Germany’s DiGA - Secure data in the cloud?

As of last July, developers of digital health apps (DiGA) in Germany could no longer host sensitive personal data on American cloud servers. Dr Philipp Kircher from the Health Innovation Hub reveals what startups and cloud providers may think.
By Anna Engberg
11:41 am

A recent document released by the German Federal Institute for Drugs and Medical Devices (BfArM) has revealed that, despite the invalidation of the Privacy Shield, there are exemptions in place in Germany that allow data from digital health applications, so-called DiGAs, to be stored in European clouds and, under specific conditions, in clouds operated by European subsidiaries of US providers.

MobiHealthNews has looked into what it means for DiGA developers and startups – and how this affects the cloud providers’ business.

WHAT HAPPENED

In July 2020 the Court of Justice of the European Union (ECJ) declared the EU-US Privacy Shield invalid, meaning that European companies could no longer rely on it as the legal basis for transferring personal data to US cloud providers. The Privacy Shield had previously provided that legal basis, and had thus allowed such data storage and processing. The ruling left standard contractual clauses in place, but only where supplementary safeguards ensure a level of protection equivalent to that under EU law in the destination country, which is why the contractual route discussed below matters.

Consequently, German and European DiGA developers have been prohibited from storing the sensitive health data of their applications with a foreign cloud service, unless the required level of data protection is guaranteed by an adequacy decision under Article 45 GDPR (DSGVO).

In order to get their apps approved and listed in the DiGA directory, so that they can be prescribed and reimbursed within the German healthcare system, DiGA developers have had to turn away from the common US cloud services such as Microsoft Azure, Amazon Web Services (AWS) and Google Cloud Platform since last July and find alternative local providers.

The most recent BfArM document outlines what this means for startups and DiGA developers and elaborates on how, with the Privacy Shield no longer in force, the specific conditions can be met by European subsidiaries of providers from the US and other 'third countries'.

WHAT’S THE IMPACT

“DiGA developers who want to continue processing their data at a subsidiary of a parent company from the US or another country for which there is also no adequacy decision must now make efforts and concrete contractual adjustments with this provider. In doing so, they must exclude the transfer of data as readable personal data to this third country”, clarified Dr Philipp Kircher, Director Data Protection & Medical Law at the Health Innovation Hub (hih), the German Federal Ministry of Health's (BMG) in-house think-tank on digitalisation.

He further outlined: “This goes so far that, in extreme cases, subsidiaries must take legal action against the parent company, and even if they are defeated, they may only hand over the data if there is a corresponding agreement between the EU and the US - which is currently not the case.” The legal expert stressed that subsidiaries must therefore commit to giving European data protection law priority over American data protection law.

To the expert's knowledge, no DiGA developer is likely to still host data in a US-based cloud, because this has not been permissible for DiGAs since the ECJ ruling.

As he pointed out, some startups still use US cloud services via the providers' subsidiaries in Europe. Depending on whether they need only data storage or additional services and support, DiGA developers choose different cloud providers for their applications. Among these, AWS and Microsoft have been very popular so far.

Kircher declared that after the immediately effective July 2020 ruling, it took some time for the BfArM to reposition itself and confirm the current path as viable: “Everyone had to consider how to deal with this in the meantime - and some actually switched to German or EU providers shortly before their application was submitted.”

THEIR TAKE

For cloud providers, the impact varies: “For European cloud providers, this is an incentive. They get a good opportunity to establish themselves as trustworthy providers in Europe and to provide suitable offers for DiGA”, Kircher stated.

For the subsidiaries of providers from the US and other third countries without an adequacy decision, on the other hand, it means checking very carefully whether they can actually meet the requirements set by the BfArM: “It may well lead to problems in existing company structures if processes and contracts have to be worked out and implemented for DiGA developers, especially in view of the fact that the DiGA market is still quite small and only accounts for a small part of turnover”, Kircher continued.

Nevertheless, these companies might benefit from positioning themselves in terms of trustworthiness and protection against access from the US.

ON THE RECORD

In order to learn the US-cloud providers' views, MobiHealthNews reached out to Microsoft, but the company declined to comment.

For AWS, Dr Rowland Illing, Director & CMO, International Public Sector Health, commented that AWS fully complies with all applicable laws in every country in which it operates. He also pointed to strengthened contractual commitments that "go beyond what’s currently provided by other cloud providers to protect the personal data that customers entrust AWS to process.”

AWS pointed out that customers have complete control over where and how their data is stored, including tools for managing access rights and encryption keys.

Those strengthened contractual commitments apparently apply to all AWS customer data subject to GDPR, whether or not it is transferred outside the European Economic Area (EEA), and include, for example, disclosing only the minimum amount of data necessary. “We also commit that if, despite our challenges, we are ever compelled by a valid and binding legal request to disclose customer data, we will disclose only the minimum amount of customer data necessary to satisfy the request,” Illing told MobiHealthNews.

THE LARGER TREND

Legal data protection expert Kircher indicates that the industry should expect a successor agreement to the Privacy Shield. He expects, though, that such an agreement would again be overturned by the ECJ within a few years if no substantial changes are made to US data protection law.
