INSIGHT

Wearable devices: important regulatory updates and key considerations

By Phil O'Sullivan, Lauren John, Nick Li, Stefan Ladd, Claudia Hall

Protecting your IP, and their privacy

Growing consumer demand for wearable devices, such as the 'Apple Watch' or the 'Fitbit', has created exciting opportunities for businesses. However, it is crucial that businesses understand the regulations which can apply to these types of products (particularly where they perform health or wellness-related functions), what steps they can take to protect any valuable IP in such products, and the privacy and other issues associated with the collection and use of data from such devices. We explore these issues in this Insight.

Key takeaways

  • Many wearable devices include health-related features, which in some circumstances may be classed as medical devices, and therefore subject to regulation in Australia by the Therapeutic Goods Administration (TGA).
  • In most cases, software operating in consumer wearable devices will be excluded from regulation as a medical device. However, any software intended for use in clinical practice, or with respect to serious diseases or conditions, is regulated as a medical device. As such, carefully consider the claims made in relation to the device in marketing or promotional materials.
  • If software as a medical device (SaMD) is not excluded or exempt, it is required to be included on the Australian Register of Therapeutic Goods (ARTG). Recent reforms include new classification rules, which may affect the way in which SaMD is assessed by the TGA.
  • Consider applying for design, patent and trade mark registrations in respect of wearable tech products, to ensure appropriate protection of any relevant IP.
  • There is an increasing focus by consumers, business and regulators on data handling activities, particularly in the health sector, where new technology enables the collection and use of increasingly rich and detailed data sets. As a result, businesses need to ensure compliance with their strict legal obligations while balancing community expectations around transparency of data use. This can usually be achieved by providing a genuine value proposition to users when seeking permission for data use beyond delivering core product functionality.


Who in your organisation needs to know about this?

Legal and regulatory personnel at organisations that develop, manufacture or supply wearable devices.

Growing demand raises key considerations for business

In recent years, we've seen growing demand for wearable tech that can perform health-related functions, including devices which:

  • measure and track a user's heart rate, such as the electrocardiograph heart-monitoring feature of Apple's Series 4 'Apple Watch', which received US Food and Drug Administration (FDA) clearance in 2018;
  • measure blood sugar levels, such as Dexcom's G6 Pro Continuous Glucose Monitoring System, which gathers real-time glucose data from a user over a 10-day period, which similarly received FDA clearance in 2019; and
  • measure blood pressure and other vital signs, including those which have been deployed to identify early symptoms of, and assist in monitoring, COVID‑19.

However, the growth of wearable tech in the healthcare space raises important questions for businesses, namely how such products are regulated, how data can be used, and what approvals may be required.

Regulation of software as a medical device – how does it affect wearable tech?

In Australia, significant reforms have been made to the Therapeutic Goods (Medical Devices) Regulations 2002 (Cth) which may affect the way in which SaMD is regulated.

Under the revised regime, as a general rule, any software (whether standalone or used in combination with another device) that is intended by the supplier to be used for, among other things, the diagnosis, prevention, monitoring, prediction, prognosis, treatment or alleviation of a disease, condition, ailment, injury or disability (therapeutic purpose) is regarded as a medical device that must be included on the ARTG unless it is expressly excluded or exempt. Excluded goods are not medical devices, and are not subject to any TGA regulatory requirements. In contrast, exempt goods are medical devices which are not required to be included on the ARTG, but which must comply with all other regulatory requirements.

Excluded SaMD

Certain classes of software have been excluded from regulation by the TGA. Relevantly, this includes:

  • software intended for self-management of existing, non-serious diseases or conditions (without providing specific treatment or treatment suggestions);
  • consumer health and wellness products (which may be software or a combination of non-invasive hardware and software) that do not make claims about serious diseases or conditions;
  • behavioural change or coaching software intended to be used to improve general health or wellness factors (such as weight, exercise, sun exposure or dietary intake) that does not provide information requiring the interpretation of a health professional; and
  • digital mental health tools based on established clinical practice guidelines that are referenced and displayed in the software to the user.

However, software that is intended to be used in clinical practice, or with respect to a serious disease or condition, is not excluded.

The effect of the above is that common consumer wearables, including step counters, 'Fitbits' and similar devices, as well as diet and wellbeing apps, will generally not be regulated as medical devices in Australia.

Exempt SaMD

At present, only certain 'clinical decision support' software has been exempted. The TGA has published guidance on how to determine whether software satisfies the exemption criteria. Significantly, although inclusion in the ARTG is not required, exempt SaMD must still comply with other regulatory requirements under the Therapeutic Goods Act 1989 (Cth), including adverse event reporting obligations, advertising requirements and the 'Essential Principles' (which set out the fundamental design and manufacturing requirements for medical devices).

What if my software is not excluded or exempt?

All SaMD that is not excluded or exempt is required to be included on the ARTG. All applications to include SaMD on the ARTG must meet the new requirements. Key points to be aware of in this regard include the following:

New classification parameters

The new regulations set out detailed parameters for the classification of SaMD into the four classes of medical devices, which will determine the level of assessment undertaken by the TGA of the device's quality and safety. The manufacturer of the medical device is responsible for obtaining the relevant conformity assessment certification. The sponsor (which must be an Australian entity) is responsible for obtaining the device's inclusion on the ARTG.

Reforms to Essential Principles

Medical devices (including exempt medical devices) are required to comply with the Essential Principles. The reforms have amended two of the previous Essential Principles, and introduced one new principle in order to account for the regulation of SaMD. One of the key changes is a new requirement that the current version and build number of the relevant software be made accessible and identifiable to users of the medical device.

Transitional arrangements

The new classification rules and the changes to Essential Principles will affect some SaMDs that are already included on the ARTG. While all new ARTG applications for medical devices are required to comply with the new regulations, transitional arrangements are in place for any medical devices that are already on the ARTG, or for which an application was lodged prior to 25 February 2021. Under the transitional arrangements, where the relevant SaMD has been reclassified into a higher risk class under the new reforms, a new conformity assessment and ARTG application must be made. Affected persons must notify the TGA before 25 August 2021 (if the device is on the ARTG) or within 2 months of the ARTG start date (if the device is the subject of a current application), and undertake the assessment and make the new application before 1 November 2024.

Safeguarding your IP

In addition to understanding the regulatory landscape in which wearable technology sits, it is also critical that your business thinks about its IP strategy in relation to these products. Whilst copyright protection in respect of the underlying software code for your wearable device will arise automatically under Australian law (provided the criteria for the subsistence of copyright are met), your business will need to separately apply for design, patent and trade mark protection, where applicable.

In relation to securing patent protection in respect of software in particular, it is worth noting that in Australia, unlike a number of other jurisdictions, methods of medical treatment are considered patentable subject-matter. However, there may be other issues, such as whether the 'substance' of the invention is a 'technical innovation' which is patentable or merely a 'business innovation', which is not. This will come down to how the software operates, which will require careful expert analysis.

In terms of its overall IP strategy, your business should consider:

  • applying for a design registration to protect the visual features of your wearable tech product;
  • applying for registration of any relevant trade marks used in respect of your wearable device, such as brand names or logos;
  • applying for a patent to protect any inventive aspects of your wearable tech product; and/or
  • ensuring that any existing registrations for intellectual property such as trade marks used in connection with your device are sufficiently broad in scope.

Further, as discussed below, certain wearable devices will collect significant amounts of data from users. From an IP perspective, it is worth noting that copyright may subsist in relation to the resultant dataset, depending on how that information has been arranged, structured or presented. This can provide an important tool for your business in seeking to ensure that that dataset is not reproduced by third parties. Further information regarding how copyright can assist in protecting the commercial value of your business' data is available here.

Data and Privacy: the financial, regulatory and reputational risks

By their nature, wearable devices recognise and store data points about users over a sustained period of time, with the potential to capture large volumes of personal and sensitive data from individuals. While this presents a clear opportunity for businesses to provide more targeted and personalised health and wellness offerings, it also requires careful consideration from a privacy and data security perspective. In particular, demand from health consumers for transparency, together with a dynamic legislative and regulatory landscape with an increasing focus on data handling activities, brings significant financial, regulatory and reputational risk for businesses without a clear data strategy and appropriate data governance.

Privacy, surveillance and transparency

Data collected by health wearable devices is likely to constitute health information (a sensitive subset of personal information) under relevant federal, state and territory privacy legislation (including the Privacy Act 1988 (Cth) and Health Records and Information Privacy Act 2002 (NSW)). These laws impose a range of obligations on businesses, including that businesses:

  • obtain consent to collect this health information from users;
  • only use such health information for the purpose for which it was collected, another directly related purpose which the individual would reasonably expect or otherwise with consent; and
  • appropriately secure such health information (including as transmitted from the device to the business or third parties).

Where wearable devices track a user's location (ie to record the route of a run or attendance at a particular location/event), businesses need to consider their obligations under applicable state and territory surveillance legislation, which generally requires a user's consent to such tracking.

In addition to the strict legal obligations around health information, we are seeing consumers better understand the scope of data which entities hold about them and the value of such data. In turn, consumers are demanding greater transparency around and control over the use of data (including where certain data has been deidentified, which suggests this is not solely a privacy concern). This consumer sentiment is backed up by Australian regulators, including the Office of the Australian Information Commissioner (OAIC) and the Australian Competition & Consumer Commission, with increasing focus on how failures to ensure transparent terms of use and clearly communicate data handling practices can undermine community trust.

In this environment, it is important for businesses to clearly articulate the end-to-end value proposition around the use of wearable devices, including:

  • how relevant risks have been addressed, such as the security measures in place to protect data;
  • how data (whether in identified or deidentified form) will be handled (including proposed sharing or subsequent interactions with third parties); and
  • how and the extent to which individuals can exercise control around their data, such as opting in/out of certain activities or using a dashboard to switch certain functionality on and off.

This can be done through a combination of public-facing documentation, specific terms of use and collection notices, and increasingly through providing functionality to users to self-manage data access and use. Previously, businesses were more inclined to rely on implied consent obtained in the course of setting up devices and associated accounts, but there is rightly a shift towards obtaining and maintaining more express forms of consent around use of health and wellness technology (which is adequately informed, specific and unbundled).

Information security

The OAIC consistently reports that the health sector accounts for among the highest numbers of notifiable data breaches under the Privacy Act. This is, in part, due to the sector:

  • utilising large numbers of connected remote end points; and
  • being a lucrative target for bad actors, with health records being estimated to be up to 10 times more valuable than other forms of data.

As such, it is no surprise that wearable devices and similar health tracking applications have made headlines for significant data breaches in recent years.

In 2018, popular nutrition and fitness tracking app MyFitnessPal, which was then owned by Under Armour, was targeted in a breach affecting more than 150 million users. Whilst Under Armour stated in its data breach notification that it did not believe users would experience significant harm as a result of the issue, a year later it was reported that the stolen credentials from the breach had appeared for sale on the dark web.

Fitbit has also been compromised more than once. In 2016, several dozen Fitbit accounts were accessed by cybercriminals utilising account details from other breaches. In February 2020, it was reported that a hacker had leaked the account details of nearly 2 million Fitbit users and had access to account holders' location tracking history, in addition to other health metrics such as sleep tracking and nutrition.

Security requirements for wearable device businesses are generally governed by the Privacy Act (including Australian Privacy Principle 11 and the notifiable data breach scheme), and similar obligations under state and territory health records laws, which require businesses to take reasonable steps to protect information from misuse, interference and loss, and from unauthorised access, modification and disclosure.

We expect that recently proposed reforms may impose additional security obligations in this space. In particular, for the purposes of the upcoming review of the Privacy Act, comments have recently been sought on:

  • how personal information can be protected where IoT devices (such as internet enabled wearables) collect personal information from multiple individuals; and
  • whether the Privacy Act adequately protects sensitive information collected by wearables.

As such, data security is a key component of any product or feature roll-out, and businesses need to:

  • understand the data being collected through the delivery model, and the data flows involved in their practice;
  • adopt a privacy-by-design approach to new projects in the wearable device space, including assessing the potential impact of any changes;
  • establish and maintain robust systems, information controls, and monitoring and detection processes that are regularly tested, including:
    • ICT, physical and access security, including identifying and addressing vulnerabilities created by outdated systems or devices, and performing appropriate due diligence on third-party vendors; and
    • reconsidering the appropriateness of such controls on a regular basis;
  • identify a data breach response team and have a comprehensive data breach response plan, in order to quickly and efficiently respond to potential data breaches and minimise harm to individuals and therefore the legal, financial and reputational costs of the breach; and
  • make any public communications about device vulnerabilities and incidents simple and easily interpretable, acknowledging and explaining any unknown factors, and discussing the risks and benefits of their device.

Conclusion

Many wearable devices include health-related features and may therefore be subject to regulation as a medical device by the TGA in Australia. Whilst software in consumer wearable devices will typically be excluded from regulation as a medical device, this is not always the case. Accordingly, it is important that businesses carefully review their wearable device products, and the new regulations around medical devices, to ensure that they have taken all necessary steps for compliance.

Beyond the regulatory space, there are a range of other considerations businesses should bear in mind in relation to wearable devices, including:

  • ensuring that they have in place appropriate protections for any relevant intellectual property, which may require seeking design, trade mark and patent registrations; and
  • ensuring that they have a robust data strategy and appropriate data governance which covers:
    • current and proposed future data flows;
    • how they will ensure compliance with legal requirements including in relation to obtaining and maintaining consent and ensuring appropriate security;
    • community expectations in relation to product and data use, and the business' value proposition for users;
    • how risks arising from changes in the sector or new features or product lines will be addressed; and
    • how any potential breach (of law, security or community expectations) will be identified, responded to and (where appropriate) communicated to regulators and impacted users.