Legal regulation of the transmission of health-related data: Balance of public interests and individual rights in the context of cross-border health care

Размещено на http://www.allbest.ru/

Legal regulation of the transmission of health-related data: Balance of public interests and individual rights in the context of cross-border health care

M. Akulin¹, E.A. Chesnokova¹, U. Genovese², R.A. Presnyakov³, A.E. Pryadko⁴

¹ St. Petersburg State University,St. Petersburg, 199034, Russian Federation

² University of Milan,, Milan, 20122, Italy

³ Association of Medical Law of St. Petersburg,., St. Petersburg, 199178, Russian Federation

⁴ Committee for Social Protection of the Population of the Leningrad Region, St. Petersburg, 191124, Russian Federation

The article provides a comparative analysis of the regulatory and legal regulation for the processing of a special category of personal health data in the European Union and in the Russian Federation in regard to the digitalization of national health systems. Special attention is paid to the legal framework for the transmission of health information at the cross-border level. It is established that within the framework of European and Russian legislation at this stage, in the context of the formation of digital medicine, there is a comparability in the definition of legal mechanisms for the protection of medical data. It is also noted that in the issue of the transfer of personal health data to third countries, both the Russian Federation and the European Union choose the path of strict restrictive regulation and the introduction of a closed list of grounds for overcoming the ban on cross-border transfer. The reasons for this approach to issues of supranational interaction in healthcare are analyzed, as well as the potential risks of inertia of national legislators in this issue. Based on the analysis, the authors proposea number of amendments and additions to the national legislation on personal data, aimed at simplifying the interaction between jurisdictions on the transfer of confidential medical information. The authors suggest an international agreement on the exchange of medical data in digital format, which potentially should include not only the Russian Federation and the EU states, but also other countries, including Eurasian Economic Union member states, China, and countries of the American continent. The proposed concept is intended to create an opportunity for the formation of a supranational information system in the field of healthcare, which allows for the effective exchange of medical data, taking into account the sovereign interests of the countries participating in the agreement.

Keywords: legislation of the European Union, legislation of the Russian Federation, personal data, medical confidentiality, e-health, data exchange, personal data protection.

Introduction

medical information regulatory legal

In recent years, we have witnessed and participated in a digital rethinking of almost all fields of social relations. This transformation, on the one hand, facilitates access to information and various services, and on the other hand, fundamentally changes the model of social interaction of people and forms a new kind of public institutions.

One of the most important public institutions undergoing transformation is healthcare. Developed world economies are becoming more and more active in implementing modern digital tools: electronic medical cards, electronic prescriptions, online appointments, etc. Information and telecommunication technologies are becoming a common reality, designed to improve the quality and availability of medical care, to ensure maximum respect for the rights of patients. However, digital transformation in medicine, along with the obvious advantages, creates prerequisites for new risks. Such prerequisites are a rapid increase in the number of information repositories with sensitive data, emergence of new typologies of information, uncontrolled or insufficiently controlled number of persons who can potentially access them, as well as participation of unscrupulous organizations in processing of confidential medical information.

Another factor influencing healthcare transformation is globalization: an increase in migratory activity and in-depth economic integration are the factors driving the familiar national model of healthcare organization to transition to a supranational level and build new structures of interaction between different legal systems. Such convergence of national systems becomes inevitable in the new realities of the digital economy.

The primary link of the supranational model is the cross-border transfer of confidential medical information, which has the same potential risks as the national regulation of “reception” and “transfer” countries. In this regard, it is interesting to summarize the experience of supranational regulation in the European Union (hereinafter -- the European Union, the EU, the Union) and the Russian Federation in regard to legal regulation of processing personal data in conditions of economic and political integration of states. In this aspect, the analysis of the relevant Russian and European regulations may be particularly noteworthy for both the EU member states and the Eurasian Economic Union (EAEU) member states.

1. Basic research

Regulatory and legal framework for personal data with in the European Union: providing security during the exchange of confidential medical information on May 25, 2018 the EU Regulation 2016/679 General Data Protection Regulation (hereinafter -- the Regulation, GDPR) entered into force in the European Union¹. The GDPR is designed to respond to new technological challenges in order to achieve higher legal certainty, harmonization of legal systems and ease the regulation of transferring personal data outside the EU to third jurisdictions. Thus, in accordance with paragraph 10 of the Preamble of the EU Regulation 2016/679 GDPR in order to ensure a consistent and high level of protection of natural persons and to remove the obstacles to flows of personal data within the Union, the level of protection of the rights and freedoms of natural persons with regard to the processing of such data should be equivalent in all member states. Consistent and homogenous application of the rules for the protection of the fundamental rights and freedoms of natural persons with regard to the processing of personal data should be ensured throughout the Union.

This regulation superseded the previous Directive 95/46/EC of the European Parliament and of the Council of the EU Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation). EUR-Lex. European Union law. Accessed July 16, 2019. https://eur-lex.europa.eu/legal-content/EN/TXT/?qid=1563114709430&uri=CELEX:32016R0679. Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data. EUR-Lex. European Union law. Accessed July 16, 2019. https://eur-lex.europa.eu/legal-content/en/ TXT/?uri=CELEX%3A31995L0046.which, in fact, is no longer able to fully regulate legal relations between entities in the face of new challenges posed by scientific and technological progress. Yet the objectives and principles of Directive 95/46/EC remain sound (paragraph 9 of the Preamble of the Regulation (EU) 2016/679 GDPR).

Thus, according to the Regulation, the European Parliament and the EU Council pursue an ambitious goal of harmonizing legislation on the protection of personal data in the EU member states and creating a united digital information space throughout the European Union.

The General Data Protection Regulation is an act with a direct effect, its provisions are binding for all EU member states and do not need to be ratified at the level of each EU member state, and the Regulation applies to the European Economic Area. However, the regulation still provides EU member states a free hand to determine requirements, including for the purpose of processing special categories of personal data. Thus, the Regulation does not exclude the legislation of the EU member state, which establishes the circumstances for special processing situations, including a more precise determination of conditions when the personal data will be based on the principle of legality. This fact raises concern for some authors as the provisions of the Regulation to some degree betray the original European idea of harmonization of legislation and may become the reason for the emergence of contrasts between the Regulation and the national laws enacted just because of the need to align national and European regulations (Cataleta, Longo, Natale 2020).

The Regulation establishes the principle of extraterritoriality. Provisions of this act shall be applied if the data processing is related to offering goods or services to natural persons -- data subjects located in the Union, regardless of payments (paragraph 23 of the Preamble of the Regulation (EU) 2016/679 GDPR) and when it is related to the monitoring of the behaviour of such data subjects in so far as their behaviour takes place within the Union, irrespective of the place of establishment of the controller or the person in charge of data processing (paragraph 24 of the Preamble of the Regulation (EU) 2016/679 GDPR). The stated above provisions clearly show a degree of orientation of the European legislator in the first place towards data processing in the field of commercial activity. This is evidenced by the reference to the supply of goods or services, as well as an emphasis on data processing for making decisions related to a natural person located in the EU, or for the analysis or prediction of his/her personal preferences, types of behaviour and attitudes.

At the same time, it should be emphasized that the guarantees of protection provided by the Regulation apply to all natural persons in the EU, regardless of their citizenship, place of registration or place of residence. In paragraphs 23 and 24 cited above, any natural person who is in the Union without indication of their citizenship is considered a data subject. In addition, paragraph 2 of the Preamble of the Regulation states: “The principles of, and rules on the protection of natural persons with regard to the processing of their personal data should, whatever their nationality or residence, respect their fundamental rights and freedoms, in particular their right to the protection of personal data”.

Accordingly, the Regulation for the range of data subjects is applied to all citizens of the Union, persons permanently residing in the territory of the Union, as well as to all individuals in the Union regardless of the purpose and duration of their stay. In this case, the location of the operator processing the data of the above entities does not matter. Therefore, the subject of Regulation also includes cases when citizens and residents of the Russian Federation seek medical care in medical organizations in the territory of the Union.

It should be noted that the Regulation does not provide for a special discipline governing the processing of personal data concerning health, but it does contain a number of provisions related to this category of personal data.

The definition provided in paragraph 15 of article 4 of the Regulation, where the term “data concerning health” means personal data related to the physical or mental health of a natural person, including the provision of health care services, which reveal information about his or her health status.

Paragraph 35 of the Preamble of the Regulation discloses the content of data affecting the state of health, which states that health-related personal data should include all data that is related to the state of health of the data subject and disclose information about the past, current and future physical or psychological state of the data subject's health. This also includes complete information about an individual collected in the course of registration or provision of medical services according to the Directive 2011/24/EU of the European Parliament and of EU Council In accordance with the provisions of Directive 2011/24/EU of the European Parliament and of the Council of the EU, the information about a natural person collected during registration or the provision of medical services includes: a number, symbol or mark assigned to an individual to uniquely identify that person for health purposes; information obtained from a study or examination of a body part or body material, including genetic data and biological samples; and any information, such as disease, disability, risk of disease, medical history, clinical treatment, or physiological or biomedical condition of the data subject, regardless of the source of the data, for example, it may be obtained from a physician or other medical professional, hospital, medical equipment, or laboratory diagnosis (Accessed February 17, 2021. https:// eur-lex.europa.eu/LexUriServ/LexUriServ.do?uri=OJ:L:2011:088:0045:0065:en:PDF)..

At the same time, it should be noted that the legislator pays special attention to the problem of circulation of data, which to some extent is related to the subject's state of health. In particular, this is evidenced by the specification given in paragraph 35 of the Preamble of the Regulation, which states that all data that is related to the state of health of the data subject and discloses information not only about current but also about the past and future health of the data subject, and the health status concerns both the subject's physical and psychological status.

Further, the definition contains quite a detailed description of the content of the concept. Data concerning health includes:

— information about the natural person collected in the course of the registration for, or the provision of, health care services as referred to in Directive 2011/24/EU of the European Parliament and of the Council to that natural person;

— a number, symbol, or mark particularly assigned to a natural person to uniquely identify the natural person for health purposes;

— information derived from the testing or examination of a body part or body substance, including from genetic data and biological samples;

— and any information on, for example, a disease, disability, disease risk, medical history, clinical treatment or the physiological or biomedical state of the data subject independent of its source, for example from a physician or other health professional, a hospital, a medical device or an in vitro diagnostic test.

The final provision establishes an open and indicative nature of the list. Thus, the main criterion for classifying data as special is their relevance to information about the physical or psychological state of the subject.

Of particular interest is the fact that in the Regulation the European legislator includes in the “data concerning health” category not only data on examinations and medical services, but also genetic and biometric data. It should be noted that this decision is to some extent a novelty in European norm-setting: the provisions of Directive 95/46/EC preceding the Regulation did not include this category of information in the category on data concerning health.

Health information, as the most sensitive (confidential), belongs to a special category of data and is subject to enhanced protection in terms of guarantees of observance of fundamental human and civil rights and freedoms. However, it is obvious that such close attention to the protection of the data concerning health is also based on the understanding of the importance of providing security of this information in the public interest, and, above all, in order to maintain competitiveness, state security, and national sovereignty. In the European Union, where national borders are more or less non-existent and integration is based on four fundamental European freedoms: freedom of movement of persons, capitals, goods, services, freedom of information flow is a prerequisite for successful integration and implementation of a single policy. In this regard, the Regulation establishes unified rules for circulation of personal information and introduces unified rules for the transfer of information to third parties. It is interesting, however, that the Regulation leaves room for member states, at the legislative level, to provide additional conditions or even restrictions on the processing and transmission of information. At the same time, an extent of readiness of the EU States to make autonomous decisions that strengthen the legal regime for the protection of data concerning health, in our opinion, will be determined by political, social and economic factors.

Thus, the Regulation establishes a basic, minimum level, of personal data protection, which should be provided in all member states, and throughout the EU. Part 1 of article 9 of the Regulation proclaims a general principle prohibiting any processing of data concerning health Part 1 of article 9 of the EU Regulation 2016/679 GDPR specifies that the processing of personal data revealing racial or ethnic origin, political views, religious beliefs or philosophical views, membership in a trade union, as well as the processing of genetic data, biometric data for unambiguous identification of an individual, data relating to the health, sexual life or sexual orientation of an individual, should be prohibited.. However, this prohibition does not apply to a number of situations related to medical services as a whole. In particular, the provisions of § 2 of article 9 of the Regulation allow processing of data concerning health in special public interest, as well as if it is necessary for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes in accordance with Article 89 based on Union or Member State law which shall be proportionate to the aim pursued, respect the essence of the right to data protection and provide for suitable and specific measures to safeguard the fundamental rights and the interests of the data subject (sub-paragraphs g, j § 2 of article 9 of the Regulation (EU) 2016/679 GDPR). Processing in the public interest is also allowed when it is necessary in the area of public health, such as protecting against serious cross-border threats to health or ensuring high standards of quality and safety of health care and of medicinal products or medical devices, on the basis of Union or Member State law which provides for suitable and specific measures to safeguard the rights and freedoms of the data subject, in particular professional secrecy (sub-paragraph i § 2 of article 9 of the Regulation (EU) 2016/679 GDPR). This provision is particularly significant in terms of European integration. The Regulation establishes the priority of public interests in the field of public healthcare in its cross-border understanding, allowing the processing of personal data, including protection against serious cross-border threats to health, regardless of the will of the personal data subject. It can be assumed that this provision will contribute to the development of a new model of public healthcare that goes beyond national borders and involves more active interaction of all participants in the healthcare system at the EU level.

Processing of health data is also allowed in other cases In this case, the authors want to point to other cases provided by the provisions of sub-paragraphs b, d, f § 2 of article 9 of the EU Regulation 2016/679 GDPR, as well as the provisions of sub-paragraph h § 3 of article 9 of the EU Regulation 2016/679 GDPR., but the most interesting, in our opinion, are the provisions that lift a ban on processing data concerning health when:

— the data subject has given explicit consent to the processing of personal data for one or more specified purposes, except where Union or member state law provide that the prohibition may not be lifted by the data subject (a);

— processing is necessary to protect the vital interests of the data subject or of another natural person where the data subject is physically or legally incapable of giving consent (c);

— processing relates to personal data which is manifestly made public by the data subject (e).

This list of exceptions should be considered closed and not subject to broad interpretation. It should be noted, however, that § 4 of the cited article still provides the EU member states with the possibility of national regulation of health data protection. Thus, the EU member states will be able to maintain or introduce additional conditions, including restrictions, regarding the processing of genetic data, biometrical data or health data (Article 4 of the Regulation (EU) 2016/679 GDPR). It seems that this provision should be considered in the sense of possibly further strengthening the protection mechanisms and limitation of the possibilities for personal data processing. For example, as mentioned above, the Regulation establishes a general rule that a ban on the processing of health data can be overcome by the will of the data subject, but it also indicates that the national legislator is allowed to impose a restriction on the ability to dispose of their data.

The basic principles established by the Regulation are the principles of maximum transparency when working with personal data and awareness of the data subject. According to part 1 of article 15 of the Regulation, in the case of processing of personal data belonging to an individual the data subject has the right to access their own personal data, as well as information about the purposes of processing, the category of processed personal data, the recipients to whom the data will be disclosed, the terms of data storage or the criteria used to determine the specified period, the right to request correction or deletion of data (“the right to be forgotten”), restrictions on its processing, or objections, the right to file a complaint with the supervisory authority, the presence of an automated decision-making process, as well as the source of data in case personal data is not received not from the data subject.

Articles 13 and 14 of the Regulation establish a minimum list of information that the controller must provide to the personal data subject.

Articles 33 and 34 regulate the obligation to report data leakage. In accordance with article 33, in case of data leakage the controller should within 72 hours from the time when they have became aware of it, notify the supervisory authority about the leak with a description of the nature of leakage of personal data, indicating where possible the categories and approximate number of data subjects and the categories and approximate number of records of personal data, the possible consequences of the data leakage, as well as measures taken or planned by the controller to eliminate violations and measures to mitigate its possible negative impacts.

Article 34 imposes a duty of the controller to inform the data subject within a reasonable time on the leakage of personal data in case of a potentially high degree of risk for rights and freedoms of individuals. At the same time, as follows from the meaning of the article, if the leakage of personal data can lead to a high degree of risk for rights and freedoms of individuals, the controller shall report the incident to the data subject only if it requires a disproportionate effort, and if the controller resorted to public notification.

In accordance with part 1 of article 12, the above-mentioned information should be provided in a concise, transparent, understandable and easily accessible form that uses clear and simple language. The Regulation establishes a written form of the information document, but it is additionally provided that at the request of the data subject information may be provided verbally on the condition that the identity of the data subject is confirmed in another way.

It seems that these provisions are of particular importance in relation to health data as a special category of personal data.

As mentioned above, the Regulation does not contain a special section establishing rules for processing of data concerning health. The European legislator puts this information into a special category of personal data, and it is subject to protection in accordance with the provisions of the Regulation on personal data and the rules referring to a special category of personal data.

In terms of principles of legality and transparency, the general condition for data processing rests on the consent of the personal data subject. Deviation from this rule is possible only in the cases directly stated in the Regulation. Article 7 of the Regulation establishes conditions for obtaining the consent of the subject. Part 2 of article 7 of the Regulation determines the criterion of awareness and regulates situations when consent to data processing is given in writing in the context of a comprehensive agreement on various issues: the request for consent should be presented in an understandable and easily accessible form in clear and layperson terms in a manner that distinctly distinguishes it from any other circumstances.

Interestingly, the Regulation does not impose on the operator the obligation to obtain consent in writing, but it contains the obligation “to be able to prove that the data subject has agreed to the processing of their personal data” (part 1 of article 7 of the Regulation (EU) 2016/679 GDPR).

Also, part 3 of the cited article establishes the right of the subject at any time to withdraw previously given consent. In that event it is provided, the procedure for consent withdrawal should be as simple as the procedure for granting consent.

It is of interest in the comparative aspect that article 20 of the Regulation contains the right of the subject to receive from the controller copies related to personal data in a structured, universal and machine-readable format, as well as the right of the subject to transfer the data to another controller.

Special categories of personal data are also subject to enhanced protection in the context of an automated decision-making process, including the formation of a profile. Thus, in particular, the general rule establishing the right of the subject of any personal data not to fall within the scope of a decision based solely on automatic processing, including the formation of a profile that creates legal consequences in relation to them or significantly affects them, does not apply if decision-making is permitted by the legislation of the Union or the EU member state, under which the controller falls. It also establishes acceptable measures for protection of the rights, freedoms and legitimate interests of the data subject, as well as, upon the controller's implementation of acceptable measures for the purpose of protection of the rights, freedoms and legitimate interests of the data subject, in cases where there is a direct consent of the data subject, or when this is necessary for conclusion or execution of a contract between the data subject and the data controller.

Thus, in order to overcome the general ban on processing in the context of automated decision-making, including the formation of a profile, it is sufficient, in fact, to introduce an appropriate regulatory framework in the legislation of the EU member state. However, the Regulation significantly limits abilities of the national legislator when it comes to formation of a profile based on data concerning health.

As we can see, at this stage in the EU there is very detailed legal regulation in the field of personal data processing, which forms a primary link for all digital services and systems, as well as for other international systems of interaction that transmit information between individuals and between different jurisdictions.

1.1 Legal regulation of cross-border transfer of medical information in the European Union

As mentioned above, the European Union has taken a number of significant steps over the past few years to intensify the digitalization of healthcare in member states and to create a united European digital circuit system that provides easy access to information and the flow of electronic documents throughout the EU.

On April 25, 2018, European commissioners with reference to the mid-term review on the implementation of the digital single market strategy Communication from the commission to the European Parliament, the Council, the European Eco-nomic and Social Committee and the Committee of the regions on the Mid-Term Review on the implemen-tation of the Digital Single Market Strategy A Connected Digital Single Market for All. COM/2017/0228 fi-nal society. EUR-Lex European Union law. Accessed July 18, 2019. https://eur-lex.europa.eu/legal-content/ EN/TXT/?uri=COM%3A2017%3A228%3AFIN. indicated three areas of development of the united digital circuit:

— citizens' secure access to and sharing of health data across borders;

— better data to advance research, disease prevention and personalised health and care;

— digital tools for citizen empowerment and person-centred care Communication from the commission to the European Parliament, the Council, the European Eco-nomic and Social Committee and the Committee of the regions on enabling the digital transformation of health and care in the Digital Single Market; empowering citizens and building a healthier society. 2018. European Commission. Accessed July 18, 2019. https://ec.europa.eu/digital-single-market/en/news/commu- nication-enabling-digital-transformation-health-and-care-digital-single-market-empowering..

As a next step, the European Commission presented a number of recommendations to the EU member States on 6 February 20 1 9 Press release. Commission makes it easier for citizens to access health data securely across borders, Brussels (6 February 2019). European Commission. Accessed July 10, 2019. http://europa.eu/rapid/press- release_IP-19-842_en.htm.. In support of the current need for digital healthcare integration, Vice-President Andrus Ansip, in charge of the Digital Single Market, pointed to requests from citizens to allow unhindered and full on-line access to medical information related to them, regardless of which state they are currently in Ibid..

Currently, the exchange of data and the possibility of forming an electronic prescription for cross-border application is already functioning between such states as Estonia, Finland, Luxembourg, and the Czech Republic. By the end of 2021, 18 additional member states should join Communication from the commission to the European Parliament, the Council, the European Economic and Social Committee and the Committee of the regions on enabling the digital transforma-tion of health and care in the Digital Single Market; empowering citizens and building a healthier society. 2018. European Commission. Accessed July 18, 2019. https://ec.europa.eu/digital-single-market/en/news/ communication-enabling-digital-transformation-health-and-care-digital-single-market-empowering. It should be assumed that the speed and completeness of accession to the European information exchange system will be largely dependent on internal social, economic and organizational factors.

The provision of access to electronic databases containing data concerning health within the framework of this system will take place between the EU member States in accordance with the provisions of the GDPR and, in particular, article 9 of the Regulation (Article 9 of the Regulation (EU) 2016/679 of GDPR).

At the same time, the EU's goals, inspired by the need to implement the rights of the EU citizens, will be achieved only in part. Thus, it can be assumed that in the coming years the relocation of EU residents outside the EU and the number of cases that involve receiving medical care outside the EU will steadily increase, but the problem of cross-border exchange of health data with third countries outside the EU remains unclear.

According to the analysis of the current European legal framework, in this case the provisions of the Regulations regarding cross-border data transmission should be applied, taking into account the provisions of article 9 of the above-mentioned normative act.

There are particular provisions of the Regulation which cover cross-border data transfer: articles 44-50 of chapter V. Provisions of this chapter are based on the main rule that data protection is transferred together with data. Thus, the provisions of article 44 of Chapter V of the Regulation indicate that all the provisions of this Chapter should be applied to ensure that the level of protection of individuals guaranteed by the Regulation remains unchanged.

According to the provisions of article 45 of Chapter V of the Regulation, cross-border data transfer can take place, first of all, if there is a Decision on Compliance. To this date, such Decisions were taken by the European Commission in respect to the following states: Andorra, Argentina, Australia, Canada, Faroe Islands, Guernsey, Isle of Man, Israel, Jersey, New Zealand, Switzerland, and Uruguay.

In the absence of a Decision on Compliance, data may be transferred only if the controller or the data processor has provided appropriate safeguards and the data subjects have legally protected rights and effective remedies (Article 46 of the Regulation (EU) 2016/679 of GDPR). Among such safeguards, a special place is held by legally binding corporate rules (Article 47 of the Regulation (EU) 2016/679 of GDPR), including among them binding on each member of a group of enterprises or a group of companies engaged in joint economic activities, including their employees, and which in fact serve as a tool for ensuring the transfer of data from the territory of the EU member state to other states between enterprises of one group. At the same time, according to part 2 of article 15 of the Regulation where personal data are transferred to a third country or to an international organisation, the data subject shall have the right to be informed of the appropriate safeguards pursuant to Article 46 related to the transfer (Article 15 of the Regulation (EU) 2016/679 of GDPR).

In the absence of the European Commission's Decision on Compliance and in the absence of the above guarantees, cross-border transfer of personal data may take place only if one of the conditions provided for in § 1 article 49 of the Regulations is met. As already mentioned above, with respect to special categories of personal data, the provisions of article 49 of the Regulations shall be applied taking into account the provisions of article 9 of the said regulatory act.

Classic medical justification for partial derogation from the general prohibition on cross-border data transfer lies in obtaining informed consent from the data subject (paragraph a § 2 of article 49 of the Regulation (EU) 2016/679 GDPR). On the same basis, in accordance with paragraph a § 2 of article 9 of the Regulation, the processing of special categories of personal data, which include health data, is permitted. Accordingly, informed consent from the data subject makes it possible to process information about their health and to transmit it outside the state of residence, that is, cross-border. This provision is fully consistent with the modern worldview of the rule of state law, recognizing and protecting the principle of autonomy of the individual, the priority of an individual's and citizen's freedom of will. However, it should be noted that although the provisions of § 1 of article 49 of the Regulation do not provide for the possibility of a member state to restrict the freedom of expression of will by the data subject, the relevant clause is available in § 2 of article 9 of the Regulation, according to which the processing of health information is possible if the data subject has given direct consent to the processing of personal data for one or more of the established purposes, except for the cases when the legislation of the Union or the EU member state provides that the prohibition specified in § 1 of article 9 of the Regulation cannot be repealed by the data subject.

According to paragraph d § 1 of article 49 of the Regulation, it is possible to derogate from the ban on cross-border data transfer if the transfer is necessary for reasons of public interest. In order to understand the content of the concept “reasons of common interest”, one should refer again to article 9 of the Regulation, according to which the processing of special categories of personal data is not prohibited, if it is necessary for reasons of special public interest on the basis of the legislation of the Union or the EU member state, which should be proportionate to the goal and correspond to the essence of the right to data protection and provide acceptable and specific measures to protect the basic rights and interests of the data subject (paragraph g § 2 of article 9 of the Regulation (EU) 2016/679 GDPR). Data processing is also not prohibited in instances of public interest in the field of public health, for example protection against serious cross-border threats to health or to ensure high standards of quality and reliability of medical care and medicines or medical equipment, on the basis of the legislation of the Union or the EU member state that provides acceptable and specific measures to protect the rights and freedoms of the data subject, in particular professional secrecy (paragraph g § 2 of article 9 of the Regulation (EU) 2016/679 GDPR).

Another important reason for the healthcare sector to transfer data to third countries and international organizations in accordance with article 49 of the Regulations is the following: the transfer is necessary to protect the vital interests of the data subject or other persons, if the data subject is physically or legally unable to give consent. In accordance with paragraph c § 2 of article 9 of the Regulation, processing is necessary to protect the vital interests of the data subject or other natural persons, if the data subject is physically or legally unable to provide his consent.

Accordingly, in emergency and urgent care situations in order to save the life or ensure the health of the patient, information can be transferred to a third country without the consent of the data subject, if they are unable to give consent. At the same time, the consent of the guarantor is not required, which greatly speeds up the decision-making process and provides access to information without additional bureaucratic delays.

However, not all issues are fully resolved by the Regulation and other European documents. There are still controversial issues with the procedure in regard to the confirmation of severity of the condition and individuals' inability to express their will. This information must be provided by the person requesting the information. Adequacy and validity of the request should be assessed by the access provider.

In addition, as follows from the meaning of the analyzed regulations, the information should be transmitted exactly to the extent that is required for immediate medical decision making aimed at providing medical care in a particular clinical situation, and it cannot be used for remote prediction and clinical decision-making. Accordingly, the

European operator cannot provide access to the entire electronic medical card of the patient (hereinafter -- EMC) upon this request. This is an additional difficulty, since the doctor in this case should clearly formulate what specific data they need (drug allergy, anamnestic information about kidney disease when deciding on a treatment for acute renal failure, etc.). Consequently, the doctor may initially not have a comprehensive view of what information they will need, which will lead to repeated requests, entailing an extremely undesirable time input.

At the same time, it is not unreasonable to assume that in the absence of a clearly regulated procedure of cross-border interaction in the healthcare system, with insufficient technical coordination of the interaction processes as well as in the absence of legal instruments binding the involved persons on both sides of the border to interact and exchange information provided for in paragraph f § 1 of article 49 and paragraph C § 2 of article 9 of the Regulation, an option that allows to derogate from the general ban on the disclosure of medical secrecy, in the vast majority of cases will not be implemented. This may adversely affect the efficiency and promptness of medical care.

On the other hand, in the absence of a relevant international agreement, there is no legal obligation to the requesting person in a foreign country or in an international organization to ensure the transfer of data obtained in the process of providing medical care to the EMC of a patient -- a resident of the EU. Possible consequences include the incompleteness of information in the EMC or the absence of clinically relevant information for subsequent observation and treatment. In particular, for the purposes of continuity, information on the performed surgical intervention, on the features of anesthetic aid and resuscitation assistance, on the drugs used, laboratory and instrumental data may be extremely important.

Theoretically, there is still a problem of data compatibility in the case of various standards of formation and storage of digital information.

Thus, the European legislator, being motivated primarily by the aim of observing the realization of human and civil rights and freedoms, adopts a normative act potentially capable of providing a legal basis for protection of rights in the context of new technological challenges and, in particular, in the context of transition to the digital economy. However, it seems that this act does not take into account all the nuances regarding such a socially important sphere of relations as healthcare. The general conditions for cross-border data transfer generally apply to special data categories. Priority is given to the principle of individual autonomy and protection of the fundamental rights to life and health. But the data subject is faced with a choice: to transfer medical data to a third jurisdiction and assume all risks of improper storage or use of this data, or to disagree with the transfer and expose themselves to risks of inadequate medical care. The state of residence does not provide the data subject with the tools to protect data transferred.

In the current political environment, given the large number and diversity of states and international organizations potentially able to engage in interaction and exchange of medical data, it would be premature to assume the possibility of a permanent exchange.

Based on the above, it can be concluded that at this stage the EU has legal regulation and technical capabilities for implementation of cross-border transfer of medical information, which is appropriate in view of modern progressive globalization. Separately, of course, we can note the lack of a single legal basis and the need for the formation of supranational regulation, which will make it possible to create a more dynamic system of exchange of medical information. However, even the legal and technical tools that exist in the EU presently, to some extent is sufficient to implement its main goal -- the transfer of significant medical information.

1.2 Legal regulation of personal data processing in the Russian Federation: cross-border transfer of Private Health Information

Nowadays we see a gradual increase in the flow of tourists between the Russian Federation and the European Union, as well as an increase in the number of Russian citizens who visit the European Union for medical care. Such movement of citizens to foreign jurisdictions may sometimes, on a planned or urgent basis, require information on the state of health of a person in the country of residence. This leads to the issue of crossborder transfer of health data, which is becoming particularly relevant and requires the development of legal mechanisms to facilitate this transfer within the framework of digital healthcare.

In the Russian Federation, the fundamental normative legal act regulating the processing of personal data is the Federal law of 27.07.2006 No. 152-FZ “On personal data” (hereinafter -- Law No. 152-FZ) Here and below all references to Russian legal acts are given by “ConsultantPlus”. Accessed February 17, 2021. http://www.consultant.ru/document/cons_doc_LAW_61801..

According to this act, medical data refers to special data (Article 10 of Law No. 152- FZ). Processing of such data, as a general rule, is not allowed except as provided for in part 2 of article 10 of Law No. 152-FZ. The cases of processing specifically medical data are the following:

— existence of consent from the personal data subject to the processing of their data (paragraph 1 part 2 of article 10 of Law No.152-FZ);

— processing of personal data is necessary to protect the life, health or other vital interests of the personal data subject or life, health or other vital interests of other persons and obtainment of the consent of the personal data subject is not possible (paragraph 3 part 2 of article 10 of the Law No. 152-FZ);

— processing of personal data is carried out for medical and preventive purposes, in order to make a medical diagnosis, for provision of medical and medical-social services, provided that the processing of personal data is carried out by a person professionally engaged in medical activities and obliged in accordance with the legislation of the Russian Federation to maintain medical confidentiality (paragraph 4 part 2 of article 10 of Law No. 152-FZ).

Also, the main regulatory legal act regulating judicial relations in the field of public health protection is the Federal law of 21.11.2011 No. 323-FZ “On the basics of public health protection in the Russian Federation” (hereinafter -- Law No. 323-FZ), which also reflects the processing of personal data, namely medical data.

According to this law, medical data can be processed either with the consent of the citizen (legal representative), and it should be written, or without their consent, in cases established by the law, for example:

— for the purpose of medical examination and treatment of a citizen who as a result of their condition is not able to express their will, taking into account the provisions of paragraph 1 of part 9 of article 20 of Law No. 323-FZ (provision of medical assistance in emergency cases) (paragraph 1 part 4 of article 13 of Law No. 323-FZ);

— in case of the threat of infectious diseases spreading, mass poisonings and injuries (paragraph 2 of part 4 of article 13 of Law No. 323-FZ);

— in case of the exchange of information between medical organizations, including those placed in medical information systems, in order to provide medical care, taking into account the requirements of the legislation of the Russian Federation on personal data (paragraph 8 of part 4 of article 13 of Law No. 323-FZ).

At the moment in the Russian Federation, the majority of medical documents are submitted in paper form, however the tendency to further transition to electronic documents management is planned.

As a part of this transition, the Government of the Russian Federation adopted resolution No. 555 of 5 May 2018 “On unified state information system in the field of healthcare”, which is a key act that is guiding Russian legislation in the field of healthcare towards digitalization. This act defines the tasks, structure, order of management and access and other provisions related to the unified state information system in the field of healthcare, which should accumulate most of the medical information.

The main document containing data concerning the health of a citizen and other information is the medical card of the patient receiving medical care on an outpatient ba- sis Order of the Ministry of healthcare and social development of the Russian Federation of November 22, 2004 No. 255 “On the procedure for the provision of primary healthcare to citizens entitled to a set of so-cial services”. Order of the Ministry of healthcare of the Russian Federation of December 15, 2014 No. 834н“On approval of unified forms of medical documentation used in medical organizations providing medical care in outpatient settings and procedures for their filling”.. This document contains private medical information. However, this is not the only medical document that is used in medical organizations. For example, unified forms of medical documentation are used in medical organizations that provide medical care on an outpatient basis, and the procedures for their completion, are approved by the order of the Ministry of healthcare of Russia of 15.12.2014 No. 834н.

The Order of the Ministry of healthcare of Russia of 29.06.2016 No. 425н(hereinafter -- the order № 425н) contains an approval of the procedure of familiarization of the patient (their legal representative) with medical documentation, which reflects the patient's state of health.

This order establishes that the patient (their legal representative) who wants to receive data concerning health, should send a written request, which should be answered within 30 days from the date of registration of the written request The Order of the Ministry of healthcare of Russia of 29.06.2016 No. 425н“On approval of the Pro-cedure of familiarization of the patient or his legal representative with medical documentation, reflecting the state of health of the patient”.. The possibility to send a request in electronic form is not clear. In our opinion, the opportunity of sending a request in the form of an electronic document should be provided to the patient or their legal representative, although this does not follow from the literal interpretation of order No. 425н.