Germany: DIGA digital health applications can’t use Standard Contractual Clauses

According to the external legal blog post below (in German), DIGA does not allow standard contractual clauses for the transfer of data to countries without an EU adequacy decision. (Note: not all health apps fall under DIGA.)
This would affect apps that use US third parties (e.g. Google Firebase) if the US Privacy Shield does not survive Schrems II in mid-July 2020.

https://www.reuschlaw.de/news/risiko-fuer-betreiber-von-gesundheits-apps-datenuebermittlung-in-die-usa-wegen-eugh-urteil-bald-unzul/

Five Safes Framework

http://www.fivesafes.org/

The Five Safes is a framework for helping make decisions about making effective use of data which is confidential or sensitive. The Five Safes proposes that data management decisions be considered as solving problems in five ‘dimensions’:

  • projects (Is this use of the data appropriate?),
  • people (Can the users be trusted to use it in an appropriate manner?),
  • settings (Does the access facility limit unauthorised use?),
  • data (Is there a disclosure risk in the data itself?) and
  • outputs (Are the statistical results non-disclosive?).

The combination of the controls leads to ‘safe use’.

See also https://en.wikipedia.org/wiki/Five_safes

Germany BfDI: Position paper on Anonymization (with focus on telecoms)

https://www.bfdi.bund.de/DE/Infothek/Transparenz/Konsultationsverfahren/01_Konsulation-Anonymisierung-TK/Positionspapier-Anonymisierung-DSGVO-TKG.html?nn=5216976

My high-level reading (I’m not a lawyer):

  • Anonymization is viewed as a processing activity and requires a legal basis. (The paper argues different approaches.)
  • Transparency obligations must be met.
  • Anonymization can be used as an alternative to deletion.