Gunnar Sachs, partner at the law firm Clifford Chance, has sharply criticised the requirements for the use of cloud services in the healthcare system as incompatible with European Union law. The exclusion of third-party providers from classic outsourcing countries such as India or China has, in practice, only theoretical reach, the lawyer complained on Wednesday at an expert conference of the industry association Bitkom in Berlin. Even the General Data Protection Regulation (GDPR), which is already criticised worldwide as complete over-regulation, is considerably more generous.
Because the Federal Republic deviates from the standards of the European Union, this amounts, in addition to the breach of law, to a "German nationalisation of the system" and of the cloud, which was designed in principle to cross national borders. Innovation in the health sector would be held up. In his view the GDPR violation also means that the national rules are ineffective. An entrepreneur might say "I don't care about the German approach" and conclude a contract with a Chinese partner. Such a case would certainly end up before the European Court of Justice (ECJ).
The sticking point is the comparatively young Section 393 of Book V of the Social Code (SGB V). Under it, social and health data may only be processed by a cloud computing service in Germany, in the European Union, or in a third country for which an adequacy decision under the GDPR exists. The European Commission must have determined that such a country provides a level of data protection that is "essentially equivalent" to that in the Union. This currently applies to 15 countries, including the USA under the EU-US Data Privacy Framework as successor to the Privacy Shield, Argentina, Great Britain, Japan, Canada, New Zealand, South Korea and Switzerland.
Similar "disaster" with apps on prescription
According to Section 393 SGB V, the data processing body must also have a branch in Germany, that is, a responsible contact person in this country. This too is incompatible with the "full harmonisation" of EU law, Sachs complained. So-called Binding Corporate Rules (BCR), under which corporations commit all their branches and subsidiaries to the GDPR, would no longer be recognised, for example. The ECJ had explicitly identified both of these instruments as alternatives after the end of the Privacy Shield.
The lawyer said that national legislators in EU countries may deviate from the GDPR only under narrow conditions. For example, such deviations would have to rest on important reasons of public interest, but in healthcare these would have to be assessed for all member states. In addition, the Commission should have been given explicit notification, which the federal government did not do.
According to Sachs, a comparable legal "disaster" first occurred with the national regulation of digital health applications (DiGA). In July 2023, because of comparably strict provisions, 95 applications for admission to the relevant register at the Federal Institute for Drugs and Medical Devices (BfArM) were withdrawn. At that time the testing authority held against many large applicants that American subsidiaries could potentially access health data, and entry in the list was rarely achieved. Currently there are only about 65 DiGAs in the directory. Sachs is angry: "The matter is a complete accident."
An additional C5 attestation is required
"We are talking about sensitive data," said Thomas Süptitz, head of the Cyber Security and Interoperability department at the Federal Ministry of Health (BMG). That is why it is important to follow minimum standards. Süptitz clarified that personal health information should only be processed in states with a uniform legal framework. If data were stored with a cloud service in Ireland, for example, it would have to be contractually ensured that there is no access from India. The law does not require that data be processed "in Germany or France" when large providers such as Amazon, Google or Microsoft are used. With these hyperscalers, however, additional agreements would have to ensure protection through techniques such as encryption, anonymisation or pseudonymisation.
In addition, Section 393 SGB V stipulates that the data processing body must follow the Cloud Computing Compliance Criteria Catalogue (C5) of the Federal Office for Information Security (BSI) and hold a current attestation for it. A test report for this runs to between 100 and 300 pages, explained Immo Rejner from the auditing firm PwC. The cloud operator first has to create a system description covering architecture, sub-service providers and procedures ("controls"). Then it is important to prepare for the actual audit.
For the C5 Type 1 attestation, which the law requires by June 30, 2025, a point-in-time examination is carried out, according to Rejner. At best, it confirms that the control system is properly designed at that moment. For the Type 2 attestation, which must be presented from the middle of the year, an observation period of several months is defined and sample tests are performed to check the effectiveness of the controls. On the horizon is the EU Cloud Certification Scheme (EUCS), which widens the scope of areas covered but also raises the security level further. However, the testing of controls will continue along the lines of Type 1 and Type 2.
Hyperscalers are in position
The BMG has begun work on a C5 equivalence regulation, Süptitz said. It is meant to clarify which alternatives to the cloud criteria exist and under which conditions they are acceptable. Several statements on it indicated that the switch to Type 2 attestations could not be achieved by July. The BMG is therefore discussing with the BSI which options and time limits make sense. By spring, everything should be settled with an update to the regulation. Many "community clouds", that is, clouds operated by several companies with a limited user group, have started a C5 audit, as it also has a strong advertising effect.
"We've nailed C5," emphasised AWS health expert Peter Mol. All services offered by the cloud market leader are GDPR-compliant, and 141 services hold a Type 1 or Type 2 attestation. With the AWS European Sovereign Cloud, which will comprise at least three data centres in a separate region at undisclosed locations in Brandenburg, AWS intends to offer a "completely sovereign cloud". A Luxembourg or German company is planned as operator from the fourth quarter.
(Mac)