With the EU Data Act, the European Commission has submitted a proposal for a new regulation. It is aiming to create a new legal framework for handling data that won’t just affect the US tech giants but will also affect a lot of companies that process data. Including medical device manufacturers.
This article will help you assess:
There’s no turning back the tide of digitization:
The US tech companies’ dominance threatens fair competition and European companies are finding it difficult to survive in the face of this challenge.
Users/customers of these dominant providers are left with only two options: take it or leave it. Even switching from one provider to another is difficult due to lock-ins.
Since a lot of the data is difficult to access, it is not as easy as it should be to create new applications that link these data sources and thus unlock the benefits of digitization.
Even public bodies such as public administrators do not get access to the data, which can make it difficult for them to do their job. We saw the consequences of this during the pandemic. For example, it was and still is very difficult to track hospital bed occupation or the population’s vaccine status in real time.
The European Commission believes that the EU Data Act will eliminate these difficulties and create the legal basis for a fair, efficient and effective use of data and thus for the digital transformation of European economic operators.
The draft EU Data Act is numbered 2022/0047 (COD). It has a total of eleven chapters.
A bit of good news first: the requirements of this chapter do not apply to products or related services provided by micro or small enterprises (Article 7).
According to EU Recommendation 2003/361/EC, these are all enterprises that employ fewer than 50 persons and whose annual turnover and/or annual balance sheet total does not exceed EUR 10 million.
Users must be able to access the data generated by their use of products and services. (Article 4). They can even require the “data holder” (i.e., the party providing the product or service) to make this data available to a third party (Article 5).
This should be done “free of charge” and “without undue delay” or even, where applicable, “in real-time” (Article 4, 5).
For this reason, products must be designed so that these data are, by default, available quickly, easily and securely (Article 3).
Manufacturers are also subject to extensive obligations regarding the provision of information (Article 3). For example, they must provide information on the nature and volume of the data likely to be generated, whether this data is generated continuously and in real-time, and how users can access the data.
The third chapter provides guidance on how to implement the requirements of the second chapter:
The fourth chapter only contains one article. Its aim is to protect SMEs, in particular, from unilateral contractual terms.
In this context, the EU understands unfair to mean, e.g., unilateral contractual terms relating to liability, damages, obligations to provide information, contract termination, etc.
If a public authority has an “exceptional need” to access certain data, companies must make the data available to these bodies as well (Articles 14, 15). This would be the case if the data were needed to prevent or respond to a “public emergency.”
The EU has kept another back door open: if the public authority cannot otherwise fulfill its explicitly stated statutory duties, they have a right to access the data.
Chapter six changes focus. Now it is no longer a question of who has to provide which data to whom under what circumstances. Now the EU wants to ensure that data users can change their data processor as easily as possible.
To achieve this, the EU regulates, e.g.:
The seventh chapter provides guidelines on how to avoid breaching national or EU laws when exchanging data internationally. This explicitly doesn’t (just) relate to personal data.
For example, the EU requires providers to take specific measures to prevent government agencies from accessing non-personal data if such access would conflict with EU law (Article 27). It's clear who the authors have in mind.
The requirements established in Chapter 8 governing interoperability are worth noting. They affect “operators of data spaces.” The draft regulation does not define the term “data space.” However, the definition of interoperability seems to suggest it understands it very broadly:
‘interoperability’ means the ability of two or more data spaces or communication networks, systems, products, applications or components to exchange and use data in order to perform their functions
EU Data Act, Article 2
The requirements affect data storage providers, such as Amazon Web Services, among others (Article 28).
In Article 29, the Data Act extends the obligation to data processing service providers. It does define this term:
‘data processing service’ means a digital service other than an online content service as defined in Article 2(5) of Regulation (EU) 2017/1128, provided to a customer, which enables on-demand administration and broad remote access to a scalable and elastic pool of shareable computing resources of a centralised, distributed or highly distributed nature
EU Data Act, Article 2
The EU wants to force these providers to be interoperable at all levels of interoperability. It gives itself the option of setting appropriate standards.
Lastly, the EU also wants to take a hard line with providers whose applications use “smart contracts.” These requirements only partially relate to interoperability, even though Article 30 is also part of Chapter Eight (“Interoperability”).
Instead, the requirements relate to robustness, safe termination of algorithms, archiving, availability, and access control.
The EU regulation remains a little vague, but gives itself the right to have harmonized standards and common specifications developed and then required.
The draft EU regulation provides for the same penalties as the GDPR: up to EUR 20 million or up to 4% of annual turnover.
The proposed Data Act covers all products. It explicitly mentions “medical and health devices” in the recitals. It applies to, among others:
This includes medical device manufacturers as well as companies that offer data processing services. The latter would include operators of apps, including digital health applications.
All the above requirements also apply to medical devices. This includes the requirement in Article 4 mentioned above:
“Where data cannot be directly accessed by the user from the product, the data holder shall make available to the user the data generated by its use of a product or related service without undue delay, free of charge and, where applicable, continuously and in real-time. […]”
EU Data Act, Article 4(1)
For example, if a user enters their weight into a digital health application, they can access this information directly. This does not create an obligation for the manufacturer.
If, on the other hand, the manufacturer generates further data from the use of its product, it would have to make this data available. This would include data calculated by the manufacturer, such as:
There will certainly be discussions about what constitutes “data generated by its use of a product.” The following could be controversial or even prohibited:
The requirements of the Data Act will have a direct impact on manufacturers and their products:
As tough as many medical device manufacturers will find the requirements, they are not entirely new: other laws have also tried to make accessing data and data portability easier. These laws include the German SGB V Section 374a (data from implants), the GDPR (data portability) and the paragraphs on interoperability in SGB V.
The article on the DVPMG will provide you with some specific background information on the effects of SGB V, particularly Section 374a, on medical devices.
The EU wants to make a big impact with the EU Data Act, and it will affect the future of Europe in the field of digitization. The consequences and interventions it provides for are correspondingly significant:
The EU is targeting US tech giants with the EU Data Act. But it affects a lot of other companies as well since the SME exceptions only relate to a few articles.
It is normal for an EU regulation not to answer every question. But in the case of horizontal regulations, the intersection with vertical, i.e., sector-specific, regulations should be better clarified.
It is not even clear that the EU has managed to avoid creating contradictions with already existing regulations. We had a similar conflict with the draft of the aforementioned SGB V Section 374a, as this legal opinion from Dierks + Company, which is well worth reading, explains.
So, we still don’t know:
The EU Data Act should be another sign for medical device manufacturers that the era of isolated medical devices is coming to an end.
Digital transformation does not mean equipping the existing metal box (please take this as a metaphor) with a data interface. Digital transformation means thinking in terms of processes.
Devices can be data sinks and data sources. But if they are not able to integrate into higher-level system landscapes and processes, they will find it difficult to survive on the market, whether the EU Data Act comes into effect in its current form or another form.