France: CNIL publishes report on its role and privacy challenges during pandemic

On 21 January 2021, the French Data Protection Authority released its report on its activities during the coronavirus pandemic, in particular on the position of the regulator and on the challenges of personal data protection in times of crisis, in order to better educate professionals and individuals.


Study: medical devices using AI/ML are poorly regulated

From the Abstract: “There has been a surge of interest in artificial intelligence and machine learning (AI/ML)-based medical devices. However, it is poorly understood how and which AI/ML-based medical devices have been approved in the USA and Europe. We searched governmental and non-governmental databases to identify 222 devices approved in the USA and 240 devices in Europe. The number of approved AI/ML-based devices has increased substantially since 2015, with many being approved for use in radiology. However, few were qualified as high-risk devices. Of the 124 AI/ML-based devices commonly approved in the USA and Europe, 80 were first approved in Europe. One possible reason for approval in Europe before the USA might be the potentially relatively less rigorous evaluation of medical devices in Europe. The substantial number of approved devices highlight the need to ensure rigorous regulation of these devices. Currently, there is no specific regulatory pathway for AI/ML-based medical devices in the USA or Europe. We recommend more transparency on how devices are regulated and approved to enable and improve public trust, efficacy, safety, and quality of AI/ML-based medical devices. A comprehensive, publicly accessible database with device details for Conformité Européene (CE)-marked medical devices in Europe and US Food and Drug Administration approved devices is needed”.

Europe – ENISA: Cloud Security for Healthcare Services report

The European Union Agency for Cybersecurity (ENISA) published the Cloud Security for Healthcare Services report, which provides cybersecurity guidelines to help healthcare organisations further digitalise using cloud services.

Building on ENISA’s procurement guidelines for cybersecurity in hospitals, published early last year, this new report assesses the cybersecurity risks of cloud services and offers good practices for their secure integration into the European healthcare sector.

The ENISA report comes as the European Commission is moving forward this year with the European Health Data Space initiative to promote the safe exchange of patients’ data and access to health data.

AEPD – IoT (II): From the Internet of Things to the Internet of Bodies

Hyperconnected technology continues to advance. The Internet of Things, or 'IoT', is a reality that has reached homes through all kinds of 'smart' devices that can be found even in supermarkets, but also in vehicles and in our bodies. In the latter case, new risks arise for rights and freedoms, and potentially also for health.

The press release explains that the concept of the Internet of Bodies (IoB) emerged with connected devices used to monitor different parameters of the body, which at the same time process biometric and health data, with risks for the privacy or physical integrity of the user. In addition, the press release outlines the three levels of implementation, or generations, of the IoB, depending on the degree of attachment to the body, namely:

  • First generation: devices outside the body such as physical activity monitoring wristbands and smart watches with similar functionalities;
  • Second generation: devices internal to the body, including those that can be implanted, such as devices for medical purposes (e.g. pacemakers, cochlear implants or organs developed through 3D printing) and digital pills; and
  • Third generation: body-fused devices. This generation is still in the development phase and seeks the fusion between the human body and technology to achieve a communication interface that allows interpreting and acting on the biological elements themselves.

Italy – Italian DPA on electronic health record: no deadline for data entry

In relation to the news published in recent days, concerning an alleged deadline of 11 January 2021 to express any opposition to the inclusion of personal data in the electronic health record (Fascicolo sanitario elettronico – FSE), the Garante per la protezione dei dati personali clarifies that this deadline does not exist and has no legal basis.