Latest developments in the medical devices industry

The Luxembourg Presidency did not meet the expectations that trilogue negotiations between the European Parliament and the Council would be finalised by the end of 2015, as initially thought. Since 1 January it has been the turn of the Netherlands to reach an agreement on the two regulations concerning medical devices and in-vitro diagnostic medical devices. There are at least three trilogue meetings on the agenda of the new Presidency, starting in early February. Extensive discussions will look at classification, scrutiny, reprocessing, genetic testing, liability insurance and transitional measures. Because of the complexity and technical specificities of the topic, the medical devices package has been discussed for more than three years.

While recently there have been no interesting developments in the revision of the Medical Devices Regulation, in contrast some progress has been made on cyber-security. Last December the European Parliament and the Council reached an agreement on the text of the Cyber Security Directive, also known as the Network and Information Security Directive, the first EU-wide legislation on this topic. According to the new rules, Member States will have to adopt strategies defining national objectives and measures in relation to cyber security. More important are the provisions requiring operators in essential services (such as energy, transport, financial markets and healthcare) and digital service providers to adopt risk management practices and to report major security incidents affecting their services. Therefore, all medical devices that interconnect and process data will have to comply with the provisions of the Directive. It is important to remember that it is a competence of Member States to identify operators in their jurisdiction who fall within the scope of the Directive. The agreed text is now under legal and linguistic review. Once completed, it will be submitted to the Parliament and the Council again for formal approval, which is expected for the first half of the year. After the Directive enters into force, Member States will have twenty-one months to implement it into national law and six more months to identify the sectors and businesses that are covered by the new rules.

There have also been advancements in the field of mobile health. As a follow-up to the Green Paper on Mobile Health (mHealth) and the public consultation of 2015, the European Commission is now working on the development of a Code of Conduct on mHealth Applications, an industry-led initiative which has the support of the Commission. An initial draft Code has been published on the Commission’s website. The focus is on the applications that process data concerning health, even when the app developer is not the data controller. The Code intends to cover privacy and security issues, at the same time facilitating the implementation of existing data protection rules. It includes provisions on consent, transparency, security measures, privacy by design and default. Nevertheless, enforcement and governance are still open issues. Stakeholders had time until mid-January to submit written comments on the draft which, once finalised, will be sent to the Article 29 Working Party for approval.

Very recently the European Commission took another initiative in order to tackle some of the challenges facing the European market for mobile health applications. It set up a working group to develop guidelines for assessing the validity and reliability of the data that these applications collect and process. The group is composed of twenty members representing different stakeholders (industry, research and civil society). The first meeting of the group is scheduled for March and the guidelines are expected at the end of 2016. In order to enhance the quality of health applications, in the 2016 Rolling Plan for ICT Standardisation the Commission has also proposed a European standard on quality criteria for the development of health applications. Transparency, safety and reliability remain consumers’ main concerns.

Another piece of European legislation that will affect the medical devices industry in the near future is represented by the new set of rules on data protection. After nearly four years of debates and negotiations, the Council and the European Parliament reached a political agreement on the proposed General Data Protection Regulation which is expected to be formally adopted in the first half of 2016. The Regulation will broaden the scope of application, will contain a new definition of personal data concerning health and will provide for significant fines of up to 4% of total worldwide annual turnover for non-compliance. In addition to this, processors will be subject to direct legal obligations and a specific obligation to appoint data protection officers is also foreseen. Organisations collecting and using health data will have to obtain, in specific circumstances, explicit consent from the individual in order to process their data; there will also be strict privacy by design and default requirements. The draft Regulation contains a two-year transition period and should therefore become applicable in 2018.

Finally, the European Commission intends to invest more energy and resources in in-ternational cooperation. A consultation will run until 15 March, with the aim of collecting interesting input for the finalisation of the Roadmap on EU-US cooperation on eHealth. At the end of last year the European Commission and the United States Department of Health and Human Services agreed to boost innovation in the health IT industry, ensuring better connections between the two sides of the Atlantic.

Further reading: Medical Devices Revision - possible agreement on outstanding political issues only under the Dutch Presidency; On-going negotiations on the Medical Devices Regulation; Federal Court of Justice (also) rules on product liability for medical devices exhibiting an increased risk of failure