Can you use AWS/Azure/Google Cloud in digital health in the EU in 2023?
After the invalidation of the previous adequacy decision on the EU-US Privacy Shield, the US is still considered TODAY a Third country without an Adequacy Decision according to GDPR.
As most companies in digital health are aware, using 3rd country cloud service providers (such as US cloud service providers) is a choice with many consequences in this space.
This is because clients (hospitals, clinics, HCPs, and others) perceive these service providers as “high risk”, given the complex legal scenario we have been living through over the last few years.
Want to know if you can use a US service provider today or in the next months? Well, you are in the right place!
Today, there is no Adequacy Decision in place to ease the usage of a US cloud service provider.
TLDR: Using US cloud providers in this space still carries risks and prompts several questions from potential clients. It is still doable, and it may become easier over the next months if the European Commission moves forward with the draft of the Adequacy Decision.
Where did it all start? The Privacy Shield
The Privacy Shield was a framework between the EU & Switzerland, and the US for cross-border data transfers. In a nutshell, it was the basis for the EU-US Adequacy Decision (a decision provided by the European Commission which recognised that the US guaranteed an adequate level of protection and safeguards for EU citizens' personal data), and it enabled companies that needed to comply with the GDPR to transfer data to US-based cloud service providers lawfully.
In July 2020, the ECJ (European Court of Justice) struck down the Adequacy Decision after the Schrems II case, on the basis that the US has certain laws (like the Cloud Act and Patriot Act) that empower the NSA and CIA to potentially access the data of American and European citizens alike without court orders, contrary to the governing principles of data protection in the EU.
As a result of that decision, the EU-U.S. Privacy Shield Framework is no longer a valid mechanism to comply with EU data protection requirements when transferring personal data from the European Union to the United States.
What has happened since then?
➡️ In general, using your US-based Cloud Service Providers of choice became much harder. The legal assessment made by the European Court of Justice clearly stated that European entities are able to transfer personal data to the US only on the basis of the SCCs provided by the European Commission and the implementation of additional security measures and data protection safeguards. In short, companies are required to implement legal (Standard Contractual Clauses), technical, and organisational measures (Transfer Impact Assessments) to be able to lawfully transfer data to the US and reduce the risk of such transfers.
Data transfers are a topic of concern even when relying on US-Based cloud providers that have implemented EU data centers, EU Data residency, and/or separate EU entities, since there is always the possibility of sharing and transferring data to the US parent company.
How did Data Protection Authorities react to the Privacy Shield being revoked?
➡️ Many European Data Protection Authorities ruled that the usage of Google Analytics breached the GDPR. Check our blog article on Google Analytics and the Austrian DPA.
The main points that led to that decision were:
1) Data transfer to a US company without users’ consent.
2) No appropriate safeguards implemented.
3) The possibility of matching data from GA with other Google Services because of the weak pseudonymisation implemented.
➡️ For companies looking to get their digital health apps reimbursed in Germany, US cloud providers became a huge problem. BfArM, the entity responsible for approving the DiGAs for reimbursement, declared US Cloud Providers not suitable for the processing of personal health data.
What is happening now?
After the invalidation of the previous adequacy decision on the EU-US Privacy Shield, the US is still considered TODAY a Third Country without an Adequacy Decision according to GDPR.
However, recently the European Commission and the US Government entered into discussions on a new framework (draft of an adequacy decision on the new EU-U.S. Data Privacy Framework) that addressed the privacy and data protection issues raised by the EU Court.
If the adequacy decision is adopted, European entities will be able to transfer personal data to companies in the US (participating in the Framework), without using SCCs and without having to put in place additional data protection safeguards.
So, can you use a US cloud provider now?
So far, nothing has changed in terms of risk. This means: yes, you can use a US cloud service provider, but you have to put in place the proper organisational and technical safeguards and the SCCs to do it.
Unfortunately, at the moment, we don’t know what is going to happen. For the time being, the European Commission has to give an answer to the draft of the adequacy decision.
How to deal with it?
To conclude, there is a possibility of an Adequacy Decision within the immediate future. If, in the meantime, you want to rely on a US service provider, you’ll have plenty of homework to do.
We have summarised the main concepts that may help you understand if and when to act:
1️⃣ Does the existence of a Draft Adequacy Decision mean that US Cloud Providers and EU Cloud Providers are perceived the same way under the GDPR?
No, not until the Adequacy Decision is officially adopted by the European Commission.
2️⃣ When is the earliest time that we could expect the adequacy decision to come into effect?
The decision could be adopted as early as March 2023, although it is more likely in 2024.
3️⃣ Can the adequacy decision be invalidated once approved?
Yes, as already happened with the Privacy Shield. Should this happen, companies will have to return to using SCCs and additional security measures, like today.
4️⃣ If the adequacy decision is implemented, does it mean we can consider ourselves compliant if we use AWS/Azure/Google Cloud?
No. Remember that just because your cloud provider is compliant, it doesn't mean that your product (or company!) is GDPR compliant. Even with GDPR-compliant providers, you need to implement all the required GDPR measures yourself (not only in your backend but at application level and at company level too) to assure your clients that you are GDPR compliant - even if you use EU cloud providers!
How Chino.io can help you
We are the one-stop shop for solving all digital privacy and security compliance aspects.
Successful compliance strategies evolve with you: for this reason, we have kickstart programs for startups developing their digital product. As a partner of our clients, we combine regulatory and technical expertise with a modular IT platform that allows digital applications to eliminate compliance risks and save costs and time.
Chino.io makes compliant-by-design happen faster, combining legal know-how and data security technology for innovators.
To learn more, contact us and book a free 30-minute call with our experts.