I am pleased to present here from time to time the major challenges of the digitalization of the European healthcare market. After my previous contributions on the special requirements for data collection, processing and retention in clinical studies on medicinal products and bio-banking, I would like to focus today on the particular challenges of outsourcing and data transfers.
The GDPR requires controllers to satisfy themselves that their appointed processors will keep personal data, and in particular highly sensitive health data, secure through pre-contractual due diligence, appropriate reviews and audits during the lifetime of the appointment. It also regulates the terms on which processors are appointed. The GDPR provides mandatory provisions to be included in contracts between controllers and processors, dealing with, amongst others:
- a detailed description of the processing to be carried out;
- assistance to the controller with performing various GDPR obligations;
- restrictions on subcontracting;
- information and audit provisions; and
- the return or deletion of data at the end of the arrangement.
Processors are also obliged to advise the controller if they think that instructions given to them will result in a breach of the GDPR or other EU or Member State data protection rules. This makes for lengthy, complex and onerous data security provisions, even in contracts where the processing of personal data is an incidental part of a wider service. And this applies in particular to data concerning health within the meaning of Art. 4(15) GDPR, i.e. personal data related to the physical or mental health of a natural person, including the provision of health care services, which reveal information about his or her health status.
Furthermore, while the GDPR requires processors to accept onerous data security terms, the details of those terms will still need to be negotiated, for example regarding the cost of compliance, and processors may also seek additional contractual protection from their controller-customers.
Any transfer of personal data, in particular highly sensitive personal data concerning health, which are undergoing processing or are intended for processing after transfer to a third country or an international organisation shall take place only if, subject to the other provisions of the GDPR, specific mandatory requirements are complied with by the controller and the processor, including for onward transfers of personal data from the third country or an international organisation to another third country or another international organisation. In principle, personal data may be transferred based on an adequacy decision or subject to appropriate safeguards (for example appropriate binding corporate rules or standard contractual clauses).
Thus, while it is possible to transfer personal data to countries outside the EEA which ensure 'adequate' protection for personal data, the GDPR does not allow an exporting controller to reach its own view on the adequacy or otherwise of a country's data protection regime. Unless the relevant country is on the European Commission's list of approved countries, it will be assumed not to be adequate.
It will be difficult under the GDPR to justify transfers of personal data outside the EEA based on consent except in rather limited, one-off contexts where all the requirements for an explicit consent can be met. The GDPR provides for a legitimate interests condition allowing transfers to inadequate countries without consent, but it is so narrow, and subject to such difficult associated requirements (for example to notify data protection authorities on a transfer-by-transfer basis) that it is only likely to be relied upon in very rare circumstances.
If you are interested in data protection, you will certainly have followed the recent exciting developments in the Schrems II proceedings before the Court of Justice of the European Union (CJEU). Only two weeks ago, the CJEU invalidated the US Privacy Shield (as not ensuring adequate protection of personal data transferred from Europe to the US), and thereby gave a clear political statement in a data protection "trade war" between the EU and the US. By its recent decision, the CJEU made data exporters and recipients fully responsible for ensuring that data transfers to third countries comply with the law.
In the future, exporters and recipients will no longer be able to assume that they are acting in compliance with data protection law merely by using standard contractual clauses. Rather, the use of such standard clauses must be preceded by an examination of whether the required level of data protection is observed in the third country. This requires a thorough knowledge of the data protection standards applicable in the third country. However, unlike the recipient, who is itself resident in that country, the exporter can hardly be expected to have this knowledge.
Yet since, under European law, data protection violations on the part of the recipient are (also) attributable to the exporter, the exporter's liability risk is considerably increased. In principle, the CJEU has thus imposed on European exporters a task that actually lies with the European Commission, namely carrying out adequacy assessments for third countries.
You are welcome to also read my detailed sector-specific contributions on dataguidance.com.
Please note this blog post was written by a Clifford Chance LLP employee. Clifford Chance LLP is the parent company of Clifford Chance Applied Solutions (CCAS). The content within this post does not constitute legal advice.