Challenges of remote patient care technologies under the General Data Protection Regulation: preliminary results of the TeNDER project

Remote care technologies help patients connect with their caregivers through monitoring, alerts, anomaly detection, and so on. Due to their nature, remote care technologies cross a number of legal fields, such as privacy and data protection, cybersecurity, and medical devices regulation. This paper aims to close the gap between high-level legal principles and practical implementation by mapping the challenges in European Union (EU) law and combining them with initial results from the TeNDER project. Specifically, we focus on technologies, which create an alert system by combining data sources from electronic health records and connected devices. Using these solutions as a starting point, we analyze the obligations the EU law lays upon the stakeholders, that is, the designers or developers, and the users, who are patients and caregivers. We answer the following research question: Which challenges does EU law pose for designers and users of remote care solutions, and in what manner can those questions be addressed in practice? We then analyze and apply the principles of privacy and data protection (proportionality, lawfulness, and data quality), and cybersecurity notification duties, and discuss the possible classification as a medical device. For all three areas, we use the two-pronged approach from the project, that is, a big-picture description of the legal challenges posed by remote care technologies, and a detailed description of the legal obligations applicable to the developers as well as users (i.e., caregivers and patients). We will follow up our work in repeated impact assessments in order to determine the benefits and pitfalls of the current approach.