In order to contain the epidemic, more and more doctors and nursing staff rely on digital services via video and messaging in addition to traditional consultation hours and on-site communication. In the context of this digitization of the health system, it is therefore important to review the legal situation regarding data protection.
This matters because online consultations and the use of mobile devices for rapid communication involve the exchange of particularly sensitive personal data, and in rare cases the associated metadata is stored as well.
The General Data Protection Regulation (GDPR) has been in effect in the member states of the European Union since May 2018. Meanwhile, the CLOUD Act has been in effect in the USA since March 2018. Many international telecommunications and cloud service providers are based in the United States. European users of offerings from well-known US IT companies are therefore subject to both laws at the same time. But what do these two conflicting pieces of legislation mean, and what do they mean for the security of virtual health services?
The “Clarifying Lawful Overseas Use of Data Act,” or “CLOUD Act,” is a law that allows US authorities to access data that is stored by US IT service providers or Internet companies, including data stored abroad. Under this law, it does not matter whether the data sits in a cloud or in a local data center inside or outside the US. It affects all data in the company’s custody, including that of its clients and users. The CLOUD Act requires US companies to disclose data even if local law at the storage location prohibits it. In the event of an investigation, companies must disclose both personal and company data. There is no protection for trade secrets or intellectual property.
The General Data Protection Regulation (GDPR) of the European Union regulates the use and processing of personal data by private companies and public bodies. The aim of this law is to protect the fundamental rights and freedoms of European Union citizens. It covers the protection of personal data as well as trade secrets. Under the GDPR, personal data may only be processed on a purpose-bound basis. According to this regulation, data may not be transferred to non-EU countries such as the USA unless there is a mutual legal assistance agreement or the users expressly consent. There is no such agreement between the United States and the European Union, and only a very small number of users will refuse to have data that is not technically or professionally necessary transferred to the United States.
The critical question: Can US programs be compliant with the GDPR?
A US company’s offering is no longer GDPR-compliant the moment the service provider or its users arouse the interest of a US authority, for whatever reason. If the CLOUD Act applies, the US company must disclose all available data. It cannot guarantee the protection of its users’ private information, as the GDPR requires, without being held accountable by a US court. A GDPR compliance statement therefore cannot be relied upon from the outset in this case. If tools that originate in the USA or are hosted on the servers of American companies are used in the healthcare sector, then unrestricted access to the work of medical staff, as well as to patients’ personal information, is possible in case of doubt. Going one step further, it is doubtful that medical confidentiality, which should be a precondition of this relationship of trust, can be guaranteed.
What do the US authorities care about the medical records of German patients?
Even if nursing services, medical practices, and hospitals work with data that at first glance is irrelevant to US authorities, that is not a good reason to use a US provider’s servers in good faith. Especially in the context of the epidemic, globalization and cross-border digitization, the health data of European users could also become interesting to US authorities. Medical files and medical data from doctors’ practices and clinics, as well as confidential conversations via communication tools such as video or messengers, would be readily at hand. This also undermines the basic idea of the GDPR, which is to ensure that users retain control over their data and intellectual property. It is therefore advisable for the healthcare sector to critically examine the effects of the CLOUD Act on itself. In addition, there is no consistent American or European legislation. The CLOUD Act could accordingly be expanded in the future and US authorities’ access to information widened further, which so far has hardly met any real hindrance.
Is it sufficient to fully encrypt the data before it reaches the US server?
Not all IT or cloud applications allow encryption. Often the data must be entered in plain form. And even where encryption by the user is possible, it provides no absolute security, since most cloud applications also store their keys in the cloud. Moreover, US legislation allows its authorities to have data decrypted. Even if the service provider promises in its general terms and conditions that encrypted information will not be disclosed, this is of little benefit in an emergency. The CLOUD Act is federal law and thus takes precedence over any contractual agreement. However, there is one exception: if the video consultation is end-to-end encrypted, the communication keys are generated directly on the two participants’ computers, and at least the content of that conversation is encrypted so that it cannot be accessed by others.
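The distinction in the preceding paragraph, between a provider that holds the encryption key and true end-to-end encryption where the keys are generated on the two endpoints, is easiest to see in code. The following is an added example written for this page; it is not code from the article or from Tyme Group. It uses only the Python standard library, so the Diffie-Hellman parameters (the Mersenne prime M127 and generator 3), the HMAC-based stream cipher, and the class names `Endpoint`, `RelayServer` and `ProviderCustodyService` are all illustrative assumptions, not a recommended construction; a real telemedicine client would use X25519 and an AEAD cipher.

```python
import hashlib
import hmac
import secrets

# Toy Diffie-Hellman parameters, chosen only so the example runs with the
# standard library. Assumption for illustration: real deployments use X25519
# or an RFC 7919 finite-field group, never a modulus this small.
P = 2**127 - 1  # Mersenne prime M127
G = 3


def keystream_xor(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """Toy stream cipher: XOR data with an HMAC-SHA256 counter keystream.
    Illustration only; it has no integrity protection (use an AEAD in practice)."""
    out = bytearray()
    counter = 0
    while len(out) < len(data):
        block = hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        out.extend(block)
        counter += 1
    return bytes(a ^ b for a, b in zip(data, out))


class Endpoint:
    """One participant's device. The private value never leaves this object,
    which is what makes the session 'end-to-end' encrypted."""

    def __init__(self, name: str) -> None:
        self.name = name
        self._priv = secrets.randbelow(P - 2) + 2   # generated locally
        self.pub = pow(G, self._priv, P)            # the only value that is sent
        self.session_key = None

    def derive(self, peer_pub: int) -> None:
        shared = pow(peer_pub, self._priv, P)
        self.session_key = hashlib.sha256(shared.to_bytes(16, "big")).digest()

    def encrypt(self, plaintext: bytes) -> bytes:
        nonce = secrets.token_bytes(12)
        return nonce + keystream_xor(self.session_key, nonce, plaintext)

    def decrypt(self, blob: bytes) -> bytes:
        return keystream_xor(self.session_key, blob[:12], blob[12:])


class RelayServer:
    """The provider's infrastructure. Everything it forwards is logged; that log is
    exactly the material a disclosure order against the provider can reach."""

    def __init__(self) -> None:
        self.log: list = []

    def relay(self, item):
        self.log.append(item)
        return item


def run_e2e_session(message: bytes):
    """Doctor and patient agree a key across the relay, then exchange a message.
    Returns the recovered plaintext, both session keys, and the provider's log."""
    doctor, patient, server = Endpoint("doctor"), Endpoint("patient"), RelayServer()
    patient.derive(server.relay(doctor.pub))     # server sees only public values
    doctor.derive(server.relay(patient.pub))
    recovered = patient.decrypt(server.relay(doctor.encrypt(message)))
    return recovered, doctor.session_key, patient.session_key, server.log


def provider_view_contains(log: list, needle: bytes) -> bool:
    """Does anything the provider handled contain the given bytes (plaintext or key)?"""
    return any(isinstance(item, bytes) and needle in item for item in log)


class ProviderCustodyService:
    """Contrast case from the text: data is 'encrypted', but the provider generated
    and holds the key, so it can produce plaintext whenever it is ordered to."""

    def __init__(self) -> None:
        self.key = secrets.token_bytes(32)   # key lives in the provider's cloud
        self.stored: list = []

    def store(self, plaintext: bytes) -> None:
        nonce = secrets.token_bytes(12)
        self.stored.append(nonce + keystream_xor(self.key, nonce, plaintext))

    def disclose(self) -> list:
        """What the provider can hand over on request: every record, decrypted."""
        return [keystream_xor(self.key, blob[:12], blob[12:]) for blob in self.stored]


if __name__ == "__main__":
    note = b"constructed sample: consultation note"   # constructed test input
    recovered, k_doc, k_pat, log = run_e2e_session(note)
    print("E2E round trip ok:", recovered == note and k_doc == k_pat)
    print("provider log holds plaintext:", provider_view_contains(log, note))
    print("provider log holds session key:", provider_view_contains(log, k_doc))
    custody = ProviderCustodyService()
    custody.store(note)
    print("provider-held key discloses:", custody.disclose())
```

The point the two classes make is the one the paragraph makes: in `ProviderCustodyService`, a disclosure order against the provider yields plaintext because the provider also holds the key, while in the end-to-end session the relay's log contains only public Diffie-Hellman values and ciphertext, and the session key exists only on the two endpoints.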
Conclusion: the data must remain firmly in the European Union when it is digitized
Anyone who works digitally with sensitive private data, such as healthcare teams, or with commercially relevant trade secrets, as a company does, should be critical when choosing an IT service. Users of US service providers are legally caught between two stools and, because of the CLOUD Act, cannot rely on the GDPR. It is therefore advisable to pay special attention to selecting an IT provider whose headquarters and servers are located within the European Union. For telecommunication services, end-to-end encryption that cannot be circumvented through a back door must be enabled at the very least. All personal data, trade secrets and intellectual property are then protected under European legislation.
Dr. Matthias Koss, CEO of Tyme Group