Risk for health app operators: will data transfers to the US soon be prohibited under an ECJ judgment?
The Digital Care Act (DCA) (only in German), which was enacted at the end of last year, states that insured persons are entitled to benefits in the form of digital health applications, or DHAs. These special health apps are expected to revolutionize health care and are therefore to be made available to insured persons as quickly as possible. As a result, efforts to shape the legal framework necessary for doing so are going forward at full steam right now. Key milestones to date include enactment of the Digital Health Applications Ordinance by the Federal Ministry of Health (only in German) and publication of the Guidance on the Fast Track Procedure by the Federal Institute for Drugs and Medical Devices (only in German). But the rapid progress towards digital care may soon be stopped in its tracks by a judgment from the ECJ, posing considerable challenges for health app manufacturers.
The EU-US Privacy Shield may be overturned
The judgment in question is that of the European Court of Justice (ECJ) in Case No. C-311/18 (Facebook Ireland and Schrems – Schrems II), which is expected on 16 July 2020. In its decision, the ECJ is expected to address both the question of whether standard contractual clauses in accordance with Commission Decision 2010/87 conform to European law and the validity of the EU-US Privacy Shield (Commission Implementing Decision (EU) 2016/1250). The Privacy Shield program is based on an adequacy decision by the EU Commission in terms of Article 45 of the GDPR (and the legislation formerly in effect: Directive 95/46/EC, the Data Protection Directive) and, as such, allows data transfers to companies in the US as a "third country." Controllers may transfer data to US companies which are certified under the EU-US Privacy Shield without coming into conflict with the GDPR. However, the Privacy Shield has long been criticized, e.g. by the Article 29 Data Protection Working Party, on the grounds that the level of data protection it affords is too low. In particular, criticism expressed by the EU Advocate General in his Opinion in the Schrems II case has raised doubts as to the continued validity of the EU-US Privacy Shield. While the Advocate General's Opinion is not binding on the ECJ, it may certainly be viewed as an indication of how the ECJ will rule. It therefore seems at least possible that the ECJ will overturn the EU-US Privacy Shield.
Potential consequences for digital health care
If that happens, data transfers by manufacturers of digital health applications, a category which may include health apps, would be prohibited under § 4(3) of the Digital Health Applications Ordinance, which states that personal data in digital health applications may only (!) be transferred to third countries based on an adequacy decision. It does not provide for any way of carrying out the transfer on an alternative basis, unlike the other cases specified in the GDPR. In the departmental draft of the Digital Health Applications Ordinance (p. 59) (PDF / only in German), this restriction is justified by pointing out the standard assumption that the processed data requires special protection. This departure from the GDPR in the form of a restriction on mechanisms for data transfers to third countries is viewed by German lawmakers as likely permissible in accordance with Article 49(5) of the GDPR (cf. the explanatory memorandum to § 80(2) of Book X of the Social Code (SGB X), p. 115) (PDF / only in German). If this argument prevails and the Privacy Shield is overturned, health app manufacturers would have to arrange for the rapid and reliable supply of health apps without resorting to US providers (particularly IT service providers and hosting services with access to data). This would be an enormous challenge given that US providers offer advanced technologies, particularly in the field of app development, and also comprise a significant portion of the infrastructure.
Examine duty to comply with the DHA Ordinance
In light of the current situation, health app manufacturers should first examine whether they are required to comply with the requirements of the Digital Health Applications Ordinance. This will typically be the case for manufacturers which offer a digital health application for which they are seeking health insurance coverage.
In accordance with § 33a of Book V of the Social Code, "digital health applications" are medical devices in a low-risk class whose primary function is largely based on digital technologies and which are designed to facilitate the diagnosis, monitoring, treatment or alleviation of illnesses or the diagnosis, treatment, alleviation or compensation of injuries or handicaps in insured persons or in the course of care from a care provider.
If the health application in question meets these criteria, it will have to be included in the directory of digital health applications maintained by the Federal Institute for Drugs and Medical Devices (BfArM) in order to be eligible for health insurance coverage. In accordance with § 139e(2) of Book V of the Social Code, manufacturers seeking inclusion in the directory are required to file an application with BfArM and attach e.g. documentation of their adherence to data protection and data security requirements. Accordingly, non-compliance is no longer an option for DHA manufacturers.
Check whether data is transferred to US providers
Manufacturers which are required to comply with the requirements of the DHA Ordinance should check right away whether data is being transferred to the US. If that is the case, they should waste no time in searching for possible alternatives so that they can react to the invalidation of the EU-US Privacy Shield in a timely manner. Data protection and data security aspects should be taken into consideration in selecting possible alternative providers.
Perform a legal assessment
Our consulting practice has demonstrated that the other requirements of the Digital Health Applications Ordinance also pose a challenge for manufacturers. Accordingly, a comprehensive analysis of legal requirements should be performed in each case as part of the application process.
Update of 16 July 2020
In its decision today, the ECJ ruled that the EU-US Privacy Shield is invalid, so that digital health applications will not be able to transfer data to the US for the time being. It is therefore of urgent importance for manufacturers of digital health applications to examine their concepts and applications for possible data transfers to the US.