When analyzing the EU Data Protection environment, the most important act to be considered is the GDPR (the acronym for General Data Protection Regulation). This new legal instrument aims at harmonizing a great amount of rules regarding privacy and security of EU citizens’ data, which were previously (under the old Directive 95/46/EC) fragmented. Together with the GDPR, other sources and official bodies (such as the Art. 29 Working Party and ENISA) must be monitored, since they contribute to implementing the most recent and important guidelines on these matters.
According to the GDPR, Health Data are "all data pertaining to the health status of a data subject” (see recital 35 and art. 4(15) GDPR). As such, they can be considered a sub-category of Personal Data. The definition provided by the GDPR is further broadened by the Art. 29 Working Party, the EU body with advisory status on data protection matters, which makes it possible to identify the situations in which personal data can be considered Health Data.
Examples of Health data can be heart rate (ECG), weight tracking, blood pressure, healthcare payments, step counts, heartbeat tracking, diseases and many others.
Although the definition provided by GDPR may seem clear, there are still some “grey areas”, where data are difficult to categorize. It is fundamental to understand what type of data you are collecting: you can assess that by downloading our Decision Tree, a 5 min. test where you will be able to understand from a legal point of view the different legal challenges depending on the type of data you collect.
To start with privacy law compliance, it is fundamental to understand the service delivery chain and to identify which subject is responsible for the processing of data in your case.
GDPR and EU data protection laws identify different figures in the liability chain:
Data Subjects: the service users to whom the data belong.
Data Controllers: the entity responsible for data collection and management. If you are delivering your services directly to consumers (e.g. a fitness/disease tracking app), then you are the Data Controller. If you are delivering your service to a hospital, and the hospital then delivers your services to its users, then you are not (usually) nominated as Data Controller. Note that Controllers have to satisfy the organizational requirements that are listed later on.
Data Processors: entities that help you deliver a service. Chino.io, for example, is a Data Processor since it provides a set of services to you. If you are delivering your service to a hospital, and the hospital then delivers your services to its users, then you are usually nominated as Data Processor.
Assigning roles is the first step towards identifying the requirements you must satisfy and implement within your system.
A typical cloud application has different components on the backend side that are responsible for the user, data and application logic management. The list of technical safeguards affects mainly the API, user and health data. They include:
Encryption of data in transfer
Encryption of data at rest (Storage)
Secure audit log
Reliability (QoS and SLA)
Their main aim is to ensure that the developers’ data processing is legal and that their service is properly regulated. These measures must be analyzed case by case with lawyers in order to discover the implications related to your specific data processing. With Chino.io documentation this is much easier. They include:
Providing you with security risk assessments
Helping you document your data processing
Helping you with Data Portability
Helping you with the Right to be Forgotten
Implementing technical requirements is complex, expensive, risky in case of errors, and time consuming. Chino.io implements all safeguards and offers developers a set of APIs that can be easily integrated within apps or servers to store sensitive data securely.
Organizational requirements must be analysed case by case to discover the implications related to your specific data processing. Chino.io makes it easier, for example, to clarify to Data Protection Authorities and to your customers how you process and store collected data. However, you may need to involve lawyers and experts to complete the overall analysis.
The reference website for updates about Data Protection in the EU is: http://ec.europa.eu/justice/data-protection/
The reference website for updates about Cyber Security strategy in the EU is: https://ec.europa.eu/digital-agenda/en/cybersecurity
Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation) (Text with EEA relevance)
Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 (the Data Protection Directive) harmonises national laws which require high-quality data management practices on the part of the “data controllers” and guarantee a series of rights for individuals. It provides a generic description of the categories of data and of the general data protection principles. It doesn’t mention security safeguards, and since it was defined many years ago it does not mention topics such as Cloud. It will be improved by the forthcoming GDPR.
Regulation 45/2001 on the protection of individuals with regard to the processing of personal data by the Community institutions and bodies and on the free movement of such data of 18 December 2000. It regulates the processing of individuals' personal data when the processing is taking place by Community institutions and bodies.
Directive 2009/136/EC of the European Parliament and of the Council of 25 November 2009 amending Directive 2002/22/EC on universal service and users’ rights relating to electronic communications networks and services.
Directive 2002/58/EC of the European Parliament and of the Council of 12 July 2002 concerning the processing of personal data and the protection of privacy in the electronic communications sector (Directive on privacy and electronic communications).
Council Framework Decision 2008/977/JHA of 27 November 2008 on the protection of personal data processed in the framework of police and judicial cooperation in criminal matters.
Agreement on the first EU-wide legislation on cybersecurity of the European Parliament, the Council and the Commission. (12/2015).
EDPS Opinion 01/2015 on Mobile Health - Reconciling technological innovation with data protection. (5/2015)
EU Commission Green Paper on mHealth (4/2014)
EU Art. 29 Working Party letter on the scope of the definition of health data in connection with lifestyle and wellbeing apps (criteria to determine when personal data qualifies as “health data").
Art. 29 Working Party Opinion 06/2014 on the notion of legitimate interests of the data controller under Article 7 of Directive 95/46/EC
Art. 29 Working Party Opinion 3/2013 on purpose limitation, Adopted on 2 April 2013, wp 203. (2013)
Art. 29 Working Party Working Document 01/2012 on epSOS, Adopted on 25 January 2012, wp 189. (2012)
Art. 29 Working Party Opinion 15/2011 on the definition of consent, Adopted on 13 July 2011, wp 187. (2011)
The Art. 29 Working Party - Future of Privacy: joint contribution to the Consultation of the European Commission on the legal framework for the fundamental right to protection of personal data, wp 168. (2009)
Art. 29 Working Party Working Document on the processing of personal data relating to health in Electronic Health Records (EHR), Adopted on 15 February 2007, wp 131. (2007)
The question "if and how single Member State privacy laws differ from EU Directives and among each other" is very difficult to answer.
Although EU Regulations (e.g. the GDPR) are directly enforceable within Member States, national laws can impose further and stricter requirements than those listed in supra-national laws. For this reason it is important to always analyse the national laws of the state where you are delivering your service.
At Chino.io we constantly monitor the changes and evolutions, especially where they relate to our business. For example, we ensure that our security measures, internal practices and procedures for managing health data ensure compliance within each Member State.
It is important to point out that at EU level privacy laws do not define all security requirements in detail. Usually laws and directives state general principles, such as that health and sensitive data must be encrypted, or that best security standards must be implemented. Those security standards are usually defined by specific bodies such as ENISA.
Another aspect to keep in mind is the national-level certifications or specific requirements that a public body (e.g. a hospital) can impose on you.
While national-level certifications are present only in France (and represent a huge obstacle for startups and innovation), specific requirements at hospital level must be considered case by case. For example, hospitals frequently ask to deploy services within their own server farm, or to implement old-fashioned security strategies like VPNs.
At Chino.io we aim at helping companies solve these challenges. Whenever you have a question, do not hesitate to contact us at firstname.lastname@example.org
Some useful resources:
Overview of the national laws on electronic health records in the EU Member States (2014)
Legal framework of Interoperable eHealth in Europe (2009) analyses legal and regulatory frameworks for electronic health delivery and services in each Member State.
EU Commission Justice Studies on Data Protection including single country reports.
EU Commission Comparative Study of different approaches to new privacy challenges in particular in the light of technological developments (2010)
ENISA: Security and Resilience in eHealth Infrastructures and Services investigates the approaches and measures to protect critical healthcare systems.
Handbook on European data protection law by the European Union Agency for Fundamental Rights (FRA) and the Council of Europe together with the Registry of the European Court of Human Rights.