Germany: DIGA digital health applications can’t use Standard Contractual Clauses

in German:
According to the external legal blog post below, DIGA does not allow for standard contractual clauses for transfer of data in countries without an EU adequacy decision. (Note: Not all health apps fall under DIGA).
– This leads to an impact to apps, if US Privacy Shield would not survive Schrems II in mid-July 2020 – in the context of US 3rd parties used (e.g. Google Firebase, etc).

Five Safes Framework

The Five Safes is a framework for helping make decisions about making effective use of data which is confidential or sensitive. – The Five Safes proposes that data management decisions be considered as solving problems in five ‘dimensions’:

  • projects (Is this use of the data appropriate?),
  • people (Can the users be trusted to use it in an appropriate manner?),
  • settings (Does the access facility limit unauthorised use?),
  • data (Is there a disclosure risk in the data itself?) and
  • outputs (Are the statistical results non-disclosive?).

The combination of the controls leads to ‘safe use’.

See also

Germany BfDI: Position paper on Anonymization (with focus on telecoms)

My high-level reading (I’m not a lawyer..):

  • Anonymization is viewed as a processing activity and requires a legal basis. (The paper argues different approaches).
  • Transparency obligations must be met.
  • Anonymization can be used as an alternative to deletion.