Privacy & Data Security

On 31 May 2022, the Italian Parliament approved Law 62/2022, also known as the Sunshine Act.  The Sunshine Act entered into force on 26 June 2022.  However, it will become fully enforceable once the Ministry of Health sets up the Public Register where companies will have to disclose their data and issues the necessary implementing acts.  This means that realistically the new transparency system will not be operational before 2023.  Nonetheless, it is critical that companies operating in Italy make sure that they are ready when the time comes.  Here, we outline some of the key features of the new Sunshine Act and the steps that companies could take in preparation.
Continue Reading The New Italian Sunshine Act: What Companies Should Know And How To Get Ready

On May 20, 2021 there was a major ransomware attack on the Irish health system.  The centralized HSE (Health Service Executive) which provides and manages healthcare for the Irish population was targeted on May 14, and has seen significant disruption since.  It has described the attack as a ‘zero-day threat with a brand new variant of the Conti ransomware.’
Continue Reading Major Cyber-Attack on Irish Health System Causes Commercial Concern

In addition to releasing the new EU Cybersecurity Strategy before the holidays (see our post here), the Commission published a revised Directive on measures for high common level of cybersecurity across the Union (“NIS2”) and a Directive on the resilience of critical entities (“Critical Entities Resilience Directive”). In this blog post, we summarize key points relating to NIS2, including more onerous security and incident reporting requirements; extending requirements to companies in the food, pharma, medical device, and chemical sectors, among others; and increased powers for regulators, including the ability to impose multi-million Euro fines.

The Commission is seeking feedback on NIS2 and the Critical Entities Resilience Directive, and recently extended its original deadline of early February to March 11, 2021 (responses can be submitted here and here).
Continue Reading Proposed New EU Cyber Rules Introduce More Onerous Requirements and Extend to More Sectors

On 3 July 2020, the German parliament passed a draft bill (German language) for patient data protection and for more digitalisation in the German healthcare system (Patientendaten-Schutz-Gesetz). The draft bill is currently in the legislative procedure and is expected to enter into force in autumn 2020.

One of the main objectives of the

On November 5, 2019, the European Commission published a report entitled “Strengthening Strategic Value Chains for a future-ready EU Industry”, which was prepared by the Strategic Forum on Important Projects of Common European Interest (“Forum”). The Forum assists the European Commission in identifying key strategic value chains that can contribute to Europe’s industrial

France’s medicines regulator, the Agence Nationale de Sécurité du Médicament et des Produits de Santé (ANSM), has released draft guidelines, currently subject to a public consultation, setting out recommendations for manufacturers designed to help prevent cybersecurity attacks to medical devices. Notably, the draft guidelines are the first instance of recommendations released by a national regulator in Europe that apply cybersecurity considerations specifically to medical devices. The full ANSM draft guidelines, ‘Cybersécurité des dispositifs médicaux intégrant du logiciel au cours de leur cycle de vie’ (‘Cybersecurity of medical devices integrating software during their life cycle’) published 19 July 2019, is available in French here, and in English here.

The draft guidelines note that while the European regulatory framework (the Medical Devices Regulation 2017/745 and In Vitro Diagnostic Medical Devices Regulation 2017/746) has been modified “in line with technological developments” (e.g. “data exchange, monitoring, risk prediction and control software”) to include software within the definition of a medical device, and accompanying security and performance requirements specific to such medical devices incorporating software, the “[medical device and in vitro diagnostic medical device r]egulations do not explicitly refer to or elaborate on the notion of cybersecurity”. For the purposes of the guidelines, ‘cybersecurity’ is described as “the full set of technical or organisational measures set up to ensure the integrity and availability of a [medical device] and the confidentiality of the information held on or output by this [medical device] against the risk of targeted attacks.”
Continue Reading French medicines regulator produces first in Europe medical devices cybersecurity guidelines

The European Data Protection Board (“Board”) released an opinion on January 23, 2019, on the intersection between the EU General Data Protection Regulation (“GDPR”) and the Clinical Trials Regulation (“CTR”).  The opinion considers a Q&A on this topic prepared by the European Commission’s Directorate General for Health.  The Directorate General decided to create this Q&A because of perceived contradictions between the GDPR and the CTR, in particular in relation to the legal basis (e.g., the use of consent) and the further use of clinical trial data. (See also here).
Continue Reading European Data Protection Board releases Guidance on Intersection of the GDPR and the Clinical Trials Regulation

On October 22, 2018, the European Federation of Pharmaceutical Industries in cooperation with the Future of Privacy Forum and the Center for Information Policy Leadership organized a workshop entitled “Can GDPR Work for Health Research.”  In the first session, the workshop discussed the implications of the General Data Protection Regulation (“GDPR”) on clinical trials in

The EU pharmaceutical industry landscape is in significant flux. There are many pressures to provide new therapies and to make them available earlier and to as many qualifying patients as possible. In that context, the industry model and the role of exclusivity rights as a tool to stimulate innovation are being discussed. At the same time, discovering and developing new products is more complex and requires a collaborative effort. This happens against the background of new rules on medical devices and the protection of personal data, which are, for instance, relevant in assessing clinical effectiveness and relying on real world evidence.

Three members of the Covington European Life Sciences team will be speaking on these topics at the EU Pharmaceutical Law Forum being held in Brussels on 16-18th May.
Continue Reading Exploring the EU Horizon for Pharma

Article originally posted on our sister blog InsidePrivacy

The Article 29 Data Protection Working Party (Working Party), an independent EU advisory body on data protection and privacy, responded to a request from the European Commission made in the framework of the Commission’s mHealth initiative to clarify the definition of data concerning health in relation to lifestyle and wellbeing apps.  (See more here, and here for our blog post on the European Commission’s Summary Report of the mHealth consultation.)

In its latest paper on health data in apps and devices, the Working Party supports a broad definition of health data, distinguishing the following three categories of health data:

  1. The data are inherently/clearly medical data, especially those generated in a professional, medical context.
  2. The data are raw sensor data that can be used in itself or in combination with other data to draw a conclusion about the actual health status or health risk of a person.
  3. Conclusions are drawn about a person’s health status or health risk (irrespective of whether these conclusions are accurate, legitimate or otherwise adequate or not).

Continue Reading Article 29 Working Party Clarifies Scope of Health Data in Apps and Devices