Whether you’re working on a cross-border project, using foreign service providers, or simply want to offer your products and services to as many customers as possible, data transfers don’t stop at national borders. Cross-regional cooperation is particularly important in the health sector. However, the General Data Protection Regulation (GDPR) requires a particularly sensitive approach to data concerning health. What does this mean for service providers who work with health data in a global context?
According to Art. 5(1)(a), any data processing within the scope of the GDPR must be lawful. The term “processing” is further defined in Art. 4 No. 2 GDPR. First of all, processing means collecting, storing or erasing data. But the term also applies to the disclosure or transmission of data. This means that a legal basis is also required for data transfers within and outside the scope of the GDPR. For a data transfer to a so-called third country – a country outside the European Economic Area – Art. 44 GDPR once again sets out specific requirements. Transfers are only permitted if
- the Commission of the European Union has decided that the third country in question ensures an adequate level of protection (Art. 45 GDPR);
- appropriate safeguards are provided and enforceable rights and effective legal remedies are available to data subjects (Art. 46 GDPR) or
- a derogation according to Art. 49 GDPR applies.
By means of an adequacy decision pursuant to Art. 45(3) GDPR, the EU Commission may determine that a third country achieves a level of data protection that offers data subjects protection comparable to that of the GDPR. If such a decision exists, then data transfers to that third country are permitted under the same conditions as a transfer within the European Economic Area. This means that transfers to third countries with an adequate level of data protection also require a legal basis according to Art. 6 or 9 GDPR.
There are currently 14 adequacy decisions. The Commission provides information on these on its website. It is true that many third countries, such as Israel, Canada, New Zealand, Switzerland and the United Kingdom, are already covered. However, the European Court of Justice (ECJ) declared invalid a similar agreement between the EU and the US, known as the Privacy Shield, and the EU Commission’s adequacy decision based on it, in its high-profile Schrems II ruling of 16 July 2020 (ref. C-311/18). Given that US authorities enjoy far-reaching data access rights, the judges argued that the level of data protection in the US was inadequate (read more about the decision and its consequences here). After the EU Commission and the United States announced in March 2022 that they had reached an agreement in principle on a new Trans-Atlantic Data Privacy Framework, US President Joe Biden signed an Executive Order in October 2022 limiting the powers of US intelligence agencies to analyse the personal data of EU citizens and providing for a two-tier redress mechanism. In the first stage, EU citizens who feel that their rights have been infringed should lodge a complaint with the competent regional data protection authority, which will then be examined by the Civil Liberties Protection Officer. A new Data Protection Review Court will allow EU citizens to appeal against decisions of the Civil Liberties Protection Officer.
It is true that the Executive Order does not replace an adequacy decision. Nevertheless, companies could argue – for example in the context of a data protection impact assessment – that the order already leads to an improved level of protection for EU citizens. The final adequacy decision for the US is in preparation and is currently expected in the first half of 2023. Whether it will also stand up before the ECJ remains to be seen.
Standard contractual clauses and binding corporate rules
In the absence of an adequacy decision, a data transfer may nevertheless be lawful if appropriate safeguards are in place to protect personal data, and enforceable rights and effective legal remedies are available to data subjects. The standard contractual clauses (SCCs) and binding corporate rules (BCRs) are of particular practical relevance in this context.
The SCCs are contractual clauses specified by the EU Commission that can be concluded between a data exporter and a data importer (for more details, see here). However, the mere conclusion of SCCs is not sufficient as a legal basis for a transfer to a third country. The ECJ made this clear in the aforementioned Schrems II ruling. There, the ECJ also specified the requirements under Art. 44 et seq. GDPR that apply to data transfers to third countries. The onus is on the data controller to carry out what is known as a transfer impact assessment (TIA) to assess whether the personal data to be transferred enjoys an equivalent level of protection in the third country. If this is not the case, then additional contractual, technical or organisational measures must be taken to ensure a level of protection comparable to that of the European Economic Area.
The requirements just outlined also apply to intragroup transfers of data based on BCRs. A group of companies can impose binding rules on itself, which in turn have to be approved by the supervisory authorities. As BCRs have to fulfil a large number of criteria in order to be approved (cf. Art. 47(2) GDPR), they are not equally suitable for every provider of health-related services. However, especially for international companies that transfer large amounts of personal health data to third countries, they offer the opportunity to develop tailored, legally secure and therefore more cost-effective solutions.
If there is neither an adequacy decision pursuant to Art. 45(3) GDPR nor appropriate safeguards pursuant to Art. 46 GDPR, the transfer of personal data to a third country or an international organisation is only permitted under the conditions set out in Art. 49 GDPR. In practice, consent pursuant to Art. 49(1) Sentence 1(a) GDPR is particularly important in this regard. It is particularly suitable where data processing is based on consent from the outset. The most important criterion here is that the data subject is explicitly and duly informed about the risks of a third-country transfer and can make a freely given and informed decision.
While the ECJ in its Schrems II decision still explicitly referred to the derogations as an equivalent alternative to an adequacy decision and the appropriate safeguards under Art. 46 GDPR, the European data protection supervisory authorities take a more restrictive view. They are of the opinion that the derogations in Art. 49 GDPR must be interpreted narrowly and can only be considered for occasional data transfers. Therefore, it must be carefully considered in each individual case whether and under which conditions a third-country transfer can be based on the derogations for specific situations.
Medical confidentiality: An additional barrier
Health data is not only protected by data protection law. In certain cases, its unauthorised disclosure may also have criminal implications. For example, Sect. 203(1) No. 1 of the German Criminal Code (StGB) criminalises breaches of medical confidentiality – including the unauthorised disclosure of patient data. This ban on disclosure poses a challenge for doctors. They often have to rely on the expertise of external service providers (e.g. in the IT sector), but are not allowed to disclose information that is covered by medical confidentiality.
In order to address the problem of increasing digitalisation and division of labour on the one hand, and the obligation of doctors and other persons bound by professional secrecy on the other, the German legislator introduced a new law to regulate the protection of secrets when third parties are involved in the professional practice of persons bound by professional secrecy. Since 2017, the newly introduced Sect. 203(3) of the German Criminal Code (StGB) – and the correspondingly amended sector-specific professional law – have provided largely identical permissions for the disclosure of confidential information to external service providers. Under these amendments, the party bound by professional secrecy may grant the service provider access to patient data to the extent necessary for the use of the service. Because of the fundamental importance of the relationship of trust between doctor and patient, the legislator considers a narrow interpretation of “necessity” to be necessary. Accordingly, the disclosure of secrets entrusted to parties bound by professional secrecy is only deemed necessary if the provision of the service would not be possible without knowledge of the secret (need-to-know principle). The law requires careful selection of the service provider by the party bound by professional secrecy. Using a service provider whose suitability is doubtful is also prohibited.
Location may also play a role in the selection of suitable service providers. Doctors and other persons bound by professional secrecy are, in principle, allowed to use service providers based abroad. Apart from whether it is actually necessary to disclose patient data, it is important to ensure that confidentiality will be maintained abroad. More specifically, the protection of confidentiality abroad must be comparable to that in Germany. According to the explanatory memorandum to the law, sufficient confidentiality can generally be assumed for EU Member States. On the other hand, greater care is required when contracting external service providers in third countries. As soon as doctors or other parties bound by professional secrecy are involved in the transfer of health data to third countries, it is important to consider whether this may be relevant from a criminal law perspective. Otherwise, depending on the individual case, there may not only be consequences under data protection law, but also personal criminal liability for the medical professionals involved, such as doctors.
In the highly internationalised and specialised health services sector, it is difficult to imagine working without international partners. As many of these partners are also located outside the European Economic Area, providers of relevant services need to be able to transfer health data to third countries. German and European legislation sets high standards for such transfers to third countries. Following the ECJ’s Schrems II ruling, this is now even more demanding. The required implementation of the new SCCs, the associated assessment of the level of protection, and the requirement for supplementary protective measures, where appropriate, are creating considerable legal uncertainty and posing major challenges for companies. Parties bound by professional secrecy must proceed with particular caution in this context, as they are also bound by a duty of confidentiality that is punishable by law. Our experts can help you meet data protection and criminal law requirements and overcome the challenges they present.