Metaverse and medical devices: what are the legal issues?

Cécile Théard-Jallu
Partner, De Gaulle Fleurance, Paris
ctheardjallu@dgfla.com

Introduction

In 2021, Mark Zuckerberg's ambition was to bring internet users into the metaverse. Web giants and major brands have mobilised to develop their projects there. Although there is currently a period of less enthusiasm for the metaverse, it presents real opportunities for a variety of sectors, from gaming to sports, real estate to leisure, retail to education and many others. Healthcare itself could reap invaluable benefits, notably in terms of improving the training of caregivers, patient care and the research and development or production of healthcare products. But what about medical? Here are a few observations to share.

Metaverse: a new social and interactive virtual world

The term ‘metaverse’ comes from the contraction of the words ‘meta’ and ‘universe’. The metaverse is a fictional, persistent, connected and totally immersive virtual world in which users move around in 3D, generally in the form of an avatar.

A metaverse can use a number of advanced concepts and technologies, some of which can be combined with others, depending on the context: (i) the Cloud where it is hosted; (ii) blockchain, which enables data to be uniquely recorded; (iii) virtual reality technology, which projects a computerised world through a headset; (iv) 5G or even 6G for fast connections; and (v) the Internet of Things.

A metaverse can therefore be a platform, open or closed, comprising digital assets and identities, and offering social experiences in which users interact via physical or digital points with multiple inputs. It enables businesses, between themselves or with consumers or users, to enter into contracts, or perform acts, possibly by committing digital assets, for a variety of entertainment or more serious experiences.

As such, the combinations, uses and concepts are limitless.

Metaverse and healthcare: a new medium for design, research and development and production of medical devices 3.0?

The metaverse allows great freedom in the virtual reproduction of situations (operating theatres, intensive care units, patient rooms, research laboratories and production sites, etc), and makes it possible to adapt to the needs of both patients and professionals by offering personalised experiences and services.

The versatility of the metaverse raises the question of whether certain associated tools should even be classified as medical devices, either due to their main purpose or in their capacity as an accessory.

According to Article 2, paragraph 1, of European Regulation 2017/745 of April 5, 2017 on medical devices (the ‘MDR’),[1]  a medical device is ‘any instrument, apparatus, equipment, software, implant, reagent, material or other article, intended by the manufacturer to be used, alone or in combination, in humans for one or more of the following specific medical purposes: — diagnosis, prevention, control, prediction, prognosis, treatment or alleviation of disease, — diagnosis, control, treatment, alleviation of or compensation for injury or disability, — investigation, replacement or modification of an anatomical structure or function or of a physiological or pathological process or condition, — communication of information by means of in vitro examination of samples from the human body, including donated organs, blood and tissue, whose principal intended action in or on the human body is not obtained by pharmacological or immunological means or by metabolism, but whose function can be assisted by such means. (...)’. (emphasis is author’s own)

According to a ruling by the Court of Justice of the European Union (issued under Directive 2001/83/EC, the predecessor to the MDR), software is in itself a medical device when it is specifically intended by the manufacturer to be used for one or more of the medical purposes recognised as such by the texts, and enables patient-specific data to be exploited, ‘in particular by means of calculation, quantification or comparison of recorded data with certain references, with a view to providing information concerning a specific patient’.[2]

Thus, software (or a linking element) must be qualified as a medical device if it pursues one of the purposes listed in the above definition, and if it is intended to enable the creation or modification of medical information relating to a given patient.

Similarly, the MDR stipulates that medical device accessories[3] are subject to the rules governing medical devices.

This is corroborated by the MDCG's October 2019–11 guide, adopted in the light of the MDR regarding software constituting medical devices.

Under French law, the concept of a medical device or its accessory follows the same line.[4] In short, a medical device is any product fulfilling at least one of the aforementioned purposes, and whose action is not pharmaceutical, pharmacological, immunological or metabolic, whereas an accessory is intended to be used with one or more medical devices, to enable use in accordance with their intended purpose, or to contribute specifically and directly to their medical function, depending on their intended purpose.

The ANSM[5] considers a certain number of software products to be medical devices (MDs) or in vitro diagnostic medical devices (IVD MDs), based on the following cumulative criteria:

• to be intended for use for medical purposes: to enable prevention of disease, diagnosis, diagnostic assistance, treatment or treatment assistance;

• to provide a specific result for the benefit of a single patient; and

• to perform an action on incoming patient-specific data, such as an analysis, in order to provide new medical information regarding that patient.

On the other hand, software designed simply to observe whether a patient is taking his or her treatment correctly, or to communicate data to the doctor, without any alert function, would not be a medical device.

Thus, depending on the circumstances, to be analysed on a case-by-case basis, a metaverse at least in part and/or any tool likely to be associated with it (eg, a virtual reality headset, a suit worn by the patient with sensors, a digital twin, etc) may or may not meet the criteria of a medical device and/or its accessory. Should this be the case, the entire regulatory regime for medical devices will have to be implemented by the manufacturer and other protagonists subject to this regime, when they interact with the metaverse or tool in question (eg clinical evaluation, CE marking, post-marketing surveillance (PMS)/materiovigilance/periodic safety update report (PSUR), good clinical, laboratory or manufacturing practices, technical standards, etc). 

In this way, the metaverse can be used for a variety of purposes in the healthcare sector, including:

• Healthcare professionals: to immerse themselves fully in virtual reality and benefit from a unique experience in learning how to use a medical device, to remotely carry out clinical trials on such a device or to practice telemedicine with it;

• Patients: to benefit from personalised diagnosis or treatment (eg in cases of mental or neurological illness, or physical rehabilitation);

• Medical device manufacturers: to design, develop, test, improve and control the quality of their devices before they are put on the market or in the post-market approach either internally or with partners and suppliers of the equipment or services (ie metaverse as a research and development and production site);

• Suppliers: to carry out production tests or implement a quality control procedure;

• Notified bodies: to carry out audits and tests prior to certification and the granting of CE marking, depending on the product class, as well as once the device is on the market;

• Regulatory authorities, such as health product safety agencies: to assess compliance with essential safety, quality and performance requirements throughout the product life cycle.

For example, the French startup HypnoVR is developing a medical device combining hypnosis and virtual reality to reduce pain and stress, while limiting the use of sedatives and anxiolytics.[6] The French company BLISS markets a virtual reality application as a medical device, enabling people suffering from isolation, pain or stress to reduce these symptoms.[7]

Beyond medical device regulations, the legal issues surrounding the metaverse are manifold

The metaverse can only function by interacting with the terrestrial world. It is therefore subject to the rules of the latter in every respect, over and above the regulations governing medical devices: rules on the training of caregivers, particularly in digital technology, consumer law, property law, contract law, international law (in particular the question of which law applies and which jurisdiction has jurisdiction in the event of a dispute), anti-money laundering and cybersecurity, etc.

Among other legal challenges, the operation of the metaverse raises questions about the effective protection of the personal data it processes.

The French Data Protection Authority (the ‘CNIL’), through its Digital Innovation Laboratory (LINC), has pointed out the risks associated with the exponential increase in data collection implied by the metaverse.

The question of how to effectively regulate and protect personal data in the metaverse has become essential as this new ‘virtual private sphere’ develops. Indeed, the volumes of data captured through or in the metaverse are impressive and can include sensitive data, such as biometric data (voice chat, eye tracking, etc) and physiological data (blood pressure through the controller's movements, etc) that merit heightened protection under Article 9 of the GDPR. The metaverse will potentially use this data.

Many questions arise: first and foremost, what data will be considered personal and how to apply the GDPR (or any other applicable data protection legislation) and related guidelines in this new area? For example, based on the principle of privacy by design, how can we: (i) gather appropriate consent from users, who are not always aware of the data they are producing; (ii) limit the data collected and its storage duration in line with the objectives pursued in a multidirectional and persistent real-time dimension; or (iii) enforce individual rights while potentially interacting with a multitude of data controllers, whose identification will be a challenge in itself given the multitude of actors involved.

How can privacy (and the enforcement of privacy rules) be guaranteed when personal lives will be exposed to data capture, even through avatars? How do we articulate this with the EU's forthcoming AI regulation, including its principle of guaranteed human oversight?

How can data protection authorities monitor compliance with applicable data protection rules, when the metaverse by its very nature operates across borders, resulting in a multitude of jurisdictions and legal regimes likely to interact, or even contradict each other? And how can legal decisions be enforced in a galaxy populated by an army of avatars? The new virtual samurai announced by the CNIL could be one of the solutions...[8]

Whether companies or individual users, everyone will need to pay close attention to the legal issues and risks linked to personal data in the metaverse, as this technology continues to develop, challenging individuals in the control of their virtual identities and privacy.

In September 2022, the European Commission announced the implementation of new key initiatives in 2023 as part of ‘Europe fit for the digital age’ to create standards and increase interoperability between protection solutions applicable in the metaverse. Data protection laws and regulations may also have to evolve over the next few years to adapt to the challenges of the latter.

Medical device manufacturers, whether acting as data controllers, data processors or simple tool designers, will need to put the protection of personal data, and more generally legal issues, at the heart of their growth strategy in the metaverse.

The future of new devices in the metaverse?

As we can see, there are real opportunities for implementing a new strategy for the design, research and development and production of medical devices in the metaverse, in line with the medical device company’s strategy and needs on the ground. Beyond that, new ways of interacting with healthcare professionals, reinventing the patient pathway to compensate for shortcomings or difficulties, or completing the actions of the terrestrial world or even helping to reduce the consequences of medical deserts by facilitating remote patient treatment, are at stake. For the manufacturer, the challenge will be to create new-generation medical devices adapted to all these challenges.

After much media hype, metaverse is currently raising doubts as to its relevance, notably because it is not within the reach of all users due to its apparent complexity of access or the means of connection it requires or because a series of uses may appear too artificial and futile.

It's true that revolutions, or at least major technological evolutions, can take a relatively long time to settle in and be properly adopted by users.

However, the potential benefits of the metaverse are considerable, and the great promise it holds gives hope that the metaverse in healthcare will respond to this growth trend, to the benefit of patients, carers and the sector itself.

Notes