Germany bans US cloud providers for digital health apps

German doctors can now prescribe digital health apps thanks to DVG. However, apps using US cloud providers won’t be approved. Read on to learn more.

DVG, the German Digital Care Act (Digitale-Versorgung-Gesetz), allows doctors to prescribe digital health apps that are reimbursed by statutory health insurance. This opens up a potential market of around 73 million statutorily insured patients, with guaranteed payment for each prescription. There is a catch, however: you can no longer use US cloud providers for your app. Here, we explore the issue in more depth.

Ban on US cloud providers

Under German law, health data processed by digital health apps (DiGAs) may not be transferred outside the EU/EEA. The only exception is a destination country for which the EU Commission has issued a so-called Adequacy Decision. But in July 2020, the ECJ struck down the EU-US Privacy Shield in its Schrems II judgement (Case C-311/18). This means there is now no Adequacy Decision covering the US. The upshot is that BfArM (the Federal Institute for Drugs and Medical Devices) will not approve apps that store health data on a cloud service owned by a US company. This applies even to US companies with EU subsidiaries and EU-located servers, because US law can still reach data held by those subsidiaries. So, no more AWS, Azure, Google Cloud Platform, or DigitalOcean! Instead, you must find a provider that is owned and operated in Europe.

The impact on DiGA developers

Clearly, this decision has a major impact on anyone developing a DiGA. The DVG Fast Track procedure sets strict requirements for security, data protection and other criteria. All DiGAs must be approved by BfArM before they can be listed in the DiGA directory and prescribed. An app that relies on a US provider simply will not get through that approval.

The chances are that you rely on at least one US-based provider, even if you only use their EU regions. If so, you need to redesign your architecture so that all health data is stored and processed in the EU on infrastructure run by an EU-owned provider, and you should audit the full data flow (backups, logging, analytics and third-party SDKs included), not just the primary database.

Digital health apps (DiGA, short for Digitale Gesundheitsanwendung) are governed by the DiGAV (Digitale-Gesundheitsanwendungen-Verordnung), the ordinance that implements the DVG. Under section 4 (3) of the DiGAV, health data may only be processed in a non-EU/EEA country if an Adequacy Decision is in place. Other GDPR transfer mechanisms, such as Standard Contractual Clauses or the Article 49 derogations, are not accepted because of the sensitivity of health data. This means there is currently no way for a DiGA to be approved if it uses a US provider. BfArM spells this out in its Manual for Fast Track Applicants (see section 3.3.3).

The wider implications

During a recent International DiGA Summit, the German Health Innovation Hub made a key point relating to Standard Contractual Clauses.

SCCs can only be relied on if the third country offers a level of data protection essentially equivalent to that in the EU. Clearly, you can argue that the ECJ judgement shows the US does not offer such a level of protection. There is also a real debate to be had over whether a German ordinance can restrict a transfer mechanism that EU law (the GDPR) itself permits. Looking ahead, there are three ways things may evolve:

  1. The EU and US reach an understanding and create a successor to Privacy Shield. This is possible, but it is unlikely to happen quickly.
  2. The German interpretation of the GDPR gains wider acceptance. More EU countries may then decide that health data cannot be stored on US-owned infrastructure.
  3. A challenge is launched against the legality of the relevant section of the DiGAV. Even if this happens, it will not be a quick process: the case would have to work its way through the German courts, and a referral to the ECJ would add further time.

In all cases, the fact remains that, for now, the only way to get BfArM approval is by removing US providers from your app architecture.

How Chino helps

Chino.io offers a complete compliance solution for digital health companies. If this issue affects your plans, we can help you in two ways. Firstly, we offer detailed legal and technical consultancy to find solutions to the compliance problems you face. Secondly, we offer an EU-based cloud platform that meets the GDPR requirements for storing health data. Click below to book a call and find out how we can help you.