Page 214 - ITU KALEIDOSCOPE, ATLANTA 2019

2019 ITU Kaleidoscope Academic Conference




wearables are more of a two-way street considering that they can also generate data, the basic concept and comparison to YouTube streaming is the same.

Processing health data in a way where data is collected by an app or wearable and sent to a (cloud) server for (further) processing still leaves the question whether sending the data can be seen as a transfer within the meaning of the GDPR and is as such protected, or whether the device functions merely as a tool for the companies to collect data, where sending the data can be seen as a mere transit of data [28]. The concept of ‘transfer’ will therefore be discussed in the next paragraph.

4. THE NOTION OF TRANSFER

The GDPR aims at offering a similar level of data protection, regardless of where in the world data of data subjects who are in the EU is being processed. Therefore, Chapter V of the GDPR includes provisions on transfers of personal data to third countries. This section provides rules in order to ensure data protection equivalent to the GDPR, meaning that data may only be transferred to third countries outside the EU if the conditions of the GDPR are met. In short, this means that there needs to be: 1) an adequacy decision (such as the EU-U.S. Privacy Shield) or 2) appropriate safeguards or 3) that the data subject has given explicit consent for data processing in the third country. With emerging modern technologies, where data may be processed anywhere in the world, it is of the utmost importance to protect the data, in particular health data. In order to establish whether sending data, from the app or wearable onto the (cloud) server of a company for the purpose of being processed by that company, can be seen as a transfer within the meaning of the GDPR, it is important to establish what transfer exactly is in order to determine whether or not it falls under Chapter V GDPR and consequently whether or not health data in this regard is sufficiently protected. In the literature, transfer is described as occurring as part of a networked series of processes made to deliver a business result [29].

The GDPR is, however, unclear about what transfer is and does not provide a definition. What is clear is that it is a process where data moves between different actors. According to the European Data Protection Supervisor (EDPS) in its position paper on transfer to third countries and international organizations by EU institutions and bodies, the lack of a definition leads to the assumption that the term needs to be used in its natural meaning. As such, transfer means that data ‘moves’ between different users. However, as the EDPS also concludes, this is not always straightforward. According to the Court of Justice of the European Union (CJEU) in the Lindqvist case, it is necessary to take account of both the technical nature of the operations carried out and of the purpose and structure of the provisions on transfer in EU legislation [30]. Taking into account the technical nature of processing operations, transfer as such entails, among other things, the automatic or intentional sending or accessing of information. Unfortunately, there is not a lot of case law in this regard to help further clarify the matter. If one of the factors determining what transfer is includes the technical nature by which it takes place, the question that arises is what technical circumstances can facilitate transfer. Council of Europe Convention 108 for the protection of individuals with regard to automatic processing of personal data [31] provides some insight in this regard.

Convention 108 includes a chapter on transborder data flows and determines that the provisions apply to the transfer across national borders by whatever medium [32]. It is aimed at the free flow of information, regardless of frontiers, taking into account the wide variety of factors determining the way in which data is transferred. These factors include: the mode of representation of the data, their storage medium, way of transport, interface, the circuit followed and the relations between the sender and recipient [33]. According to the explanatory memorandum, the way of transport includes physical transport, mail, and circuit-switched or packet-switched telecommunications links. The interface, i.e. the point where two systems interact, can be, among other things, computer to terminal, computer to computer, and manual to computer. The circuit followed can be direct from the country of origin to the country of destination or via one or more countries of transit [34]. The explanatory report to the Modernized Convention provides some more clarity in determining that transborder data transfers occur when personal data is disclosed or made available to a recipient subject to the jurisdiction of another state or international organization. According to Article 2 (e) of the Convention, a recipient is ‘a natural or legal person, public authority, service, agency or any other body to whom data are disclosed or made available’. The GDPR definition of recipient is almost the same, determining that recipient means ‘a natural or legal person, public authority, agency or another body, to which the personal data are disclosed, whether a third party or not’ [35]. The recipient thus receives the data or is given access to the data and can be a controller or a processor [36].

When it comes to moving data, there are two main ways to technically do this, namely by exchanging or sharing data. According to Doan et al., data exchange is the process of taking data that is structured within the source database system and transforming it into data structured under a target database system [37]. In other words, the data is transformed so that it becomes compatible with other systems which receive an accurate representation of the source data. Exchange thus allows data to be shared between systems and programs. The introductory report for updating Recommendation No. R (97) 5 defines exchange as the communication of information to (a) clearly identified recipient(s) by a known transmitter (such as secured e-mailing) [38]. When health data is exchanged, the data is sent from A to B using a transmitter. This can be an e-mail or other way of sending the data so that it can be read and used by B. Figure 1 below shows this process. In this case, A is the original controller of the health data and




