In this final instalment of our series of blogs on the European Commission’s plans for AI and data, announced on 19 February 2020, we discuss some potential effects on companies in the digital health sector. As discussed in our previous blog posts (here, here and here), the papers published by the European Commission cover broad concepts and apply generally — but, in places, they specifically mention healthcare and medical devices.

The Commission recognizes the important role that AI and big data analysis can play in improving healthcare, but also notes the specific risks that could arise given the effects that such new technologies may have on individuals’ health, safety, and fundamental rights. The Commission also notes that existing EU legislation already affords a high level of protection for individuals, including through medical devices laws and data protection laws. The Commission’s proposals therefore focus on addressing the gap between these existing rules and the residual risks that remain in respect of new technologies. Note that the Commission’s proposals in the White Paper on AI are open for public consultation until 19 May 2020.

Each of the Commission’s White Paper on AI, the Report on safety and liability implications of AI, IoT and Robotics, and the Communication on a European strategy for data contain proposals that are relevant to digital health, including in particular:

  1. potential conformity assessment requirements on digital health products that incorporate AI; and
  2. support for a “Common European Health Data Space”.

Conformity assessment for “high-risk” AI applications

One of the principal elements of the Commission’s White Paper on AI (“White Paper”) is the proposal to introduce conformity assessment requirements for certain “high-risk” AI applications. The two cumulative conditions for determining whether an AI application is “high-risk” is the sector in which it is deployed and the manner in which it is deployed. A digital health application including an AI component operate in the healthcare sector (specifically identified as a sector that is likely to be considered high-risk), and if it is capable of affecting the physical health of an individual, it likely would be considered high-risk. The Commission proposes that such high-risk AI applications should be subject to pre-marketing conformity assessment requirements and also potentially on-going monitoring and ex-post controls.

The Commission acknowledges that in respect of medical devices, legislation in the form of the Medical Devices Regulation already contains specific provisions governing the safety of medical devices — including software as a medical device. The Regulation does not expressly mention AI components but does address certain aspects of digital technologies, such as interoperability and compatibility, and the standards that must be achieved as part of the conformity assessment procedure for such technologies. Further, medical device-specific cybersecurity guidance exists at the EU-level, and addresses additional topics such as automated decisions and cyber threats. However, the legal requirements that the Commission suggests should be included in an AI conformity assessment go beyond these requirements. These requirements include:

  • Requirements on training data. Requirement to train AI on datasets that are sufficiently broad and representative to cover all relevant scenarios to avoid dangerous situations.
  • Requirements on record-keeping and data sets. Requirement to keep accurate records regarding the dataset used to train and test AI systems; documentation on the programming and training techniques used to build, test and validate the AI systems; and, in some cases, the training datasets themselves.
  • Requirements on transparency. Requirement to provide clear information on the AI system’s capabilities, limitations, the purposes for which it is intended, the conditions under which it should function, and the expected level of accuracy.
  • Robustness and accuracy. Requirements to ensure that AI systems are robust, accurate and can deal with errors or inconsistences during all phases of its life cycle — a particular challenge for evolving or self-learning AI systems.
  • Human oversight. Requirements to ensure that there is an appropriate level of human oversight over the AI system, though the Commission does not provide clear views on what would constitute an “appropriate” level of human oversight for digital health applications.

For products like medical devices that are already subject to pre-marketing conformity assessment requirements, the Commission states that the AI conformity assessment should form part of the existing mechanism. But as the Commission acknowledges, not all of the requirements above may be suitable for verification in a conformity assessment. Medical device manufacturers may also not be best placed to comply with some of the requirements, particularly if they are deploying AI technologies developed by third parties. It is therefore not clear whether or how the Commission will update the existing medical devices rules to take AI into account. The Commission is now seeking industry input on proposals in the White Paper, through a public consultation that is open until 19 May 2020. Please contact the Covington team for a more detailed analysis of these proposals or to input into the consultation on the White Paper.

Common European Health Data Space

In its Communication on a European strategy for data, the Commission emphasizes the importance of data to realize the EU’s potential in the digital economy. In particular, the Commission recognizes the challenges that exist for organizations to effectively share health data for research, innovation and to improve patient care — including both regulatory and technical challenges. To tackle these challenges, the Commission proposes the creation of a “common European health data space”.

The Commission proposes to take the following actions (among others):

  • facilitate the establishment of a Code of Conduct for processing personal data in the health sector (in accordance with GDPR Article 40);
  • scale up cross-border exchange of health data such as electronic health records, genomic information (for at least 10 million people by 2025), and digital health images through secure federated repositories in compliance with the GDPR;
  • support the development of national electronic health records and interoperability of health data through the application of the Electronic Health Record Exchange Format;
  • start cross-border exchanges of data through the eHealth Digital Service Infrastructure (eHDSI) of electronic patient summaries, ePrescriptions, medical images, laboratory results and discharge reports; and
  • support big data projects promoted by a network of regulators.

Through these actions, the Commission hopes to support the prevention, diagnosis, and treatment of diseases (particularly cancer, rare diseases and common and complex diseases) through these initiatives, as well as foster research and innovation in this field.

Print:
Email this postTweet this postLike this postShare this post on LinkedIn
Photo of Lisa Peets Lisa Peets

Lisa Peets leads the Technology Regulatory and Policy practice in the London office and is a member of the firm’s Management Committee. Lisa divides her time between London and Brussels, and her practice embraces regulatory counsel and legislative advocacy. In this context, she…

Lisa Peets leads the Technology Regulatory and Policy practice in the London office and is a member of the firm’s Management Committee. Lisa divides her time between London and Brussels, and her practice embraces regulatory counsel and legislative advocacy. In this context, she has worked closely with leading multinationals in a number of sectors, including many of the world’s best-known technology companies.

Lisa counsels clients on a range of EU law issues, including data protection and related regimes, copyright, e-commerce and consumer protection, and the rapidly expanding universe of EU rules applicable to existing and emerging technologies. Lisa also routinely advises clients in and outside of the technology sector on trade related matters, including EU trade controls rules.

According to the latest edition of Chambers UK (2022), “Lisa is able to make an incredibly quick legal assessment whereby she perfectly distils the essential matters from the less relevant elements.” “Lisa has subject matter expertise but is also able to think like a generalist and prioritise. She brings a strategic lens to matters.”

Photo of Marty Hansen Marty Hansen

Martin Hansen has represented some of the world’s leading information technology, telecommunications, and pharmaceutical companies on a broad range of cutting edge international trade, intellectual property, and competition issues. Martin has extensive experience in advising clients on matters arising under the World Trade…

Martin Hansen has represented some of the world’s leading information technology, telecommunications, and pharmaceutical companies on a broad range of cutting edge international trade, intellectual property, and competition issues. Martin has extensive experience in advising clients on matters arising under the World Trade Organization agreements, treaties administered by the World Intellectual Property Organization, bilateral and regional free trade agreements, and other trade agreements.

Drawing on ten years of experience in Covington’s London and DC offices his practice focuses on helping innovative companies solve challenges on intellectual property and trade matters before U.S. courts, the U.S. government, and foreign governments and tribunals. Martin also represents software companies and a leading IT trade association on electronic commerce, Internet security, and online liability issues.

Photo of Sarah Cowlishaw Sarah Cowlishaw

Advising clients on a broad range of life sciences matters, Sarah Cowlishaw supports innovative pharmaceutical, biotech, medical device, diagnostic and software technology companies on regulatory, compliance, transactional, and legislative matters.

Sarah has particular expertise in advising on legal issues presented by digital health…

Advising clients on a broad range of life sciences matters, Sarah Cowlishaw supports innovative pharmaceutical, biotech, medical device, diagnostic and software technology companies on regulatory, compliance, transactional, and legislative matters.

Sarah has particular expertise in advising on legal issues presented by digital health technologies, helping companies navigate regulatory frameworks while balancing challenges presented by the pace of technological change over legislative developments.

Sarah is a co-chair of Covington’s multidisciplinary Digital Health Initiative, and is the Graduate Recruitment Partner for Covington’s London office.

Sarah regularly advises on:

  • classification determinations for software medical devices, including on developments resulting from the implementation of the EU Medical Devices Regulation;
  • legal issues presented by digital health technologies including artificial intelligence;
  • general regulatory matters for the pharma and device industry, including borderline determinations, adverse event and other reporting obligations, manufacturing controls, and labeling and promotion;
  • the full range of agreements that span the product life-cycle in the life sciences sector, including collaborations and other strategic agreements, clinical trial agreements, and manufacturing and supply agreements; and
  • regulatory and commercial due diligence for life sciences transactions.

Sarah’s pro bono work includes advising the Restoration of Appearance and Function Trust (RAFT) on the classification of a wound healing product containing human blood derivatives, and assisting in a project aimed at improving regulatory systems for clinical trials of drugs and vaccines for neglected diseases in developing countries.

Sarah has been recognized as one of the UK’s Rising Stars by Law.com (2021), which lists 25 up and coming female lawyers in the UK. She was named among the Hot 100 by The Lawyer (2020) and was included in the 50 Movers & Shakers in BioBusiness 2019 for advancing legal thinking for digital health.

Sarah has undertaken several client secondments, including to the in-house legal department of a multinational pharmaceutical company.

Photo of Sam Jungyun Choi Sam Jungyun Choi

Sam Jungyun Choi is an associate in the technology regulatory group in the London office. Her practice focuses on European data protection law and new policies and legislation relating to innovative technologies such as artificial intelligence, online platforms, digital health products and autonomous…

Sam Jungyun Choi is an associate in the technology regulatory group in the London office. Her practice focuses on European data protection law and new policies and legislation relating to innovative technologies such as artificial intelligence, online platforms, digital health products and autonomous vehicles. She also advises clients on matters relating to children’s privacy and policy initiatives relating to online safety.

Sam advises leading technology, software and life sciences companies on a wide range of matters relating to data protection and cybersecurity issues. Her work in this area has involved advising global companies on compliance with European data protection legislation, such as the General Data Protection Regulation (GDPR), the UK Data Protection Act, the ePrivacy Directive, and related EU and global legislation. She also advises on a variety of policy developments in Europe, including providing strategic advice on EU and national initiatives relating to artificial intelligence, data sharing, digital health, and online platforms.