Digital Healthcare 2025

UK Law and Practice Contributed by: Amélie Chollet, Hannah Curtis and David Dennis, CMS

Selfcare, Wellness and Fitness IT Products (IoT, Wearables)

If classified as medical devices, these products follow the respective medical device regulations (GB or NI frameworks). Non-medical device products remain subject to general product safety laws, including the General Product Safety Regulations 2005 (GB) and applicable consumer protection legislation. Classification guidance helps determine when software and apps constitute medical devices. For example, general fitness tracking typically falls outside medical device regulation, while diagnostic applications would be regulated as medical devices.

Cybersecurity and Data Protection

If the personal data of users/patients is processed using digital health software, such processing must comply with the data protection laws in force in the UK, in particular with:

• the UK General Data Protection Regulation (UK GDPR);
• the Data Protection Act 2018 (DPA); and
• the Privacy and Electronic Communications (EC Directive) Regulations 2003 (PECR), to the extent relevant.

The UK GDPR generally governs the processing of personal data and requires that any processing undertaken be done (among other things) lawfully, fairly and in a transparent manner. (See in particular Articles 5(1)(a), 6, 13 and 14 UK GDPR.) The UK GDPR also imposes further conditions on the processing of “special category data”, including health data. (See Article 9 UK GDPR.)

The DPA is a national law which supplements the UK GDPR and (among other things) sets out additional requirements for the processing of special category data. The PECR sit alongside the DPA and UK GDPR and impose specific requirements in the context of marketing, cookies, keeping communications secure and customer privacy.

Enhanced cybersecurity requirements for medical device software are under consideration as part of ongoing regulatory reforms in GB.

Data protection laws apply to the processing of personal data, including health data, and impose requirements for lawfulness, transparency, security and data subject rights.

Artificial Intelligence (AI) and Machine Learning (ML)

No dedicated AI legislation

The UK does not currently have a standalone legal framework specifically for AI or ML. Instead, existing sectoral regulations apply. In digital health, this means that AI/ML-based software is regulated as a medical device if it meets the definition under the UK Medical Devices Regulations 2002 (as amended). This requires compliance with safety, performance and technical documentation standards, including those specific to the use of AI/ML.

Principles-based, pro-innovation strategy

The UK government has articulated a “pro-innovation” approach to AI regulation. In July 2022, the UK published its policy paper, “Establishing a pro-innovation approach to regulating AI”, which sets out five cross-sectoral principles for regulators to apply. These principles are intended to guide existing regulators (such as the MHRA, the ICO and others) in their oversight of AI, rather than creating a new, centralised AI regulator. The principles are as follows:
