Cross-border health data

In the modern age we live in, health data flows in different ways. The increase in such flows raises challenges and concerns as regards the protection of personal data.

In a medical context data is shared among medical professionals in order to provide a patient with medical treatment. As you saw in Anna’s case, her data was shared between her GP and gynaecologists in the Netherlands and Germany. In Week 1 you learned that this data can be shared in this context considering that all parties are bound by professional secrecy (Article 14 GDPR). Furthermore, considering that in Anna’s case all parties are located within the European Union (EU), they all have to comply with the provisions of the GDPR, meaning that they need to ensure security of the data and keep records of categories of recipients when sharing data. When this data is shared, the receiver becomes the controller of the data, with all the obligations and responsibilities that come with it.

Third countries

If Anna were to seek medical attention outside the EU, for example if she would have found a specialist in the United States of America instead of Germany and her medical file would have been sent by her gynaecologist to his colleague in the USA, the provisions of Chapter V of the GDPR would apply. The aim of the GDPR is to offer a similar level of protection for EU citizens regardless of whether the data is being processed inside or outside the EU. It therefore applies to processing of data subjects who are in the EU by a controller or processor not established in the EU. This means that parties established outside the EU who offer goods or services to data subjects in the EU also need to comply with the GDPR (Article 3 (2, a)).

Outside medical context

This is however not the only way in which data can be transferred abroad. Health data can also be transferred abroad outside the medical context. For example in a research context, which will be discussed later this week, but also by using modern technologies. Technology transformed both the economy and social life. People increasingly make personal information available publicly and globally by using apps and online services. Due to the very nature of modern technologies, data is not necessarily bound by country or EU borders. Data can be located, stored and processed anywhere in the world by parties who offer goods and services to data subjects in the EU, such as app companies, online services and social media. Also in this regard, the GDPR aims to ensure a high level of the protection.

This means that, regardless of the context in which health data is being processed, the GDPR applies to the processing of data subjects who are in the EU. The GDPR determines that transfer of data which are being processed or which are intended to be processed after transfer to a third country (meaning, outside the EU) can only take place if the conditions mentioned in Chapter V are complied with by the controller or processor (Article 44). In order to ensure a similar level of protection, transfer to third countries can take place in several ways:

1. Based on an adequacy decision by the European Commission who decides whether a third country ensures an adequate level of protection (Article 45);

2. If there is no adequacy decision, based on the condition that appropriate safeguards are provided and enforceable data subject rights and effective legal remedies are available (Article 46);

3. If there is no adequacy decision and there are no safeguards put in place, based on one of the conditions mentioned in Article 49, including explicit consent to the proposed transfer by the data subject.

This means that processing of Anna’s health data, regardless of the context in which it is being processed and by whom it is being processed needs to take into full account her interests and fundamental rights. This sounds ideal, however, you may imagine that it is difficult for EU citizens to exercise their rights if processing of their data takes place outside the EU.