data and have had to face privacy issues. However, Internet of Things technologies will magnify the issue, since

  • data will no longer be collected only from bank accounts, home banking technologies, branches, etc., but from any device, car or plant; and
  • it will be used not only to ensure the proper performance of financial transactions, but also to provide services, gain savings and share data with third parties.

This change comes at an awkward time because of the upcoming EU General Data Protection Regulation, which, among other things, will

  1. increase fines up to 4% of the global turnover of the breaching entity;
  2. lead to higher risks of claims from customers, since it introduces the principle of accountability which places the burden of proving privacy compliance on the investigated party;
  3. generate a higher risk of claims from shareholders because of the size of potential fines and claims; and
  4. keep the existing criminal sanctions and orders of deletion of data.

Also, the current draft of the ePrivacy Regulation extends its scope to M2M communications as well, so the perimeter of privacy rules might also cover the processing of non-personal data.

Privacy compliance will no longer rely merely on having the proper documents in place, but will depend on:

  1. the ability to map and control data;
  2. the implementation of organisational procedures that can ensure the proper processing of personal data both internally and with reference to third party suppliers/agents; and
  3. the adoption of technologies able to minimise the risk of illegal access to data and to identify unlawful processing in order to react to it in a timely manner.

2. Cyber threats get more serious

A larger amount of data collected from different sources inevitably also increases cyber risk. I already discussed in this blog post that Internet of Things technologies, like any technology, cannot be 100% secure.

Companies need to put in place measures to limit the risk of cyber attacks and, should an attack occur, to be able to prove their compliance with the principles of ordinary diligence. These measures include, among others:

  1. the adoption of a cyber risk policy, including a procedure for handling a data breach;
  2. the subscription of a cyber risk insurance policy;
  3. the implementation of a security and privacy by design approach; and
  4. the appointment of a data protection officer.

3. Agreements with third parties need to be “adequately” managed

Given the size of privacy and cyber risks, agreements with third parties that provide services, as well as with those that intend to exploit data, shall be drafted in a way that

  • ensures the minimisation of risks deriving from third parties, but at the same time
  • guarantees that, in case of a data breach or unlawful processing of personal data, uncapped indemnity claims can be brought against banks.

4. Different legal bases shall be considered to ensure data ownership

I discussed the matter in a previous webinar whose recording is available here. The European Commission is currently considering different options to ensure ownership of IoT data, but the currently viable routes are the following:

  1. data is linked to the device. This is more a factual status than a legal basis, but technology providers tend to structure their platforms/devices so that they keep control of the processed data;
  2. data can be protected under copyright law, but this requires an “intellectual effort” in its collection/organisation/analysis;
  3. data can rely on the European database sui generis right, which is broader than copyright;
  4. data can be considered a trade secret, or can be protected under antitrust regulations, making its exploitation an unfair competition conduct.

The European Commission is considering introducing new rights to protect IoT data, but the above are the most frequently available options.

5. Data can be “stolen” through the data portability right

The new data portability right introduced by the EU General Data Protection Regulation is both a resource and a risk for a business. I thoroughly covered the issue in this blog post.

6. Data needs to be used

It seems obvious, but a number of companies are currently collecting data without actually using it, just to build their own database. Such conduct would not only breach privacy regulations, but might also amount to misleading advertising if customers are led to expect an actual benefit from providing their data.

Internet of Things technologies offer interesting opportunities for financial services; the challenge will be to exploit them properly in order to avoid losing market share…


How outsourcing changes with IoT and Artificial Intelligence


Outsourcing agreements might change considerably with the use of IoT and artificial intelligence technologies.

The battle over liability clauses in outsourcing agreements

A few years ago I published a blog post on liability clauses in outsourcing agreements, describing their negotiation as the “battle”. And indeed, in my experience, negotiations on such clauses, as well as on service levels and the liquidated damages/penalties triggered by their breach, take up almost half of the time of a whole contractual negotiation.

The positions of the parties are that

  • the supplier cannot accept a liability cap that is excessively high, since otherwise the agreement would represent a disproportionate risk for its business compared to the price received for the services, while
  • the entity receiving the services does not want contractual limitations in case of damages and wants to be able to recover such damages quickly.

The matter is somewhat “facilitated” in countries like Italy, where limitations of liability for gross negligence and wilful misconduct are null and void. This means that there is no scope for negotiation on these scenarios, since any restriction of the right to claim damages under such circumstances would be invalid.

How the battle changes with the IoT and artificial intelligence

The IoT and artificial intelligence are by definition able to predict malfunctions and either prevent them or limit their negative consequences on the business.

Sensors embedded in industrial plants can provide a clear picture at any time of the status of the machines and, in some cases, of the whole production line, ensuring that necessary maintenance activities are performed before a negative event takes place. At the same time, artificial intelligence systems, and machine learning technologies as well, are able to gain a much better understanding of potential forthcoming downtimes and of the measures to be adopted to prevent them.

But if, despite the above technologies, a malfunction does take place, there is a risk of very large damages, since it means that a massive incident has happened.

The above means that

  • service levels might become considerably higher than those currently agreed, because the likelihood of a downtime will be much lower and, should a downtime occur, the artificial intelligence system will be able to immediately identify the most appropriate remedy; while
  • liability caps might also become higher, since if a malfunction takes place, much larger damages are expected to result.

The scenario above is likely to materialise in the medium/long term, since it requires Internet of Things and artificial intelligence technologies to become the backbone of the technologies provided. At the same time, there might be a “transitional” phase during which suppliers will still be unable to justify to their insurers and shareholders why high liability caps can be accepted on account of the technologies employed.

What is your view on the above? I would be happy to discuss.

Top 5 Internet of Things predictions for 2017


The Internet of Things experienced a massive acceleration in 2016, but what are the predictions for 2017? What should we expect?

After the success of the 2015 and 2016 predictions on the IoT, below are my personal top 5 predictions on the legal issues that will affect the Internet of Things in 2017.

1. The Internet of Things is not just a technology, but will change business models

I have already discussed this in several instances. The general understanding is that Internet of Things technologies simply rely on sensors that enable predictive maintenance and additional efficiency. However, this is only part of the picture. A major shift is taking place from a business model based on the provision of products to

  1. a business model based on the offering of services and
  2. in the case of B2B transactions, relating especially to Industry 4.0 technologies, a profit-sharing approach.

This shift has considerable legal consequences. Indeed, sensors make it possible to obtain a very large amount of information about customers, not only in terms of personal data but also of trade secrets and confidential information, leading to new (previously never experienced) legal issues on, among others, data protection, intellectual property, cyber security and product liability.

2. Banks and insurance companies will adopt Internet of Things technologies to survive

Connectivity, telematics and digitalisation are not an option for banks and insurance companies. If they want to “survive”, they will have to innovate and, according to estimates, do it fast. FinTech and InsuranceTech are on the agenda of all these companies, but they also require an expeditious change in the whole company’s approach to the business.

But, as I mentioned in a previous blog post, “you cannot do I(o)T alone”. The Internet of Things requires the setting up of partnerships, which need to enable interoperability between the technologies of different suppliers. This might lead to major cyber security issues that shall be handled by means of appropriate technical and legal measures, such as the implementation of a cyber security policy to test products, a cyber risk procedure to react to cyber attacks, a privacy by design approach and the performance of a privacy impact assessment.

Also, when FinTech and InsuranceTech meet the IoT, new legal issues arise, as outlined in this post. These issues are often addressed very late by banks and insurance companies, also because they push their legal departments out of their “comfort zone”. This is why both the management and the legal department of those companies need to be evangelised about the new legal problems arising from these technologies.

3. Privacy by design will protect IoT businesses

The EU General Data Protection Regulation (GDPR) poses considerable new risks for Internet of Things technologies, especially given the current uncertainty as to the allocation of responsibilities between the different parties involved and the regulatory obligations. At the same time, as shown by the recent cyber attacks that exploited IoT technologies, it is not possible to be 100% protected from cyber risks.

The matter cannot be underestimated given the potential fines provided for by the GDPR. Also, the new principle of “accountability” prescribed by the EU Privacy Regulation places the burden of proving compliance with the regulation on the investigated party, leading to what is commonly known as “probatio diabolica” (evidence of the evil…).

The implementation of a privacy by design approach, accompanied by a privacy impact assessment, enables companies to prove that they adopted whatever was required by applicable data protection laws, putting businesses in a much safer position. However, to remain a valid defence, their implementation requires continuous review. This review shall follow not only the launch of new services and functionalities, but also developments in technology and security requirements.

And the matter is even more complex in the case of artificial intelligence technologies, which pose not only data protection and liability issues, but also new ethical issues.

4. Industry 4.0 technologies will lead to a battle on data ownership

Companies are reaching a higher level of awareness of the value of data. This is relevant for personal data, for which it is necessary to identify techniques that preserve their value for the business collecting them while at the same time ensuring privacy compliance.

But the matter is becoming exponentially more prominent when it comes to industrial data generated by Industrial Internet of Things technologies. Suppliers and users of Internet of Things technologies are assessing the best-placed legal basis to protect their data. Long negotiations are expected over who owns the data generated by the use of Industry 4.0 technologies. Is it more relevant to keep control of data, or to have it aggregated into big data in order ultimately to obtain a better service?

The above is happening at a time when European regulators are planning to expressly expand data protection and copyright regulations to cover data generated/collected by IoT technologies.

5. Blockchain is a resource for the IoT, but the market is still hesitant

Blockchain technology is very useful for the exploitation of IoT devices, as outlined in this article. But, also because of some negative publicity around Bitcoin, there are still considerable concerns about its use.

Companies might not be able to afford the risks associated with a technology that might get out of the control of its operators, leading to issues as to the allocation of the relevant responsibilities. However, the adoption of “closed” blockchains might nullify the high level of security ensured by an open blockchain. I wonder whether the right balance will be found in 2017.


The IoT needs a cybersecurity “gold standard” to tackle data breach fears


No software is 100% secure, and Internet of Things technology is no different. However, because of public perception, it is even more important for the IoT industry to find “adequate” safety standards that meet businesses’ and consumers’ cybersecurity needs.

Top 5 Internet of Things predictions for 2016


The Internet of Things market has seen substantial changes during the last year, but what legal issues will have to be faced in 2016? What might hinder the growth of the IoT?

After the success of the 2015 predictions on the IoT, below are my personal top 5 predictions on the legal issues that will affect the Internet of Things in 2016.

1. Big Data will not mean collecting ANY data through Internet of Things devices

In relation to IoT technologies, there has often been a tendency to collect all possible data about users, since it might become useful in the future as technologies develop. The stringent approach adopted by privacy regulators and the upcoming EU privacy regulation, with fines up to 4% of global turnover, will force companies to change their approach to privacy compliance considerably.

Some operators have the impression that users’ consent grants them the right to collect ANY data about them. But, unfortunately for them, this is not the case. Only data relevant to the purposes for which consent was given can be processed, and a deep review of practices might be necessary across the industry. Also, the new EU privacy regulation will require a major change in privacy compliance, which should be started now in order to be ready when the regulation comes into force.

2. We will have a law for the IoT

The European Commission declared that it plans to adopt, by mid-2016, a set of laws on how to regulate the Internet of Things. The IoT is not currently “unregulated”, as rules governing, for instance, consumer protection, privacy, telecommunications and product liability also apply to Internet of Things technologies.

However, as previously discussed, regulations drafted for a world without the IoT might become a relevant barrier to the growth of Internet of Things technologies. IoT laws are necessary, but need to be drafted after a thorough discussion with the industry, including associations such as IoTItaly.

3. Privacy by design will be a “must have” for the IoT

As previously discussed, in a regulatory environment where the privacy obligations applicable to Internet of Things technologies are still uncertain, the implementation of a privacy by design approach is the sole way to protect a company from possible claims and damages in case of a data breach.

This principle is even more valid under the EU Privacy Regulation, which will introduce the accountability principle, obliging entities processing personal data to prove their privacy compliance.

4. Cyber risks will call for standardization

The cyber attacks that occurred in 2015 will oblige companies to implement a privacy by design approach and to adopt a cyber risk insurance policy, but also to work on cyber security standards.

Such standards shall be industry-driven, as is happening in the US with connected cars, but will need to be approved and validated by governments, as otherwise they cannot be considered a valid defence in case of claims.

5. The IoT will be in workplaces, but with what risks?

The use of Internet of Things technologies in workplaces is already quite frequent. However, the need to make industrial procedures more efficient will lead to a growth in their use.

Recent changes to the Italian Workers’ Statute make the use of these technologies easier. But they still leave some blurred areas as to the right balance between the protection of employees and their data and the need to improve industrial efficiency. This balance shall be identified through a review of the technologies and of the data processed through them.