
How the EU’s New Data Laws Could Affect American Health Tech Companies

In the EU, there is a widespread distrust of American tech companies, according to a recent conference presentation by an international healthcare lawyer. Because of this, the EU has established a number of new laws protecting its citizens' data privacy and creating frameworks for the secure exchange of information — laws that American health tech companies will have to comply with if they do business in the EU.

American health tech companies that conduct business in the European Union or are seeking to do so should pay attention to the new data laws emerging in the region, according to Bleddyn Rees, chair at the Digital Health Society. Rees, who has decades of experience as an international healthcare lawyer, explained some of these laws during a presentation Sunday at ViVE, a health innovation conference in Nashville.

Rees pointed out that the EU has no power to harmonize health laws in Europe. The establishment and enforcement of such laws are the prerogative of the union’s 27 member states.

“If you’re trying to do business in those 27 states, you always need to understand what the rules are in each of the 27 countries. In contrast, the European Union has power to harmonize rules around such things as the digital single market and consumer rights, and that manifests itself in the GDPR — the General Data Protection Regulation,” he declared.

The GDPR, which took effect in 2018, is widely regarded as the toughest privacy and security law in the world. It arose from a pervasive European distrust of American tech companies like Microsoft, Google, Apple and Amazon, Rees said. That distrust has grown in recent years due to the proliferation of hacking and data breaches, he added.

While the EU doesn’t have power to create overarching health laws for the entire union, it does establish harmonizing laws regarding data and the technology sector. And these laws require compliance from American health tech companies doing business in the union. The GDPR has been followed by a number of additional legislative efforts to protect EU citizens’ data privacy, many of which have implications for health tech companies.

Rees drew attention to three laws that have recently come into force in the EU.


Digital Markets Act

The Digital Markets Act is a competition law meant to promote fair and contestable markets in the EU’s digital sector. It entered into force in November, and its obligations begin to apply in May.

The law targets Big Tech companies and seeks to impose limitations on them, classifying them as “gatekeepers.” These large companies will be required to comply with regulations that could force them to change the way they interact with customers, users and competitors. 

“It’s extraterritorial, meaning the EU is legislating against U.S. companies who do business in Europe. So you don’t get off if you’re just an American business thinking you don’t have to comply. Lots of Europeans think this is payback for how antitrust laws work in the U.S. that catch non-U.S. companies,” Rees said.

The Digital Markets Act reinforces several privacy protections established under the GDPR, including those that give users greater control over their data. The Act also adds consent requirements of its own. For example, gatekeepers must obtain users’ explicit consent before they share personal data with third parties, use it for advertising purposes, or combine or cross-use it across a different service the gatekeeper offers other than the one with which the user was originally interacting.

If a “gatekeeper” is found to be noncompliant with the law, it could be fined up to 10% of its worldwide revenue for the preceding financial year. This rises to 20% for repeated infringements.

“The expectation is that this will alter the business models of those gatekeepers, but it will be some years before we see what the true impact of this is,” Rees declared.

Data Governance Act

The Data Governance Act, which entered into force in June, aims to create a framework for data interoperability in the EU. Companies have until September 24 to align their practices with the new rules.

“It’s a set of rules, processes and technical means to facilitate data sharing. It’s about leveling the playing field for access to data and ensuring that the rules around the GDPR are adhered to,” Rees explained.

The Data Governance Act establishes interoperability standards for the reuse of data across sectors. It seeks to improve data availability by building trust in data intermediaries and improving the mechanisms used to share digital information. The law also includes “data altruism” measures, which encourage businesses to make their data available for common good uses, such as certain use cases that concern healthcare, science and education.

Digital Services Act

The EU established the Digital Services Act to update its legal framework for illegal digital content. The law applies to digital intermediary services, such as search engines, hosting services and social media platforms. It entered into force in November and becomes fully applicable in February 2024.

“What the European Commission is doing is they are harmonizing the legal framework across the 27 member states,” Rees declared.

The law was designed to hold online service providers accountable for their content moderation practices, Rees said. Under this law, companies will likely be expected to uphold stricter moderation practices than they are required to in the U.S., and health misinformation could be strictly penalized under this measure.
