1. How to Manage IT, Telecommunications, Personal Data Rules and Software Regulatory Requirements in the EU and Global Environment, including Case Studies
Erik Vollebregt, Partner, Axon Lawyers
25th Annual EuroMeeting, 4-6 March 2013, RAI, Amsterdam, Netherlands
2. Disclaimer
The views and opinions expressed in the following PowerPoint slides are those of the individual presenter and should not be attributed to Drug Information Association, Inc. (“DIA”), its directors, officers, employees, volunteers, members, chapters, councils, Special Interest Area Communities or affiliates, or any organization with which the presenter is employed or affiliated.
These PowerPoint slides are the intellectual property of the individual presenter and are protected under the copyright laws of the United States of America and other countries. Used by permission. All rights reserved. Drug Information Association, DIA and DIA logo are registered trademarks or trademarks of Drug Information Association Inc. All other trademarks are the property of their respective owners.
3. Introduction
• EU political and regulatory context
• (Health) data protection regulation developments
• Regulation of software as medical device
• Reimbursement, licensing
• Liability
• Case studies
4. EU political background
• eHealth Action Plan 2012 – 2020
– struggles with Lisbon competences (“EU action shall respect the responsibilities of the Member States for the definition of their health policy and for the organisation and delivery of health services and medical care.”)
• Pretty big changes in
– regulation of medicinal products and medical devices / IVDs
– regulation of collection and processing of health data
5. Health data protection
• Currently in flux with General Data Protection Regulation proposal
• Horizontal approach to all data causes excessive collateral damage in healthcare sector
– What we hate in marketing and social media, we actually want in healthcare (e.g. monitoring, profiling, further processing, traceability)
6. General Data Protection Regulation
• Data protection as fundamental right
– EU approaches data protection from the angle of fundamental right – this means less attention to pure internal market interests and more to data subject interests
• Definitions & scope
– Implementation of Art 29 WP opinions on scope (“singling out”, unique identifiers, pseudonymisation, “reasonably likely means”)
• Consent requirements
– New disqualifiers: imbalance, and consent to process data that is necessary for execution of the contract
• Impact assessment
– Mandatory sign-off by national authorities prior to processing, but no methodology / standards and no deadlines
– Impact assessment for each individual instance of processing
7. General Data Protection Regulation
• Privacy by design
– Prior approval of impact assessment of each act of processing
– Literally – Parliament proposes that software and devices have to be designed and built so as to enable GDPR and data subject’s rights by default
– Intelligible explanation of automated processing logic
• Exemptions for processing of health data without consent
– With uncertainties around concept of ‘consent’, derogations for “public health” and “scientific purposes” become crucial
– Exemptions not suited for outsourced processing in eHealth / mHealth services and not drafted for regulatory clinical data obligations
• Technical standards
– Commission can issue technical standards related to implementation of GDPR requirements
8. General Data Protection Regulation
• Data subject’s rights
– Rights to correction, information, to be forgotten and to erasure problematic in clinical context
– Right to request copy of processed data in interoperable and open source format
• Company burden
– Mandatory privacy officer
– Large fines
• Many open ends still that are subject to implementation by implementing act or regulation by delegated act
– Commission is not obliged to use these powers and EU legislator may change the scope or revoke power, which increases uncertainty
9. Regulation of software as MD / IVD
• MEDDEV 2.1/6 on standalone software, currently under revision
• Differences in interpretation of what software constitutes a medical device
• EN 62304 standard
• Lack of harmonised interoperability standards
10. Reimbursement
• Directive 2011/24/EU on the application of patients' rights in cross-border healthcare
– Member State of affiliation shall ensure that the costs incurred by any insured person receiving cross-border healthcare are reimbursed, if the healthcare in question is among the benefits to which the insured person is entitled in the Member State of affiliation (Article 7(1) of the Directive)
11. Licensing
• Directive 2005/36/EC on the recognition of professional qualifications does not apply to healthcare professionals providing cross-border telemedicine
• If the service provider complies with the legislation applicable to the taking up and exercise of an information society service in his Member State of establishment, he will in principle be free to provide his services in other Member States (Cross-Border Patient Rights Directive and e-Commerce Directive)
12. Liability
• Professional liability
• Contractual liability
• Defective product
– Member States differ in whether e/mHealth software is a “product” under EU Product Liability Directive (85/374)
• Network outages?