If Coronalert, the contact-tracing app for Belgium, qualifies as a medical device, the manufacturer has to ensure that the app meets all the legal requirements set by the EU law on medical devices. Based on the previous analysis concerning the qualification of such app as a medical device, this blog moves further to explore which entity in Belgium could be considered the app manufacturer and which obligations would apply to it.
Who is the manufacturer in theory?
Identifying who has the role of the medical device's manufacturer is crucial to understand who has the ultimate responsibility for the device conformity to the Medical Device Directive (MDD) requirements.
The MDD defines the manufacturer as the natural or legal person who has the responsibility for 'the design, manufacture, packaging and labelling of a device before it is placed on the market under his own name, regardless of whether these operations are carried out by on his behalf by a third party' (MDD, art 1(f)).
This definition implies two crucial criteria to evaluate who is the manufacturer:
- First, it entails that the entity shall manufacture (or have the medical devices manufactured) on his behalf.
- Second, the entity shall market the product under its own name or trademark. If the product is marketed under another person's name or trademark, this person will be considered as the manufacturer.
At the same time, the definition provides (by stating 'carried out by [..] a third party') that the manufacturer may outsource the manufacturing processes of a medical device to another entity while remaining mainly responsible for the manufacturing of the product. In this case, the first entity-manufacturer must retain the overall control for the product, and ultimately, it may in no circumstances discharge himself from his responsibilities.
Who is the manufacturer in practice?
To define which entity is a manufacturer of the Belgian Coronalert app, it is necessary to establish who are the involved entities, and what is their relationship.
For the development of Coronalert app, the Belgian government has set up an interfederal working group in charge of the development of the contact-tracing app. This group runs under the responsibility of the Belgian Interfederal Committee for Testing and Tracing which includes representatives and experts from Belgian federated entities (Regions and Communities), Sciensano and the eHealth platform.
The commissioning of the app went via a public tender for the purchase of services set up by Smals – of which Sciensano is a member. In this procedure, Smals acts as a contracting authority and a central purchasing body, and Sciensano is granted with awarding powers. We could not access the documentation concerning the awarding of the tender. However, according to the media and information available online, it appears that the company 'DevSide' will develop the Coronalert app in strict coordination with Sciensano. If this perspective is true, it means that DevSide is acting a third party with regard to the interfederal working group and Sciensano. Thus, under medical devices law, it may be considered as a subcontractor for the manufacturing of the product.
Moreover, in the Coronalert website's Privacy Notice, we found that the Coronalert is provided by Sciensano, which 'has commissioned DevSide to operate and maintain part of the technical infrastructure of the App'. The same Privacy Notice also reports that – for the effects of privacy and data protection law – Sciensano will be the controller, while DevSide will be the processor. This aspect means that Sciensano is setting the purposes of the processing of personal data, while DevSide will process the data on Sciensano's behalf.
The information above turns essential to evaluate who could be the manufacturer for Coronalert – if considered as a medical device. Going back to the two MDD criteria, we envisage the following hypothesis:
- Concerning the first criterion (manufacturing), Sciensano appears to 'have the product manufactured' (via a tender for the supply of services) by DevSide. The development of the app seems to be under the direction and responsibility of Sciensano, while DevSide 'maintains and operates the technical infrastructure of the app'.
- Concerning the second criterion (marketing of the product under own name), from the information available online at the time this blog was written, it appears that the app will be manufactured under the name of Sciensano as a legal person, which will also bear responsibilities as a controller for the processing of personal data carried out by the app.
In light of these factors, it may be concluded that Sciensano might be considered as the manufacturer of the Coronalert app within the meaning of MDD – should Sciensano qualify the app itself as a medical device.
Annex IX Section 1.4 MDD states that a stand-alone software which falls under the definition of a medical device shall be considered as an active medical device. This means that rules 9, 10, 11, and 12 of Annex IX MDD apply and should be examined in order to determine to which class the stand-alone software computing data for the benefit of individual patients to prevent COVID-19 disease belongs.
Rule 9 refers to active therapeutic devices; rule 10 regulates active devices for diagnosis; rule 11 deals with active devices to administer and/or remove medicines, body liquids or other substances to or from the body. Consequently, none of the three rules applies to the abovementioned software for proximity tracing since its purpose is the prevention of a COVID-19 disease.
Therefore, rule 12 should be followed. According to this rule, all other active medical devices not fitting into rules 9-11 fall into Class I medical devices.
Hence, the stand-alone software whose purpose is to reduce the rate of transmission and to advise a user on what to do upon receiving a notification to prevent COVID-19 disease belongs to Class I medical devices.
For placing on the market of Class I medical device, its manufacturer has to comply with the requirements defined by MDD and further elaborated in the Guidance Notes for Manufacturers of Class I Medical Devices by the European Commission Medical Devices Expert Group ('MDEG 2009'). The latter document prescribes eight necessary steps for Class I medical devices.
- Steps 1-2 require the manufacturer to double-check that the product is indeed a medical device following Article 1(2) MDD as well as that the device falls under the Class I risk category defined in Annex IX MDD;
- Step 3 establishes procedures to be followed before placing a device on the market:
- First, the device must meet the essential requirements set out in Annex I MDD. This means that the device must be "designed and manufactured in such a way that, when used under normal conditions of use and for the purposes intended by the manufacturer, they will not compromise the clinical condition or the safety of patients or the safety and health of users or other persons, provided that any risks which may be associated with their use constitute acceptable risks when weighed against the benefits to the patient and are compatible with a high level of protection of health and safety" (MDEG 2009);
- Second, the manufacturer has to prepare technical documentation demonstrating the conformity of the device with the MDD requirements. This documentation has to be prepared before drawing up the EC declaration of conformity and kept available for review by the Competent Authority. Moreover, the documentation should be prepared following a review of the essential requirements and other relevant requirements of the Directive and must cover all of the following aspects: description, component documentation, intermediate product and sub-assembly documentation, final product documentation, packaging and labelling documentation, design verification, risk management, compliance with the essential requirements and harmonised standards, clinical data (if applicable), etc;
- Third, the manufacturer also needs to prepare instructions for use and labelling by following MDD provisions.
- Step 4 requires drawing up the EC declaration of conformity. With such a declaration, the manufacturer confirms that the device concerned met the provisions of MDD;
- Step 5 requires CE marking affix to Class I medical devices placed on the market;
- while under step 6 the manufacturer has to inform the Competent Authority of the country of the registered place of business, the address of the registered place of business, and a description of the device;
- Under steps 7-8, the manufacturer is responsible for recording, evaluating and notifying incidents as well as to put in place and keep updated a procedure to review experience gained from devices on the market and to implement necessary corrective action taking account of nature and risks concerning the product.
This blog took the Belgian Coronalert app as a practical example to provide a short analysis of who is the entity subject to which legal requirements, stemming from the EU law on medical devices.
First, we introduced the role of the manufacturer, as the primary entity responsible for device conformity to the law. We understood that for the Coronalert, Sciensiano would likely qualify as 'manufacturer' in light of the currently applicable MDD. DevSide would have the role of a mere subcontractor for the development of the app.
Second, we explained how Coronalert might belong to a low-risk medical device (Class I MDD). Its manufacturer should thus follow obligations foreseen by MDD and the eight steps provided by the European Commission Medical Devices Expert Group.
About the authors:
Elisabetta Biasin is a Researcher in Law at the KU Leuven Centre for IT and IP Law (CiTiP). She is currently involved in several eHealth research projects (including Made4You/Careables.org, SAFECARE, PharmaLedger) where she focuses on privacy and data protection, (cyber)security, health and medical devices law. Her research concerns regulatory aspects related to Cyborgism, Open Source Hardware in healthcare, medical devices cybersecurity.
Erik Kamenjasevic is a PhD researcher in law and ethics at the KU Leuven Centre for IT and IP Law (CiTiP). The main focus of his research is on regulatory aspects of e-Health and human enhancement technologies.
The views expressed in this paper are those of the authors and do not necessarily reflect the views or policies of the Knowledge Center Data & Society or CiTiP. The paper aims to contribute to the existing debate.
Images taken from https://coronalert.be