Medical devices and new eHealth technologies are becoming increasingly interconnected, allowing medical practitioners to continuously monitor their patients’ health conditions through eHealth remote patient management systems connected to cloud databases, and contributing to the growth of the Internet of Things.

Medical device companies should assess the legal implications of technologies allowing practitioners to review the status of their patients in real time through devices that are connected to cloud databases, which can be accessed not only to review patients’ health conditions, but also to perform clinical trials.  These tools can be implanted directly in the body, as is the case with biostamp electronic tattoos and insertable cardiac monitors, which have contributed to the growth of the so-called ‘wearable technologies’ sector along with smart watches, fitness bands and smart glasses.

However, these technologies trigger privacy issues because of the large amount of sensitive data on patients’ health conditions that is collected and then transferred to a database accessible by practitioners. Such data processing is subject to considerable data protection obligations.

Applicable law

As already prescribed by the Article 29 Working Party (a European privacy advisory body) in its opinion on smartphone apps, the company managing the software installed on the device used for the remote monitoring system is subject to the privacy laws of the country where the device/user is located; this applies even to non-European entities. It will be insufficient merely to ask for privacy consent; rather, a data protection notice must be provided that lists all information requested under the relevant privacy law. Therefore, a pop-up message displayed following the download of most apps would not meet the regulatory requirements.

Privacy consent and notifications

The privacy issue is more complex in countries such as Italy, which requires written privacy consent for the processing of sensitive data and allows data processing only within the limits of a general authorisation issued by the data protection authority. In such cases, a case-by-case review of products will be undertaken to determine whether such regulatory restrictions might limit the exploitation of these technologies or whether a solution might be adopted to ensure privacy compliance without limiting the functioning of the app.

Data controller, processor and sub-processor

The roles of the entities involved in the handling of collected data cannot be left to the discretion of the parties; on the contrary, the data protection authorities are strict in defining these roles. In particular, hospitals are generally considered to be the sole data controllers, with sponsors acting as data processors and cloud platform providers acting as sub-processors. Sponsors will usually need to be qualified as data controllers in order to have a higher level of discretion in the processing of the data, but data protection authorities have challenged such qualifications in several instances.

Processing of biometric data

Under Italian law, the use of remote patient monitoring systems may require notification of the data protection authority. This requirement will apply if such technologies are used either to create user profiles (which might include a profile of the user’s physical features) or to collect biometric data.

Biometric data includes any data obtained from a person’s physical or behavioural features (eg, fingerprints, facial characteristics, hand geometry, and retina and iris scans). In this respect, as outlined in this post, the Italian data protection authority has issued stringent requirements as to the modalities of biometric data collection, the security measures to be implemented for data storage and the maximum term of storage.

Purpose of data processing

A common mistake of medical device companies is to assume that once patients’ data has been collected, it may be used for any purpose and belongs to the company. This is not the case, and privacy consent – specific to the purpose for which the data will be processed – must be obtained from the patient. Therefore, except in limited circumstances to be assessed on a case-by-case basis, personal data collected as part of medical treatment cannot subsequently be used in the performance of a clinical trial at a later stage without additional consent from the relevant patients. This requirement does not apply if collected data is then aggregated and anonymised. However, in this case the mere use of an identification code will not suffice if it is possible to connect a patient to the relevant code.

Transfer of data outside the European Union

Data transfers outside the European Union can be the most challenging part of the assessment of legal implications, since it is necessary to know the role and location of all parties involved, as well as which servers are used to manage the platform, distinguishing between the roles of hospitals, sponsors and cloud platform providers. Based on the information collected, the usual solution is to implement ad hoc model clauses approved by the European Commission, but these must be tailored to the peculiarities of the case. For instance, a relevant issue is to ascertain whether the data processor that appoints the sub-processor is a European or non-European entity.

Potential liabilities

The potential privacy risks cannot be underestimated, given the fines for breach of privacy regulations prescribed by most EU countries and the criminal penalties that some countries – including Italy – impose for breaches in some cases (eg, if the breach has been performed to gain profit or causes damages). These penalties are expected to increase considerably as a consequence of the potential implementation of the new EU Privacy Regulations and should therefore be taken into account in the development of new technologies.

Stringent EU privacy regulations might create a sharp distinction between European and non-European jurisdictions, where light data protection regulations could allow for the faster launch of these technologies. It remains to be seen whether regulators will be able to strike the right balance between the need to protect patients and the need to promote the potential benefits for patients arising from the exploitation of these new technologies.