In April 2021, many questions about the GDPR were raised in the European political sphere. Amendments and motions for a resolution were proposed for an urgent, targeted revision aimed at rectifying the identified problems and shortcomings, especially with respect to the digital revolution.
On this basis, one Member of the European Parliament, Axel Voss, proposes that the EDPB be supported ‘with a board of stakeholders from research, industry, consumer and other civil society organisations as well as religious associations’.
Indeed, 3 years later, it is clear that some aspects of the GDPR could be improved.
The GDPR does not seem precise enough for certain sectors, especially clinical trials. This can largely be explained by GDPR practitioners who do not master the subject well enough to take the right decisions.
Examples of misuse of the GDPR in Belgium
You probably already know that in Belgium you can receive a fine from the regional public environmental institution in case of littering. In any event, this fine should only mention the person directly related to the infraction.
At the end of 2020, a regional public environmental institution of Belgium fined a citizen who had unlawfully placed garbage bearing his/her name. One of the main mistakes the institution made was to refer to the civil partner of the citizen, found through the National Register of the convicted person, in addition to his/her alleged stepfather.
Consequently, these 3 people lodged a complaint with the Belgian Data Protection Authority (‘DPA’) against this regional public environmental institution.
Since the end of July 2020, managers of catering establishments have been obliged to collect the contact data of their customers as part of the fight against the spread of Covid-19. This obligation was subsequently extended to other establishments or events, such as group sports courses, casinos, etc. In fact, this obligation was imposed by the Ministerial Orders of 30 June 2020 and 28 July 2020 (hereinafter ‘the Orders’).
In this context, the DPA has seen various initiatives emerge around the implementation of these Orders. The Orders do not provide precise indications, in particular as to the specific roles of the various actors involved in the collection of data or as to the means to be used to carry out this collection, and so they leave various questions open.
On this basis, the DPA wishes to clarify for the managers of establishments the essential elements to be taken into account when setting up systems, whether manual or electronic, for the collection of the data referred to in these Orders.
Examples of reactions and decisions of the Belgian Data Protection Authority
The Litigation Chamber of the Belgian DPA held that mentioning the name of the civil partner, his/her link to the citizen, and the alleged family link between the 3 people, based on information retrieved from the National Register, constitutes unlawful processing under Article 6(1) of the GDPR.
Indeed, the legal ground for these processing activities is deemed to be the performance of a task carried out in the public interest. This additional processing was not necessary to carry out the task in such a context.
In particular, the Chamber held that the family connection mentioned between the civil partner and the alleged father-in-law was uncertain and based on unnecessary assumptions, meaning that the personal data of the 3 people were not processed in accordance with the principles of accuracy and data minimization laid down in Article 5(1)(c) and 5(1)(d) of the GDPR.
Consequently, the Litigation Chamber declared that the institution had breached these GDPR provisions and issued a warning and a reprimand to the institution in accordance with Articles 58(2)(a) and 58(2)(b) of the GDPR.
At the beginning of the COVID-19 outbreak in Belgium, the DPA realized that many organizations were not properly applying the GDPR when collecting or managing data related to the situation. Consequently, it published an update with privacy guidelines and an FAQ section written specifically for Belgium. These recall some principles and conditions for processing (sensitive) data in an employment context in order to mitigate the impact of COVID-19 (e.g., the presence of an appropriate legal basis).
Belgian Health Data Transferred to Russia
At the end of March 2021, Le Soir and Médor published an investigation with the stark conclusion that Belgian health data does not follow the path we think it does. Patients’ health data are currently being transferred to Russia without compliance with the essential guarantees provided by the GDPR.
Hospitalization data, known as ‘sensitive’ or even ‘very sensitive’, are currently held in the offices of a subcontractor of the American company 3M in Russia.
Eighty-three Belgian hospitals use a benchmarking portal, i.e., software that allows hospitals to analyze the quality of treatment, care and efficiency of hospital management. In 2003, the American company 3M, through its Belgian subsidiary, developed this program with the aim of improving data collection and comparing the performance of hospitals.
Clearly, the dependence of hospitals on the software developed by the American company 3M, based in Russia, as an aid to financial management is very real.
How does patient data end up in Russia after hospitalization?
First, the hospital enters the medical records into the 3M portal. Logically, a transfer of data from the hospitals to 3M Belgium takes place, but the transfer does not stop there. Second, after retrieving the data, 3M Belgium has it stored in Germany and then makes it available to Smart Analytics. This American subcontractor then updates the databases from one of its offices in Russia. 3M therefore physically stores the data in Europe, but it is made accessible from Russia.
What is the risk of this international transfer?
Almost all Belgian patients are affected by these risks to their health data. Consequently, failure to adequately protect all the data collected and processed, particularly medical data, could cause serious harm to the persons concerned.
The main risk is that one day we will see a data leakage that is considered legal for Russia, but not for the European Union (‘EU’). ‘For example, personal data could be used by Russian intelligence services or sold to data brokers. So that would be an illegal use of the data for the EU’, explains Jean-Marc Van Gyseghem, a lawyer specializing in the protection of personal data, who was able to analyze contracts between hospitals and 3M.
Considering the above, the GDPR clearly specifies that all companies in the EU must apply the regulation with the same rigor. Despite this explicit requirement of the GDPR, it seems that the main problem remains the fact that the hospitals’ data is processed from Russia.
How does 3M justify itself?
Smart Analytics, which has offices in Russia, has contractually agreed to provide the same level of protection that 3M Belgium offers to Belgian hospitals. The limited data, remotely accessible by Smart Analytics from Russia, seems to be protected by extensive security measures and GDPR-compliant Standard Contractual Clauses (SCCs).
What should be done?
In this context, the DPO’s role of informing and advising, as well as monitoring compliance with the GDPR, is essential. It is important to be transparent about how the data are processed, especially when sensitive data are concerned. Additionally, DPOs must ensure that contracts respect the essential guarantees provided by the GDPR.