The Data Act Proposal envisages the rights of users of medical devices / health wearables to have access to and to share the data originated from the use of the device with third parties. These access and sharing rights are subject to requirements. The manufacturer / service provider is not unprotected and will be provided with safeguards to protect its business (e.g. trade secrets or intellectual property rights) and monitor compliance. Besides, the data protection implications (taking into account the health data involved) shall be assessed.
The EU Data Act Proposal (available here) includes the obligation for providers (data holders) to share the data collected or originated from the use of the device with users and/or third parties allowed by the users. We already published a post about this “sharing obligation”.
In this publication of our Data Act series we will address the main challenges that the Data Act will bring to the medical device industry and the health wearables manufacturers / providers. Please note that the Data Act is still a draft and could be subject to changes.
Any provider (e.g. manufacturer) of medical devices / health wearables or supplier of related services will be subject to the Data Act where the product or service is placed in the European Union. However, sharing obligations will not apply to micro or small enterprises as defined in Recommendation 2003/361/EC.
Any connected (IoT) device or wearable that obtains, generates or collects data of the person using the wearable or their environment will be under the scope of the Data Act. Medical and health devices are expressly mentioned.
The Data Act does not make any distinction regarding the regulatory permissions / nature of the device / wearable. This way, with the current wording, both medical devices in the context of official medical treatments as well as health wearables that have not been prescribed by a practitioner, could be under the scope of the Data Act.
In relation to health apps that do not require a specific medical device or wearable, but only a smartphone, it is unclear whether they would be under the scope of the Data Act. Smartphones as “standalone products” are out of the scope of the Data Act with the current wording. In spite of this, according to recent discussions within the European Parliament, it seems that smartphones may be under the scope of the Data Act when they function as an IoT product (e.g. calculating distances, sleep of the person, etc.).
Under the Data Act, there is a right to access and share the “data generated by the use of a product or related service”. It includes any data recorded intentionally by the user (e.g. weight and height in a fitness tracker), also data generated as a by-product of the user’s action, such as performance data (e.g. average battery level or the quality and length of network connections), and data generated without any action by the user, such as when the product is in ‘standby mode’ (e.g. location and heart-rate in a fitness tracker).
Such data includes raw data in the form and format in which they are generated by the product, but does not pertain to data resulting from any software process that calculates derivative data from such data (e.g. it would include the number of steps taken by the user, distance, duration and body measurements of the user, but not the conclusions carried out by the software regarding his or her health condition). Drawing a line between the raw data and the information inferred that should not be included in the scope of the obligation could be challenging in some circumstances and should be assessed on a case-by-case basis.
It is relevant to highlight that data that constitutes trade secrets or is protected by intellectual property rights shall also be shared if it originates from the use of the device, subject to appropriate measures and confidentiality obligations.
Under the Data Act, the right to access and/or trigger the sharing of data corresponds to the “user” of the product or service. User is defined as “the natural or legal person that owns, rents or leases a product or receives a service”. This way, the user is the person that is party to an agreement or the one that receives the service. Therefore, it is clear that devices acquired by the legal / natural person trigger the qualification of “user”.
Data holder is the company that has the control of the technical design of the product and related services and the ability (obligation or right, as the case may be) to make available certain data.
In the context of medical devices, medical device manufacturers may be data holders concerning a device used by a patient. However, in some cases patients are not primary entities for renting or leasing medical devices directly from manufacturers (e.g. computer aided diagnosis systems). Health care organizations may also qualify as users for patients' data processed by the medical product or service. Also, they may act as data holders towards patients.
Based on the above, depending on circumstances, the positions may vary.
Before concluding a contract for the purchase, rent or lease of the medical device / health wearable, the user needs to be informed of some mandatory content, among others:
a. the nature and volume of the data likely to be generated by the use of the medical device / health wearable and whether it is likely to be generated continuously and in real-time;
b. how the user may access the data (e.g. by contacting the data holder or through the product’s settings);
c. whether the manufacturer/service provider intends to use the data itself or allow a third party to use the data and, if so, the purposes for which the data will be used.
The user has the right to access the data (the concept of data is explained above) or to make the data holder share the data with any third party (with few exceptions, for instance certain big players cannot be recipients). This access / sharing needs to be done without undue delay, free of charge to the user, of the same quality as is available to the data holder and, where applicable, continuously and in real-time. Therefore, medical devices shall be designed in such a way that data generated by their use is, by default, easily and directly accessible to the user.
The user should be free to use the data for any lawful purpose. Where the recipient is a third party, it can process the data for the purposes and under the conditions agreed with the user, and subject to the rights of the data subject insofar as personal data is concerned, and shall delete the data when it is no longer necessary for the agreed purpose.
However, the user / third party cannot use the data to develop a product that competes with the product from which the accessed data originates. In cases where the recipient is not the user but a third party, this third party cannot use the data for profiling or make the data it receives available to another third party (unless necessary to provide the service requested by the user).
We have prepared a more detailed publication on the obligation to share data in this post.
The sharing of information shall be subject to a sharing agreement, where the data holder may protect its interest, obtain a monetary compensation, impose confidentiality obligations, protect trade secrets, etc. More information on the content of the sharing agreement may be found in this other post.
Finally, the Data Act sets forth the obligation to make the data available to public sector bodies in cases of public emergency (such as, for example, major cybersecurity incidents), which may be determined by Member States' national procedures.
The access of the data subject (as user) to his/her own personal data does not involve any difficult legal scenario as it would be the same as requesting a right of access or right of portability (but enhanced as portability only applies with certain legal bases of processing, only with personal data, etc.).
However, any sharing of health data with a third party qualifies as processing of a sensitive category of data and requires a legal basis under art. 6 GDPR and a derogation under art. 9 GDPR. This is not a data portability right and is subject to different requirements (e.g. an agreement with the third party). In fact, the data subject could exercise his/her data portability right at any moment.
To the extent the sharing with a third party is not carried out for the purposes of preventive or occupational medicine, medical diagnosis etc. under EU law (which would be very unlikely) or pursuant to a contract with a health professional, the usual derogation for the disclosure of health data will be the data subject’s consent. Consent shall be explicit (i.e. implied consent does not work), following Guidelines 05/2020 on consent. The legal basis under art. 6 could also be consent, but other legal bases cannot be excluded (performance of an agreement, legitimate interest, etc.).
Is it possible for companies that wish to receive data to incentivize data users (e.g. economically) that are consumers? Interestingly, there is not a general prohibition in the Data Act. It is only forbidden for very big players (gatekeepers under the Digital Markets Act), but not for the rest of data recipients (at least explicitly). This could lead companies that are not gatekeepers under the Digital Markets Act to think that incentivizing personal data sharing may be a possibility, in line with Directive 2019/770. We discuss it in this post, noting that the option is expressly stated in Recital 24, that “digital content or digital services are often supplied also where the consumer does not pay a price but provides personal data to the trader”.
In fact, under the Data Act, “the third party shall not […] coerce, deceive or manipulate the user” or carry out “profiling of natural persons within the meaning of Article 4(4) of Regulation (EU) 2016/679, unless it is necessary to provide the service”. It includes several prohibitions while it does not exclude the possibility to incentivize the user (and the Commission is aware that personal data is involved). This raises the question of whether it is a coincidence or a deliberate omission.
In spite of this open door, to the extent that personal data is involved, GDPR will apply in parallel to the Data Act. This means that paying money (or in general providing incentives) in exchange for data is only accepted when this is in compliance with the GDPR. And this is really an issue. In the case of health data, the applicable legal basis of processing would be (in most cases) consent. And consent can be withdrawn at any moment, without negative consequences for the data subject. Similarly, according to the Guidelines 05/2020 on consent, lack of consent / withdrawal of consent does not generally allow the data controller to terminate a contract or to forbid the use of a service.
Therefore, with the current guidance of privacy regulators, incentivizing (economically) the sharing of health data should be subject to a comprehensive assessment as it may entail a risk of breaching the GDPR.
Next steps
Authored by Gonzalo F. Gállego, Juan Ramón Robles and Joanna Rozanska