14 February 2022
The latest GDPR Brief, written by Mikel Recuero Linares, addresses recent developments by the EDPB and implications for genomic and health data sharing.
Seasoned readers of the GA4GH GDPR Brief will note that the GA4GH GDPR and International Health Data Sharing Forum has addressed the topic of international data transfers on numerous occasions. However, the concept of ‘international data transfer’ itself has not yet been examined. The reason for this is that neither the GDPR, nor case law, nor European authorities have so far provided a robust definition of this term.
As an attempt to shed some light on this issue, the European Data Protection Board (EDPB) adopted its ‘Guidelines 05/2021 on the interplay between the application of Article 3 and the provisions on international transfers as per Chapter V of the GDPR’ and opened a public consultation period, which ended on January 31st, 2022.
What constitutes an ‘international data transfer’?
According to the EDPB, an international data transfer will exist when the following three criteria are cumulatively met:
What are the implications for genomic and health data sharing?
Firstly, although an organisation from a third country may already be subject to the GDPR, one or more transfer tools will nonetheless be required in order to export the data to this controller or processor.
For example, consider the case of a US-based organisation importing clinical personal data from a Spanish hospital to develop and test health data management software to be commercialised in the EU. The US entity would already be subject to the GDPR by offering its services and products to data subjects in the Union but, in addition, it would have to rely on a data transfer mechanism. Certainly, at this stage, it may not rely on the Standard Contractual Clauses (SCCs) adopted by the Commission, as this is expressly precluded by Recital 7 thereof in those cases where the importer is already subject to the GDPR based on Article 3.
Secondly, since ‘transfer’ is defined as the ‘disclosure of data by transmission or otherwise making it available’, the scenarios in which the rules on international transfers would apply, even if the data remains in the EU, are significantly extended. The expression ‘otherwise making data available’ is not further described but only alluded to, and a reference is made to previous EDPB Guidelines. This is critical for genomic and health data sharing, e.g. for burgeoning federated infrastructures, platforms or databases.
Consider a European federated platform that allows Canadian researchers to search and discover European data sets stored on European servers. Although the data may never ‘leave’ the EU, would the fact that these data can be displayed or remotely processed (even inside the EU) by the Canadian researchers fall within the concept of ‘otherwise making it available’? The EDPB fails to clarify this point and, if anything, such an omission would entail the risk of equating or confusing the terms ‘processing’ and ‘transfer’. Therefore, it does not seem to be the intention of the European legislator to restrict any data processing operation carried out by controllers or processors in a third country, but only those that may undermine the level of protection of natural persons guaranteed both by the GDPR and Union law.
Lastly, as mentioned, direct disclosure of data at the initiative of the data subject does not constitute an international transfer, e.g. directly entering data in an online form. The GDPR may still apply but without the transfer tools being necessary. Hence, data and rights could be treated differently depending on who is transferring such data outside the EU boundaries. If the data are transferred directly by the data subject, this may result in a different degree of protection and of rights enforcement, since the implementation of Chapter V tools and other safeguards will no longer be required.
Relevant GDPR provisions
Mikel Recuero is legal counsel and researcher at the Chair in Law and the Human Genome of the University of the Basque Country.
Please note that GDPR Briefs neither constitute nor should be relied upon as legal advice. Briefs represent a consensus position among Forum Members regarding the current understanding of the GDPR and its implications for genomic and health-related research. As such, they are no substitute for legal advice from a licensed practitioner in your jurisdiction.