In Europe, and in Italy in particular, it is common practice for companies to supply and distribute medical apparatus (echography machines, CAT scanners, and so on) to hospitals and other organisations, often together with future maintenance and technical assistance. The question, however, is what the implications are when the data these devices handle is transferred from one country to another: such checks, together with the personal data involved, usually pass through servers in non-European countries, especially in the USA.
In this context, it should be noted that the data being processed is of a special category, since it concerns the state of health: there are precise confidentiality obligations attached to such information, and the patients concerned have reasonable expectations of confidentiality and of limited future use.[1]
The transfer of personal data (of all types, not only health data) from European States to non-European States (the so-called "third countries") is, as a rule, forbidden, unless the State receiving the data ensures an adequate level of protection.[2]
The new General Data Protection Regulation 2016/679 retains the approach of the old Directive with some changes: only once the European Commission has assessed the level of protection of personal data in the State in question as adequate may the transfer of personal data take place.[3] In the absence of such an assessment, the transfer is lawful only where adequate guarantees are in place, for example data protection clauses, contractual clauses, or established structures that make the processing transparent to data subjects and the public; or in the particular cases listed in Articles 42 and 45 of the Regulation.
The European Commission has also adopted a series of sets of "model clauses" for use in the contract governing the transfer, through which the data exporter ensures that the data will be processed by the importer in the third country in accordance with the principles laid down in the Directive (and now the Regulation).[4]
Another very useful tool for lawfully transferring data to third countries is the Binding Corporate Rules (BCR): a set of clauses laying down binding principles that are adopted and observed by all companies within the same corporate group. In this case the clauses incorporate the fundamental principles governing the protection of personal data, such as fairness and lawfulness of the processing, purpose limitation, necessity and proportionality of the data, the obligation of the controller to provide information, and so on. The national Data Protection Authority, however, cannot take action against an adequacy decision of the European executive, as established by the European Court of Justice. In the recent Schrems judgement of 6 October 2015 (C-364/14): where the Commission has already declared transfers of data to a given third country legitimate, the national Data Protection Authority cannot itself adopt internal measures suspending or prohibiting data transfers to those third-country systems already deemed adequate by the Commission.[5]
We note that the Consumers, Health and Food Executive Agency (Chafea), commissioned by the European Commission to develop the projects of the Health Programme, has launched a project on e-Health and the cross-border movement of health data within the European Union. In its first phase, the project aims to examine all national rules on Electronic Health Records in the 28 Member States and in Norway, in order to identify legal barriers to the exchange of health data between the various European Union States. The second phase will consist of the publication of guidelines providing instructions for regulating the exchange of data in e-Health.
Finally, I would recall another study, "Overview of the national laws on electronic health records in the EU Member States and their interaction with the provision of cross-border eHealth services",[6] which analyses the interaction between the national laws of the Member States with reference to the future development of transnational e-Health services.
[1] What happens when this information is transferred to States that do not offer adequate guarantees of data protection, especially where it is put to uses different from those for which it was originally collected?
[2] Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data
Article 25. Principles «1. The Member States shall provide that the transfer to a third country of personal data which are undergoing processing or are intended for processing after transfer may take place only if, without prejudice to compliance with the national provisions adopted pursuant to the other provisions of this Directive, the third country in question ensures an adequate level of protection […]»
[3] Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation)
Article 41 Monitoring of approved codes of conduct «1. Without prejudice to the tasks and powers of the competent supervisory authority under Articles 57 and 58, the monitoring of compliance with a code of conduct pursuant to Article 40 may be carried out by a body which has an appropriate level of expertise in relation to the subject-matter of the code and is accredited for that purpose by the competent supervisory authority […]»
Article 44 General principle for transfers
«Any transfer of personal data which is undergoing processing or is intended for processing after transfer to a third country or to an international organisation shall take place only if, subject to the other provisions of this Regulation, the conditions laid down in this Chapter are complied with by the controller and processor. This would include onward transfers of personal data from the third country or an international organisation to another third country or to another international organisation. All provisions in this Chapter shall be applied in order to ensure that the level of protection of natural persons guaranteed by this Regulation is not undermined.»
[4] In particular, I refer to four decisions of the European Commission: no. 2001/497/EC of 5 June 2001; no. 2002/16/EC of 27 December 2001; no. 2004/915/EC of 27 December 2004; and no. 2010/87/EU of 5 February 2010.
[5] National Data Protection Authorities can, of course, receive complaints from citizens when a violation of personal data occurs; in that case the Authorities will have to institute legal proceedings (paras 63-65, C-364/14).
[6] European Commission, Overview of the national laws on electronic health records in the EU Member States and their interaction with the provision of the cross-border eHealth services, http://ec.europa./health/ehealth/project/nationallaws_electronichealthrecords_en.htm