New Copyright Directive approved by the EU Parliament

On 26 March 2019, a fierce battle took place in the arena of the EU Parliament. Arguments flowing back and forth resulted in a close majority in favour of the supporters of the new Directive (EU) 2019 of the European Parliament and of the Council on copyright and related rights in the Digital Single Market and amending Directives 96/9/EC and 2001/29/EC (hereinafter: the New Copyright Directive). You may find the debate here and the final text as adopted here.

The fact that the European Commission launched the proposal back in September 2016 with a legislative process lasting nearly two and a half years and only 348 Members of the European Parliament (hereinafter: MEP) voting in favour, while 274 MEP voted against and 36 MEP abstained, illustrates the controversial nature of the New Copyright Directive. This led to the adoption of the current text containing merely 32 articles, accompanied by almost three times that number of recitals, i.e. 86.

Closing the value gap

The biggest battle was fought over the new obligations and the personal scope of Online Content-Sharing Service Providers (hereinafter: OCSSP). When reading between the lines of the personal scope, the thresholds and the exemptions, it seems that the new rules on the internet are tailored towards big information society service providers such as YouTube, Facebook and similar platforms. The goal of the New Copyright Directive is clear: the EU only intends to regulate the internet to the extent necessary to tackle the famous “value gap” and ensure appropriate remuneration for rightholders for the use of their protected works on the internet.

Under the New Copyright Directive, an OCSSP means “a provider of information society service of which the main or one of the main purposes is to store and give the public access to a large amount of copyright-protected works or other protected subject matter uploaded by its users, which it organises and promotes for profit-making purposes”.

Despite clear indications, the New Copyright Directive still leaves room for interpretation of this new key concept. It will be interesting to see how courts will define the boundaries and interpret the open notions like “main” and “large”. What is certain, is that activities of providers of services like Wikipedia (online encyclopaedia), Dropbox (online storage), eBay (online marketplace) and Telenet or Belgacom (electronic communication services) are not included in the scope as they are explicitly excluded for the reason that they do not have as their main purpose to give to the public access to a large amount of copyright-protected works.

The new obligations on OCSSP flowing from the New Copyright Directive include amongst others that OCSSP must now obtain an authorisation in exchange for an appropriate remuneration from the rightholders in order to communicate the protected works to the public. In the event that they cannot obtain such authorisation, they must demonstrate best efforts to obtain it, demonstrate best efforts to make unavailable unauthorised content for which relevant and necessary information was provided and organise an expeditious notice, take down and stay down mechanism for unauthorised content. The latter must include an effective and expeditious complaint and redress mechanism with a human review in the event of disputes. At the same time, the OCSSP must refrain from general monitoring and over-blocking.

Other key features of the New Copyright Directive

Besides the above-mentioned, other key features of the New Copyright Directive include:

  • New exceptions and limitations covering text and datamining, the use of works in digital and cross-border teaching activities and copies made for the preservation of cultural heritage
  • Measures to ensure wider access to out-of-commerce works by providing the grant of non-exclusive licences to cultural heritage institutions for non-commercial purposes, together with measures to ensure transparency and stakeholder dialogue
  • Measures to facilitate collective licensing and rules governing collective management organisations offering such collective licenses
  • Negotiation mechanism to assist parties facing difficulties related to the licensing of rights for the purpose of making available audiovisual works on VOD platforms
  • New publisher’s rights with regard to online uses of their press publications
  • A right for authors and performers to receive information as well as appropriate and proportionate remuneration when they license or transfer their exclusive rights
  • A right of revocation for authors and performers in case of a lack of exploitation after transferring or licensing their rights on an exclusive basis

Conclusion

The journey is far from over. The Council of Ministers still has to give its final opinion over the New Copyright Directive and it is expected that it will accept the final text on 9 April 2019. After that, the text will be published in the Official Journal and the Member States will have 2 years after the date of entry into force of the directive to transpose it into their national laws.

The rules laid down in this new directive aim at creating a fair balance between access to creative works and appropriate remuneration for the rightholders. It would be in the interest of all stakeholders that users and rightholders come to a mutual understanding and conclude the necessary licenses to keep contents available while at the same time ensuring appropriate remuneration of the rightholders, and ultimately prove the sceptics wrong.

We will keep monitoring the progress of the New Copyright Directive and its implementation and keep you updated.

*     *     *

Philippe Campolini, Peter Blomme and Christopher Dumont

For any question, do not hesitate to contact the authors:
philippe.campolini@simontbraun.eu – +32 2 533 17 52
peter.blomme@simontbraun.eu  – +32 2 533 17 13
christopher.dumont@simontbraun.eu – +32 2 533 17 58

Implementation of the GDPR in Belgium – An overview of the law of 30 July 2018

Following the entry into force of the GDPR on 25 May 2018 (see our news “GDPR – Are you ready?”), the law of 30 July 2018 on the protection of natural persons with regard to the processing of personal data, which repeals the law of 8 December 1992, has been published in the Belgian Official Journal on 5 September 2018 and entered into force the same day.

Although the GDPR is directly applicable in all EU Member States, it contains numerous provisions allowing or requiring the Member States to enact national implementation provisions.

The material scope of the new Belgian law is, however, more extensive than a mere implementation of the GDPR. It also transposes the Directive 2016/680 on the protection of natural persons with regard to the processing of personal data by competent authorities for the purposes of the prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties, and regulates in detail the conditions under which personal data can be processed by various public authorities in that context, including by national intelligence and security services, armed forces, the threat assessment coordination body, the passengers information body, or even the body controlling the police information.

The following overview will focus on the consequences of the law of 30 July 2018 for private undertakings rather than the public sector.

Territorial scope of the law

The territorial scope of the law is determined by criteria similar to those outlined in the GDPR. Therefore, the law applies to any processing of personal data in the context of the activities of the establishment of a controller or a processor in Belgium, as well as to any processing of personal data of data subjects who are in Belgium by a controller or processor not established in Belgium where the processing activities are related to the offering of goods or services to data subjects in Belgium or to the monitoring of the behaviour of data subjects in Belgium.

Age of consent

In accordance with the flexibility provided by the GDPR, the Belgian legislator decided to lower to 13 (instead of 16 in the GDPR) the age from which children can consent themselves to the processing of their personal data by a third party willing to address them a direct offer of information society services.

Sensitive data

Another matter on which the GDPR gives some flexibility to the Member States is the processing of so-called ‘sensitive’ data (particularly, personal data revealing the racial or ethnic origin of the data subject, their political opinions, their religious or philosophical beliefs, their trade union membership, data concerning their health or even their sexual orientation). Namely, the GDPR provides that the Member States can enact reasons of substantial public interest allowing, under certain conditions, the processing of such sensitive data. The Belgian legislator has set a list of processing activities based on such reasons including, in particular, the processing by associations for the defence of human rights or for the assistance to missing or sexually exploited children. Additional conditions oversee the processing of genetic data, biometric data or health-related data.

Judicial data

The GDPR enables the Member States to allow, under certain conditions, the processing of personal data relating to criminal convictions and offences or related security measures by other persons than official authorities. In that respect, the Belgian law notably allows the processing of such data by natural persons or by legal persons governed by public or private law, as long as it is necessary for the management of their own disputes. The law also authorises lawyers to process such data if the defence of their clients requires it. Another specific scenario dealt with by the law is when the personal data are made public by the data subject. In such cases, the processing is allowed provided that it is compatible with the purpose for which the data have been made public. Nonetheless, the lawfulness of those processing activities always depends, in particular, on the respect of the confidential nature of these data.

Specific processing purposes

The processing of personal data for journalistic purposes and for the purposes of academic, artistic or literary expression is subject to an alleviated legal regime to avoid restricting excessively such activities. In particular, the law waives the data controller’s obligation to provide information and limits considerably the rights of the data subjects.

The law also provides for a derogatory regime for personal data processing made for purposes of archiving in the public interest, scientific or historical research, or statistical purposes. In accordance with the GDPR, the law oversees such processing with appropriate safeguards.

Procedural aspects and sanctions

Procedurally, the law creates the possibility for data subjects to seek a ceasing order in case of unlawful processing or to potentially assert their rights, in particular their right of access and of rectification, their right to be forgotten, or even their right to restrict the processing. The data subject can also mandate a body, an organisation or an association to act on their behalf. As the case may be, such ceasing order may also be requested by competent authorities. The judge, adjudicating in such proceedings, can order not only the termination of the breach but also publicity measures if they can contribute to the termination of the breach or its effects. The judge can also order the data controller or data processor to inform third-parties that they had access to data which are inaccurate, incomplete or irrelevant, or whose storage is forbidden. The judge can even be seized by an ex parte application if there are serious reasons to believe that evidence could be concealed, could disappear, or could be made inaccessible, and order any measure to prevent such concealment, disappearance or inaccessibility.

Finally, the law provides for various administrative and criminal sanctions, that can be imposed on the data controller or processor, or against their servants or agents.

*     *     *

Philippe Campolini and Charlotte Behets Wydemans

For more information, please contact the authors:
philippe.campolini@simontbraun.eu
charlotte.behetswydemans@simontbraun.eu
+32 (0)2 533 17 52

 

Unveiling the new Belgian law on the protection of trade secrets

At last, after roughly two years, the EU Directive 2016/943 (hereinafter: The Directive) of 8 July 2016 has finally been transposed by the long-awaited Belgian Law of 30 July 2018 on the Protection of Trade Secrets (hereinafter: The Law) that entered into force on 24 August 2018.

The Law brings clarity, among other things, by giving a legal definition of “trade secrets” and provides useful mechanisms that allow more effective enforcement of the right to the protection of trade secrets.

Considering that The Law is in large part a copy/paste-exercise from The Directive, we first recollect the main objectives and principles of The Directive.

Main objective

It is clear from the recitals and the preparatory documents that The Directive has as its primary objective to establish effective and comparable legal means for protecting trade secrets across the Union in order to facilitate cross-border activities within the internal market.

Globalisation, digit(al)isation, the internet, the lack of common definitions and legal concepts are reoccurring phenomena that create the need for most of the regulatory actions at the European level.  These were specifically problematic in the area of trade secrets considering the high economic value attached to trade secrets, the ease of copying and transferring huge amounts of data, as well as the multinational aspects and strategic considerations that go with a possible leak of trade secrets.

Principles

To achieve the objective mentioned above, The Directive does not only contain articles on substantive law, but also several articles dealing with the procedural side of the coin.

The Directive starts with a homogenous definition of “trade secrets” in order to have a common legal understanding of the concept across the internal market.

Further, it outlines the circumstances in which legal protection of trade secrets is justified. Bearing in mind lawful means of acquisition, use or disclosure of a trade secret, The Directive strikes a careful balance between the interests of the various stakeholders, amongst which are the companies concerned, journalists, whistleblowers and employees. It aims at providing sufficient protection to the right holders, while at the same time neither stifling competition or innovation nor restricting the fundamental freedom of others.

Finally, it contains articles aimed at facilitating, but also encouraging those harmed by a breach to seek and find legal redress. The Directive prescribes that Member States put in place procedures that are not overly burdensome, whilst at the same time providing the persons seeking redress with adequate legal means to address specific issues relating to their trade secrets. The preservation of confidentiality of trade secrets is essential during these procedures.

Key features of The Law

The Law does not deviate noticeably from The Directive and copies the wording of The Directive almost literally in many aspects. There are, however, several articles from The Directive that did not make it into The Law, merely because the legal concepts or mechanisms already existed under Belgian law, such as the legal remedies against abusive exercise of a right.

Just like The Directive, it is worth mentioning that The Law brings clarity to the domain of trade secrets by, for the first time, providing a written legal definition of this concept. It has done so by enumerating the different requirements that need to be fulfilled in order for information to be protected as “trade secrets”. It is interesting to note that these requirements are substantially in line with those already known from the TRIPS Agreement. The new definition reads as follows:

“The information needs to be

  • secret in the sense that it is not, as a body or in the precise configuration and assembly of its components, generally known among or readily accessible to persons within the circles that normally deal with the kind of information in question;
  • it needs to have commercial value because it is secret;
  • and finally it needs to be subject to reasonable steps under the circumstances, by the person lawfully in control of the information, to keep it secret;” (art. 2, 1° The Law, own emphasis).

In light of this new definition, and especially the last requirement, it is recommended that companies re-examine and document their current measures undertaken to keep their valuable information secret to ensure that they can continue enjoying protection under the new legal regime, in addition to documenting the valuable information itself.

A most welcome novelty in Belgian procedural law is the introduction of new confidentiality obligations and mechanisms aimed at protecting trade secrets, not only during but also after the procedure involving these trade secrets. This should provide those harmed with effective legal protection and facilitate the enforcement of their rights. In this regard, The Law gives the possibility to the judge to impose a fine on anyone in breach of their confidentiality obligations, ranging from € 500 to € 25.000.

It is worth noting that The Law provides for legal remedies similar to those that already exist for intellectual property rights such as, but not limited to, cessation of unlawful use or disclosure, recall, destruction of infringing goods and damages. This enhances the strength and effectiveness of the right to the protection of trade secrets. However, despite being debated during the parliamentary discussions, the descriptive seizure procedure will not be available to the holders of a trade secret.

Lastly, in light of enhanced specialisation, The Law centralises most litigation concerning trade secrets to the commercial courts regardless of the parties’ capacity, although there are several exceptions in favour of labour courts in cases involving employees. One should keep in mind that the statute of limitation has been set to five years from the discovery of the unlawful breach and the identity of the alleged infringer, similar to the regime of non-contractual liability.

Conclusion

The impact in practice remains to be seen, but in theory, The Law should be able to provide sufficient means to combat the phenomena of industrial espionage and employees copying substantial amounts of (confidential) documents, in particular before they leave. The enhanced legal remedies put the holders of a trade secret almost on par with the holders of an intellectual property right, which should enable them to take action more efficiently against a possible leak of their trade secrets.

In conclusion, the change is most welcomed, in particular considering that the most valuable information sometimes is information that precedes intellectual property rights, and is thus not protected by the latter.

*     *     *

Philippe Campolini and Christopher Dumont

For more information or any question, please contact the authors:
philippe.campolini@simontbraun.eu – +32 2 533 17 52
christopher.dumont@simontbraun.eu – +32 2 533 17 58

GDPR – Are you ready?

On 10 January 2018, the law of 3 December 2017 concerning the establishment of the Data Protection Authority was published in the Belgian Official Gazette. This law, reforming the current Commission for the protection of privacy, is one of the necessary legislative efforts to anticipate the entry into force of the European Union’s General Regulation on the protection of natural persons with regard to the processing of personal data and of the free movement of such data (GDPR). As of 25 May 2018 all natural or legal persons, public authorities, agencies or other bodies which process personal data or organise such processing will have to comply with these new rules. What does this mean in practice?

This news aims at providing the reader with an overview of the changes entailed by the GDPR and to give some insight on the necessary measures to be taken to comply with the new legislation.

Will I be affected by the GDPR?

The GDPR applies to the processing of personal data by automated means and to the processing other than by automated means of personal data which form part of a filing system or are intended to form part of a filing system. Certain exceptions and limited alterations set aside, the GDPR’s material scope of application is identical to the scope of the act of 8 December 1992 on the protection of privacy in relation to the processing of personal data. The latter is currently the must-go-to legislative act in Belgium. In practice, this legislation is important for nearly all undertakings, if only for the management of personnel, clients and suppliers.

The territorial scope of the GDPR includes all undertakings established within the EU, as well as, in specific circumstances, all foreign undertakings that process personal data of individuals located in the EU. The fact that your business is established outside the EU does not necessarily entail that the GDPR does not apply to it.

The major changes brought by the GDPR do not relate to the scope of application of the rules, but to the obligations imposed on data controllers and their processors, as well as to the sanctions for non-compliance with this regulation.

Key changes and what to do in practice?

1)  Currently, processing personal data is frequently based on the consent of the individual concerned (hereinafter: the data subject). However, this consent is not always obtained under conditions that guarantee a consent of acceptable quality. Therefore, the GDPR provides for more stringent requirements to obtain an individual’s consent. In the future, any company that bases processing of personal data on the individual’s consent will have to check whether:

  • the consent is obtained by a statement or a clear affirmative action (which precludes, for example, the use of pre-ticked boxes);
  • the consent is freely given, specific, clear and unambiguous (meaning that the data subject was duly informed of the scope of his/her consent before giving it);
  • the consent refers to a processing for one or several specific lawful purposes (general and broad phrasing is not allowed);
  • where consent is given in a written statement which relates to multiple subject-matters (such as the acceptation of general terms and conditions or terms of use), the request for consent should be presented in an intelligible and accessible form, in a clear and plain language, and in a way that is clearly distinguishable from the other matters;
  • it can easily demonstrate that it obtained the data subject’s consent (the data processor should, therefore, keep records of the consents).

The GDPR will also apply to personal data collected before its entry into force. Hence, all processing of personal data that was consented in a way that is not satisfactory to the new GDPR requirements should be regularised – meaning that the consent should be renewed in a way that meets the GDPR requirements.


2)  The GDPR also provides for enhanced obligations of information for data controllers. In practice, it is necessary to verify whether the documents currently used by your company (e.g. charter for the protection of privacy or privacy policy) comply with the GDPR, and ensure that they include, amongst others, the following information:

  • the lawful purposes and legal basis for the processing of personal data;
  • the legitimate interests pursued by the data controller or by a third party when processing is based on such legitimate interests;
  • as the case may be, the fact that the data controller intends to transfer the personal data to a country that is not an EU Member State, and the existence or absence of an adequacy decision from the Commission or, where applicable, a reference to the appropriate safeguards that are put into place to protect the data subjects;
  • where processing is based on a data subject’s consent, the right to withdraw their consent at any time;
  • the data subject’s right to lodge a complaint with the national supervisory authority;
  • the period during which the personal data will be stored or, if not possible, the criteria used to determine the period of conservation;
  • whether the provision of personal data is a statutory or contractual requirement, or necessary to enter into a contract, as well as whether the data subject is obliged to provide his/her personal data and the possible consequences of failure to provide it;
  • the existence of automated decision-making, including profiling, and useful information about the underlying logic, as well as the importance and the foreseen consequences of such processing for the data subject.


3)  The GDPR explicitly mentions the “right to be forgotten” from which all data subjects will benefit. This right will empower the data subject to ask for a complete erasure of his/her personal data under certain conditions. Although this right of erasure inchoately existed under directive 95/46/CE and was confirmed by the ECJ’s ruling in the Google Spain-case, this right is given prominent placing in the GDPR. All data controllers will have to implement a procedure to be able to respond in practice to a request of erasure “without undue delay”.


4)  Every data controller shall set up a procedure to notify every recipient of personal data of all requests of rectification or erasure of such data, as well as of every limitation of processing, unless the provision of such information is impossible or gives rise to disproportionate efforts.


5)  Regarding the data subjects’ rights, the creation of a right of data portability – which aims at the independence of customers in the online environment – is the GDPR’s most innovative addition. It gives a data subject, under certain conditions, the right to receive the personal data that he or she has provided to a controller in a structured, commonly used and machine-readable format, to transmit these data to another controller. Data controllers will have to take all appropriate technical measures to be able to act upon such requests.


6)  The GDPR also establishes the foundations of data protection by design and by default. To respect these principles, the data controller shall, both at the time of the determination of the means for processing and at the time of the processing itself, implement appropriate technical and organisational measures, such as pseudonymisation, which are designed to implement data protection principles, such as data minimisation. These technical and organisational measures should also ensure that, by default, only personal data which are necessary for each specific purpose of the processing are processed. These principles will not only affect the content of products, websites or mobile applications that collect personal data, but also undertakings’ general business strategy. Therefore, this requires in-depth thinking by all data controllers.


7)  Data controllers and processors established outside the EU which must comply with the GDPR requirements (because they offer products and services to data subjects within the EU or monitor individuals that reside within the EU) should designate a representative in the EU as a point of contact for national supervisory authorities and data subjects.


8)  Another element of attention is the relationship between the data controller and the data processor. The GDPR defines the data processor as a natural or legal person, public authority, agency or another body which processes personal data on behalf of the controller. It provides for specific requirements that both future and existing outsourcing agreements for the processing of personal data will have to satisfy. These agreements should notably:

  • define the subject-matter, duration, nature and purpose of the processing;
  • define the type of personal data and categories of data subjects;
  • mention that the processor ensures that the persons authorised to process the personal data have committed to respect the confidentiality of such data;
  • include the appropriate technical and organisational measures that the processor shall take to ensure a proper level of security in light of the risk at hand;
  • compel the processor to make sure that any subsequent processor implements the same technical and organisational measures;
  • compel the processor to delete or return the personal data to the controller at the end of the provision of services relating to the processing;
  • make available to the controller all information necessary to demonstrate its compliance with the obligations laid down in the GDPR.


9)  Every data controller should also keep track of the processing activities in a record containing the following information: the name and contact details of the controller; the purposes of the processing; a description of the categories of data subjects and of personal data; the categories of recipients to whom the personal data have been or will be disclosed, including transfers to third countries; the envisaged time limits for erasure of the different categories of data; a general description of the technical and organisational security measures.


10)  In case of personal data breach, the data controller must, on some occasions, notify the breach to the national supervisory authority. When the breach is likely to result in a high risk for the rights and freedoms of natural persons, the data controller must also notify the data subject. Therefore, the data controller has to set up procedures ensuring that such notification is made within the mandatory terms of the GDPR (in principle, notification to the supervisory authority should be done within 72 hours of the personal data breach).


11)  Where a type of processing is likely to result in a high risk for the rights and freedoms of natural persons, the controller shall, prior to the processing, assess the impact of the envisaged processing operations on the protection of personal data. When the assessment identifies a high risk for a certain type of processing, the data controller shall, prior to the processing, ask the national supervisory authority for advice.


12)  Last but not least, under specific circumstances, undertakings will have to designate a data protection officer. This obligation applies when processing is carried out by a public authority or body, but also when the core activities of the controller or the processor consist of (i) processing which, by nature or because of its scope and/or purposes, requires regular and systematic monitoring of data subjects on a large scale or (ii) processing sensitive data on a large scale (sensitive data are, for example, data related to health, sexual orientation, political opinions, ethnic origin or data related to criminal convictions or offences).


Sanctions?

The GDPR substantially changes the powers granted to the national supervisory authorities and the sanctions applicable. Administrative fines can be inflicted upon infringers of data protection regulations by the Data Protection Authority. Their amount varies depending on the gravity of the infringement. For the most severe infringements, the administrative fines can reach up to EUR 20,000,000 or, in the case of an undertaking, 4% of the total worldwide annual turnover of the preceding financial year, whichever is higher. Moreover, the Data Protection Authority is mandated to propose settlement agreements, give warnings and reprimands, command to act upon a data subject’s request to exercise his/her rights, incur changes to the processing of data or temporarily or permanently prohibit the processing of personal data.

For further contact or specific assistance, do not hesitate to contact our Data Protection Team:
Philippe Campolini, Pierre Van Achter and Gaëtan Goossens.

A drug prescription assistance software can be a medical device

In its judgment dated 7 December 2017 (case C-329/16), the Court of Justice of the European Union (CJEU) considered that software, of which at least one of the functions makes it possible to use patient-specific data for the purposes, inter alia, of detecting contraindications, drug interactions and excessive doses, is, in respect of that function, a medical device within the meaning of the Directive 93/42/EEC concerning medical devices (MDD).

According to the CJEU, software that cross-references patient-specific data with the drugs that the doctor is contemplating prescribing, and is thus able to provide the doctor, in an automated manner, with an analysis intended to detect, in particular, possible contraindications, drug interactions and excessive dosages, is used for the purpose of prevention, monitoring, treatment or alleviation of a disease, and therefore pursues a specifically medical objective, making it a medical device within the meaning of the MDD.

On the contrary, software that, while intended for use in a medical context, has the sole purpose of archiving, collecting and transmitting data, like patient medical data storage software, the function of which is limited to indicating to the doctor providing treatment the name of the generic drug associated with the one he plans to prescribe, or software intended to indicate the contraindications mentioned by the manufacturer of that drug in its instructions for use, does not fall within the scope of the MDD.

The CJEU adds that, to assess whether software is a medical device within the meaning of the MDD, it does not matter whether the software acts directly or indirectly on the human body. The essential criterion is that its purpose is specifically one of those set out in the definition of a medical device (such as the diagnosis, prevention, monitoring, treatment or alleviation of disease).

The stakes of the qualification are clear. Any medical device, including software, must compulsorily bear a CE marking of conformity when it is placed on the market. Such marking indicates that the product has been subject to an assessment of its conformity with the requirements of the MDD. As a consequence of such marking, Member States may not create obstacles to the placing of the device on the market. In the case at stake, France imposed an additional national certification obligation on a drug prescription assistance software bearing the CE marking. As a consequence of the CJEU’s judgment, such an obligation must be considered as contrary to the MDD.

The CJEU also clarified that if medical software comprises both modules that meet the definition of the term ‘medical device’ and others that do not meet it and that are not accessories to a medical device, only the former falls within the scope of the MDD and must be marked CE. The manufacturer of such mixed software is required to identify which of the modules constitute medical devices so that the CE marking can be affixed to those modules only.

There is no doubt that this judgment of the CJEU will remain valid under the future legislation, namely the Regulation 2017/745/EU on medical devices (applicable as from 26 May 2020). This Regulation explicitly states that software in its own right, when specifically intended by the manufacturer to be used for one or more of the medical purposes set out in the definition of a medical device (such as the diagnosis, prevention, monitoring, prediction, prognosis, treatment or alleviation of disease), qualifies as a medical device.

For more information on this future legislation, you can contact us or have a look at our previous news: The new legal framework applicable to medical devices

Philippe Campolini: +32 (0)2 533 17 17 or phc@simontbraun.eu
Peter Blomme: +32 (0)2 533 17 13 or pbl@simontbraun.eu


Selling data collected through your home appliances – The role of Data Protection Law and the GDPR

In Le Soir of 27 July 2017, Philippe Campolini and Gaëtan Goossens comment on the implications of Data Protection Law and the upcoming GDPR when the manufacturers of electronic home appliances intend to sell the data collected through these devices to companies like Amazon, Google or Apple, to enable them to personalize shopping offers.

Read full article in Le Soir

The new legal framework applicable to medical devices

Introduction

A few years ago, many were shocked by the news that thousands of women across the world suffered harm caused by wrongly manufactured breast implants. For several years a French manufacturer had used industrial silicone instead of medical grade silicone to produce breast implants, in violation of the approval that had been issued by the notified body. Furthermore, a BBC investigation revealed that hundreds of thousands of individuals across the world could have been exposed to dangerously high levels of toxic metals from failing hip implants.

These revelations were some of the reasons why the European Commission issued, on 26 September 2012, two new regulation proposals to replace the three existing medical devices directives. One of the proposed regulations concerned in vitro diagnostic medical devices only, while the other one related to all other sorts of medical devices. These proposals marked the beginning of a long legislative process that led to the renewal of the regulatory framework on medical devices.

On 5 April 2017, the regulation on medical devices (hereinafter “MDR”) and the regulation on in vitro diagnostic medical devices (hereinafter “IVDR”) were adopted. They were published on 5 May 2017 and entered into force on 25 May 2017. The MDR will apply from 26 May 2020 and the IVDR from 26 May 2022.

In a nutshell, the highly anticipated texts address the concerns over the assessment of product safety and performance by placing stricter requirements on clinical evaluation and post-market clinical follow-up and by requiring better traceability of devices through the supply chain.

Brief Overview of the Main Changes

  • Scope extension

Besides some changes in several definitions contained in the directives (including the definition of medical device itself), some products without an intended medical purpose and thus excluded from the previous regulatory framework, but which present the same characteristics and risk profile as analogous medical devices, have been included within the scope of the MDR.

These products, which are listed in annex XVI of the MDR, include, inter alia, contact lenses, facial or other dermal or mucous membrane fillers, equipment for liposuction, lasers and intense pulsed light equipment for skin resurfacing, tattoo removal or hair removal, and equipment for electromagnetic brain stimulation.

Moreover, it has been clarified that software specifically intended by the manufacturer to be used for a medical purpose qualifies as a medical device, while software for general purposes, even when used in a healthcare setting, or software intended for lifestyle and well-being purposes, is not a medical device. It has also been clarified that the qualification of software, either as a medical device or an accessory for a medical device, will be independent of the software’s location or the type of interconnection between the software and a device.

With regard to in vitro diagnostic medical devices, genetic tests and other tests that provide information about a patient’s predisposition to a specific medical condition or disease, as well as tests that provide information to predict treatment response or reactions, such as companion diagnostics, have been included within the scope of the IVDR.

In order to ensure consistent qualification decisions across all Member States, in particular with respect to borderline cases, the Commission will have the right to decide, on its own initiative or at the duly substantiated request of a Member State, after having consulted the Medical Device Coordination Group, whether or not a specific product, category or group of products falls within the scope of the regulations.

  • Increased identification and traceability of devices

The regulations seek to ensure proper identification of all economic operators to whom devices are supplied or from whom devices are purchased. Devices will have a Unique Device Identifier (UDI) to provide for traceability throughout the supply chain to the end user or patient, allowing fast and effective measures in case of safety problems.

Before placing a device on the market, the manufacturer will have to assign a UDI to the device and provide it to the UDI database together with other core data elements related to that device. The UDI database will be available to the public via the European database on medical devices (Eudamed). The obligation to place the UDI on the label of the device will vary from one to five years after the date of application of the regulation, depending on the class of the device concerned.

Moreover, a summary of safety and clinical performance of high-risk devices written in a way that is clear to the intended user will be publicly available via Eudamed. The draft of this summary will have to be submitted to and validated by the notified body involved in the conformity assessment of the device concerned. Additional information will also need to be provided by the manufacturers of implantable devices, in particular via an implant card.

  • Safety and performance requirements

As regards safety and performance, the “essential requirements” established by the current directives will be replaced by the general safety and performance requirements described in Annex I of each regulation.

Accordingly, manufacturers will have to perform a gap analysis of the consequences of the changed requirements for recertification of their existing devices.

  • Modified rules on classification and conformity assessment

The changes to the classification rules, especially concerning in vitro diagnostic medical devices, will have to be sifted through by manufacturers as they will lead to reclassification (and hence additional requirements) for certain devices. Under the new rules, most in vitro diagnostic medical devices will have to be checked by a notified body.

As regards conformity assessment, increased control of high-risk devices will be performed. The MDR foresees that, subject to some exceptions, notified bodies will be obliged to request expert panels to scrutinise their clinical evaluation assessment reports concerning class III implantable devices and class IIb active devices intended to administer and/or remove a medicinal product. The notified bodies will have to give due consideration to the views expressed by these expert panels before granting any certificate. They will also have to notify the competent authorities of all certificates they grant for such high-risk devices, to allow said authorities and the Commission to apply further procedures or to take appropriate measures in case they have reasonable concerns. The IVDR provides for similar notification obligations with regard to class D in vitro diagnostic medical devices.

The requirements applicable to the designation of notified bodies have also been strengthened. Notified bodies will, amongst other things, need to demonstrate that they have permanent availability of sufficient administrative, technical and scientific personnel as well as personnel with relevant clinical expertise.

  • Risk management system

Manufacturers will be obliged to implement a risk management system for each medical device. Risk management is defined by the regulations as a continuous iterative process throughout the entire life cycle of a device, requiring regular systematic updating. In carrying out risk management, manufacturers shall, in particular, establish and document a risk management plan for each device. They will have to identify and analyse the known and foreseeable hazards associated with each device. They will also have to estimate, evaluate and control the risks associated with, and occurring during, the intended use and during reasonably foreseeable misuse.

  • More stringent requirements regarding clinical evidence and availability of data reports

The regulations require manufacturers to conduct clinical or performance evaluations and to provide an appropriate level of clinical evidence given the characteristics of the device and its intended purpose. Subject to some exceptions, clinical evaluation needs to be based on clinical investigations in the case of implantable devices and class III devices. Clinical investigations also have to be performed for products without an intended medical purpose as listed in Annex XVI, unless reliance on existing clinical data from an analogous medical device is duly justified.

As regards in vitro diagnostic medical devices, clinical performance studies will have to be carried out, unless it is duly justified to rely on other sources of clinical performance data.

In any case, manufacturers will also be required to update the clinical or performance evaluations of their devices based on post-market clinical data collected throughout the life cycle of said devices.

  • Increased liability of authorised representatives

Given the pivotal role of authorised representatives in ensuring the compliance of the devices produced by manufacturers who are not established in the EU and in serving as their contact person in the EU, the liability of these authorised representatives will increase. In particular, they will be legally liable for defective devices if a manufacturer established outside the EU has not complied with its obligations. This liability of authorised representatives will be without prejudice to the provisions of Directive 85/374/EEC concerning liability for defective products. Accordingly, the authorised representatives will be jointly and severally liable with the importers and manufacturers. Distributors and importers will also be subject to additional obligations, including a compliance check of their immediate upstream economic actor with the MDR or IVDR.

  • Reprocessing and further use of single-use devices

Some specific rules applicable to the reprocessing and further use of single-use devices have been included in the MDR. However, such reprocessing and further use will need to be permitted by national law, and Member States are allowed to introduce national provisions that are stricter than those laid down in the MDR.

 

Philippe Campolini

Please do not hesitate to contact the author for any question: philippe.campolini@simontbraun.eu