For US healthcare companies considering an acquisition of a medical device or in vitro diagnostics company in the EU or that has a material part of its business in the EU, there are legal changes taking place in the EU that should be addressed during the due diligence process, financial model development, conditions precedent and subsequent, and negotiation of representations & warranties in a definitive purchase agreement. Two key areas of change include the EU’s recent Medical Device Regulation (MDR) and the General Data Protection Regulation (GDPR).
For many years, American device manufacturers have launched devices first in Europe, as the requirements under the EU’s previous Medical Device Directive were lower than analogous FDA rules in the US. This was especially true for high-risk devices in the Class III category, where small clinical studies that were deemed sufficient for EU commercialization fell short of the FDA’s required level of data to confirm the safety and effectiveness of the device in the US. In the case of in vitro diagnostics, the vast majority of products did not require approval through “Notified Bodies” (EU’s term for a private third party that has been accredited to assess healthcare products on behalf of an EU country’s healthcare regulator) and could be placed on the market after self-certification without pre-market authority oversight.
Several public health scandals associated with defective breast implants and hip implants profoundly influenced the new EU medical devices and IVD rules that were proposed first in 2012. In May of 2017, the EU’s new Medical Device Regulation and IVD Regulation came into effect, and device makers have 3 years in which to comply while in vitro diagnostic companies have 5 years. An essential feature is that current devices are not “grandfathered” into the new requirements, and the net effect of the MDR and IVDR will be an increase in regulatory burden on industry, in some ways bringing the EU’s rules closer to the FDA’s rules.
For example, the MDR requires universal device identifiers, increased clinical trial data for Class III devices, post-market surveillance reports, an expanded adverse event database (EUDAMED), and a spike in the percentage of in vitro diagnostics that require pre-market approval from below 20% to above 80%. Those elements are largely status quo in the US.
The two regulations require that Notified Bodies are re-accredited for issuing MDR and IVDR certificates. The re-accreditation will take place against much stricter rules than currently apply and many Notified Bodies are planning to exit the business in light of the staff increases needed to process more submissions, review more clinical data, and add new post-market surveillance obligations (e.g., unannounced audits) to an already-stretched group. In addition, the UK’s “Brexit” is causing massive insecurity around the four UK notified bodies. Some of them are currently trying to move to the continent to be accredited there, while others seem to be betting on a soft Brexit, allowing the UK to be tied into the EU internal market in a way that preserves its right to nominate Notified Bodies for the EU internal market. Brexit is further causing upheaval on the drug side as the European Medicines Agency (EU’s centralized FDA for drugs) contemplates leaving Great Britain and moving to one of the 19 EU countries offering it a new home, causing delays and staff losses that are likely to affect the medical device industry as well. The EMA will announce a decision in November 2017.
M&A strategy to address MDR and IVDR risk
From an M&A perspective, the situation is somewhat like the environmental rules that changed in the US decades ago, where all acquisition agreements came to include detailed representations and warranties about environmental law compliance that, without proper disclosure, left buyers with substantial unexpected post-closing expenses. For the MDR and IVDR there is the additional risk that a company will not be able to remediate its devices to the new standards before the end of the transitional periods and that its notified body may not be able to issue an MDR or IVDR certificate in time before the end of the transitional period.
Combined with the non-grandfathering, this means that investment in a company that does not execute a well-thought-out gap assessment and subsequent transition plan that brings it into timely compliance will be very risky. These companies will likely not be compliant by the time that the transitional period ends. Lacking MDR or IVDR certificates means they will not be allowed to place further product on the market in the EU and their EU business and market share will collapse.
A gap assessment and transition plan is therefore the first thing to look for in due diligence. By conventional wisdom and planning, a company should more or less be finished with its gap assessment at this point in time and be working on implementing the results – retiring, remediating, or replacing each of its EU marketed devices. If a company does not have a credible gap assessment and transition plan, proceed with caution because the company risks losing its entire EU market. If a company defends the absence of such measures with the excuse that ‘many things are still unclear,’ this is a sign of absence of a pro-active compliance culture in the company. In that case it may even be wise to wait for the company to get in trouble at the end of the transitional period and then buy it in the ensuing fire sale scenario for a fraction of the price. Several large device manufacturers and private equity funds are already making lists of fire sale candidates to add to their portfolios at low prices.
Staffing and executing the gap assessment and transition plan is costly and time-consuming. The gap assessment may show that for particular devices significant investments in clinical data must be made in order to make them compliant to MDR or IVDR standards. This occurs especially for devices that are up-classified under new classification rules, such as standalone software (from class I to potentially class III). As a consequence, the entire financial model underlying the product can be nullified by unanticipated costs. The business development team’s financial models cannot assume an inflation-based increase in cost of goods sold if the products are medical devices or in vitro diagnostics whose regulatory and quality costs are about to rise dramatically over the next 3-5 years due to the MDR and IVDR. The added cost of MDR and IVDR compliance needs to be a line item in the spreadsheet, not only for immediate remediation of devices to MDR and IVDR compliance but also for sustained compliance under the new rules.
While similar to post-closing compliance expenses where target company business practices and sales “culture” must be integrated and conformed to the acquiring company’s risk tolerance, quality & regulatory processes are upstream (non-customer facing) activities where everything being done may be fully compliant today, but will not be in the near future. Buyers and sellers need to negotiate the allocation or sharing of these costs, and, in some cases, the purchase price may need to be adjusted, partially escrowed, or converted to “earn-outs” in the event that, for example, a current revenue-generating device or highly-anticipated new in vitro diagnostic struggles to regain or obtain regulatory approval under the new standards, despite the best efforts of the buyer and no improper activity on the part of the seller. A sound gap analysis and roll-out of a transition plan to the satisfaction of the buyer must be a condition precedent.
General Data Protection Regulation (http://www.eugdpr.org/)
On privacy, the industry’s historical opinion is the reverse of that for medical device regulation – that is, the EU rules have long been viewed as more stringent than any privacy rules in the US. Indeed, the US has never been on the EU’s list of countries whose privacy laws are deemed to provide “adequate protection of personal data” (and so we’ve always relied upon an alternate arrangement, such as the current “EU-US Privacy Shield”).
The EU describes the GDPR as the most important change in data privacy regulation in 20 years. And the transition period is ending soon, with enforcement set to begin on May 25, 2018. This means that, like the MDR and IVDR, a thoughtful gap assessment and transition plan is key. As with the MDR and IVDR, the GDPR is an increase in regulation from a healthcare company perspective, providing increased regulation for health, genetic and biometric data. If a company does not have a robust gap assessment and transition plan by now, it is likely to be non-compliant under the GDPR.
Like the US Foreign Corrupt Practices Act, the GDPR has extra-territorial effect, and it allows a right of action against anyone who uses (a data controller, like HIPAA’s “covered entity”) or handles (a data processor, like HIPAA’s “business associate”) the personal data of a person under EU jurisdiction. Note that the GDPR’s definition of “personal data” is far broader than HIPAA’s definition of “protected health information,” as, for example, the EU includes “health related posts on social networking websites” as an example of personal data that is in-scope of the GDPR. Fines are graduated with a maximum penalty of 4% of worldwide revenue/turnover.
Other key changes include the need to appoint a Data Privacy Officer, report breaches within 72 hours with no de minimis exclusion, a private right of action, and a “plain language” requirement for written consents (including the ability of citizens to inquire about what data are collected on them, correct it, or revoke consent under a so-called “right to be forgotten”).
Other new features are the principles of privacy by design and default and the requirement to perform privacy impact assessments as a pre-condition for processing sensitive personal data (including personal data concerning health). The GDPR’s privacy by design requirements and new security requirements overlap critically with the new MDR and IVDR software design requirements for embedded and standalone software. As a result, design and risk management considerations have to be evaluated under both sets of rules, which companies typically do not do currently. This impacts any devices processing personal data ranging from connected blood glucose meters to apps on smartphones to capital equipment and standalone software used in health institutions.
M&A strategy to address GDPR risk
In due diligence, the buyer must conduct a gap analysis to determine whether the seller’s existing privacy infrastructure needs to be upgraded before Q2 of 2018. As with environmental concerns, a pre-closing risk assessment may be commissioned, and a smart seller might hire their own consultant in order to provide a copy of an “upbeat” report to all prospective buyers.
One topic to focus on is privacy by design, which includes encryption and the seller’s current method of de-identifying data, and the way that this ties into the overall risk management plans for addressing privacy and security risks for the processes concerned. Under both the GDPR and HIPAA, this could provide a basis for avoiding breach notification and other obligations. The GDPR uses the term “pseudonymization” of data to mean “the processing of personal data in such a way that the data can no longer be attributed to a specific data subject without the use of additional information” and advocates this as an example of implementation of privacy by design.
To the extent issues are found (e.g., missing proof of consent for patient data), the solutions are the same as for other due diligence findings and as described above for MDR and IVDR risk, including purchase price adjustments/escrow/earn-out, modification to financial models, and/or a representation regarding the pedigree of personal data that the buyer plans to rely upon for product development, marketing, or quality & regulatory purposes. In some cases, commingled data or access systems may need to be separated and categorized, and that cost should be addressed before closing. The post-closing survival of seller representations & warranties is a negotiated issue, but the typical period of 12-18 months needs to be taken into account in post-closing integration plans to fully assess privacy issues once the seller is in control.
It is unusual for the EU to simultaneously implement major changes to medical device and data privacy regulations. The UK’s “Brexit” process also adds uncertainty. For American companies that plan to acquire or invest in EU medical device or in vitro diagnostic firms, the potential added costs of these changes need to be taken into account, even if the seller is fully compliant to all applicable requirements at the time of sale.
About the Authors
Roger Cepeda, JD, MBA is a commercial, regulatory, and compliance attorney at Health Sciences Law Group LLC. For most of his career, he served as in-house counsel at global healthcare companies, including GE Healthcare and Baxter Healthcare. He may be reached at firstname.lastname@example.org
Erik Vollebregt specialises in EU and national legal and regulatory issues relating to medical devices, including eHealth, mHealth, software and protection of personal data. He is an expert in life sciences regulation at EU and Dutch level, with a focus on contracts, regulatory litigation against competent authorities and M&A. He may be reached at: email@example.com