Adapting to the new EU Data Act: implications for medical devices and other health devices


In recent years, the European Commission developed a European data strategy, which aims to create a single European market in which data can circulate freely. As the European Commission has emphasized repeatedly, the creation of such a single market is essential in the healthcare sector because data enables faster development of medicinal products and medical devices, assists healthcare professionals in making diagnoses and supports the decision-making of clinicians. Therefore, the European Commission recently took several legislative initiatives, some of which apply to all sectors (e.g. the Data Governance Act and Data Act) and others that are sector-specific (e.g. the European Health Data Space proposal for the healthcare sector).

The Data Act, which will enter into force on 11 January 2024, sets rules for all sectors that aim to facilitate access to and the use of Internet-of-Things (IoT) product data by consumers, businesses and governments. In a previous Law-Now article, we discussed the data-sharing obligations contained in the Data Act, as well as the conditions and restrictions attached to them.

In this article, we take a closer look at the application of the Data Act to medical devices and other health devices, and the potential issues that arise in this context.

1. Applicability of the Data Act on medical and health devices

The Data Act lays down harmonised rules on the making available, by data holders, of data generated by the use of connected products or related services to the user of the connected product or service, to third parties authorised by the user, and to public-sector bodies.

Since the Data Act covers any connected physical product that obtains, generates or collects data concerning its use or environment (i.e. IoT products), this includes medical devices and other health devices, such as pacemakers, continuous glucose monitors and smart insulin pens, wellness wearables and fitness trackers, ingestible sensors, MRI and X-ray scanners.

1.1 Medical device and health device data

The data-sharing obligations and rights under the Data Act apply to three kinds of data: data generated through the direct use of a connected medical device or other connected health device (i.e. data that the user intentionally records, such as inputting meals into a diet app); data that indirectly results from the use of the medical device or other health device (i.e. data generated automatically by sensors or embedded applications, such as the heart rate recorded by a heart rate monitor); and data generated when the user is inactive, such as when the device is on standby or even switched off (which still yields data such as battery life). Both personal and non-personal data are covered.

The data-sharing provisions relate only to data that has not been substantially modified, more specifically raw data and data that has been pre-processed to make it understandable and usable (e.g. temperature, heart rate, glucose level, etc.). They also cover metadata, such as basic context and timestamps. Excluded, in contrast, is any derived information that is the outcome of additional investment in assigning values or insights to the data (e.g. diagnoses, tests, medical treatments, correlations between certain lifestyle factors and diseases, etc.). For example, a glucose measurement app that alerts the user when a glucose level is abnormally high and advises on what actions to take would have to share the glucose level, but not the conclusion that the level is high or the actions to be taken.

1.2 Users and data holders of medical devices and other health devices

The rights and obligations of the Data Act rest mainly on the users of medical devices and other health devices and on the holders of connected medical devices’ and connected health devices’ data:

  • Users are natural or legal persons who own the connected product or have a temporary right to use it (e.g. by renting or leasing it). In the case of medical devices and health devices, users can be individuals (i.e. patients but also healthy consumers), hospitals, healthcare providers or healthcare research facilities, etc. Think, for example, of doctors monitoring their patients’ data in real-time on a hospital computer, specialists monitoring their patients’ records on a smart device or even the patient herself monitoring vital signs on a smart device.
  • A data holder is any natural or legal person who has the right or obligation under EU or national law to use or make data available. In many cases, this will be the manufacturer of the medical device or health device.

As healthcare value chains can be quite complex, there is a risk that the roles of the different actors are not always clear. For example, it is conceivable that a medical device is purchased or leased by a hospital but de facto used by a healthcare provider. It is unclear whether the healthcare provider may request access as a user or whether only the hospital may do so. Another factor of complexity is that the same actors can assume different roles. For example, a hospital or healthcare provider may be a user vis-à-vis the manufacturer of the medical device, but a data holder vis-à-vis the patient wearing the medical device.

The concepts of "user" and "data holder" should not be confused with the concepts of "controller", "processor" and "data subject" under the GDPR. When processing personal data, data holders are usually data controllers. And "user" does not necessarily equate to "data subject". Think, for example, of a hospital buying a medical device and implanting it in a patient. In this example, the hospital is a user vis-à-vis the manufacturer while the patient is the data subject. In such cases, it is important that the user – who is not the data subject – cannot request access to personal data without a valid legal basis under the GDPR (e.g. consent).

2. Data access and sharing obligations

The Data Act requires manufacturers to design and manufacture connected medical devices and related digital services, as well as other connected health devices, in such a way that data generated by their use are, by default, easily, securely, free of charge, in a comprehensive, structured, commonly used and machine-readable format, and, where relevant and technically feasible, directly accessible to the user. The design requirements only apply to products and related services placed on the market after 12 September 2026. Connected medical devices and related digital services, as well as other connected health devices, that have already been placed on the market before that date won’t require modifications to make the data directly accessible. The obligation to provide users with direct access raises some questions, for instance in the area of cybersecurity and in terms of the increased processing power it demands, which may shorten battery life and prompt faster replacement of essential products, such as pacemakers.

If data are not made “directly accessible by default”, the user of a connected medical device or connected health device may require that the data holder provide indirect access to the data without undue delay and, where applicable, continuously and in real-time. Additionally, the user has the right to share and transfer such data to a third party for purposes specified by the user. There are, however, some restrictions on what purposes should be permissible: notably, that the data may not be used for the development of competing products.

Data holders are not only required to give access to and share data, but their own use of data is also regulated. In particular, data holders may not use non-personal data unless a contract has been entered into with the user of the medical device. Although "use" is not defined in the Data Act, the most logical interpretation seems to be "use for one's own purposes". Prior to the conclusion of such a contract, the data holder will also have to provide the user with certain information such as the purposes for which the data holder will use the data.

A more detailed look at the obligations under the Data Act can be found in our previous Law-Now article.

3. Interplay between the Data Act and the MDR/IVDR

The sharing of connected medical devices’ data is not only covered by the Data Act, but also by other pieces of legislation such as the General Data Protection Regulation (GDPR), the Data Governance Act (DGA), the draft AI Act, the European Health Data Space proposal (EHDS), the Medical Devices Regulation (MDR), the In Vitro Diagnostic Devices Regulation (IVDR), and the NIS1 and NIS2 Directives. These laws, however, are not always aligned with each other and in some cases give a different interpretation to the same concepts or impose conflicting obligations, creating legal uncertainty. Below we will briefly discuss the impact of the Data Act on the MDR and IVDR.

The MDR's and IVDR's principal objective is to guarantee the safety and effectiveness of medical devices and in vitro diagnostics while bolstering the safety of patients and users. They contain stringent rules and requirements for entities engaged in the medical device supply chain, including manufacturers, importers, distributors and other relevant stakeholders. The MDR and IVDR apply to a wide range of devices, including implants, diagnostic apparatus and tests, in vitro diagnostic devices, surgical instruments and software designed for medical use. Under the MDR/IVDR, (in vitro diagnostic) medical devices must undergo a conformity assessment procedure and meet strict safety criteria before being introduced to the market. Depending on their risk classification, manufacturers can either self-certify their products or must involve a designated "Notified Body". Once the conformity assessment process is successfully completed, a CE mark can be applied to the medical device or in vitro diagnostic device.

As mentioned above, the Data Act requires manufacturers to design and develop their medical devices so as to allow users direct access to user-generated data. This requirement may pose cybersecurity risks and thus undermine the manufacturer's obligations under the MDR/IVDR. Moreover, the obligation under the Data Act to make (additional) data points available to the user or authorised third parties may seriously affect the functioning of the device and may require design modifications where these functionalities were not part of the original design. If such modifications are considered "substantial changes" under the MDR/IVDR, the (in vitro diagnostic) medical device may have to undergo a new conformity assessment and certification. This can create substantial additional costs and delays if it is not planned, addressed and carried out in a timely fashion.

4. Charting the path ahead

The application of the Data Act to connected medical devices and other connected health devices does not come without difficulties. Firstly, ambiguity still exists about the application of certain concepts in the Data Act to the medical device and health device industry. Secondly, the data access and sharing obligations entail far-reaching consequences for the sector and may complicate or even hinder compliance with other sector-specific regulations, such as the MDR and IVDR.

At this stage, we recommend that manufacturers of connected medical devices and other connected health devices (and other potential data holders) do the following:

  • assess whether their products and digital services fall within the scope of the Data Act and, if so, whether and how they must modify these products and services in order to comply with the data access and sharing obligations;
  • assess whether, in the context of product modifications, new conformity assessments and certifications will be required;
  • update their customer-facing documentation;
  • prepare documentation (including template terms and conditions) for data sharing with third parties;
  • set up processes and procedures for sharing data with users and with other data recipients;
  • assess whether controls are needed to protect their trade secrets and intellectual property rights;
  • prepare and implement the necessary operating procedures, which appears to be a challenging exercise given the many other regulations that also apply to the sharing of medical devices’ and health devices’ data.

The Data Act provides for a transition period of only 20 months, which could pose a significant challenge for many data holders due to the substantial workload required to align themselves with the requirements of the Data Act.

For more information on the Data Act and its impact on the life-science and healthcare industry, contact your CMS client partner or these CMS experts.