Cross-border Data Transfer

How should the cross-border transfer of personal information collected and processed in the course of telehealth services be carried out to ensure compliance with applicable privacy laws?

Pursuant to Law No. 25,326 of Personal Data Protection, the cross-border transfer of personal data of any kind is prohibited. However, this prohibition shall not apply in the following cases:

  • International judicial collaboration;
  • Exchange of medical data, when required by the treatment of the affected person, or an epidemiological investigation;
  • Bank or stock transfers;
  • When the transfer has been agreed within the legal framework of international treaties to which the Argentine Republic is a party; and
  • When the transfer is aimed at international cooperation between intelligence agencies to fight organised crime, terrorism and drug trafficking.

In all cases, for the transfer of data, the owner’s consent is required.

Last modified 3 Apr 2023

Cross-border transfers of telehealth data that contain personal information within the meaning of the Privacy Act must comply with APP 8. In short, a telehealth business must not transfer an individual’s personal information to a recipient in an overseas location without having taken such steps as are reasonable in the circumstances to ensure that the recipient will not breach the APPs (e.g. by putting contractual protections in place), or otherwise being satisfied that the recipient is subject to a law or binding scheme that has the overall effect of protecting the health information in a manner that is substantially similar to the Privacy Act and APPs. Otherwise, a patient’s consent is required for any cross-border disclosure.

Where a telehealth service provider intends to transfer personal information outside of Australia, it is also required to include this information in its Privacy Policy as part of the notification obligations set out in APP 1, for example by stating that collected information may be transferred overseas, and to the extent possible, identifying those recipient locations.

Last modified 20 Jun 2023

In principle the GDPR and the corresponding national implementation Acts must be complied with. Attention should be paid to the fact that these data are all health data and thus special categories of data (sensitive data). Regarding cross-border transfers of telehealth data outside the European Union, the findings from the Schrems II judgment and the relevant standard contractual clauses need to be implemented.

Last modified 3 Apr 2023

Pursuant to the PDPL, transfers of personal data outside of Bahrain are prohibited unless the transfer is made to a country or region that provides sufficient protection to personal data. Those countries are to be listed by the Personal Data Protection Authority (the "Authority") and published in the Official Gazette. Ministerial Order No. 42 of 2022 on the Transfer of Personal Data outside of Bahrain has listed the countries that the Authority deems to provide adequate regulatory and legislative protection for personal data. Data controllers are permitted to transfer personal data directly to the states, countries and territories listed in the regulation, without obtaining prior authorization from the Authority. The list of 83 countries is as follows:

1. Argentina 2. Portugal 3. Czech Republic 4. Denmark 5. Sweden 6. United Kingdom 7. Norway 8. Austria 9. South Korea 10. Japan 11. Estonia 12. Croatia 13. Italy 14. Spain 15. Germany 16. Andorra 17. Uruguay 18. Ireland 19. Iceland 20. Belgium 21. Poland 22. Cyprus 23. Romania 24. Slovakia 25. Slovenia 26. Switzerland 27. France 28. Finland 29. Canada 30. Latvia 31. Lithuania 32. Liechtenstein 33. Malta 34. New Zealand 35. Hungary 36. Netherlands 37. Greece 38. Bulgaria 39. Luxembourg 40. Israel 41. Faroe Islands 42. Isle of Man 43. Jersey 44. Guernsey 45. Australia 46. Egypt 47. Morocco 48. Bolivia 49. Chile 50. Colombia 51. Ecuador 52. Falkland Islands 53. French Guiana 54. Georgia 55. Guyana 56. India 57. Macao 58. Malaysia 59. Mexico 60. Monaco 61. Paraguay 62. Peru 63. Russia 64. San Marino 65. Singapore 66. Suriname 67. Thailand 68. Ukraine 69. United States of America 70. Vatican 71. Venezuela 72. China 73. Hong Kong 74. Brunei 75. Kazakhstan 76. Brazil 77. United Arab Emirates 78. Saudi Arabia 79. Kuwait 80. Oman 81. Pakistan 82. Nigeria 83. Jordan.

Data controllers can also transfer personal data to countries that are not determined to have sufficient protection of personal data where:

  • the transfer occurs pursuant to a permission to be issued by the Authority on a case-by-case basis, if it deems that the data will be sufficiently protected;
  • the data subject has consented to that transfer;
  • the data to be transferred has been extracted from a register that was created in accordance with the PDPL for the purpose of providing information to the public, regardless of whether viewing of this register is available to everyone or limited to the parties concerned in accordance with specific terms and conditions. In this instance, the terms and conditions prescribed for viewing the register must be satisfied before viewing that information; or
  • the transfer is necessary for any of the following:
    • to implement a contract between the data subject and the data controller;
    • to undertake preceding steps at the data subject’s request for the purpose of concluding a contract;
    • to implement or conclude a contract between the data controller and a third party for the benefit of the data subject;
    • to protect the data subject’s vital interests;
    • to implement an obligation imposed by the PDPL (even if this is contrary to the contractual obligation), or to implement an order issued by a competent court, the public prosecution, the investigating judge or the military prosecution; or
    • to prepare, execute or defend a legal claim.

Last modified 9 May 2023

There are no specific rules under Belgian data protection law with regard to telehealth. The general rules of the GDPR apply.

Last modified 3 Apr 2023

The LGPD provides that cross-border transfer of personal data is allowed only in the following cases:

  1. to countries or international organisations that provide an adequate degree of protection of personal data as specified in law (such level of data protection shall be assessed by the ANPD, considering the legislation in force in the country, the nature of the data to be transferred, compliance with the general principles of personal data protection and the data subject’s rights provided in LGPD, the security measures adopted, the existence of judicial and institutional guarantees for the respect to the rights of protection of personal data and other specific circumstances related to the transfer);
  2. when the data controller provides and proves it has guarantees of compliance with the principles, the data subject’s rights and data protection regime outlined in LGPD (in the form of specific and standard contractual clauses, global corporate norms, seals, certificates and codes of conduct regularly issued, the analysis of which will be carried out by ANPD);
  3. for protection of the life or physical integrity of the data subject or a third party;
  4. when the national authority authorises the transfer;
  5. when the transfer results in a commitment assumed in an international cooperation agreement;
  6. when it is necessary for public policy implementation or legal responsibility of public service, being made public under Article 23, item I of LGPD;
  7. with the specific consent of the data subject (i.e., highlighted consent for the transfer, with prior information on the international character of the transaction, clearly distinguishing it from the other purposes);
  8. to satisfy a legal or regulatory obligation, when necessary to perform contracts or preliminary contractual procedures, or for regular exercise of rights in judicial, administrative or arbitral proceedings; and
  9. when the transfer is necessary for international judicial cooperation between public intelligence, prosecution, and investigative agencies, according to the instruments of international law.

Please note that most of the content of these legal bases will be defined and further regulated by the ANPD.

Last modified 3 Apr 2023

No specific privacy laws in place.

Last modified 14 Sep 2021

Regulation of cross-border transfer of telehealth data varies from province to province in Canada. Generally, PIPEDA does not prohibit organisations in Canada from transferring personal information to an organisation in another jurisdiction for processing. Moreover, PIPEDA does not establish rules governing transfers for processing.

Generally, if the information is being used for the purpose it was originally collected for, additional consent for the transfer is not required. The onus is on the transferring organisation to (i) protect information in the hands of processors (typically, by way of contract), (ii) assess the risks that could jeopardise the integrity, security, and confidentiality of customer personal information when it is transferred to third-party service providers operating outside of Canada, and (iii) be transparent about their personal information handling practices, including advising customers / patients that their personal information may be sent to another jurisdiction for processing, and that while the information is in the other jurisdiction it may be accessed by the courts, law enforcement, and national security authorities of that jurisdiction.

Last modified 17 May 2023

As the Chilean Data Protection Laws do not expressly regulate the cross-border transfer of data, and considering telehealth data should be classified as sensitive information, any transfer of said data should be carried out in accordance with the general rules applicable to all data processing activities. Therefore, the express, prior and written consent of each data subject should be collected by the entity that will process the relevant data, expressly requiring consent for carrying out cross-border data transfers.

Notwithstanding the foregoing, the Personal Data Bill (Bulletin No. 11.144), which is currently being processed, intends to regulate this matter. In general terms, it addresses the ability, in certain cases relating to medical matters, to carry out international transfers of data for the purpose of adopting urgent measures in medical or health matters, for the prevention or diagnosis of diseases, for medical treatment, or for the management of sanitary or health services, among others.

Last modified 9 May 2023

Due to the lack of any specific law or regulation governing telehealth data, the cross-border transfer of telehealth data should be carried out in accordance with the applicable law and regulation instituted for healthcare data in general.

Last modified 26 May 2023

Cross-border transfer of any personal data (including telehealth data) is forbidden by law, unless it is made to a country which offers adequate levels of data protection (as defined by the Colombian data protection authority).

To date, the following countries have been declared to have adequate levels of data protection: Australia, Austria, Belgium, Bulgaria, Costa Rica, Croatia, Cyprus, the Czech Republic, Denmark, Estonia, Finland, France, Germany, Greece, Hungary, Iceland, Ireland, Italy, Japan, Korea, the Republic of Korea, Latvia, Lithuania, Luxembourg, Malta, Mexico, the Netherlands, Norway, Peru, Poland, Portugal, Romania, Serbia, Slovakia, Slovenia, Spain, Sweden, the United Kingdom and the United States, and the countries that have been declared to have adequate protection standards by the European Community.

The above-mentioned prohibition does not apply in certain cases, including when the data subject authorises the cross-border transfer, or in the case of medical data where required for health or public hygiene reasons.

Last modified 9 May 2023

The general principles of GDPR apply.

Last modified 3 Apr 2023

Czech law does not provide an explicit answer as to how the cross-border transfer of personal information collected and processed in the course of telehealth services should be carried out, as there are no Czech regulations or guidelines specifically addressing privacy matters on telehealth services. However, it could be considered that the cross-border transfer of personal data must be compliant with, inter alia:

  1. GDPR;
  2. Health Services Act;
  3. Act No. 110/2019 Coll., on the processing of personal data;
  4. Act on electronization of healthcare;
  5. Act No. 326/2021 Coll., amending certain acts in connection with the adoption of the Act on electronization of healthcare;
  6. Decree No. 98/2012 Coll., on medical documentation, as amended; and
  7. Guidelines issued by the Ministry of Health of the Czech Republic (available in Czech only).

Last modified 3 Apr 2023

How cross-border transfer of telehealth data should be carried out under applicable laws will depend on specific circumstances and a comprehensive assessment of those circumstances.

Last modified 8 Jul 2021

The transfer of personal data must be performed in compliance with the general data protection legislation. The GDPR restricts the transfer of personal data to third countries (outside the European Economic Area and European Union). These restrictions apply to all transfers, no matter the size of the transfer or how often transfers will be carried out.

A Commission decision on the adequacy of data protection is the primary basis for the transfer of personal data to third countries. If the Commission has not issued a decision on the adequacy of data protection, it should be determined whether the transfer could be performed with appropriate safeguards as defined in Article 46, GDPR.

Where there is no adequacy decision, cross-border transfers can be made on the basis of: (i) Standard Contractual Clauses adopted by the Commission ("SCCs") or (ii) Binding Corporate Rules ("BCRs"). Using SCCs as a transfer basis does not require the permission of the data protection authorities as long as changes are not made to the content of the SCCs. The competent data protection authority will ratify the binding corporate rules in accordance with the consistency mechanism provided for in Article 63 of the GDPR. In addition to the transfer basis, organizations should assess whether supplementary safeguards need to be implemented to ensure essentially equivalent data protection.

Last modified 3 Apr 2023

Any transfer of personal health data outside of the EEA should be carried out in full compliance with Chapter V of the GDPR. Chapter V prohibits the transfer of personal data outside of the EEA unless there are appropriate safeguards in place to govern the transfer (for further information, please refer to Data Protection Laws of the World – France).

The most common way to ensure the obligations of Chapter V are met is by incorporation of the Standard Contractual Clauses (SCCs) in the relevant service agreement / data processing agreement, supplemented by a transfer impact assessment in accordance with the ruling of the CJEU in the Schrems II decision.

Note that the European Commission has published a new set of SCCs to be used for the transfer of personal data from the EU to ‘third countries’ which do not benefit from an adequacy decision. The new SCCs require the data exporter and importer to warrant that they have carried out a transfer impact assessment in relation to the transfer, and that appropriate contractual, technical and organizational measures are in place to safeguard the data subject to the transfer.

Note also that, since the CJEU’s Schrems II decision, the CNIL and, to some extent, French Courts have taken a restrictive approach with respect to the transfer of health data outside the EU, especially to the USA. The CNIL is calling for storage of health data in the EU, by EU entities.

Last modified 8 May 2023

The cross-border transfer of personal data processed in the context of the provision of telehealth services must comply with Art. 44 et seq. of the GDPR. Whether these requirements are met must be assessed on a case-by-case basis.

Last modified 3 Apr 2023

The provisions of the GDPR and of Law 3471/2006 (transposing the Privacy Directive) are applicable. Patients shall be properly informed about their health data processing so that they can provide their explicit consent accordingly; as per the GDPR provisions, patients have the right of ownership, portability, transparency, access and erasure on their personal health data.

Last modified 17 May 2021

"Telehealth data" is undefined in Hong Kong. However, the PDPO defines "personal data" as any data relating directly or indirectly to a living individual. This broad definition of "personal data" would likely include the data generated during a telemedical consultation between a doctor and the patient.

There are currently no restrictions on transfer of personal data outside of Hong Kong, as the cross-border transfer restrictions set out in section 33 of the PDPO were held back and have not yet come into force. Section 33 of the PDPO prohibits the transfer of personal data to a place outside Hong Kong unless certain conditions are met (including a white list of jurisdictions; separate and voluntary consent obtained from the data subject; and an enforceable data transfer agreement).

Non-binding best practice guidance issued by the Hong Kong Office of the Privacy Commissioner for Personal Data ("PCPD") encourages compliance with the cross-border transfer restrictions in section 33 of the PDPO. To that end, the PCPD has also provided suggested model clauses for organisations to use. In practice, companies in Hong Kong will typically incorporate these clauses into their data transfer agreements where personal data is being transferred out of Hong Kong.

Last modified 3 Apr 2023

Standard GDPR rules shall apply when it comes to the transfer of sensitive, healthcare-related data.

Last modified 3 Apr 2023

Any processing of data must be compliant with the GDPR and the Data Protection Act 2018, and the Data Protection Act 2018 (Health Research) Regulations 2018, if applicable.

Cross-border transfers of personal data will depend on whether the transfer is within or outside the EEA (or another jurisdiction which has been deemed adequate). In circumstances where the transfer is within the EEA or the importing country benefits from an adequacy decision in its favour, no specific transfer mechanism is required. The parties may be required to enter into a data processing agreement under Article 28 of the GDPR if there is a controller to processor relationship between them.

In circumstances where there is a cross-border transfer outside of the EEA, and where the importing country does not benefit from an adequacy decision as per Article 45 GDPR, an appropriate transfer mechanism specified in Article 46 must be implemented. These transfer mechanisms include:

  • Binding Corporate Rules (internal mechanism which allows multinational companies to transfer personal data to affiliates located outside of the EEA);
  • Standard Contractual Clauses (EU Model Clauses which contain contractual obligations on exporters and importers of personal data to safeguard the personal data and rights and freedoms of the data subject).

Some cross-border transfers may be impacted by the recent Schrems II decision which has invalidated the EU-US Privacy Shield as a lawful transfer mechanism, and which requires all transfers relying on standard contractual clauses to be risk assessed, and supplemental measures to be implemented where required.

There are several cross-border considerations for any telehealth provider, not limited to data, such as consumer rights to bring claims within their own jurisdiction (Recast Brussels Regulation (Regulation EU 1215/2012)).

Last modified 8 May 2023

Cross-border transfers must be carried out in accordance with Articles 45 and ff. of the GDPR. This means that personal data, including health data, may be lawfully transferred where one of the following requirements is met:

  • There is a European Commission Adequacy Decision, stating that the recipient country provides adequate protection for individuals’ personal data; or
  • The data exporter and importer (i) adopted appropriate safeguards pursuant to Articles 46 and ff. of the GDPR (e.g. Standard Contractual Clauses, Binding Corporate Rules, etc.), (ii) conducted a proper transfer impact assessment pursuant to European Data Protection Board’s recommendations 1/2020, and (iii) implemented further adequate contractual, organizational, and technical measures, as needed according to said transfer impact assessment.

Moreover, Article 49 of the GDPR provides for possible exceptions to the above-mentioned requirements, which can be applied only where specific circumstances are met.

Last modified 9 May 2023

Article 22 of the Minister of Communication and Informatics of the Republic of Indonesia Regulation Number 20 of 2016 on Personal Data Protection In Electronic Systems, provides that parties who are going to send personal data outside of Indonesia must:

  • Be in coordination with the Ministry or officials / institutions that are authorised to do so;
  • Implement the provisions of laws and regulations on cross-border Personal Data exchange;
  • Report the implementation plan for personal data delivery, which at least specifies the explicit name of destination country, the explicit name of the recipient, the date of implementation, and the reason / objective of the delivery;
  • Ask for advocacy, if necessary; and
  • Report the implementation results of the said activity.

However, please note that until now, the infrastructure at the Ministry of Communications and Information is not ready to handle the coordination. We understand that the Ministry of Communications and Information has not assigned an officer to coordinate the cross-border transfer of personal data.

Last modified 17 May 2021

Under the APPI, before a medical institution can transfer telehealth data of patients, including patients’ personal information, to another institution located in a foreign country (excluding affiliates located in several specified countries such as EU countries and affiliates that have established an internal data protection system as required under the APPI), the medical institution is required to obtain consent from the patients after notifying the patients that their data might be transferred overseas.

Moreover, the medical institution needs to inform the patients about the personal information protection system of the countries and affiliates to which the patients’ personal data might be transferred.

Last modified 3 Apr 2023

Section 48 of the DPA provides that a data controller or data processor may transfer personal data to another country only where —

  • the data controller or data processor has given proof to the Data Protection Commissioner on the appropriate safeguards with respect to the security and protection of the personal data;
  • the data controller or data processor has given proof to the Data Commissioner of the appropriate safeguards with respect to the security and protection of personal data, and the appropriate safeguards including jurisdictions with commensurate data protection laws;
  • the transfer is necessary —
    • for the performance of a contract between the data subject and the data controller or data processor or implementation of precontractual measures taken at the data subject's request;
    • for the conclusion or performance of a contract concluded in the interest of the data subject between the controller and another person;
    • for any matter of public interest;
    • for the establishment, exercise or defence of a legal claim;
    • in order to protect the vital interests of the data subject or of other persons, where the data subject is physically or legally incapable of giving consent; or
    • for the purpose of compelling legitimate interests pursued by the data controller or data processor which are not overridden by the interests, rights and freedoms of the data subjects.

Section 49(1) of the DPA provides that the processing of sensitive personal data out of Kenya shall only be effected upon obtaining consent of a data subject and on obtaining confirmation of appropriate safeguards. According to Regulation 42 of the General Regulations, a country or territory is deemed to have appropriate safeguards if it has:

  • ratified the African Union Convention on Cyber Security and Personal Data Protection;
  • a reciprocal data protection agreement with Kenya; or
  • contractual binding corporate rules among a concerned group of undertakings or enterprises.

Regulation 41(1) of the General Regulations also provides that transfer of personal data to another country or a relevant international organisation is based on the existence of appropriate safeguards where there is a legal instrument containing appropriate safeguards for the protection of personal data binding the intended recipient that is essentially equivalent to the protection under the DPA and its Regulations, or the data controller, having assessed all the circumstances surrounding transfers of that type of personal data to another country or relevant international organisation, concludes that appropriate safeguards exist to protect the data.

On cross-border transfer on the basis of consent, Regulation 46(1) provides that in the absence of an adequacy decision, appropriate safeguards or prerequisites for transfer as a necessity, a transfer or a set of transfers of personal data to another country shall take place only on the condition that the data subject has explicitly consented to the proposed transfer and has been informed of the possible risks of such transfers.

Last modified 3 Apr 2023

Any cross-border transfer of telehealth data should be carried out only after having obtained customer consent for storing, processing, transferring data of the patients in accordance with applicable data protection laws.

Last modified 9 May 2023

The general principles set out in the GDPR are applicable to cross-border transfers of telehealth data. They are as follows.

Generally, any transfer of personal data, which are undergoing processing or which will be processed after the transfer, to a country outside the European Economic Area (or the "EEA"), or to an international organisation is valid only under the following conditions:

  • The telehealth service provider must either obtain explicit customer consent or provide appropriate safeguards, without the approval of a supervisory authority, through the following:
    • a legally binding and enforceable instrument between public authorities or bodies;
    • binding corporate rules;
    • standard data protection clauses adopted by the European Commission;
    • standard data protection clauses adopted by a supervisory authority and approved by the European Commission;
    • an approved code of conduct under Article 40 of the GDPR, together with the recipient data controller’s or data processor’s commitment to apply appropriate safeguards; or
    • an approved certification method under Article 42 of the GDPR, together with the recipient data controller’s or data processor’s commitment to apply appropriate safeguards;
  • The telehealth service provider can also provide appropriate safeguards, with approval from the supervisory authority, through the following:
    • contractual clauses between the EU-based transferor and the personal data recipient in the non-EU country; or
    • provisions inserted into administrative arrangements between public authorities or bodies that include enforceable data subject rights.

Please note that the European Union Court of Justice (or the "ECJ") in its decision of 16 July 2020 ("Schrems II") invalidated the EU-US Privacy Shield framework as a personal data transfer mechanism under the GDPR. In this decision, the ECJ held that the GDPR requires appropriate safeguards, enforceable rights and effective legal remedies for third-country data transfers. The transfers to such countries must afford a level of protection essentially equivalent to that guaranteed within the EU by the GDPR. The standard contractual clauses agreed between the data exporter and the recipient and the relevant aspects of the legal system of the third-country are taken into consideration to determine such equivalent level of protection.

In the absence of an adequacy decision, the telehealth service provider has to prove that the transfer is necessary for:

  • the performance of a contract;
  • important public interest reasons;
  • establishing, exercising, or defending legal claims;
  • protecting the patient’s vital interests and the patient is incapable of consenting; or
  • under limited circumstances, pursuing the telehealth service provider’s legitimate interests when the patient’s rights and freedoms do not override those legitimate interests.

Luxembourg law does not add further requirements to the GDPR data transfer framework in this respect.

Last modified 17 May 2021

Under Article 36 of the Data Privacy Law, as a general rule, transfers of personal data to national or foreign third parties require the holder (i.e. transferor) to issue to the third party a privacy notice and details of the purposes for which that information can be used. The processing of the data must be done as agreed in the privacy notice (which will contain a clause indicating whether or not the owner consents to the transfer of the data), and additionally, the third party recipient will assume the same obligations that correspond to the responsible party who transferred the data.

However, there are some relevant and important exceptions to the general rule that telehealth providers should be aware of. In particular, Article 37 of the Data Privacy Law establishes that national or international transfers of data may be carried out without the consent of the holder when the transfer is necessary for prevention or medical diagnosis, the provision of healthcare, medical treatment or the management of health services. The recipient of the personal data must always assume the same obligations that correspond to the party that transferred the personal data. The party responsible for transferring the personal data may use contractual clauses or other legal instruments to provide for at least the same obligations to which the person responsible for the transfer of the personal data is subject, as well as the conditions under which the holder consented to the processing of the personal data.

Last modified 17 May 2021

Cross-border transfer of health data is subject to a prior authorization from the Data Protection Authority.

Last modified 14 Sep 2021

There are no laws dealing with the cross-border transfer of personal information collected and processed in the course of telehealth services (or generally). The common law right to privacy will apply.

Last modified 14 Sep 2021

For any cross-border transfers of telehealth data, additional safeguards should be in place on the basis of Chapter V of the GDPR, also taking into account any additional requirements resulting from the recent Schrems II judgment by the European Court of Justice.

Last modified 26 Jun 2023

Any transfer of personal data to a foreign country is subject to the NDPR and the supervision of the Honourable Attorney General of the Federation (AGF). A transfer of personal data relating to telehealth may take place if the data is being transferred to one of the countries on the whitelist of countries deemed to have adequate data protection laws by the NDPB and the AGF. In the absence of an adequacy decision in respect of the foreign country where the personal data is to be transferred, cross-border transfer of personal data can still take place if any one of the following conditions is fulfilled:

  • Consent is explicitly given by the data subject after being informed of the possible risks of such transfers.
  • The transfer is necessary for the performance of a contract between the data subject and the controller or necessary for the implementation of precontractual measures taken at the data subject’s request.
  • The transfer is necessary for the conclusion or performance of a contract concluded in the interest of the data subject between the controller and another natural or legal person.
  • The transfer is necessary for important public interest reasons.
  • The transfer is necessary for the establishment, exercise or defence of legal claims.
  • The transfer is necessary in order to protect the vital interests of the data subject or of other persons, where the data subject is physically or legally incapable of giving consent.

Last modified 9 May 2023

Many of the privacy principles in the Privacy Act 2020 apply regardless of whether the agency holding personal information holds it within or outside New Zealand.

Under the Privacy Act, the Privacy Commissioner may, by notice, prohibit a transfer of personal information from New Zealand to another state if the Commissioner (having regard to certain matters) is reasonably satisfied that the information has been, or will be, received in New Zealand from another state and is likely to be transferred to a third state where it will not be subject to comparable safeguards to those of the Privacy Act, and that the transfer would likely contravene the basic principles of national application set out in the Organisation for Economic Co-operation and Development Guidelines Governing the Protection of Privacy and Transborder Flows of Personal Data.

This does not apply if the transfer of the information, or the information itself, is required or authorised by law or required by any instrument imposing international obligations on New Zealand. It is an offence to fail or refuse to comply with a transfer prohibition notice.

The Privacy Act 2020, which came into force on 1 December 2020, enables the Privacy Commissioner to restrict offshore transfers of personal information. An overseas agency similarly may not enter into an information sharing agreement between agencies.

The new Act also clarifies that disclosure to an entity that holds personal information solely as an agent (e.g. for safe custody or processing) will not be considered an overseas transfer of personal information, but will if the recipient (e.g. a storage provider or data processor) also uses or discloses personal information for its own purposes.

Last modified 3 Apr 2023

The cross-border transfer of telehealth data is regulated through GDPR. The general principle is that the data can only be transferred to states in which standards for secure and proper processing apply.

The processing of health data must comply with the requirements of GDPR Art. 6 and Art. 9. The latter Article applies as health data is a special category of personal data (cf. GDPR Art. 9(1)). In order for data from the health filing systems to be transferred, the transfer must be in accordance with the purpose of the filing system. To the extent that a cross-border transfer of telehealth data implies a transfer to third countries, such transfer must take place in accordance with GDPR Chapter V.

Following recent developments in EU case law (Schrems II decision), special precautions should be taken for data transfers to third countries even if, for example, standard contractual clauses are applied.

Last modified 9 May 2023

Based on Royal Decree No (6/2022) and without prejudice to the competencies prescribed to the Cyber Defence Centre, the controller may transfer personal data and permit its transfer outside the borders of the Sultanate of Oman, in accordance with the controls and procedures determined by the Executive Regulation. However, the law prohibits transferring personal data which has been processed in violation of its provisions or if the transfer would cause harm to the data subject.

Last modified 9 May 2023

Under the GDPR (see also Privacy and data protection), transfers of personal data within the EEA are permitted.

However, all extra-EEA transfers need to be based on one of the following: (i) an adequacy decision of the Commission (applicable to a limited number of jurisdictions); (ii) one of the appropriate safeguards under Article 46 of the GDPR, such as standard contractual clauses approved by the Commission ("SCC") or approved binding corporate rules; or (iii) one of the exemptions listed in Article 49 of the GDPR. In addition, as a result of the recent CJEU ruling in the Schrems II case (C-311/18), international transfers based on the SCCs will need to be preceded by an internal analysis of risks of transfer to a particular jurisdiction and necessary safeguards to be introduced by the data controller in order to ensure a safe transfer. The result of such analysis may indicate that SCC alone would be insufficient and additional contractual safeguards are necessary.

Last modified 17 May 2021

Cross-border transfers are governed by GDPR, being allowed under the terms of articles 44 to 49 GDPR.

Last modified 3 Apr 2023

Data controllers may collect, process and transfer personal data when the data subject consents, unless deemed necessary for realising a lawful purpose for the controller or for the third party to whom the personal data is sent. Data controllers should not take measures or adopt procedures that may curb trans-border data flow, unless processing such data violates the provisions of the Data Protection Law or will cause gross damage to the data subject. The Data Protection Law defines ‘trans-border data flow’ as accessing, viewing, retrieving, using or storing personal data without the constraints of state borders.

The Guidelines have clarified that a data controller transferring personal data outside of Qatar must:

  • be able to demonstrate that the transfer is for a lawful purpose and that the transfer of data is made pursuant to the provisions of the Data Protection Law;
  • keep track of personal data transferred outside of Qatar as part of its processing activities records;
  • take into consideration a number of factors in assessing whether a transfer of personal data would cause “serious damage” to personal data including, but not limited to, whether the data subject would experience emotional distress or physical or material damage; and
  • inform the data subject of any transfers of data to countries outside of Qatar and the information should include the location(s) the personal data is being transferred to and information regarding the safeguards in place to protect the data subject's data and privacy.

Last modified 9 May 2023

Cross-border transfers of telehealth data must be carried out in accordance with Chapter V (Transfers of personal data to third countries or international organisations) of the GDPR.

Last modified 3 Apr 2023

There are no specific rules on cross-border transfer of telehealth data in Russia. However, general data protection rules governing cross-border transfer of data would apply. Such rules would primarily require that any cross-border transfer of personal data is made with the patient’s consent and / or based on an agreement with the patient, and that a copy of such data is stored in Russia (data localization rules).

Last modified 17 May 2021

See Privacy and data protection.

Last modified 17 May 2021

Personal information may be transferred from South Africa to third parties in other countries if the foreign country has adequate data protection laws similar to POPIA. If the recipient is in a country that does not have adequate laws there would need to be a justification under POPIA for the transfer. In this regard, section 72 of POPIA provides that a responsible party may only transfer personal information about a data subject to a third party in a foreign country if:

  • the recipient is subject to a law, binding corporate rules or binding agreement, which provide an adequate level of protection that effectively upholds principles for reasonable processing that are substantially similar to the provisions of POPIA and includes provisions relating to the further transfer of personal information that are substantially similar to what is contained in POPIA;
  • the data subject consents;
  • the transfer is necessary for the performance of a contract between the data subject and the responsible party, or for the implementation of pre-contractual measures taken in response to the data-subject’s request;
  • the transfer is necessary for the conclusion or performance of a contract concluded in the interest of the data subject; or
  • the transfer is for the benefit of the data subject and it is not reasonably practicable to obtain the data subject’s consent; and if it were reasonably practicable, the data subject would be likely to give it.

Furthermore, in terms of section 57 of POPIA, a responsible party must obtain prior authorisation from the Information Regulator prior to any processing if that responsible party plans to transfer special personal information, or the personal information of children, to a third party in a foreign country that does not provide an adequate level of protection for the processing of personal information. A Guidance Note for Prior Authorisation has recently been published in terms of which it appears that it would not be necessary to request prior authorisation if the special personal information is being transferred to a country without adequate data protection laws but the recipient of the information has concluded a binding agreement which provides adequate protection and upholds the principles in POPIA. There may, however, be more clarity on this in the months to come as the effective date of these prior authorisation requirements in POPIA has been deferred to 1 February 2022.

Last modified 3 Apr 2023

If the telehealth data constitutes personal data, this would be governed under the PDPA. The PDPA and its subsidiary legislation provide that an organisation may only transfer personal data overseas if it has taken appropriate steps to ensure that:

  1. it will comply with the PDPA obligations in respect of the transferred personal data while it remains in its possession or under its control; and
  2. the recipient outside of Singapore is bound by legally enforceable obligations to provide to the personal data transferred a standard of protection that is comparable to the standard under the PDPA. In this regard, legally enforceable obligations would include obligations imposed on a recipient pursuant to:
    1. any law;
    2. any contract that: (A) requires a recipient to provide a standard of protection to the personal data transferred that is at least comparable to the protection under the PDPA; and (B) specifies the countries and territories to which the personal data may be transferred under the contract;
    3. binding corporate rules; or
    4. any other legally binding instrument.

A telehealth service provider will, however, be taken to have satisfied the requirement of ensuring that the recipient outside of Singapore is bound by legally enforceable obligations if the individual whose personal data is being transferred consents to the transfer of the personal data to the recipient in that country or territory, subject to such consent satisfying certain prescribed conditions.

Last modified 18 May 2023

In Slovakia, there is no special regulation in connection with the cross-border transfer of telehealth data and therefore the GDPR standard principles of personal data transfer (requirement of the same level of protection, etc.) will apply.

Last modified 17 May 2021

It should be noted that the GDPR plays a crucial role regarding the transfer of data (including telehealth data) in EU Member States. However, Slovenian legislation sets out a few rules that regulate the subject matter at hand alongside, and without prejudice to, the GDPR.

  1. ZVOP-2 sets out special provisions pertaining to transfer of data in the context of the public sector. Special procedural rules which need to be adhered to are stipulated in Articles 39 et seq. ZVOP-2.
  2. ZPacP, which constitutes lex specialis in the context at hand, sets out various provisions in regard to personal data protection. According to Article 45 (8) in conjunction with Article 45 (4) and (5) ZPacP, the patient has a right to determine to whom, when and what information about their health condition may or may not be communicated by a doctor or another person authorised by the doctor. Furthermore, Article 44 (7) in conjunction with Article 44 (4) ZPacP stipulates that any use and other processing of the patient’s medical and other personal data outside medical treatment procedures shall be permitted only with the patient’s consent or the consent of persons entitled thereto if the patient is incapacitated (e.g., parents or customary care-givers, pursuant to Articles 35 et seq. ZPacP). After the patient’s death, their immediate family members may give their consent, unless the patient has disallowed this in writing. Such consent, moreover, is not required when the data is transmitted to another healthcare provider due to the needs of treatment, pursuant to Article 44 (7) in conjunction with Article 44 (6) no 4 ZPacP.
  3. Finally, according to Article 14.c of the Slovenian Healthcare Databases Act, if a health provider is situated outside the European Union (a foreign health provider), the data processing is permitted only on the basis of a patient’s consent.

Last modified 3 Apr 2023

According to the GDPR 2016/679, data concerning health are considered a special category of data. Therefore, the controller and the processor shall implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk (i.e., pseudonymisation and encryption of personal data).

In connection with international data transfers, as a consequence of the Schrems II judgment, data transfers to third countries (outside the EEA) under SCCs will only be valid if the data exporter can verify on a case-by-case basis (by means of a risk assessment analysing the law of the recipient territory and the circumstances of the transfer) that a level of protection of personal data can be provided which does not undermine the level of protection guaranteed to data subjects under EU law, including the GDPR.

Last modified 26 Jun 2023

General remarks

General GDPR requirements on cross-border transfers of personal data apply. Controllers and processors intending to transfer personal data to third countries must ensure that the conditions laid down in the GDPR are met. In particular, the conditions for third country transfers in Chapter V of the GDPR must thus be observed.

Adequacy decisions

Transfers of personal data outside the EU/EEA are permitted to countries that are subject to a so-called adequacy decision from the European Commission, whereby the Commission has determined that the area provides an adequate level of data protection (Article 45(1) of the GDPR).

Appropriate safeguards

Transfers to third countries are also permitted insofar as appropriate safeguards have been provided by the controller or processor (Article 46 of the GDPR), and on condition that enforceable data subject rights and effective legal remedies for the data subject are available. The appropriate safeguards include binding corporate rules and standard contractual clauses.

On 16 July 2020, the Court of Justice of the European Union ("CJEU") invalidated the EU-US Privacy Shield in the so-called Schrems II case (judgement of the CJEU in Case C-311/18). Moreover, the CJEU clarified that exporters of personal data to third countries may continue to rely on standard contractual clauses. When doing so, however, exporters need to carry out a so-called transfer impact assessment and implement supplementary measures as necessary in each individual case, in order to be able to ensure that a level of protection essentially equivalent to that which is guaranteed within the EU can be upheld.

Derogations

By way of exception, a third country transfer of personal data may take place subject to a limited number of derogations set out in Article 49 of the GDPR. Such derogation exists, inter alia, if the transfer is necessary to safeguard the vital interests of the data subject or other persons, where the data subject is physically or legally incapable of giving his or her consent.

Last modified 3 May 2021

The cross-border transfer of personal data is governed by the PDPA, which requires that the destination country receiving such telehealth data must have adequate data protection standards in the view of the Personal Data Protection Committee, and that such transfer must be carried out in accordance with the subordinate regulation to be issued under the PDPA.

The above requirement may not apply if such transfer falls under any exemption prescribed under the PDPA, including where the consent of the individual has been obtained, provided that he / she has been informed of the inadequate personal data protection standards of the destination country or international organisation.

Last modified 3 Apr 2023

Article 13 of the ICT Health Law provides that patient information which is "provided in the UAE may not be stored, processed, generated, or transferred outside of the UAE, unless the activity has been approved by a decision of the Health Authority in coordination with MOH". This acts as a data localisation requirement for all patient information which falls within that law.

The Dubai HA Standards reiterate the data localisation requirement set out under the ICT Health Law. There is no express data localisation under the AD DOH Standards, however the ICT Health Law may, effectively, impose this.

Under the DHCC Regulation patient information may only be transferred to a third party located in a jurisdiction outside of the DHCC if:

  • an adequate level of protection for that patient information is ensured by the laws and regulations that are applicable to the third party. To this end, the DHCC adopts the same list as any list that is used by the Dubai International Financial Centre’s Commissioner for Data Protection; or
  • the transfer is either: (a) authorised by the patient; or (b) necessary for the ongoing provision of healthcare services to the patient.

Last modified 9 May 2023

The rules set down in Chapter V of GDPR impose extra controls where the cross-border transfer of personal data involves data sharing of EU originating data to a country outside the EU/EEA. These provisions place restrictions on the transfers of personal data outside the EEA, or the protection of the GDPR, unless the rights of the individuals in respect of their personal data are protected in another way, or one of a limited number of exceptions applies (such as where there is a medical emergency and the transfer of the data is needed in order to give the medical care required – the imminent risk of serious harm to the individual must outweigh any data protection concerns).

Organisations transferring personal data need to ensure that there is adequate protection of the personal data being transferred in the country to which the data is being transferred. Certain third countries will already have an "adequacy decision" granted by the European Commission which confirms that the relevant country has an adequate level of protection for data transfers. If an adequacy decision is not in place, many organisations look to put in place Standard Contractual Clauses (which are EU-approved terms). There are other alternatives that can be considered to ensure the transfer is covered by appropriate safeguards, such as EEA-approved binding corporate rules, but the most common approach is the use of the Standard Contractual Clauses.

For transfers to the US, the European Commission had previously found that if transfers to the US were conducted in accordance with EU-US Privacy Shield framework then this would give sufficient protection as it placed requirements on US companies certified by the scheme to protect personal data and provide redress mechanisms for individuals. However, as a result of the recent Schrems II case (16 July 2020) Privacy Shield is no longer a valid route.

Due to Brexit, at the end of the transition period (31 December 2020), in the absence of an adequacy decision in respect of the UK, transfers from the EEA to the UK will need to comply with EU GDPR transfer restrictions as the UK will be regarded as a third country.

The UK will also be adopting its own equivalent rules on data transfers to countries outside the UK after that date.

Last modified 3 Apr 2023

HIPAA does not prohibit the cross-border transfer of protected health information so long as HIPAA requirements are otherwise met.

Outside of HIPAA, there are also no federal laws that expressly prohibit cross-border transfers, though CMS has imposed certain reporting requirements on the health plans that it regulates regarding offshoring of beneficiary health data. Because of these CMS reporting requirements, many Medicare Advantage plans include contractual limitations or prohibitions on offshoring which are flowed down by contract to all subcontractors and sometimes, participating providers of those plans. Additionally, some state Medicaid programs prohibit the offshoring of health information relating to their beneficiaries.

Therefore, entities considering cross-border transfer or offshoring of health information (both storage and access) will want to consider what legal restrictions may apply to such transfers and also whether their contractual relationships permit such transfers.

Last modified 3 Apr 2023

There is no legislation in Zambia regulating the cross-border transfer of personal data, nor are there laws regulating Telehealth. The cross-border transfer of personal information that is collected and processed in the course of telehealth services must comply with Zambian privacy laws. Generally, the cross-border transfer of personal information collected and processed in the course of telehealth services must be carried out to ensure compliance with medical ethics and meet the Zambian Constitutional requirement of having a compelling public need for the sharing of such information.

Last modified 14 Sep 2021

The service provider of the telehealth services is required to consult the Ministry before acquiring and transferring this information. Once the service provider’s proposal regarding how it intends to use, access and process information is approved by the Ministry, the Ministry then provides the service provider with a procedure outlining how the information must be processed, and this procedure must be complied with by the service provider.

Moreover, the CDPA’s provisions state that a data controller can only transfer personal information about a data subject to a third party who is in a foreign country where there is “an adequate level of protection which is ensured in the country of the recipient or within the recipient international organization and the data is transferred solely to allow tasks covered by the competence of the controller to be carried out.”

Last modified 3 Apr 2023

Argentina

Is the use of telehealth permitted?

Yes, telehealth is permitted in Argentina.

Last modified 3 Apr 2023

How is telehealth regulated?

In 2019, the Argentine Ministry of Health published a guide of recommendations for the supply of ‘telehealth’ (Disposition No. 21/2019). The "Recommendations for the use of telehealth: meeting between the health professional and the patient using real-time ICT" guide was prepared by a group of healthcare providers, coordinated by the Ministry of Health, with the objective of creating a guideline for the provision of telehealth in a safe, efficient and ethical way.

Pursuant to the General Resolution No. 282/2020 issued by the Superintendency of Health Services ("Superintendencia de Servicios de Salud"), all private health insurers must employ and promote the use of teleconsultation platforms in order to provide healthcare treatments. In all cases, they must guarantee that the data and information collected from the patient through the use of teleconsultation platforms is protected in the terms of the Personal Data Protection Law No. 25,326. Moreover, telehealth platforms are, in all cases, subject to a subsequent audit carried out by the Superintendency of Health Services.

In 2022, pursuant to the General Resolution No. 581/2022, the Argentine Ministry of Health published a new guide with recommendations in the telehealth field: “Recommendations for the use of telehealth and good practices for healthcare providers”.

It should be highlighted that these guides are recommendations provided by the Ministry of Health in order to ensure good practices in the use of telehealth. Notwithstanding this, each of the Argentine Provinces may complement these recommendations by issuing their own regulations and laws.

Last modified 3 Apr 2023

Are there specific fields of healthcare in relation to which telehealth services are currently available, and do they involve the use of proprietary technology or platforms?

Pursuant to Section 6 of Law No. 27,553, the healthcare services currently available through telehealth methods are: general practice, dentistry and collaborative activities related to them, and psychology. In all cases, these activities should be previously authorised by the competent authority, and they should comply with the provisions of the Patient Rights Law No. 26,529. These services are available through proprietary platforms and general videoconferencing apps. As both forms are permitted, the platform used will depend on each particular case.

Last modified 3 Apr 2023

Does the public health system include telehealth services, and if so, are such services free of charge, subsidised or reimbursed? Where the public health system does not include telehealth services, are such services covered by private health insurance?

The public health system is free of charge but generally does not include telehealth services because it lacks the infrastructure to provide them. However, pursuant to the electronic prescriptions of medicines and healthcare treatments Law No. 27,553, all the healthcare providers of the public health system are empowered to do so, and can issue electronic prescriptions.

Most private health insurers offer some telehealth services such as appointments with a medical doctor via videoconference. No additional fees are charged to the patient as this is typically covered in the health insurance policy.

Last modified 3 Apr 2023

Do specific privacy and/or data protection laws apply to the provision of telehealth services?

There are no data protection laws relating specifically to telehealth services. However, the Ministry of Health’s guides and recommendations include a section related to data protection and, in all cases, healthcare providers should comply with Law No. 25,326 of Personal Data Protection.

Last modified 3 Apr 2023

Are there any currently applicable codes of conduct on the use of telehealth systems and/or security of telehealth data in your jurisdiction?

Yes, as discussed in Availability of Telehealth, the Ministry of Health has published two guidelines: (i) "Recommendations for the use of telehealth: meeting between the health professional and the patient using real-time ICT"; and (ii) “Recommendations for the use of telehealth and good practices for healthcare providers”.

Last modified 3 Apr 2023

Are any specific laws, regulations, or self-regulatory instruments expected to be adopted in the near future?

The government has recommended that public and private healthcare providers implement and promote the use of teleconsultation platforms in order to provide essential health services.

Moreover, further regulations will be issued to implement Law No. 27,553 as discussed in Regulation of Telehealth.

Last modified 3 Apr 2023