The COVID-19 crisis has affected multiple industry sectors and disrupted economic processes. Because of the increased burden that the pandemic has placed on the medical device industry, the application of the Medical Device Regulation (“MDR”) was postponed by one year. It will now apply from May 26 2021 (instead of 2020). Since the MDR also regulates software that can qualify as a medical device, this extended timeline gives developers of mobile medical applications the opportunity to (re-)evaluate the classification of their app and to implement any MDR-required changes. The following article takes a closer look at the requirements that the MDR imposes on health apps or medical apps and compares these with the requirements for medical apps under the US regulatory regime.

1. Development stage – Does the app need regulatory approval?

A health app requires regulatory approval either in the EU under the MDR or in the USA under FDA (Food & Drug Administration) rules when the app qualifies as a “medical device”.

2. If the app meets the criteria of “medical device”: Classification of the app to determine what regulatory approval is necessary, and whether self-certification is possible

3. Regulatory approval or clearance

4. UDI (Unique Device Identifier)

5. Post-Market Surveillance after Launching the App

Conclusion

Any app developer that wants to market an app relating to wellbeing, health or medical treatments either in Europe or the US needs to be aware of the impact that the MDR or the FDA Rules have on their business. Developers intending to launch in Europe should ensure that they have a clear strategy underway to achieve compliance in time for May 2021.


For any questions, please contact

Simon Marks or Dr. Laura Jelinek


[1] FDA guidance document, published in September 2019: Policy for Device Software Functions and Mobile Medical Applications – Guidance for Industry and Food and Drug Administration Staff.

[2] With the CE mark a manufacturer expresses conformity with the European legislation, specifically with European directives and European regulations.

[3] FDA guidance document, published on July 1, 2020: Unique Device Identification: Policy Regarding Compliance Dates for Class I and Unclassified Devices and Certain Devices Requiring Direct Marking.

The Court of Justice of the European Union (“ECJ”) issued its judgment in the Schrems II case on 16 July 2020. The ECJ declared the EU-US Privacy Shield invalid. As a result, personal data of EU residents can no longer be lawfully transferred into the US based on the Privacy Shield.

At the same time, the ECJ confirmed that the Standard Contractual Clauses (“SCC”) remain valid, while emphasizing the need for companies involved in a transfer of personal data to check whether an adequate level of data protection can be maintained. If this cannot be guaranteed, the data exporter might need to suspend the data transfer.

Background

The ECJ’s decision has its roots in a complaint filed in 2013 by Max Schrems, an Austrian data protection activist, with the Irish Data Protection Commission (DPC). Schrems requested that the DPC prohibit the transfer and processing of personal data of European users of the US social network “Facebook” to Facebook Inc.’s servers in the USA. He argued that US law did not adequately protect the rights of data subjects from the surveillance activities of US authorities. In October 2015, the ECJ eventually ruled that the “safe harbor” agreement, on which the transfer was originally based, was invalid. A few months later, the “Privacy Shield” was born: a similar mechanism that allowed US companies to self-certify that they complied with a set of rules regarding the protection of personal data, and that permitted European data exporters to transfer personal data to these US companies. At the same time, many companies switched to using SCC as the legal basis for cross-border data transfers.

The Irish High Court, deciding on Schrems’ complaint, referred several questions on the validity of the SCC and the Privacy Shield to the ECJ. These questions essentially asked whether data transfers under SCCs and the Privacy Shield violated Articles 7, 8, 47, and 52 of the EU Charter of Fundamental Rights.

Standard Contractual Clauses remain valid

The ECJ ruled that the SCC are valid. The SCC contain effective and adequate mechanisms to protect EU data subjects whose personal data would be transferred to third countries.

However, the court adds that before any transfer of personal data to a third country takes place, the parties should verify whether the EU data subjects whose personal data are transferred enjoy a level of protection equivalent to that guaranteed in the EU. Therefore, the parties concerned would have to assess on a case-by-case basis whether the data importer in the third country is able to comply with the SCC at all or whether the legal system of the third country does not enable the required level of data protection, for example in the case of certain access rights by public authorities that go beyond what is deemed permitted under the SCC. If the legal system of the third country does not provide for an adequate level of protection, the data exporter would be obliged to suspend the transfer or terminate the contract with the data importer.

At the same time, the ECJ also obliges the competent data protection authorities of the EU member states to intervene and prohibit data transfer to specific countries on a case-by-case basis if they consider that the SCC are not (or cannot be) respected in such countries. The examination by the authorities is only waived if the EU Commission has issued an adequacy decision for the target country.

Privacy Shield is Invalid

The ECJ determined that the Privacy Shield is invalid. As a result, personal data transfers to the US that were based on the Privacy Shield now lack a valid legal basis.

The Court found that US national laws which regulate access to and use by US authorities of personal data imported from the EU into the US do not provide protections “essentially equivalent” to those required under EU law. Instead, US law provides its public authorities with far-reaching surveillance powers which, in the Court’s determination, go beyond what is “strictly necessary” (including in respect of non-US individuals) and do not give data subjects adequate rights to challenge the relevant authorities and assert their rights before the courts.

In this respect, the ECJ also held that the Ombudsperson mechanism provided under the Privacy Shield does not actually guarantee data subjects the same protections that they would be afforded under EU law (for example, the Ombudsman does not have the power to make decisions that are binding on the US intelligence services).

Consequences and recommendations for action for Israeli businesses

The ECJ’s decision is relevant also for Israeli businesses that are active in the EU. They will need to closely examine their data transfers to third countries, in particular to the USA.

To the extent that companies have so far justified a data transfer from the EU to the US on the basis of the EU-US Privacy Shield, they will need to act quickly, as this data transfer is now illegal. While it might be tempting to simply sign SCC with data importers in the US, the ECJ’s decision has made it clear that the parties need to examine very carefully whether the SCC are still a sufficient alternative for transfers to the US and to other countries. In general, the parties signing SCC have to assess whether they can comply with the (rather strict and burdensome) requirements of the SCC. If they, in particular the data importers, find that they cannot fully comply with both the obligations under the SCC and the laws of the country in which they are located, then the SCC are not a suitable legal basis.

In addition, statements from some of the European supervisory authorities following the Schrems II ruling raise the question of how data transfers to other non-EEA countries should be conducted. Any country where authorities have more extensive surveillance powers or individuals have fewer protections of their privacy rights might be subject to scrutiny. In this context, several commentators have raised the question of whether past adequacy decisions can be upheld. While Israel currently still enjoys the status of an “adequate jurisdiction” and personal data can thus be freely transferred from the EU, the extensive surveillance activities conducted by authorities for national security may be considered to run afoul of the standards set out in the Schrems II decision. Businesses in Israel that currently rely on the country’s adequacy status might be advised to assess whether a transfer of personal data from the EU to Israel can qualify on a different legal basis.

The European Data Protection Board (EDPB) has published an initial set of FAQ on the Schrems II decision, which is expected to be further developed. Several European data protection authorities have already issued statements and guidelines on the legality of data transfers to certain countries on the basis of SCC. In parallel, the EU Commission confirmed that it is working on alternative instruments for international transfers of personal data, including by reviewing the existing SCC.

In light of the continued uncertainties around data transfers to the US, it is to be expected that some organisations will move away from transferring data across the Atlantic and will instead move to data processors in the EU and EEA.


Natalie Noy

Dr. Laura Jelinek


ERM advises real estate developer Lior Bardugo on a combination transaction in the city of Kfar Saba, on which the developer, together with partners Yeshivot Bnei Akiva, will build the largest housing complex for rent in Israel. The complex will consist of about 2,400 housing units and 3,000 square meters of commercial property.

Partner Yoav Zehavi, Co-Head of the Real Estate and Urban Renewal Department, together with associate Golan Laihtman, advised Lior Bardugo.

For further reading click here (HE)

While Israel does not participate in the World Forum for Harmonization of Vehicle Regulations, the new UN Regulations that will be further elaborated in this article are extremely relevant for Israeli companies active in the field of autonomous and connected vehicles. These companies are advised to familiarize themselves with the requirements of the UN Regulations to ensure that their products and services remain relevant for car manufacturers located in or exporting to jurisdictions where these regulations will be binding, such as the EU, Japan and South Korea.

Interest in autonomous and connected vehicles is growing rapidly, causing the automotive sector to transform profoundly as manufacturers respond by introducing digitalized in-car systems. Today, cars contain up to 150 electronic control units and about 100 million lines of software code, projected to rise to 300 million lines of code by 2030.

The increased cybersecurity risks that accompany this development, as hackers seek to access electronic systems and data, are addressed by two new UN Regulations on Cybersecurity and Software Updates, adopted by UNECE’s World Forum for Harmonization of Vehicle Regulations on 24th June 2020. These regulations set out clear performance and audit requirements for the manufacturers of autonomous and connected vehicles.

The two new regulations are set to become mandatory in the European Union for all new connected vehicle types from July 2022. Other participating countries, namely Japan and the Republic of Korea, also intend to apply these regulations. They will require that measures be implemented across four distinct disciplines as follows:

  1. Managing vehicle cyber risks;
  2. Securing vehicles by design to mitigate risks along the value chain;
  3. Detecting and responding to security incidents across the vehicle fleet;
  4. Providing safe and secure software updates and ensuring vehicle safety is not compromised, introducing a legal basis for “Over-the-Air” (O.T.A.) updates to on-board vehicle software.

About the UN Regulation on Cybersecurity and Cyber Security Management Systems

This UN Regulation requires car manufacturers to be able to demonstrate, prior to putting a vehicle on the market, that they have put in place a cybersecurity management system, amongst others, to:

  • Identify and manage cybersecurity risks in vehicle design;
  • Verify that the risks are appropriately managed;
  • Ensure that the risk assessments are kept current;
  • Monitor and detect cyber-attacks and respond to them effectively;
  • Analyse attempted or successful cyber-attacks, and analyse whether the cybersecurity measures implemented are still effective in light of any new cyber threats that have been identified.

In addition, the vehicle manufacturer has to be able to demonstrate that

  • Cyber threats are mitigated within a reasonable timeframe, and
  • Monitoring activities are ongoing and also cover vehicles after first registration, while respecting the privacy rights of car owners and drivers.

All of these will be audited by the national approval authorities, which are appointed on a national level by each participating country, or the technical services of such approval authority.

Reports of monitoring activities will be provided at least once a year to the relevant approval authority or technical service, including relevant information on new cyber-attacks. The approval authority or technical service may then, if necessary, require the manufacturer to remedy any detected ineffectiveness.

About the UN Regulation on Software Updates and Software Updates Management Systems

This UN Regulation requires car manufacturers to be able to demonstrate, prior to putting a vehicle on the market, that they have put in place a software update management system that:

  • Records the hardware and software versions relevant to a vehicle type;
  • Identifies software relevant for type-approved systems;
  • Identifies interdependencies, especially with regards to software updates;
  • Assesses whether a software update affects the type approval or legally defined parameters (including by adding or removing a function);
  • Assesses if an update affects safety or safe driving;
  • Informs vehicle users of updates;
  • For Over-The-Air software updates:
    • An update must not affect safety if it is conducted while driving;
    • Execute an update only if the vehicle has sufficient power;
    • Ensure safe execution;
    • Inform users about each update and about its completion;
    • Ensure the vehicle is capable of conducting the update;
    • Inform the user when a mechanic is needed.

In addition, the vehicle manufacturer has to be able to demonstrate that:

  • Software updates will be protected to prevent manipulation, and
  • The update processes are protected from being compromised.

All of these will be audited by national technical services or approval authorities.

Every modification of the vehicle type which affects its technical performance or the documentation required by this regulation shall be notified to the approval authority which granted the original type approval (i.e. a certificate of conformity, recognized by all participating countries) with regard to a software update procedure. The approval authority may then, if necessary, require a further test report from the technical service responsible for conducting the tests.

We will be happy to answer any additional questions you may have. Feel free to contact any of us:

Roni Abelski, Partner, Head of German Desk

Dr. Laura Jelinek, Associate


ERM advised GoTo Global, the multi-modal vehicle sharing service provider (CAR2GO, Auto Tel, Mobike), on a $19M Series A round led by Adam Neumann (formerly WeWork). By participating in this round Neumann has taken a third of the equity stake in the company.

Natalie Noy, Partner and Co-Head of ERM’s Hi-Tech & Venture Capital practice, acted for GoTo, together with associates Galit Farkash, Raz Mechalovich, and Bar Mor.

For further reading, click here (Techcrunch)

From 12 July 2020 onwards, the Regulation of the European Parliament and of the Council on promoting fairness and transparency for business users of online intermediation services (2019/1150) (the “Regulation”) will directly apply in EU member states. With the Digital Single Market being a focus point of the European Commission, this Regulation aims to strengthen the rights of commercial users of online platforms by addressing the issues of unfair contractual clauses and trading practices identified in platform-to-business relationships.

To whom does the Regulation apply?

The Regulation will apply to online platforms and search engines, online marketplaces, application distribution platforms, reservation and price comparison websites as well as platforms for the collaborative economy. These businesses are subject to the Regulation if (1) they provide their services to business users/corporate website users that are established in the EU, and (2) these businesses offer goods or services to consumers located in the EU. It does not matter where the provider of the platform service is established.

By contrast, pure business-to-business platforms that are not offered to consumers and peer-to-peer intermediation in which no commercial providers are involved are not covered by the Regulation. Online payment and advertising services are not included either.

Key Requirements under the Regulation

The Regulation will require platform operators to be more transparent and fair. This will affect, among other things:

Terms and Conditions, and information to be provided therein:

  • Terms and Conditions (“T&Cs”) must be written in clear and understandable language, and be easily available, failing which such terms are void. Moreover, any changes to those terms have to be notified at least 15 days before taking effect.
  • Platform providers should inform the business users about any additional distribution channels and potential affiliate programs available to market those users’ goods or services.
  • The T&Cs must also set out the reasons for which platform access may be terminated, suspended, or restricted. Generic wording will no longer meet the requirements of the Regulation.
  • If the business user’s use of the services is terminated, the platform provider has to provide a statement of reasons for that decision on a durable medium and at least 30 days before the termination comes into effect.
  • Platform providers must also specify in their T&Cs whether and to what extent their own products or products from their group are given differential treatment.

Disclosure of ranking parameters:

  • Platform operators must disclose the main parameters determining the ranking of search results in a plain and intelligible manner in their T&Cs, i.e. it must be clear from the T&Cs which criteria are used to list products and how these criteria are weighted.
  • If platform users can influence the ranking against payment, this also needs to be disclosed – this includes both direct payments and indirect fees, such as the use of auxiliary services or premium features.
  • The detailed functioning of the ranking methods — including the algorithms — does not need to be disclosed.

Dispute resolution out of court:

  • Platform providers need to set up an internal complaint-handling system for their business users. This internal complaint-handling system should provide the opportunity for resolving disagreements between platform users and platform operators, for instance, if the user’s access to the platform was restricted in some way or if a ranking was downgraded, in a quick and individualized manner.
  • Platform providers also have to identify in their T&Cs at least two mediators that can be used to settle disputes with the business users. It should be pointed out, however, that in practice it is not mandatory to conduct mediation.
  • The requirements for setting up an internal complaint-handling system and identifying mediators do not apply to small businesses with fewer than 50 employees and an annual turnover and/or annual balance sheet total of less than €10 million.

Conclusion

This Regulation is expected to create more transparency in the operation of online platforms and to safeguard the interests of companies that depend on online platforms for their business operations. Platform providers should assess now whether their internal procedures and their terms and conditions need to be adapted to comply with this new Regulation.

Natalie Noy

Dr. Laura Jelinek

ERM advised Eshkol Fund, which focuses on financing various real estate projects, on a NIS 18 million loan to members of a purchase group in Rehovot.

Eran Mizrahi, Partner of ERM’s Real Estate and Urban Renewal Practice, led the deal together with associate May Fima.

Natalie Noy, Co-Head of ERM’s High-tech & Venture Capital practice, spoke to Calcalist in an interview about the uniqueness of the high-tech niche.

Natalie shares her predictions for 2020 in tech and investments and talks about what guided her to strive to be a leading female advocate in her field.

For further reading (HE), click here.