The Interaction of the GDPR and Medical Device Regulation in the Times of COVID-19: Do European Rules on Privacy and Scientific Research Impair the Safety and Utility of AI Medical Devices?

Research output: Working paper › Research › peer-review

Stipulations on de-identification and scientific research in the European General Data Protection Regulation (GDPR) help organisations to use personal data with fewer restrictions compared to data collections for other purposes. Under these exemptions, organisations might collect and process data for a secondary purpose without consent. However, the definition and legal requirements of scientific research differ among EU Member States. Since the new regulations on medical devices in the EU (Regulations 2017/745 and 2017/746) require compliance with the GDPR, the failure to come to grips with these concepts creates misunderstandings and legal issues. We argue that this might result in obstacles for the use and review of input data in medical devices, which could lead not only to forum shopping but also to safety risks.
Focusing on these issues, we take COVID-19 as a use case to discuss to what extent scientific research should benefit from the research exemption and de-identification rules under the GDPR. Furthermore, this chapter examines recently released guidelines and discussion papers to find out how input data is reviewed by medical device authorities and notified bodies in the EU. Ultimately, we call for more harmonised rules in the EU to balance the data subjects’ rights and the safety of medical devices in an international context.
Original language: English
Number of pages: 11
Publication status: In preparation - 2021

ID: 240320896