Page 215 - ITU KALEIDOSCOPE, ATLANTA 2019

ICT for Health: Networks, standards and innovation




B becomes the new controller of the data and will build on the received data for their own purpose.

[Figure 1 – Exchange: A and B, via transmitter]

Data sharing on the other hand is making data available to others through a variety of mechanisms [39]. According to the introductory report for updating Recommendation No. R (97) 5 sharing is making information accessible to third parties not necessarily identified at the time of the pooling and according to a principle of permissions (such as shared electronic medical records) [40]. Figure 2 below shows how, in a sharing system, various recipients (A – H) can access the data for the purpose of processing it. A – H are not necessarily known at the time of pooling and need permission to access the data.

[Figure 2 – Sharing: recipients A – H around the data]

Both sharing and exchange of data are thus commanded by interoperable data processing systems and by common reference frameworks [40]. This allows health data to be moved or to be made accessible to a variety of actors. Considering that transfer can be automatically or intentionally sending information or making it accessible to a recipient by whatever medium, transfer can be both exchange and sharing of data. While exchange and sharing describe different ways of moving health data, both ways are a transfer of data. Taking the above-mentioned into account, the following conclusions can be drawn about transfer:

•   Transfer does not have a legal meaning.
•   Transfer has a natural meaning, i.e. data moves between users.
•   Transfer may be the exchange or sharing of data.
•   Data movement takes place by whatever medium.
•   Data is disclosed or made available to a recipient.

5.  TRANSFER OR TRANSIT?

When applying the notion of transfer to our case, where health data is being processed by commercial companies by modern technologies and the data is sent from the user’s device to the (cloud) server of the company, sending this data can be seen as movement, even as an exchange of data between the user and the company, which takes place automatically and electronically. However, the GDPR applies to the processing of personal data of data subjects who are in the EU by a controller or processor regardless of whether the controller or processor is established in the EU. The actors in this case are the data subject who is the user of the app or wearable and the controller which is the company processing the data by modern technologies. The data subject does not determine the purpose and means and cannot be the controller of the data. Taking into account that the data exists separately from, i.e. outside the app, it is not the data subject who (actively) transfers the data to the company. The company as the controller cannot be both the controller of the data and the recipient to whom the data is disclosed. While sending the data may be seen as movement of data which can be a transfer of data, it remains difficult to classify processing by modern technologies as transfer of data. Consequentially, two questions arise. The first question is: if it is not a transfer of data, what is it then?

The Article 29 Working Party in its 2010 opinion on applicable law [41] mentions transit through EU territory, for example by way of telecommunication networks or postal services which ensure that communications are reached in third countries. While the context is slightly different, in our view the analogy can be made with modern technologies. When data is processed by modern technologies, the processing may take place anywhere in the world. For the data to reach the (cloud) server, a transit from the device to the server is necessary. Like an envelope containing data sent by post to a company outside the EU where it will undergo processing, a transit is required for the data to reach its destination. The data is simply being passed on and not being processed along the way [42]. In this case sending the data from the user’s device to the (cloud) server of a company where it will undergo processing can be seen as a mere transit of data and cannot be classified as transfer within the meaning of the GDPR. The device on which the app is installed is a mere tool for companies to collect the data, which does not exist on the device, but on a (cloud) server owned by the company, which can be located anywhere in the world.

The second question is: if it is not transfer and the GDPR rules on transfer do not apply, is processing of health data by modern technologies sufficiently protected? Previous



