The use of digital technologies in healthcare is changing how medical treatments are developed by researchers, delivered by medical professionals and experienced by patients. This chapter argues that a defining feature of this disruption is the emergence of medical apps that leverage algorithm-based AI systems. As the use of such apps and AI wearables goes mainstream and new players – notably ‘Super Platforms’ with digital rather than medical expertise – enter the healthcare sector, traditional medical services will be transformed.

These developments pose several challenges for regulators and policymakers, most obviously in terms of privacy and data protection. Here, we examine how the emerging field of Legal Design can provide a more transparent infrastructure that embeds relevant legal protections in the user interfaces of healthcare products and services. A Privacy-by-Design approach focused on the user interface (UI) offers several advantages, most obviously greater transparency, accountability and human choice. The chapter offers real-world examples of design patterns that illustrate the value of UI-focused Privacy-by-Design in protecting sensitive information, enabling people to retain control of their personal data. The chapter concludes with some examples and reflects on the challenges in implementing Legal Design in an eHealth context.

The COVID-19 pandemic has highlighted that leveraging medical big data can help to better predict and control outbreaks from the outset. However, there are still challenges to overcome in the 21st century to efficiently use medical big data, promote innovation and public health activities and adequately protect individuals’ privacy. The metaphor that property is a “bundle of sticks” applies equally to medical big data. Understanding medical big data in this way raises a number of questions, including: Who has the right to make money off its buying and selling, or is it inalienable? When does medical big data become sufficiently stripped of identifiers that the rights of an individual concerning the data disappear? How have different regimes such as the General Data Protection Regulation in Europe and the Health Insurance Portability and Accountability Act in the US answered these questions differently? In this chapter, we will discuss three topics: (1) privacy and data sharing, (2) informed consent, and (3) ownership.

The rules on de-identification and research exemptions in the GDPR help companies to use personal data for scientific research with fewer restrictions compared to data collections for other purposes. Under these exemptions, companies in the EU might collect and process data for a secondary purpose without consent. However, the requirements and exemptions for scientific research vary among EU Member States, which might result in forum shopping. They might also hinder the review of the input data in medical devices since the new regulations on medical devices in the EU (Regulations 2017/745 and 2017/746) require compliance with the GDPR. These combined implications might result in safety risks. Focusing on the research exemption and de-identification rules of the GDPR in a medical device setting, the authors discuss to what extent scientific research with public interest should benefit from the research exemption of the GDPR. Harmonized rules would also be necessary on the expected level of de-identification, to balance the data subjects’ rights and safety of medical devices. This chapter will examine how the input data is reviewed by medical device authorities and notified bodies in the EU and how this may affect the US, following recently released guidelines and discussion papers.

Medical devices have historically been less regulated than their drug and biologic counterparts. A benefit of this less demanding regulatory regime is facilitating innovation by making new devices available to consumers in a timely fashion. Nevertheless, there is increasing concern that this approach raises serious public health and safety concerns. The Institute of Medicine in 2011 published a critique of the American pathway allowing moderate-risk devices to be brought to the market through the less-rigorous 501(k) pathway,1 flagging a need for increased postmarket review and surveillance. High-profile recalls of medical devices, such as vaginal mesh products, along with reports globally of nearly two million injuries and more than 80,000 deaths linked to faulty medical devices,2 have raised public health critiques regarding the oversight of these products. Should we follow the recommendation of the Institute of Medicine to reduce the use of the 510(k) pathway, and, if so, what should replace it? What would an ideal regulatory pathway, reflecting the twin goals of innovation and patient protection, look like in the twenty-first century? These questions are complicated by new tools and mechanisms that can be used to achieve our goals. For example, in an era of big data, where we have the capabilities to better follow postmarket incidents, what should postmarket review look like?