unyer

Going Digital: Opportunities and Challenges for Medical Tech

The digitalisation of the healthcare system is an important step towards more effective and efficient healthcare. Advances in medical technology such as wearables, robot-assisted surgery and Artificial Intelligence (AI) are also being used more and more frequently in the healthcare sector. The EU and the German Federal Ministry of Health (Bundesministerium für Gesundheit; “BMG”) have set themselves the goal of making health data accessible for research purposes and improving healthcare through digital solutions.

The German Digital Act (Digital-Gesetz, “DigiG”) was introduced in March 2024 to simplify everyday treatment for doctors and patients with digital solutions. The most important contents include the Electronic Patient Records (ePA), which will be set up for all people with statutory health insurance at the beginning of 2025. The e-prescription has already become a binding standard in the provision of medicines in Germany and is currently being further developed.

Furthermore, the German Health Data Use Act (Gesundheitsdatennutzungsgesetz; “GDNG”) came into force in March 2024 as well. The main, but not final, contents are the establishment of a central data access and coordination centre for the use of health data in order to reduce bureaucratic hurdles and facilitate access to research data. The lead data protection authority for transnational research projects will be extended to all health data. In future, an opt-out procedure will apply to the release of data from the ePA. This will make it easier to utilise treatment data for research purposes. Only data that has been reliably and automatically pseudonymised will be transmitted.

‘Modern medicine needs digital help’, said Federal Health Minister Karl Lauterbach at the presentation of the new digitalisation strategy in March 2023. However, these modern developments are subject to strict regulatory requirements such as the European Medical Device Regulation (MDR) and the national Medical Device Law Implementation Act (Medizinprodukterecht-Durchführungsgesetz; MPDG) and pose a challenge for the development of the Metaverse around the digitalisation of medical technology. For example, the MDR and MPDG contain extensive requirements for the clinical evaluation of wearables. As a rule, medical technology companies must conduct clinical studies and fulfil basic requirements for the safety and performance of the products.

For this reason, international companies are increasingly investing in the UK, Singapore, China and Vietnam, where the government is promoting the digitalisation of the healthcare system more strongly and setting the course for the future.

In Germany, even after facilitating the digitalisation of the healthcare system through national and European laws, there is still a need for action to create a legal framework that is open to digital innovations and does not impair the marketability of wearables, for example.

It remains to be seen whether legislators will respond to these developments with regulatory relief in order to improve Germany’s attractiveness as a centre of innovation for medical technology. Stay tuned!


unyer Working Group Health Care & Life Science
Dr. Christoph von Burgsdorff, LL.M.
Partner

Luisa Kramer
Associate

Payback Litigation – News from the Constitutional Court

Numerous appeals are still pending before the Regional Administrative Court for Lazio against the deed issued in December 2022 by the Regions, based on Article 9-ter of the Legislative Decree No. 78/2015 (as amended by the Legislative Decree No. 115/2022), ordering the suppliers of medical devices to public administrations to pay a contribution for the partial offset (so-called payback) to cover the regional governments’ public expenditure on medical devices in excess of a certain limit for financial years 2015, 2016, 2017 and 2018, as certified by the Ministerial Decree dated 6 July 2022.

The Court, in nearly all pending cases, has temporarily suspended the effects of the payment requests and, in order to adopt the final decision on the merits, formally requested the Constitutional Court, on 24 October 2023, to verify the constitutional legitimacy of the rules regulating the payback system.

The Constitutional Court, with its final judgement No. 140 published on 22 July 2024, confirmed the constitutional legitimacy of the rules governing payback, essentially affirming that the law can limit private economic initiative in case of social needs, providing a solidarity contribution, provided that it responds to the principles of reasonableness and proportionality.

This solidarity contribution, according to the Constitutional Court, would be ‘reasonable’, as it is aimed at guaranteeing the protection of the public healthcare system and the rationalization of its costs, and ‘proportionate’, taking into account the reduction of the contribution for all suppliers of medical devices to an amount equal to 48% of the payments requested by the Regions.

In this latter respect, in fact, the Constitutional Court itself, with the judgement No. 139 published on the same date of 22 July 2024, declared the constitutional illegitimacy of the known Government provision (referred to in Article 8 of the Legislative Decree No. 34/2023) which provided for the said 48% reduction as reserved only for operators who decided to waive the claims raised before the Regional Administrative Court, since such reduction should have been acknowledged to all the operators with no distinction.

Following the rulings of the Constitutional Court, which effectively represent a compromise between the various positions taken by the public and private entities involved in the dispute, it is now believed that there is no margin for obtaining a complete annulment or further reductions of the requests for contributions of payback.

Therefore, it is expected that the Regions will issue, within a period of time difficult to foresee, new deeds, redefining the amounts due (equal to 48% of the amounts originally requested for the financial years 2015, 2016, 2017 and 2018) and the payment methods of the same. This may lead to a consequent conclusion of the pending appeals before the Court due to a supervening lack of interest.

Legal implications of the Crowdstrike incident: a wake-up call for IT security

On July 19, a serious IT security incident shook the digital world. A faulty update by the renowned security company Crowdstrike for its Falcon software led to massive computer failures at companies and organizations worldwide. The effects were dramatic: airplanes were grounded, hospitals had to cancel operations and numerous companies were faced with significant operational disruptions. Organizations in the USA, Germany, India and Australia were particularly affected, underlining the global dimension of this incident.

This article not only highlights the facts of the incident, but also gives you valuable insights into the legal implications. We also provide concrete recommendations for action to guide companies and organizations if they are affected by a cyber incident. For this reason, the recommendations for action are formulated in general terms. In times of increasing digital networking and dependence on IT systems, this incident shows once again how important it is to be prepared for such scenarios – both technically and legally. As legal experts, we would like to inform you about the possible legal consequences and options for action following a cyber incident.


What happened?

The Crowdstrike Falcon security software update released on July 19 was originally intended to improve the software’s protection features. Instead, it led to widespread system failures for the company’s customers. As many IT service providers also use this security software, there was a chain reaction as the IT service providers’ systems failed.

Crowdstrike Falcon, a leading product for Endpoint Detection and Response (EDR), offers comprehensive protection for end devices in corporate networks. To ensure its effectiveness, Crowdstrike uses a system of continuous updates. These updates are distributed via channel files that allow dynamic improvements and new detection rules to be seamlessly delivered to the installed Falcon sensors. These Falcon sensors are installed on servers and end devices. A faulty update led to crashes and the so-called “Blue Screen of Death” on Windows systems.

Thousands of organizations worldwide reported disruptions, with estimates of tens of thousands of systems affected. Crowdstrike responded with a workaround within a few hours. However, this is not an emergency patch that can be automatically applied to the affected systems, but a work instruction for IT managers on how to reset the affected systems. The IT managers then had to implement this manually for the affected systems, which tied up considerable resources in the affected companies.

It is suspected that Crowdstrike did not adequately test the faulty update before it was released and thus overlooked the cause of the error. Even if the incident was not a targeted cyberattack, the global impact shows just how fragile the IT world can be. It is particularly piquant that the cause was triggered by security software that was actually designed to prevent such incidents.

However, this is probably also one of the reasons for the massive impact, as security software often has very extensive rights and privileges in IT systems so that regular software can be monitored and threats can be contained and eliminated.


Legal implications

This incident raises a number of complex legal issues. Specifically, the question of Crowdstrike’s responsibility and liability for the massive IT outage is currently under discussion. Although exact figures are not yet known, the press is reporting the largest IT incident in history. IBM estimates the cost of a data leak in 2023 at EUR 4.3 million (https://de.newsroom.ibm.com/2023-07-11_IBM-Bericht-Ein-Datenleck-kostet-deutsche-Unternehmen-durchschnittlich-4,3-Millionen-Euro). Although the Crowdstrike incident is not a data leak (as far as we currently know), the scale shows the financial dimension of cyber incidents.

Crowdstrike could be held liable for negligence in the development and testing of the update, and the duty of care in the provision of security software is particularly high. Depending on the contractual situation, IT service providers and other stakeholders could also be liable for damages caused by the failure to detect or rectify the problem in good time. It depends on the detailed questions that still need to be clarified as to whether gross negligence should be assumed. This would also have an impact on the application of any limitations of liability. First of all, it must be clarified whether provisions in the general terms and conditions are effective at all with regard to choice of law and place of jurisdiction. If companies have made individual agreements, it depends on the individual case.

As far as is known, the incident did not result in a data leak. Reporting obligations under the GDPR are therefore unlikely to apply. Nevertheless, data protection law can regularly be the starting point for claims against an IT service provider. If an order processing contract has been concluded with an IT service provider, this can help to gather further information about the incident. This is because these contracts regularly provide for monitoring and auditing options. It should also be remembered that deploying the faulty update constitutes a breach of the technical and organizational measures. This is because under data protection law, there are possible violations of the GDPR requirements for ensuring the security of processing (Art. 32 GDPR). This could give rise to liability on the basis of the data processing agreement.

However, affected companies could also be liable. Contractually, there could be breaches of service level agreements (SLAs) with customers and business partners, as well as possible breaches of supply contracts or other business agreements due to business interruptions. Affected companies could also be liable if they did not have adequate contingency plans in place. Even if you appear to have been the victim of the incident, this raises the question of whether you are liable to your own customers and business partners for errors relating to your own IT security measures. This is because legislators in Germany and the European Union are constantly raising the legal requirements with numerous statutory regulations. These include the NIS2 Directive, DORA and some sector-specific regulations from the Digital Act, which increase the IT security requirements for hospitals and medical practices.

For companies and organisations affected by a cyber incident, it is important to document the duration and extent of the disruption as well as all measures taken to rectify the problem. Damage and losses incurred should also be quantified with a view to subsequent claims for compensation. This also applies to the working hours and specific activities carried out by employees who are now involved in rectifying the damage.

In the event of a cyber incident, reporting and transparency obligations must also be checked and observed. As a rule, the internal reporting channels must first be completed and all relevant functions (e.g. IT security, data protection, legal department, communications, HR) must be informed. It should also be checked whether and to what extent there are reporting obligations to authorities, e.g. the Bundesamt für Sicherheit in der Informationstechnik (BSI) or the data protection supervisory authorities. It should also be clarified whether and to what extent there are reporting and information obligations towards customers and other business partners.

Irrespective of any legal obligation, it must always be clarified what and how employees and business partners are informed. After all, if a company is paralyzed by a cyber incident, this often takes several days or even weeks. If no one responds to emails or the telephones are unavailable, this quickly leads to speculation. If you have taken out a cyber insurance policy, you must also pay attention to any information obligations. Finally, depending on the type of incident, you need to clarify whether the police and security authorities should be informed and involved. It should be noted that these companies often offer extensive assistance.

To better protect against similar incidents in the future, we recommend implementing a multi-level security concept that is not dependent on a single solution and establishing a structured process for software updates, including testing in an isolated environment before broad rollout, where possible due to the technical dependencies of the software solution. Develop detailed contingency plans for different scenarios and implement a robust backup system with regular recovery testing.


Effects

The Crowdstrike incident could have far-reaching consequences for the IT security industry and the regulatory environment. The requirements for security software providers are likely to become stricter, particularly with regard to testing procedures and quality assurance. In addition, there could be an increase in court proceedings to clarify liability issues in the event of IT security incidents, which may create precedents for product liability in security software. It is also to be expected that fraudsters and cyber criminals will use the incident to obtain money. In this respect, such requests should be viewed critically.

There are also questions about dependence on big tech companies. Lina Khan, the head of the US Federal Trade Commission (FTC), is very much in favor of splitting up the big tech companies with market power. In the wake of the Crowdstrike incident, she has positioned herself accordingly on Platform X.

As experts in IT law and data protection, we can help you overcome the legal challenges associated with the Crowdstrike incident and similar IT security issues. Our range of services includes the legal analysis and assessment of your individual situation, support in communicating with authorities, business partners and customers, advice on optimizing your contracts and general terms and conditions as well as representing your interests in negotiations and in court. Together we can master the remaining challenges in the dynamic environment of IT security, protect your company in the best possible way and assert your claims in the best possible way.

Do not hesitate to contact us if you have any questions or need support. Together we can master the legal challenges in the dynamic environment of IT security and protect your company in the best possible way.

The EU’s withdrawal from the Energy Charter Treaty: a setback for investor protection or a step forward for climate protection?

On June 27, 2024, the European Union announced its withdrawal from the Energy Charter Treaty (ECT). This move potentially marks the end of a long and difficult negotiation process on the reform of the treaty, which was originally intended to promote and protect investment in the energy sector. Given the undisputed need to promote investment in renewable energy and thus combat climate change, this withdrawal raises a number of questions.

The Origins of the ECT

The ECT was signed in 1994 and came into force in 1998. Originally comprising almost 50 contracting parties from Europe (including all EU member states in addition to the EU), the successor states to the Soviet Union and Asia, it aims to create a stable framework for cross-border cooperation in the energy sector. This includes protecting investments in the energy sector and settling disputes between investors and states. The original political motivation was to secure access to the oil and gas sources there after the First Gulf War and the collapse of the Soviet Union.

So far unsuccessful reform negotiations

In recent years, criticism of the ECT has grown, particularly with regard to its alleged incompatibility with the EU’s climate targets and the Paris Agreement. Critics argued that the treaty protects fossil fuels and would thus hinder the transition to renewable energies. In 2022, after five years of negotiations, an agreement in principle was reached on a modernized treaty that would have significantly restricted protection for existing and new investments. However, as not all EU member states agreed to the details, a vote was postponed until 2023. In the meantime, however, numerous contracting parties, including Germany, Denmark, France, Italy, and Spain have declared their withdrawal from the ECT. Austria has also been considering an exit from the ECT for some time, but initially has postponed its final decision in view of the modernization efforts.

In March of this year, the European Commission therefore proposed a three-stage process in which the EU first withdraws from the treaty, then the EU member states agree to no longer block the conclusion of the modernized treaty, and subsequently all other EU member states withdraw from the non-modernized ECT.

Effects of the phase-out on existing investments

A crucial point in connection with the EU’s withdrawal is the sunset clause in Article 47 of the ECT. This clause states that existing investments continue to be protected by the treaty for up to 20 years after the withdrawal of a contracting party. This applies both to foreign investors and to investors of this contracting party abroad.

However, the relevance has so far been low, as proceedings have almost always been initiated against EU member states. The withdrawal is also likely to be of little relevance for investors from the EU, as all EU member states were also parties to the ECT. Despite the withdrawal of these states, the issue will also have little relevance in the future, as the sunset clause also applies to the member states. Whether this can be abolished retrospectively is at least doubtful.

Impact on new investments and renewable energies

Probably the most serious effect of the withdrawal concerns new investments. While existing investments, whether fossil or renewable, will remain protected, no new investments, whether fossil or renewable, will be protected against EU measures.

The need for private investment in the energy transition is undisputed. According to the International Energy Agency (IEA), annual investment in clean energy must increase to around USD 4 trillion by 2030 in order to achieve the goals of the Paris Agreement.

Interestingly, the majority of arbitration proceedings under the ECT were directed against European states such as Spain, Italy and Germany and concerned the renewable energy sector. These proceedings were often initiated by investors who felt disadvantaged by changes in the support conditions for renewable energy. Spain, for example, was confronted with a large number of lawsuits after it retroactively reduced the feed-in tariffs for solar energy. This shows that renewable energies also require considerable investment protection in order to ensure confidence and stability for investors.

Conclusion: a double-edged sword

The EU’s withdrawal from the Energy Charter Treaty is a complex issue with far-reaching consequences. While existing investments continue to be protected and European companies in third countries continue to benefit from the ECT, the lack of protection for new investments, particularly in the area of renewable energies, could hamper the EU’s climate protection efforts.

It remains to be seen whether the European Commission’s strategy of overcoming resistance to the adoption of the modernized ECT will work. In the short term, however, it represents a setback for the protection of urgently needed investments in renewable energies.


Authors of the unyer Energy & Infrastructure working group

Dr Richard Happ
Manuel Tomas
Roberto Padova
Nicolas O. Zenz 

Revival of the CISG? Evading an ever more complex German Civil Code

The German Civil Code (BGB) has been getting increasingly complex for years, in part due to several EU Directives and in part due to domestic legislative changes. This development constantly creates new challenges for companies and might lead to an increased application of the “United Nations Convention on Contracts for the International Sale of Goods” (CISG).

The CISG is an international law for trading of goods, which contains its own legal system of rights and obligations for buyers and sellers. It is recognized in 97 Contracting States, including most European nations and many others like the USA, China or Japan. In theory, the CISG would apply to most cross-border commercial contracts for the sale of goods, as long as the contract is subject to the law of one of the Contracting States. In fact, many contracts exclude the application of the CISG, because companies and their legal advisors favour their familiar domestic civil codes.

Regarding the German jurisdiction, it might be worth reconsidering. The CISG is easy to understand, less complex than the German Civil Code and allows greater freedom of contract.

In the past years more and more provisions have been added to the German Civil Code, e.g. provisions on the sale of consumer goods or provisions on recourse. “Recourse” means a seller’s claim against his supplier. It differs partially from general warranty claims that the seller might be entitled to and only applies to contracts on certain goods, such as consumer goods or newly manufactured things.

As of January 1st 2022 the Directive (EU) 2019/770 (“Digital Content Directive”) and the Directive (EU) 2019/771 (“European Sales of Goods Directive”) have been implemented into domestic law. Since then, the German Civil Code also contains special provisions on the sale of digital products and the sale of goods with digital elements, each with their own provisions on warranty and recourse. The changes of 2022 have also abolished the fixed limitation period for recourse. And the changes have extended the period of shifted burden of proof, regarding defects of consumer goods, up to one year. Many of these new provisions are mandatory rules that cannot be modified by contract.

In contrast, the CISG does not differentiate between different types of products and only contains one set of provisions. It only stipulates general warranty rights, like claims for damages, reduction of price or declaring the contract avoided. These rights are time-barred after a period of two years. Furthermore, most provisions of the CISG are default rules and subject to modification by the contracting parties. Overall the CISG is subject to less legislative change compared to the German Civil Code.

In conclusion, the CISG might be a suitable alternative for cross-border sales contracts. It enables contracting parties to agree on terms and conditions that would be invalid under domestic German law. Finally, because the CISG is recognized in many countries, it allows for the use of the same contract template for business dealings in different countries.


unyer Working Group Commercial & Trade Law
Dr Christoph von Burgsdorff
Dr Robert Burkert

France implements first sector-wide agreement on ecological transition in the pharmaceutical industry

On October 17, 2023, the French pharmaceutical industry signed its first sector-wide agreement on ecological transition and sustainable mobility. The agreement, signed between Leem and the CFDT, CFTC, FO and Unsa federations, requires companies to carry out a carbon assessment of their activities by October 17, 2024, and to adopt two best practices from among those proposed, such as adjusting executive compensation, collective catering, responsible transport and purchasing.

The agreement highlights the importance of integrating ecological issues at every stage of the drug life cycle without compromising jobs or working conditions. In line with the French Climate and Resilience Act of August 22, 2021, which incorporated the ecological transition into negotiations on job and career path management (GEPP), the agreement goes further by requiring that all company negotiations now include the ecological dimension.

The social and economic committees (CSE) of companies with over 50 employees must be informed about the environmental impact of projects. As with the human impact study of projects, the environmental impact study is becoming essential. Acculturating and training the social partners on CSR/ESG issues will help ensure common understanding and effective collaboration.

Companies will have to include environmental criteria in their profit-sharing agreements and are encouraged to offer employee savings funds with the “socially responsible investment” (SRI) label.

Lastly, the agreement encourages the inclusion of environmental criteria in compensation policies, particularly for top executives, as the involvement of management (the tone at the top) is a key factor in effective environmental policy. Companies must also sensitize their employees to environmental issues, with initiatives such as eco-driving and everyday actions.
This agreement is a significant step towards a more responsible and sustainable pharmaceutical industry, integrating environmental concerns at the heart of its strategy.

Against this backdrop, the role of lawyers as expert advisors is essential in explaining the legal implications of the new regulations and enabling business leaders to build effective sustainable strategies, avoiding greenwashing and socialwashing, to reduce the litigation risk. As trusted advisors to business leaders, lawyers play a strategic role in managing these paradigm shifts within companies.


Caroline Ferté
unyer Working Group Health Care & Life Science

Violation of the pharmacy reservation pursuant to Section 59 of the Austrian Medicines Act (AMG) by a specialist doctor?

The Supreme Court (OGH) dealt with this question in its recently published decision of March 19, 2024 on 4 Ob 42/24s and commented on a few fundamental questions.
The use of Ozempic in people who are not severely obese or do not suffer from diabetes, but want to lose weight easily, has been the subject of much controversy for several months. Only recently there was a dispute between two well-known Hollywood actresses.

In the case in question, a specialist doctor in plastic, aesthetic and reconstructive surgery had given several patients in his two surgeries who were suffering from obesity the drug Ozempic for self-administration at home for the entire duration of the treatment. The defendant doctor had taken a fee for this. One of the preparations, which he had not purchased from an Austrian pharmacy, also turned out to be a counterfeit. After using the counterfeit preparation, the patient using it suffered a seizure and hypoglycemia.
The Austrian Chamber of Pharmacists based its action on Section 1 of the Unfair Competition Act (UWG) and asserted a breach of Sections 57 and 58 of the Austrian Medical Practitioners Act (ÄrzteG – permissible dispensing of medicinal products) and Section 58 of the Austrian Medicinal Products Act (AMG – pharmacy reservation). The courts issued the requested interim injunction against the doctor.

In its decision, the Supreme Court emphasized that the pharmacy reservation anchored in Section 59 para. 1 AMG means that the supply of medicines to the population by public pharmacies has primacy, from which there are only narrow, legally defined exceptions.

It is true that, depending on the nature of their practice and local conditions, all doctors must keep the necessary medicines for first aid in stock. This requirement is interpreted restrictively by the courts, according to which an urgent case of dispensing a medicine to a patient can only ever exist if it is no longer possible to obtain the medicine from a public pharmacy in good time. This exception therefore only applies to medicines that must be administered to patients without delay in order to provide first aid. Under no circumstances does this regulation apply to medicines that are used for further therapy.

Furthermore, a doctor is not prohibited from keeping medicines in stock that are required for the treatment contract. Such use by the doctor also includes the provision of small quantities of a medicine for self-taking if (i) the direct connection with the treatment in the surgery and (ii) medical supervision are ensured.

These requirements were not met here; the defendant doctor unlawfully interfered with the pharmacy reservation by providing patients with not small quantities (namely a whole month’s supply) of the medicinal product, including injection devices, for the purpose of self-injection over several weeks without any medical supervision.
The main proceedings following the interim injunction have not yet been concluded, but the conclusive reasoning of the Supreme Court in the summary proceedings does not suggest a different outcome.

unyer Health Care & Life Science Working Group
Barbara Kuchar
Beatrice Blümel

REMIT II enters into force: Important changes for energy trading

1. Background

On May 7, 2024, Regulation (EU) 2024/1106, better known as “REMIT II”, came into force. This marks the first amendment to REMIT, the Regulation on Wholesale Energy Market Integrity and Transparency, which has been in force since early 2012. The adoption of REMIT II is part of the European package of measures to reform the electricity market design. This European package aims to utilise the experiences gained during the energy crisis to achieve long-term stabilisation of the electricity markets.

The most important changes introduced by REMIT II are as follows:

2. Extension of the scope of application

REMIT II changes the definition of wholesale energy products. Both contracts for the supply of LNG and storage contracts are now included. Additionally, REMIT II includes contracts for the supply of electricity and derivatives related to electricity which may result in a delivery in the Union as a result of single day-ahead and intraday coupling in the electricity sector. For trading orders placed in a third country participating in the Union’s single day-ahead and intraday coupling, the optimal matching of bids may result in a contract for the supply of electricity for delivery within the Union. The legislator clarifies that these contracts shall also be subject to the REMIT regulatory regime.

The existence of a wholesale energy product is the essential prerequisite for the applicability of the market abuse prohibitions and reporting obligations. By changing this definition, the legislator expands the scope of their applicability.

Additional elements are introduced in the provisions on market manipulation and insider trading. The regulation expands the list of actions that potentially fulfil the provisions on market abuse, introducing additional alternatives. REMIT II also introduces catch-all provisions to address previous difficulties in subsuming certain trading practices under the legal provisions. These amendments align REMIT with financial market regulation, which served as a model for the wholesale energy markets’ protection regime in 2011.

3. Harmonisation of fines

The practice of setting fines varies significantly among Member States, particularly regarding the amounts imposed. In recent years, fines have ranged from low four-digit amounts to tens of millions. With REMIT II, the legislator goes further in intervening in national sanction laws than before. REMIT I stipulated that sanctions must be effective, dissuasive, and proportionate, considering the nature, duration and seriousness of the infringement, the damage to consumers, and the potential gains resulting from trading. REMIT II substantiates this requirement: the regulation raises the upper limit of fines by setting maximum amounts for fines that a Member State must at least provide for the fining of a violation. For example, for market manipulation, the national regulatory authority must be able to impose a fine of at least 15% of the annual total turnover in the preceding financial year against a legal entity. In future, fines of at least up to 5 million euros can be imposed on a natural person. This requirement contains a clear mandate to the Member States to increase the maximum amounts provided for under their national laws.

4. Strengthening cooperation between authorities

According to the REMIT concept, a broad information base is essential for enforcing the prohibition of abuse. To this end, REMIT II strengthens cooperation between national authorities. In particular, it promotes the sharing of information, which is intended to close information gaps at individual authorities. However, REMIT II does not only focus on energy regulators, but also takes supervisory authorities from other markets into consideration. For example, the exchange of information between financial and energy regulators will be intensified.

5. New powers for ACER

In addition to its market surveillance function, ACER can also investigate suspected cases with cross-border relevance on the basis of REMIT II. The reason behind this change was the realisation that market abuse is increasingly taking place across borders. In the past, difficulties have arisen in prosecution when determining responsibilities. ACER’s involvement creates new capacities for investigating suspected cases. Under REMIT II, for example, ACER is authorised to carry out on-site inspections, request information, and impose penalty payments to enforce the investigative measures. However, the right to sanction violations remains exclusively with national regulatory authorities.

6. Expansion of reporting obligations

REMIT II expands existing reporting obligations and introduces new ones. For example, the reporting obligation for persons professionally arranging transactions is expanded. In future, they will no longer only have to report suspicious transactions, but also suspicious trading orders. With the expansion of the definition of wholesale energy products, existing reporting obligations are correspondingly expanded. REMIT II also implements additional reporting obligations, for example, for operators of algorithmic trading. These changes must be taken into account when (re-)organising internal reporting processes.

7. Algorithmic trading

REMIT I, which came into force in 2012, did not yet contain any regulations on algorithmic trading. This type of trading has increased significantly in recent years, partially surpassing manual trading. Due to its relevance, ACER clarified in its application guideline that trading by means of algorithms can also fall under abuse prohibitions.

REMIT II contains additional requirements for the resilience of algorithms. Market participants must design their algorithms to avoid causing disruptions in the market. REMIT II also stipulates monitoring and documentation obligations. Market participants engaging in algorithmic trading are also required to notify the national regulatory authority and ACER. The national regulatory authority can request specific evidence from market participants. Therefore, the newly introduced retention periods must be particularly observed.

8. Need for action

Market participants must immediately review and, if necessary, adjust their trading and reporting processes and internal compliance regulations to the new legal framework. The amended regulations regularly require significant adjustments to established practice, which demand time and resources. In light of the stricter sanctions, these adjustments must be carried out all the more carefully.

 

unyer Working Group Energy / Infrastructure
Lilith Boos
Dr Holger Stappert
Manuel Tomas

Product liability of medtech companies on the German market: International regulations vs. national liability

The safety of medical devices is of utmost importance for the health of patients around the world. Numerous regulations, particularly by the European Commission, are therefore commonplace in this industry. Just recently, the EU launched the AI Act to regulate artificial intelligence, with further requirements explicitly for the manufacture of medical devices. However, while the authorisation of medical devices is based on complex international standards, subsequent liability due to any product defects has not yet been part of international legislation. Medtech companies that sell their products on the German market should therefore obtain an overview of national liability law.

Neither the European Medical Devices Regulation nor the German Medical Device Law Implementation Act (MPDG) contains regulations on product liability. Instead, the industry-independent German Act on Liability for Defective Products and the German Civil Code are the basis for liability claims.

The Act on Liability for Defective Products is the key basis for liability. It provides for a no-fault claim for damages by the injured party if they have suffered physical damage due to a design, instruction or manufacturing defect. Damages due to defective monitoring of the product after market entry are not covered.

Proving a mistake is the key to product liability litigation. In principle, the injured party must provide evidence that the product was defective. In practice, however, this is not an overly strict standard, as even a basic presentation of the relevant circumstances places a secondary burden of proof on the manufacturer. It is then up to the manufacturer to demonstrate that its product is in order.

However, this product liability does not only apply to traditional end-manufacturers, but also to companies that claim to be the manufacturer of a product by affixing their trade mark or that import a product into the European Economic Area. Even distributors can be held liable. In the event of a justified claim, they are obliged to name the manufacturer. If the manufacturer cannot be identified, the distributor is itself liable.

In addition to liability due to a product defect, fault-based liability of all market players in accordance with the general provisions of tort law must also be considered. In particular, this can also be used to assert a breach of a product monitoring obligation even after market launch.

Companies in the medtech sector should therefore protect themselves with detailed documentation. This certainly begins with the manufacturing process due to the extensive EU regulations, but should by no means end with market authorisation. Admittedly, German law does not provide for such high compensation payments as in the USA, for example. Nevertheless, the conditions for a claim are quickly met and, in particular, are not linked to fault by the manufacturer.

 

Dr. Christoph von Burgsdorff, LL.M. (University of Essex)
Working Group Healthcare & Life Science

Luisa Kramer
Working Group Healthcare & Life Science

Payback on sales of medical devices

Pending litigation in Italy

 

Around two thousand claims were raised before the Italian Administrative Court of Rome against the Ministerial and Regional Decrees which, implementing the Legislative Decree 2015, No. 78, Article 9-ter, required suppliers of medical devices, many years later – at the end of 2022 – to pay an amount corresponding to the percentage incidence of their sales to the Regional Healthcare Service (Servizio Sanitario Regionale), in order to contribute to the coverage of the regional governments’ public expenditure on medical devices in excess of a certain limit (as identified by Ministerial Decree 6 July 2022) for FYs 2015, 2016, 2017 and 2018.

The total amount due is about two billion euros, a prohibitive sum for pharmaceutical companies.

The fundamental macro-arguments contained in such claims refer, inter alia, to:

  1. the violation of the constitutional principle of reasonableness, proportionality as well as transparency;
  2. the impossibility for the private companies to know and quantify, in terms of provisions and/or potential liabilities, the excess of the public expenditure;
  3. lack of transparency about the list of suppliers, the uniformity of the products and the figures.

The Administrative Court of Lazio, in the second half of 2023, issued a temporary decision in almost every pending claim which suspended all the deeds challenged, until the final decision on the merits.

In the meantime, the same Court has published a temporary decision, deciding to submit to the Constitutional Court the issue relating to the legitimacy of the payback system, provided by the said Legislative Decree No. 78/2015.

Therefore, the outcome of all the claims raised before the Court is still uncertain and will depend on the decision of the Constitutional Court which is expected by the end of 2024.

That is not all. The companies manufacturing and distributing medical devices are now going to face further difficulties in running their business.

A Ministerial Decree, published in the Official Journal on 9 February 2024, implementing EU Regulations No. 2015/745 and 746/2017 and European Delegation Law No. 53/2021, which established the “medical device government financing system”, provides for the payment of an annual share of 0.75% of their turnover, net of VAT, deriving from sales of medical devices to the National Health Service.

Many of the arguments and complaints of constitutional illegitimacy made in the payback litigation could ground further claims against the said rules and regulations.

Consequently, further initiatives are expected from the companies involved to protect their profit margins, already seriously jeopardized by the payback system, with the additional risk that inevitable increases in bid prices would result in greater regional public spending on the purchase of medical devices and further difficulties in guaranteeing an efficient health service to citizens.

 

Ermanno Vaglio
Pirola Pennuto Zei & Associati, Associate Partner
Working Group Healthcare & Life Science

Proposed EU AI Act’s application to medical devices

The recitals of the proposal for a Regulation laying down harmonised rules on artificial intelligence (the “AI Act”) state that “By improving prediction, optimising operations and resource allocation … the use of artificial intelligence can provide key competitive advantages to companies and support socially and environmentally beneficial outcomes”, in particular in the area of healthcare.[1]

At the same time, the European Parliamentary Research Service has highlighted that the use of AI in healthcare poses a number of clinical, social and ethical risks, particularly with regard to medical devices including software as a medical device.[2]

In order to balance those risks and advantages, the proposed AI Act sets out rules that will regulate so-called ‘AI systems’ based on their capacity to cause harm to society following a ‘risk-based’ approach.

To that end, the proposed AI Act sets out strict rules for the use of what are termed ‘high-risk’ AI systems, ie AI systems that:

  • are “intended to be used as a safety component of a product, or the AI system is itself a product” that is subject to EU harmonisation legislation listed in Annex II of the proposed AI Act (including notably Regulation 2017/745 of 5 April 2017 on medical devices or Regulation 2017/746 of 5 April 2017 on in vitro diagnostic medical devices);
  • where the product, or the AI system as a product, “is required to undergo a third-party conformity assessment, with a view to the placing on the market or putting into service” pursuant to such EU harmonisation legislation (article 6).

Given the reach of that definition, a significant percentage of AI systems used in medical devices (classes IIa, IIb and III) and in vitro diagnostic medical devices (class D) are likely to be captured by the proposed AI Act.

Thereafter – in addition to their existing obligations under the MDR and IVDR – providers, deployers, importers and distributors of medical devices qualifying as high-risk AI systems will be subject to a raft of new requirements, including:

  • Establishing, implementing, documenting and maintaining a risk management system and, for providers of such systems, implementing a quality management system;
  • Developing models trained with data on the basis of training, validation and testing data sets that meet certain quality criteria;
  • Drawing up technical documentation and keeping it up to date;
  • Ensuring the capability of automatic recording of logs over the duration of the system’s lifetime;
  • Ensuring sufficient transparency to enable deployers to interpret the system’s output and to use it appropriately and, for providers of AI systems intended to directly interact with natural persons, ensuring that such systems inform the concerned persons that they are interacting with an AI system, unless this is obvious;
  • Ensuring effective oversight by natural persons throughout the system’s lifecycle; and
  • Ensuring that the system achieves an appropriate level of accuracy, robustness, and cybersecurity.

In addition, deployers of high-risk AI systems that are bodies governed by public law or private operators providing public services (ie clinics and hospitals) will be required to perform an assessment of the impact of the system’s use on fundamental rights.

Non-compliance by providers of high-risk AI systems shall be subject to administrative fines of up to 15 million euros or, if the offender is a company, up to 3% of its total worldwide annual turnover for the preceding financial year, whichever is higher.

Beyond these penalties set out in the proposed AI Act, Member States will need to legislate penalties that are “effective, proportionate, and dissuasive”, as well as other enforcement measures in case of infringement.

The proposed AI Act was approved by the Council of the EU’s Committee of Permanent Representatives on 2 February 2024 and was endorsed by the European Parliament’s civil liberties and internal market committees on 13 February. The full European Parliament plenary vote is anticipated in April this year.

As the text of the future AI Act moves closer to being legislated, entities active in the medical device sector or involved in deploying medical devices would be well-advised to get a head start on the new EU rules applicable to AI systems – and the national provisions that will quickly follow – in order to avoid interruptions to their day-to-day operations.

 

Jean-Baptiste Chanial
FIDAL, Senior Partner
Working Group Healthcare & Life Science

Ruslan Churches
FIDAL, Senior Associate
Working Group Healthcare & Life Science

 

[1] Proposal for a regulation of the European Parliament and of the Council laying down harmonised rules on artificial intelligence (Artificial Intelligence Act) and amending certain Union legislative acts.
[2] ‘Artificial intelligence in healthcare: Applications, risks, and ethical and societal impacts’, European Parliamentary Research Service, Scientific Foresight Unit, PE 729.512, June 2022.

Revolutionising Healthcare and Life Science Supply Chains with Metaverse Technology

The Healthcare and Life Science sector is currently facing numerous supply chain challenges arising from the shortage of materials, increased costs, and staff shortages due to the COVID-19 pandemic, wars, and other ongoing crises.

It is now more crucial than ever to address these challenges, and one way to do so is by utilising new technologies such as Artificial Intelligence (AI). Intelligent workflows have been shown to effectively assist supply chain managers, and by incorporating AI into the supply chain, it can be made more effective and reliable. The implementation of AI can lead to the creation of a digital supply chain that can automatically respond to any crisis based on the programmed control unit. For example, if inventory levels fall below a particular value, AI can perform predictive ordering by checking networked databases on prices, delivery terms and general terms and conditions. Once AI places an order, it can confirm with another AI by checking inventory and production capacity.

Metaverse technology can further improve the digital supply chain by using “Predictive Maintenance” which monitors the performance and condition of equipment and assets, reducing the chances of failure.

However, the adoption of AI technology calls for appropriate regulations to create a legal framework that ensures legal certainty: Who concludes the contract in an automated ordering process between two AI? Is the AI an ‘e-person’ with legal capacity? What is the content of the contract? These questions require clear answers as AI does not weigh divergences in the contract as an experienced lawyer would. It is even more concerning when AI makes incorrect declarations due to technical defects or programming errors.

To mitigate these issues, the European Union is currently developing an AI law to ensure that AI systems in the European Union are safe, transparent, traceable, non-discriminatory, and environmentally friendly. To prevent harmful consequences, the European Parliament advocates for the oversight of AI systems by humans instead of automated mechanisms. Furthermore, there is a strong effort of the European Parliament to establish a technology-neutral, unified approach to AI systems for application to future systems.

The legal framework could solve the legal uncertainties that may arise from the use of AI in the supply chain. In December 2023, the European Parliament reached a provisional agreement with the European Council on the AI Act. The agreed text will now have to be formally adopted by both the European Parliament and the European Council to become EU law.

 

Dr. Christoph von Burgsdorff, LL.M.
Luther Lawfirm, Partner
Industry Group Healthcare & Life Science

Luisa Kramer
Luther Lawfirm, Associate
Industry Group Healthcare & Life Science