Page 211 - ITU KALEIDOSCOPE, ATLANTA 2019
THE GDPR TRANSFER REGIME AND MODERN TECHNOLOGIES
Melania Tudorica; Trix Mulder
Rijksuniversiteit Groningen, the Netherlands
ABSTRACT

Health data comes within a person’s most intimate sphere [1]. It is therefore considered to be sensitive data due to the great impact it could have on a person’s life if this data were freely available. Unauthorized disclosure may lead to various forms of discrimination and violation of fundamental rights. Rapid modern technological developments bring enormous benefits to society. However, with this digitization, large amounts of health data are generated. This makes our health data vulnerable, especially when transferred across borders. The new EU General Data Protection Regulation (GDPR) legal framework provides for rights for users of modern technologies (data subjects) and obligations for companies (controllers and processors) with regard to the processing of personal data. Chapter V of the GDPR protects personal data that are transferred to third countries, outside the EU. The term ‘transfer’ itself, however, is not defined by the GDPR. This paper examines whether transfer within the meaning of the GDPR applies to health data processed by modern technologies and if the complexity of the GDPR legal framework as such sufficiently reflects reality and protects health data that moves across borders, in particular to jurisdictions outside the EU.

Keywords – Data protection, health data, transfer, transit

1. INTRODUCTION

In our rapidly evolving digital world, people use various modern technologies to track and measure their health and fitness. Modern technologies such as mobile applications and wearables (including watches, bracelets and smart fashion) are used to get into shape, keep fit, lose weight, reduce stress, manage mental health disorders, test and diagnose for specific diseases such as malaria, help with family planning and ovulation tracking, etc. The technologies enable people to monitor their own health and fitness by entering personal health data and using (pressure) sensing technologies which measure vital signs (such as heartrate) and track progress (such as counting steps) [2]. New health technologies are a key area of 21st century knowledge societies and economies, offering potential for growth and economic development [3]. It is one of the largest growing global markets. According to a recent article, there are more than 300 000 health related mobile device applications [4]. While the use of these technologies may bring benefits to society as they reduce the burden on doctors and empower people by putting them in control of their own health, in particular in low income and difficult to reach areas, the downside is that these technologies generate massive amounts of health data. Considering that health data comes within a person’s most intimate sphere, it could have a great impact on a person’s life if this data was freely available. Risks include discrimination and violation of fundamental rights.

There have been many reports over the past couple of years or so of data breaches and companies (routinely) sharing data. The 2018 Strava and Polar incidents immediately come to mind, but also Ovia (a pregnancy tracking app) sharing intimate information with employers and insurers [6], Facebook having access to sensitive information [7] and many more examples of health data being compromised by the use of modern technologies [8]. Our health data is particularly vulnerable if it is processed outside the protected sphere of a medical environment where health data is processed by professionals who are under the obligation of medical confidentiality. The health data that is processed by these modern technologies is, most of the time, processed by commercial companies who are generally unclear about their processing activities and with whom they share the collected data [9].

Legally a lot can be said about modern technologies, their use, privacy risks, infringements of rights, etc. This paper focusses specifically on transfer and modern technologies. Inherent to the nature of these technologies is that data is not bound by borders. Users of modern technologies may be located anywhere in the world and data may move across the globe while being processed by companies established anywhere in the world. One of the main challenges of the borderless nature of data processing is that it is difficult to track the data and as a consequence difficult to determine jurisdiction, which may lead to difficulties in data subjects exercising rights in cases of infringements.

Within the European Union (EU) data is protected by the General Data Protection Regulation (GDPR) [10]. The GDPR protects data, among other things, when it is transferred across borders. This research aims to answer how the GDPR transfer regime applies to data processing by modern technologies, if at all, and whether the GDPR legal framework as such offers sufficient protection. When using modern technologies, the data is collected by a device (such as a smartphone or wearable) by using applications developed by commercial companies. The applications
978-92-61-28401-5/CFP1968P-ART @ ITU 2019 – 191 – Kaleidoscope