The EU Regulation on harmonised rules on fair access to and use of data (the “EU Data Act”)[1] entered into force on January 11, 2024. The EU Data Act introduces new rules on the access to, use and sharing of data generated by connected products or related services. The Data Act will have an important impact on companies globally, and notably on medical and health device companies.
Subject to particular provisions, organizations covered by the EU Data Act will need to comply with their obligations by September 12, 2025. In this article, we take a closer look at the application of the Data Act, and the steps that will need to be taken to comply with it.
Who does the EU Data Act apply to?
The EU Data Act applies notably to manufacturers of “Connected Products” and providers of “Related Services”.
“Connected Products” refers to any devices or wearables that obtain, generate or collect data concerning their use or environment and that are able to communicate such data via an electronic communications service, a physical connection or on-device access.[2] This includes connected medical devices and other health-related devices, such as monitoring devices, infusion pumps, implanted devices, autoinjectors, diagnostic devices, wellness wearables, fitness trackers, ingestible sensors, MRI and X-ray scanners, etc.
“Related Services” refers to any digital services that are connected with Connected Products. This includes applications or user interfaces provided together with Connected Products.
Providers of “Connected Products” and “Related Services”, irrespective of their place of establishment, must comply with the EU Data Act to the extent that their users are located in the EU. This entails that organizations established outside of the EU could also be subject to the EU Data Act.
Which Obligations Does the Data Act Impose?
The EU Data Act notably imposes a series of obligations on “Data Holders”. Data Holders are natural or legal persons who have the legal right or obligation to use and make available data. They are typically the manufacturers of the Connected Products and/or the providers of Related Services. Medical and health device companies could therefore qualify as Data Holders.
In application of the EU Data Act, Data Holders must notably:
- Provide users with information regarding the data generated by the Connected Product or Related Services and how this is used;[3]
- Design Connected Products and Related Services in a way that enables direct and easy access to the Connected Product and Related Services’ data, including the relevant metadata;[4]
- Make data, including relevant metadata, readily available to users or under certain conditions, to a third party designated by users without undue delay, and where relevant and technically feasible, continuously and in real-time;[5]
- Make data, including relevant metadata, available to another business; provide fair, reasonable, non-discriminatory and transparent access to such data; and not charge excessive fees for doing so;[6]
- Under certain conditions, share data, including relevant metadata, with public sector bodies, when there is an exceptional need to use that data for the performance of a specific task carried out in the public interest, such as official statistics, or mitigation or recovery from a public emergency;[7]
- Designate a legal representative in an EU Member State, if not established in the EU.[8]
These data access obligations apply to “Product Data” and “Related Service Data”. Product Data refers to the data generated by the use of the Connected Product that are retrievable.[9] In turn, Related Service Data refers to data representing the digitisation of user actions or of events related to the Connected Product.[10] In practice, these cover all data generated by the use of the Connected Product or Related Service, and apply to both personal and non-personal data, including relevant metadata. However, inferred or derived data are not covered.
It must be stressed that “Users” under the EU Data Act refers to any natural or legal persons that own or lease a Connected Product or receive Related Services. In the case of medical and health devices, users could be patients or individuals, as well as healthcare providers.
Note that the data access may be restricted, in particular:
- Users and the Data Holders may contractually restrict or prohibit data access if it threatens product security or adversely impacts health, safety, or security;
- Users and Data Holders may agree to the implementation of proportionate technical and organizational measures necessary to preserve the confidentiality of trade secrets.
What compliance steps must medical and health device companies take?
The EU Data Act will have far-reaching implications for medical and health device companies active in the EU market. Compliance with this new Regulation will require changes spanning from the design and development of a Connected Product and/or Related Services, through the implementation of procedures and processes, to the drafting of the required disclosures. It is thus critical that they immediately start working on compliance with this new Regulation.
Medical and health device companies subject to the EU Data Act will notably need to:
- Ensure that their Connected Products or Related Services are designed in a way that allows them to fulfil their data access obligations;
- Draft notices on the data generated by their Connected Products or Related Services;
- Implement internal procedures and processes to respond to any data access request;
- Identify and document the data that need to be protected as trade secrets, and the measures that need to be implemented to protect them. This presupposes conducting a thorough analysis of whether granting access to certain data could affect the confidentiality of their trade secrets, and identifying and implementing proportionate measures to safeguard such trade secrets, which are essential for protecting their business models and competitiveness;
- Review their terms and conditions.
What are the risks in case of non-compliance with the EU Data Act?
Penalties for infringement of the EU Data Act will be defined at national level by each EU Member State.[11] EU Member States must report to the European Commission on the rules implemented in that respect by September 12, 2025.[12]
Infringements of the obligations related to data sharing could be sanctioned by the administrative fines provided by the EU General Data Protection Regulation (GDPR), namely administrative fines up to 20,000,000 EUR or up to 4% of the total worldwide annual turnover of the organization that commits the infringement.[13]
Conclusion
The EU Data Act will be applicable from September 12, 2025. Given the substantial steps that will be required to comply with the EU Data Act, medical and health device companies would do well to begin assessing now what they will need to do to comply with it. By beginning this adaptation process early, they can reduce potential liabilities and ensure compliance with the EU Data Act in a suitable and timely manner.
[1] Regulation (EU) 2023/2854 of the European Parliament and of the Council of 13 December 2023 on harmonised rules on fair access to and use of data and amending Regulation (EU) 2017/2394 and Directive (EU) 2020/1828 (Data Act).
[3] Article 3(2) and (3) of the EU Data Act.
[4] Article 3(1) of the EU Data Act.
[5] Article 3(2) and 4(1) of the EU Data Act.
[6] Articles 5 and 8 of the EU Data Act.
[7] Articles 14, 15 and 18 of the EU Data Act.
[8] Article 37(11) of the EU Data Act.
[9] Article 2(15) of the EU Data Act.
[10] Article 2(16) of the EU Data Act.
[11] Article 40(1) of the EU Data Act.
[12] Article 40(2) of the EU Data Act.
[13] Article 40(4) of the EU Data Act.