Balancing transparency and intellectual property: obligations of data processing service providers in the medical device industry

In recent years, various data protection regulations and laws have been published globally, many mirroring aspects of the European GDPR. A key principle in these regulations is the transparency of data processing. This principle mandates that data controllers provide individuals with insights into the reasons, methods, entities, and processes involved in data processing, allowing them to make informed decisions.

Transparency in data processing

Transparency in data processing comes with obligations, especially in modern sales models involving multiple contributors and parties. For example, consider a scenario where a hospital uses a patient’s health data for AI-supported disease progression prediction. The AI service is typically not developed or hosted within the hospital, making the hospital a data controller reliant on sub-processors who provide the service. These sub-processors might include cloud hosting companies, web application security system providers, etc. The hospital, as the data controller, must inform the patient about the data processing activities.

Understanding data processing activities

For the data controller to comply with regulations, it must understand the data processing activities and obtain insights from the service provider. This understanding is crucial for evaluating whether to use a particular service. However, service providers often hesitate to disclose detailed information due to competition concerns. Despite this, regulations require the data controller to be aware of the service provider’s technical and organisational measures. Often, the technical information provided is a summary, mentioning encryption or web application security systems without offering deep insights. This superficial information is insufficient for a thorough data protection impact assessment by the data controller.

Regulatory requirements and industry trends

Modern directives, such as KRITIS and NIS2, require that a certain level of insight be made available to the data controller. Upcoming regulations like the EU Data Act further emphasise transparency by enabling access to monitoring measures. Service providers must navigate the challenge of protecting their intellectual property while sharing enough information to allow customers to use their products confidently.

Balancing transparency and protection

Service providers must decide what information to share with their customers and establish a sufficient level of trust. Transparency can facilitate better market access, but it also risks competitors copying the service. This trade-off is particularly challenging for smaller entities, which may find it difficult to balance transparency with protecting their intellectual property.

Our data protection expert Roland Schnitter will be happy to help you bridge the gap between openness and data protection in your company: roland.schnitter@eumediq.eu.