Recent years have seen a marked rise in the importance of protecting health data, not least as a result of the Covid-19 pandemic. European Union (EU) data controllers must shield such data not only from unauthorized commercial use, but equally from undue access by United States (US) surveillance authorities. In that regard, the safety and reliability of transatlantic transfers of health data have been seriously threatened since the Schrems II ruling of the European Court of Justice, which invalidated the Privacy Shield.
The elimination of a major legal basis for transfers affects wide areas of data protection, including voluntary transfers of health data to the US and the processing of health data hosted on EU soil by a US company, which may thereby fall within the reach of US surveillance laws.
The aim of this contribution is thus to assess, on the basis of guidance from the national Data Protection Authorities (DPAs) and the European Data Protection Board (EDPB), and using the French Health Data Hub (HDH) ruling as a recurring example, which legal routes remain available to EU health data controllers. After setting out the factual and legal constellation relevant to the risk posed by US surveillance programmes, this article first examines the relevance of Article 49 General Data Protection Regulation (GDPR) as a legitimate legal basis pending a more robust adequacy decision. It then considers the available approaches to risk assessment under Article 48 GDPR, and the evident shortcomings of the legal and technical measures adopted so far to mitigate those risks, especially in France. Finally, political alternatives to the Chapter V legal bases, such as the possibility of data localization requirements, or the compromises made in the recent draft adequacy decision, are explored and scrutinized.