mobile applications

Is Your Software a Medical Device? FDA Issues Six Digital Health Guidance Documents

The 21st Century Cures Act, enacted in December 2016, amended the definition of “medical device” in section 201(h) of the Federal Food, Drug, and Cosmetic Act (FDCA) to exclude five distinct categories of software or digital health products. In response, the US Food and Drug Administration (FDA) issued new digital health guidance and revised several pre-existing medical device guidance documents. FDA also stated that it would continue to assess how to update and revise these guidance documents as its thinking evolved.

Late last week, FDA issued five final guidance documents and re-issued a draft guidance document to better reflect FDA’s current thinking on software as a medical device (SaMD) and other digital health products:

Most of the guidance documents reflect modest changes to prior draft guidance documents that describe categories of low-risk health and wellness devices that FDA does not intend to regulate. FDA’s new draft Clinical Decision Support (CDS) Software guidance, however, provides a new and more detailed analysis of risk factors that FDA will apply to determine whether a CDS tool is a medical device. FDA updated its previously issued draft CDS guidance without finalizing it. Although the new guidance does not explain why FDA is reissuing the CDS guidance in draft, the new draft guidance seems to reflect the agency’s attempt to better align its definition of non-device software with the often misunderstood and misinterpreted statutory definition of CDS in section 520(o)(1)(E) of the Cures Act. The chart below summarizes the key provisions and changes to these guidance documents.

Digital health products can present a particular challenge for developers and regulators in assessing the appropriate regulatory pathways for a new product. The updated guidance documents reflect the need for a more flexible, risk-based approach to regulation that accommodates a rapidly evolving technological landscape. These documents also reflect what appears to be the new normal for digital health regulation—the need for iterative thinking and ongoing revisions to interpretive guidance documents to keep pace with a constantly changing marketplace.





GPEN Children’s Privacy Sweep Announced

On 11 May 2015, the UK Information Commissioner’s Office (ICO), the French data protection authority (CNIL) and the Office of the Privacy Commissioner of Canada (OPCC) announced their participation in a new Global Privacy Enforcement Network (GPEN) privacy sweep to examine the data privacy practices of websites and apps aimed at or popular among children. This closely follows the results of GPEN’s latest sweep on mobile applications (apps), which suggested a high proportion of apps collected significant amounts of personal information but did not sufficiently explain how consumers’ personal information would be collected and used. We originally reported the sweep on mobile apps back in September 2014.

According to the CNIL and ICO, the purpose of this sweep is to determine a global picture of the privacy practices of websites and apps aimed at or frequently used by children. The sweep seeks to instigate recommendations or formal sanctions where non-compliance is identified and, more broadly, to provide valuable privacy education to the public and parents as well as promoting best privacy practice in the online space.

Background

GPEN was established in 2010 on the recommendation of the Organisation for Economic Co-operation and Development. GPEN aims to create cooperation between data protection regulators and authorities throughout the world in order to globally strengthen personal privacy. GPEN is currently made up of 51 data protection authorities across some 39 jurisdictions.

According to the ICO, GPEN has identified a growing global trend for websites and apps targeted at (or used by) children. This represents an area that requires special attention and protection. From 12 to 15 May 2015, GPEN’s “sweepers”—comprised of 28 volunteering data protection authorities across the globe, including the ICO, CNIL and the OPCC—will each review 50 popular websites and apps among children (such as online gaming sites, social networks, and sites offering educational services or tutoring). In particular, the sweepers will seek to determine inter alia:

  • The types of information being collected from children;
  • The ways in which privacy information is explained, including whether it is adapted to a younger audience (e.g., through the use of easy to understand language, large print, audio and animations, etc.);
  • Whether protective controls are implemented to limit the collection of children’s personal information, such as requiring parental permission prior to use of the relevant services or collection of personal information; and
  • The ease with which one can request for personal information submitted by children to be deleted.

Comment

We will have to wait some time for in-depth analysis of the sweep, as the results are not expected to be published until Q3 of this year. As with previous sweeps, following publication of the results, we can expect data protection authorities to issue new guidance, as well as write to those organisations identified as needing to improve or take more formal action where appropriate.



