The EU Data Act provides for new rights and obligations regarding the sharing of data generated by connected products. Brian Johnston and Jamie Gallagher, partners, explore key features of the Act which are particularly relevant for those in the digital health space.
The EU Data Act (Regulation (EU) 2023/2854) entered into force on 11 January 2024, putting into place new rules for the fair access to and use of data. We look at the impact this new legislation will have on those in the digital health sector when it applies from 12 September 2025.
What is the Data Act?
The Data Act is a key pillar of the EU Data Strategy. It will operate alongside the EU Data Governance Act and sectoral legislation to develop common European data spaces such as the European Health Data Space. The goal of the Data Act - and the wider EU Data Strategy - is to facilitate reliable and secure access to data, fostering its use in key economic sectors and areas of public interest.
The Data Act provides for new rights and obligations regarding the sharing of “data generated by the use of a product or related service”. This includes any data recorded intentionally by the “user”, for example weight and height in a fitness tracker. Information recorded passively like location and heart-rate in a fitness tracker when the product is in standby mode also comes within scope.
The right to access and/or trigger the sharing of data will be attributed to a “user” of the product or service, who is defined as “the natural or legal person that owns, rents or leases a product or receives a service”. Meanwhile, the “data holder” will be the company that has the control of the technical design of the product and/or the related service and has the ability to share certain data.
Relevance for digital health
Any connected Internet of Things (IoT) device or wearable that obtains, generates or collects data of the person using the wearable, or regarding their environment, will be under the scope of the Data Act. Medical and health devices are expressly mentioned and most digital health stakeholders, such as manufacturers of software medical devices and wearables, as well as suppliers of related services, will be subject to the Data Act where the product or service is placed on the market in the European Union.
Important features
Some features of the Data Act that are particularly relevant to digital health products include:
Transparency
Before concluding a contract involving the supply of a connected medical device or health wearable, a user will need to be provided with information on:
- The nature and volume of the data likely to be generated by the use of the product
- How the user may go about accessing that data
- Whether the manufacturer/service provider intends to use the data itself or allow a third party to use the data and, if so, the purposes for which the data will be used
Right of access/obligation to share
The user will have a right to access data and/or require the data holder (subject to some limited exceptions) to share it with a third party. Where the recipient of the data is a third party, it can process the data for the purposes and under the conditions agreed with the user in a “sharing agreement”, and subject to the privacy rights of the data subject. Users/third parties receiving data would not be permitted to use the data to develop a product that competes with the product from which the accessed data originates. Data may also be made available to public sector bodies in cases of public emergencies (e.g. major cybersecurity incidents), subject to national rules to be set down at Member States level.
Data protection
Sharing of health data with a third party will qualify as processing of a special category of data requiring a legal basis under Article 6 GDPR and a derogation under Article 9 GDPR.
The sharing will ordinarily not be carried out for the purposes of preventive or occupational medicine, medical diagnosis, etc. The usual derogation for the disclosure of health data will therefore be the data subject’s consent, although other legal bases (performance of an agreement, legitimate interest, etc.) may also be appropriate in certain circumstances, provided a derogation under Article 9 GDPR applies.
Key issues
While the Data Act has now formally entered into force, questions remain about how it will be applied in practice and impact on other legislative frameworks.
Towards the end of 2023, MedTech Europe and COCIR (the European Trade Association representing the medical imaging, radiotherapy, health ICT and electromedical industries) issued a joint statement on the final agreement of the Data Act. The statement aimed to raise awareness around the Data Act’s impact on the medical technology sector. It highlighted the importance of guidance that includes the necessary clarifications and references to the safety, health, and performance of connected products. It also looked ahead to future sector-specific legislation, such as the European Health Data Space (EHDS). The concerns highlighted by MedTech Europe and COCIR on behalf of industry remain relevant following the Data Act entering into force. Those concerns are as follows:
Data sharing obligations
- The obligation to share data under the Data Act should in no way contradict or compromise the obligations for medical technologies required under other EU legislation, as this may have implications for patient or device safety
- The Data Act needs to be interpreted in a way that recognises the safety, performance, and efficacy requirements of medical technologies, given their direct impact on the health and safety of patients
- More clarity on the Data Act’s interplay with GDPR, MDR and IVDR cybersecurity, safety, and efficacy requirements, as well as privacy requirements, is crucial to mitigate unintended risks
- A better understanding of the interplay with upcoming sectoral data legislation, namely the EHDS, is needed
Intellectual property and trade secrets
- Strict interpretation of which data is readily available, along with alignment with the existing legislative framework on the protection of IP and trade secrets as well as international agreements, is important
International data flows
- Any risk of imposing data localisation and possible counter-reactions of third countries must be avoided
Interoperability
- Preference should be given to already successfully implemented, fit-for-purpose and consensus-balloted healthcare interoperability standards, including HL7, SNOMED, etc.
- The Data Act should encourage the creation of data repositories, consortia, or other mechanisms that allow companies to access and utilise anonymised, aggregated healthcare data for research and development, like HealthData@EU. These initiatives should prioritise maintaining the privacy and security of individuals while providing an environment conducive to innovation and breakthrough discoveries
Conclusion
The EU Data Act entered into force on 11 January 2024. The requirements of the Data Act will apply from 12 September 2025.
Those in the digital health sector should therefore familiarise themselves with the Data Act, assess how it might impact on their respective business models, and put in place necessary measures to ensure compliance.
For more information, contact a member of our Privacy and Data Security team.
The content of this article is provided for information purposes only and does not constitute legal or other advice.