What Europe’s proposed Data Act means for device manufacturers: A deep dive
AgencyIQ took a deep dive into the proposed European Data Act, reviewing the requirements and interactions with other European legislation, with an eye toward what it means for medical device and diagnostics companies manufacturing connected devices.
The European strategy for data
- The European Commission created its Strategy for Data to ensure Europe remains competitive in a digital world while “putting people first in developing technology, and defending and promoting European values and rights in the digital world.” The intent is to create a single market for data, establish common European data spaces, and allow the companies that generate the data to keep control and maintain trade secrets. The benefits may “improve health care, create safer and cleaner transport systems, generate new products and services, reduce the costs of public services, [and] improve sustainability and energy efficiency.”
- A public consultation in 2020 asked for input from the full range of stakeholders. The Commission sought views on data access and re-use to inform its legislative framework for common European data spaces. Questions covered the general strategy, data governance and secondary use of data, high-value data sets and regulatory considerations for cloud computing. Most respondents agreed that more data should be available, that it should be easier to share data, and that the E.U. needs to invest in technology and infrastructure. Respondents wanted control over their own data and tended to favor consent prior to use. Nearly all felt the E.U. should establish a list of high-value, free-of-charge datasets. Responses were more mixed on cloud computing – though many used (traditional) cloud services, nearly half had experienced problems and two-thirds felt there could be future risks.
- Two intertwined proposals have been laid out – a regulation on data governance and the proposed Data Act. These work in conjunction with the General Data Protection Regulation (GDPR; Regulation (EU) 2016/679). Together they are intended to govern data governance, access and re-use, and to make high-value public datasets more widely available. The Commission plans to invest two billion euros in data processing infrastructure and sharing tools, as well as governance and “trustworthy cloud infrastructures and related services.”
- Both of these pieces of legislation are horizontal, meaning they cross sectors. So while not specific to medical devices and diagnostics, parts of the regulations will affect healthcare products and their legislation – the European medical device regulation (MDR; Regulation (EU) 2017/745) and the in vitro diagnostics regulation (IVDR; Regulation (EU) 2017/746). And while the Data Governance Act becomes applicable this week, the proposed Data Act is still in process, though the European Commission and the Council of the EU announced in late June 2023 that the European Parliament and the Council had reached political agreement.
- The Data Governance Act (Regulation (EU) 2022/868), which entered into force on June 23, 2022 and applies as of September 24, 2023, “seeks to increase trust in data sharing, strengthen mechanisms to increase data availability and overcome technical obstacles to the reuse of data.” Part of the goal is to set up common European data spaces “in sectors such as health, environment, energy, agriculture, mobility, finance, manufacturing, public administration and skills.” The Data Act, by contrast, clarifies “who can create value from data and under which conditions.”
- At a high level, the Data Act would give users the ability to share data and public sectors to access it in times of need. Users would be able to access data generated by connected devices and related services, while manufacturers’ trade secrets would be protected. Public sector bodies would be given access to certain data in public emergencies, and customers would be able to switch between cloud data-processing service providers in conjunction with interoperability standards for data sharing and processing.
AgencyIQ took a close look at the March 2023 text (the Commission’s proposal as amended by the European Parliament; see Key Documents below). Here’s what is most likely to affect medical device and diagnostics manufacturers:
- Scope and definitions: The proposed Data Act would harmonize rules for making product and product-related service data available to the user of that connected product or service, as well as making data available from data holders to public sector bodies in the case of “exceptional need.” It would also ensure the ability to switch between data processing services while introducing safeguards against unlawful third-party access to non-personal data. Lastly, it intends to develop interoperability standards for the access, transfer and use of data.
- Types of data covered include personal and non-personal, including data on the performance of connected products and services, private sector data used on a contractual basis between businesses, and private sector data subject to statutory data-sharing obligations. The Act would apply to manufacturers of connected products and related services on the E.U. market regardless of the location of the business. It also applies to users and data recipients in the Union and data holders and providers of data processing services regardless of where they are located if their data is made available to data recipients in the Union.
- The proposed law does not override Union and national laws on the protection of personal data, privacy and confidentiality (e.g., GDPR) and “is without prejudice” to the laws on protection of intellectual property (Directives 2001/29/EC, 2004/48/EC and (EU) 2019/790). It adds obligations on cloud switching to Regulation (EU) 2018/1807 on the free flow of non-personal data in the E.U.
- Important definitions come both from within the proposed law and from other Union legislation. “Personal data,” “consent” and “data subject” are taken from the GDPR. “Open interoperability specifications” and “harmonised standard” come from Regulation (EU) No 1025/2012 (on European standardization). “Data intermediation service” is defined in Regulation (EU) 2022/868 (the Data Governance Act). Finally, “trade secret” and “trade secret holder” come from the Directive on the protection of trade secrets (Directive (EU) 2016/943). A host of general and technical terms are defined in the proposed regulation itself, including “data,” “data holder,” “data recipient,” “digital assets,” “metadata,” and many more.
- The proposed act includes an obligation to make product and related service data accessible to the user. The act would require that connected products and related services be designed so that product data, related service data and metadata are directly accessible to the user (free of charge, easily, securely, and in a machine-readable format). Before engaging in a contract, the seller or renter (which may be the manufacturer) must provide information about the type, format and volume of product data that the connected product will generate, whether the data is generated continuously and in real time, where the data is stored (on the device or on a remote server) and for how long, and how the user can access and delete the data. If the data from the connected product or related service isn’t directly accessible, the data holder must make the data and metadata readily available “without undue delay.” If the user isn’t the data subject, the data can only be made available where allowed by the GDPR.
- Regarding rights of users to share with third parties and third-party obligations, the act provides that where requested by a user, the data holder would be obligated to make readily available data and its metadata available to a third party (without delay, free of charge and of the same quality). Third parties must process the data according to the conditions of a written agreement and only for those purposes. They must also delete the data once the purpose is fulfilled, unless otherwise agreed with the user. Third parties can’t use the data for profiling (a GDPR restriction), or make the data available to another third party unless agreed by the user, and then only if the other third party agrees to protect trade secrets.
- Both the data holder and the user need to “take all necessary measures” to protect trade secrets before they are disclosed. The data holder or trade secret holder needs to identify trade secrets and their metadata “and shall agree with the user proportionate technical and organisational measures necessary to preserve the confidentiality of the shared data” (e.g., contractual terms, strict access protocols). If the two can’t agree, or the user doesn’t abide by the requirements, the data holder can suspend sharing but must substantiate that decision and provide the reasoning in writing to the user, as well as notify the national competent authority. If a trade secret holder can show it is “highly likely to suffer serious economic damage” from the data sharing despite the measures taken by the user, it can refuse access to that data on a case-by-case basis but needs to substantiate that decision and notify the designated competent authority.
- The shared data can never be used to develop a competing product or to gather sensitive financial and business information about the data holder. Small and medium-sized enterprises are exempt from certain obligations under the proposed Data Act.
- Obligations of data holders to make data available (chapter III): The data holder cannot discriminate among categories of data recipients (e.g., SMEs) and may be asked to demonstrate this non-discrimination upon complaint from a data recipient. Data holders can’t provide data to a data recipient unless requested by a user, and any obligation to provide data to a data recipient does not “oblige the disclosure of trade secrets.” Any compensation must be reasonable, though it “may include a margin.” Costs would include formatting, storing and disseminating data and any investment in the collection and production of data; the Commission will adopt guidelines for calculating “reasonable compensation,” and the calculation needs to be transparent to the data recipient. Member States would certify dispute settlement bodies for disputes between users, data holders and data recipients. Data holders can protect data using technical protection measures such as encryption and smart contracts, as long as these don’t hinder the user’s right to access the data or to share it with third parties; recipients may not remove or alter the protection.
Public sector use of data based on exceptional need
- Where a public sector body, the Commission, the European Central Bank or a Union body demonstrates an exceptional need for data (including metadata), the data holder “shall make them available upon a duly justified request.” The need must be limited in time and scope, and one of two conditions must hold: either the data is necessary to respond to a public emergency and there is no alternative way to obtain it, or (for non-personal data only) the requesting body is acting on the basis of Union or national law, lacks data it needs to fulfil a specific task in the public interest, and has exhausted all other means to obtain the data, including purchasing it at market rates. The requesting body must specify what data is required (including metadata), explain the purpose and duration of use, specify when the data will be deleted by all parties, justify the choice of data holder, specify any other public sector bodies the information will be shared with, and demonstrate that it meets the exceptional need criteria. If personal data is requested, the requesting body needs to specify the data protection measures (e.g., level of aggregation, pseudonymization). The requesting body needs to commit to protecting trade secrets and to respect the aims, cost and effort of the data holder in making the data available. Data holders have to make the data available quickly, though they have five working days to decline or ask to modify a request made for a public emergency, or 30 days in other cases of exceptional need.
- Obligations of the public sector bodies: The aforementioned bodies (Central Bank, etc.) can’t use the data “in a manner incompatible with the purpose for which they were requested” and must protect the confidentiality and security of the data and safeguard the rights of the data subjects. The public requestors must erase the data when it is no longer necessary. Data holders other than small and medium-sized enterprises (SMEs) will make data requested in public emergencies available free of charge, in exchange for public recognition. If it is not a public emergency but all other avenues to obtain the data have been exhausted, the data holder is entitled to payment covering the technical costs incurred to comply with the request (e.g., anonymization, aggregation) plus a reasonable margin (this provision also applies to SMEs). The public bodies can share the data with research organizations conducting the studies described in the data request, as well as with national statistical institutes and Eurostat for the production of official statistics. When the public bodies share data with these organizations, they must notify the data holder immediately. If the data holder disagrees with the data sharing, it can complain to the competent authority.
- International transfer: Data processing service providers must take adequate measures to prevent international transfer of, and third-country governmental access to, Union non-personal data where such transfer or access would conflict with Union or Member State law. Third-country decisions or judgments requiring the transfer of, or access to, non-personal data falling under this regulation will only be enforceable if they are based on an international agreement.
- Essential requirements for interoperability of data spaces: Participants in a data space must sufficiently describe (in machine-readable format where applicable) the dataset content, use restrictions, licenses, data collection methodology and quality. They must also describe data structures and formats, classification schemes, taxonomies and code lists “in a publicly available and consistent manner” and provide the means to access the data (e.g., application programming interfaces) automatically and, where technically feasible, through bulk download. Participants offering data and data services that comply with harmonised standards “shall be presumed to be in conformity with the [applicable] essential requirements.” The Commission will request harmonised standards and may adopt common specifications to support the essential requirements. Specifications and harmonised standards must address the following interoperability aspects: cloud and transport, syntactic and semantic data, and behavioral and policy. Smart contracts have to meet essential requirements covering access control mechanisms, a high degree of robustness, mechanisms for safe termination or interruption, data archiving and continuity, and consistency with the terms of the data sharing agreement.
- Implementation and enforcement: Each Member State must designate one or more competent authorities to enforce this regulation; these may be new or existing authorities. Member States will define the tasks and powers of these competent authorities, which include promoting data literacy, handling complaints of infringement (especially around trade secrets), and investigating complaints while keeping the complainant informed. They will impose financial penalties, monitor technological and commercial developments in the use of data, and cooperate with other Member States, the Commission and the European Data Innovation Board to apply this regulation. Any entity within the scope of this regulation that offers data or data services in the Union but is not established in the Union must designate a legal representative in a Member State to act on the entity’s behalf and cooperate with competent authorities to ensure compliance. The regulation enters into force 20 days after publication in the Official Journal of the E.U. and applies 20 months after it enters into force.
MedTech Europe published lengthy thoughts about the proposal and its intersection with the MDR and IVDR
- MedTech Europe’s response to the Data Act highlights several key issues. At a high level, the trade association outlined potential issues with the interaction between the proposed Data Act and other Union legislation, including GDPR, MDR and IVDR. There also appear to be conflicts between definitions in different pieces of legislation. The association asked how the European Health Data Space (EHDS) and the Data Act would interact, and which legislation takes precedence when they conflict. MedTech Europe acknowledged the horizontal nature of the Data Act across sectors, including healthcare, but asserted that applying the requirements to healthcare “brings unique and highly complex challenges with it.” The trade organization noted that the data generated by connected medical devices (including in vitro diagnostic medical devices) are already regulated by sectoral legislation – MDR and IVDR. These data “are primarily, and often exclusively, used and interpreted by healthcare professionals” in support of healthcare decisions, the association observed. Any software used to process the data is also regulated by MDR and IVDR, which have “strict requirements for clinical data collection and evidence generation.”
- MedTech Europe identified areas of unclear scope and definitions that may not be consistent with existing legislation. These include the definition of data, which the association considers overly broad, leading to lack of clarity on whether the concepts of device- and user-generated data are separated from derived or inferred data. Here, MedTech Europe thinks the definition should be narrowed to data created through user actions only, and exclude data generated without any user action, “as such data may be subject to legal requirements relating to trade secrets and intellectual property rights.” And while the proposed Data Act includes personal data in the definition of data, this act has no legal basis to share personal data, per the GDPR. Data that should be excluded from scope include data not publicly accessible (encrypted data, data locally processed on a device, technical data, personal data, and trade secrets). “The final regulation should clearly identify data holders based on the notions of actual/real control and ability to make data available,” according to the trade association.
- Other definitions that may require clarification: MedTech Europe doesn’t believe it’s clear whether the user is the HCP, the patient or the hospital. Even data read by patients has already been interpreted by device algorithms created by the manufacturer. “Considering the patient as the ‘user’ of the connected device (e.g., as regards implanted devices) and hence the recipient of the ‘raw’ data may come with” unanticipated consequences under the proposed act, according to the position paper. Second, who is the data holder? Hospitals can control data, while manufacturers process data. Next, it’s not clear how to distinguish a product from a component or a service. Another overly broad definition is public health emergency, where MedTech Europe believes a healthcare-specific definition should be considered, proposing “an exceptional situation negatively and suddenly affecting the health of the population of the Union, a Member State or part of it.” The Act should also define exceptional need, which the trade group says should be when a public authority “has exhausted all existing legal parameters in the pursuit of the appropriate data required to contribute to the mitigation of a public emergency.” If “connected product” were defined by specifying what hardware and interface criteria classify a device as a connected product, it “would allow for a more accurate demarcation between products regulated under the Data Act” and those used to collect data for clinicians. Other suggestions include defining “competing product or service” and “related service.”
- Data accessibility and sharing obligations may lead to safety concerns in the diagnosis and treatment of patients. MDR and IVDR set out obligations for “patient safety, security, protection against unauthorized access and availability of service,” and the software within any product is also regulated by those sectoral regulations, MedTech Europe pointed out. Patients and HCPs don’t have access to the algorithms that process medical technology data and won’t be able to interpret the raw data. Sharing of the data may create cybersecurity risks, counter to existing legislation. Finally, manufacturers don’t know the identity of patients who use their products, says the position paper: “Secure pathways for patient identification must be clarified before mandating the transmission of data in order to enable the data flows mandated in the proposed Act.”
- Technical feasibility: MDR and IVDR already set out conformity requirements for product design, and in MedTech Europe’s view, the Data Act duplicates and, in some cases, contradicts the sectoral requirements. The trade association provided examples of raw data that wouldn’t be appropriate to share with users and third parties for a variety of reasons, including needing to be processed and translated by software algorithms and then interpreted by HCPs before having any meaning. Finally, “making all data directly accessible (including continuously or in real-time in a machine-readable format) would require significant processing power and hence come with significant concerns regarding early battery depletion, leading to (much earlier) device replacement (e.g., for implantable devices).”
- Design changes required under the Data Act may force re-certification under MDR and IVDR. To be compliant, manufacturers may need to alter designs. Notified Bodies are already in short supply, and this may exacerbate bottlenecks. The trade association believes that the data accessibility and data sharing provisions shouldn’t apply to data generated by devices regulated under MDR/IVDR if applying them “compromises the above-mentioned principles of safety, security and performance of medical technologies or protection of patient data required under existing EU legislation, namely the MDR, IVDR and GDPR.”
- Protection of IP and trade secrets: While the Data Act’s explanatory memorandum states that it doesn’t affect existing IP rules, Article 4(1) would allow users access to information within the scope of the Trade Secrets Directive (Directive (EU) 2016/943). While the proposed Data Act promises that trade secrets will only be disclosed to third parties where strictly necessary, “it is unclear by which measures and how effectively any trade secrets will be protected in practice, particularly when the data holder and the user or third party failed to mutually agree on the necessary measures to preserve confidentiality…especially with no rules to govern neither compliance nor breach.” The trade organization also noted an apparent conflict between Articles 5 and 6 and Article 8(6), where one “suggests that there is no obligation to disclose trade secrets, whereas the other articles seem to indicate that under specific conditions, there can be an obligation for the data holder to share trade secrets.” Trade secrets should be exempt in the final regulation, according to the trade organization.
- The Database Directive (Directive 96/9/EC) protects databases in two ways, both via copyright and by the sui generis database right. However, the proposed Data Act, in Article 35, suggests “the rights of users to access and use data from databases containing data obtained from or generated by the use of a product or a related service” is outside of the sui generis database right. The organization pointed out the substantial investment in these databases in order to meet regulatory and patient safety and protection requirements; therefore, “rather than weakening the sui generis database right altogether, we suggest amending the proposal and clarifying that it cannot be invoked to hinder the effective exercise of rights provided for in the Data Act, therefore ensuring the protection to the substantial investments,” which may need to be defined.
The trade organization also noted potential interactions with other legislation
- GDPR: Because of the complexity of healthcare settings, it’s not clear who would be the data holder. “If hospitals are considered data controllers, manufacturers would be data processors acting upon instructions of hospitals when it comes to the processing of personal data. This could mean that the Data Act would provide an access right from the patient directly to the medical technology manufacturer, a situation that would conflict with the provision under the GDPR, where a medical technology manufacturer qualifies as a ‘data processor.’” MedTech Europe further notes that manufacturers frequently aren’t the data holders and don’t control the data, whether personal or non-personal. For example, who is the “user” for patients wearing medical technology where the data is only accessible to the HCP? The Data Act should be better aligned with the GDPR concepts of data controller, data processor and data subject, MedTech Europe summarized.
- Certain other final and proposed regulations: The proposed Data Act needs to align with the EHDS Regulation, Data Governance Act, Artificial Intelligence Act, Cyber Resilience Act and NIS2 Directive, and Product Liability Directive (under revision). “MedTech Europe supports the approach taken in the EHDS proposal, prioritising selected patient data to be made available in the electronic health records (EHR) of natural persons via secure ways to share this data,” wrote the organization. It also pointed out the lack of common data standards for raw data (as opposed to interpreted data that offers clinical insight).
- Sharing data with public sector bodies is outlined in Chapter V of the proposed Data Act, which mandates sharing data with public sector bodies in public emergencies. MedTech Europe proposed narrowing the definition of public health emergency, providing a definition for exceptional need and providing objective criteria for the type, timeframe and magnitude of the expected public impact. The group is also concerned that public sector bodies are allowed to share data with research and analytics groups, which may not be regulated.
- Interoperability and data portability: MedTech Europe highlighted existing best practices and international consensus standards, and proposed that these would be more useful than Europe-specific common specifications “to accurately reflect state of the art, particularly with respect to cybersecurity.” Data portability is an area of concern, since switching providers may entail transferring configuration parameters, security settings, access rights and logs, all of which may constitute company trade secrets. A maximum termination period of 30 days “is technically unfeasible and would considerably undermine the competitiveness of EU actors’ cloud offerings,” the group wrote.
- International transfers, enforcement, application: MedTech Europe’s main concern around transfers is that the proposal’s requirements for international data access and transfer would amount to data localization, which could prompt other jurisdictions to respond with their own data localization requirements. Secondly, Member States may designate different authorities under the Data Act than the Data Protection Authorities or the authorities designated under other legislation (e.g., the AI Act), and divergent approaches “could lead to serious compliance challenges for medical technology companies.” The date of application should change from 12 months to 48 months after entry into force to give companies time to comply and to renegotiate existing data sharing agreements.
- The proposed Data Act would provide a way to share and use industrial data, as well as a way for users to control their data. The act lays out responsibilities and obligations, as well as rights, of various players, including the consumer, the user, the data holder and the data recipient, as well as data processing services and public sector bodies needing access to data during a public emergency.
- The Commission issued a press release on “political” agreement between the European Parliament and the Council of the EU on the Data Act at the end of June, though the next step is formal approval. The Commission believes the Act will boost the EU’s data economy by “unlocking industrial data, optimising its accessibility and use, and fostering a competitive and reliable European cloud market… [while ensuring] that the benefits of the digital revolution are shared by everyone.”
- A common refrain from stakeholders is overlap or conflict with other regulations, as outlined in MedTech Europe’s position papers on the Data Act and on the proposed Artificial Intelligence Act (AI Act). In fact, many of the themes in the responses to these two proposed acts are the same: the need for alignment with existing laws, the need to clarify definitions and the need for a clear data governance framework. The trade group observes that the MDR and IVDR already cover data generated by connected medical devices, as well as any software used to process those data. Additionally, the group points out that the obligation to share data could even affect the performance of a medical device with limited battery life, where more frequent data access could shorten its lifespan.
- Outside the medical device sector, the concerns are similar. According to POLITICO, the proposed act “is a response to the untapped potential of industrial data in Europe as 80 percent of machine or device-generated data is never used.” Calling the proposed Data Act the “industrial sidekick” of the GDPR, the article noted that “lobby groups have already voiced their concerns about how both laws will work together and have even claimed that provisions in one bill clash with provisions in the other.” POLITICO also points out the threat certain health manufacturers see in the proposed act, especially around the requirement to share raw data, which could enable reverse engineering of proprietary technology.
- International data transfer may become a problem: The U.S. International Trade Administration recognizes the potential challenges for global companies to transfer industrial data outside the E.U., as well as the prevention of data sharing with large online platforms.
- Formal approval between European Parliament and the Council of the European Union comes next, followed by publication in the Official Journal of the European Union.
Key Documents and Dates
- Data Act (proposed) – Amendments adopted by the European Parliament on 14 March 2023 on the proposal for a regulation of the European Parliament and of the Council on harmonised rules on fair access to and use of data (Data Act) (COM(2022)0068 – C9-0051/2022 – 2022/0047(COD))
- Policy and legislation – Data Act: Proposal for a Regulation on harmonised rules on fair access to and use of data.
- A European Strategy for data