Can DVG DiGA developers use US cloud providers? We shed some light on the latest updates from both BfArM and the EDPB.
The ECJ Schrems II judgement had a profound impact on DiGA developers. Since then, they have been seeking clarity on exactly what is and isn’t allowed. Here, we shed some light on the latest updates from both BfArM and the EDPB.
What is a DiGA?
A DiGA is a digital health application that is eligible for reimbursement under Germany’s DVG law. Currently, applications can be listed on the directory via a Fast-Track scheme. After that, they can be prescribed by doctors and funded by health insurers. A health application must meet certain criteria for the Fast-Track. These are set out in the relevant DiGAV law. BfArM (the Federal Institute for Drugs and Medical Devices) is responsible for assessing compliance with DiGAV. Importantly, the law states that personal data can only be processed in a 3rd country if there is an “adequacy decision” in place. It explicitly excludes the use of so-called data transfer tools like standard contractual clauses or binding corporate rules.
What happened in July last year?
In July, the ECJ delivered its judgement in a case known as Schrems II. The court effectively struck down the EU-US Privacy Shield as it was not compatible with the requirements of GDPR. As a result, the US no longer counts as a country with a GDPR adequacy decision.
Why was this a problem for DiGAs?
The ECJ judgement meant DiGAs were suddenly unable to use US-based cloud providers for processing health data. Unfortunately, it left a number of unanswered questions, such as:
- Would US cloud providers with an EU subsidiary be OK?
- Could these applications be listed on the main App stores?
- Is it possible to use standard iOS and Google notification systems?
Ever since then, DiGA developers have been seeking clarity on these issues.
What has the EDPB said about the judgement?
The European Data Protection Board (EDPB) issued new guidance in November about 3rd country data transfers. The guidance clarifies that any form of data access counts as a data transfer. E.g. if you are in the US and access data stored in the EU, that counts as a 3rd country data transfer. They also gave detailed advice on how to be compliant. The infographic below will help you identify what you need to do if you are transferring data.
The key point is that you have a duty to ensure any data that is transferred will receive the appropriate level of protection. And you should take suitable measures to help ensure this.
And what has BfArM said?
Recently, BfArM issued its own guidance on the status of 3rd country cloud providers. This provides a little more clarity. However, BfArM makes it clear that the guidance may be overruled by a data protection authority (and there are 18 DPAs in Germany alone). BfArM states that US cloud providers with an EU subsidiary:
“... can only be used for the processing of personal data [...] if strict requirements are met that provide sufficient guarantees to prevent a data transfer [...] to the parent company.”
They clarify that this means you can only use such a US provider for processing personal data if:
- the data is encrypted at record level before being stored on the cloud,
- the encryption keys are stored elsewhere.
They also highlight that:
- You are allowed to distribute your applications via the app store. You can also send push notifications for your application. However, you must make certain these notifications contain no health data.
- A US DiGA developer is effectively excluded from the Fast Track scheme. However, they could potentially become eligible if they set up a legally separate subsidiary in the EU and provide an authorised representative.
How does this affect my DVG application?
Lots of our clients have asked us how this affects them. Often, these are companies that have an existing application developed on AWS or Google Cloud. It's now clear you can only continue to use US cloud or infrastructure providers if you ensure the personal data is encrypted and store the keys elsewhere. However, that leaves you needing to cope with complex key management problems. And of course, even if you can solve the technical challenges, you will also need a proper data processing agreement (DPA) with the EU subsidiary of the provider.
So, in practice, it is usually easier to use an external EU-based storage (like our Chino.io Platform) that provides the necessary security and compliance guarantees. If you need detailed advice and assistance, we can help you with:
- Designing a suitable data architecture
- Creating the required legal documentation
- Providing assistance with completing the BfArM Fast-Track checklists
- Providing access to our secure health data platform
To learn more, just book a call with our experts.