    7 min read · SanoLabs Editorial

    Why Most Health Apps Store Data Outside the EU — and Why It Matters

    Most health and wellness apps rely on infrastructure outside the European Economic Area. Under GDPR Chapter V, such transfers are only lawful under strict conditions. For health data — a special category under Article 9 GDPR — the legal stakes of a transfer failing are materially higher than for ordinary personal data.

    Tags: gdpr, health-data, data-transfers, eu-privacy, wellness-apps, eu-us-data-privacy-framework, chapter-v

    When you install a health or wellness app, your first question is probably about features, not infrastructure. But underneath the interface, a practical decision has already been made: where your data lives, and under what legal framework it can cross international borders. For users in the European Union, that decision is governed by some of the strictest data transfer rules in the world.

    Why health app data often ends up outside the EU

    The digital health industry grew up largely in the United States. The cloud infrastructure that powers most of the internet — storage, computation, machine-learning pipelines — was built and scaled there first. Many health and wellness apps were created by companies whose entire data stack was anchored to non-EU infrastructure before the GDPR came into force in May 2018. Migrating data residency is expensive, technically complex, and requires renegotiating vendor relationships across the stack. For a team building quickly, routing data to the nearest available infrastructure is often the default — not a deliberate decision made against European users.

    None of this is inherently problematic in intent. But it creates a structural pattern: a European user generates health data on their device, it is processed by an app, and it flows to infrastructure that may be located outside the European Economic Area (EEA). Under the GDPR, that flow is a transfer — and it requires a legal basis of its own, separate from the legal basis for processing the data in the first place.

    What GDPR says about data leaving the EEA

    Chapter V of the GDPR (Articles 44–49) governs international data transfers. The core principle, set out in Article 44, is that personal data may only leave the EEA if the level of protection guaranteed by the GDPR is not undermined — including any onward transfers once the data has already left.

    Three pathways exist for a lawful transfer.

    Adequacy decisions (Article 45). The European Commission can formally declare that a third country provides an essentially equivalent level of data protection to the EU. Transfers to "adequate" countries can then proceed without further safeguards. As of May 2026, the EDPB's list of adequate countries includes Andorra, Argentina, Canada (commercial organisations), Japan, New Zealand, Switzerland, the United Kingdom, the United States (commercial organisations certified under the EU–US Data Privacy Framework), and a small number of others. Adequacy decisions can be — and have been — revoked.

    Appropriate safeguards (Article 46). Where no adequacy decision exists, organisations may still transfer data if they put appropriate safeguards in place and ensure that individuals retain enforceable rights and effective legal remedies. The most widely used safeguard is Standard Contractual Clauses (SCCs) — a set of standardised contract terms adopted by the European Commission. Others include Binding Corporate Rules, approved codes of conduct, and certification mechanisms.

    Derogations (Article 49). In exceptional circumstances — including with the explicit consent of the individual, or where the transfer is strictly necessary for a contract — transfers may take place without an adequacy decision or safeguards. The EDPB has made clear that Article 49 derogations are genuine exceptions, not a routine compliance route, and cannot be used on a repeated or structural basis.

    What Standard Contractual Clauses actually require

    SCCs are common, but they are not a formality. Since the CJEU's ruling in Schrems II (Case C-311/18, 16 July 2020), using SCCs obligates the exporting organisation to conduct a Transfer Impact Assessment (TIA) — a documented evaluation of whether the destination country's laws and practices could impair the protections the SCCs are supposed to provide. If, for example, a country's surveillance legislation allows authorities to access data in ways that go beyond what is necessary and proportionate under EU fundamental rights standards, supplementary technical or contractual measures must be implemented. If no adequate supplementary measures exist, the transfer should not proceed.

    The EDPB's Recommendations 01/2020 lay out a detailed six-step assessment process. This obligation exists regardless of the size of the organisation deploying the SCCs, and regardless of whether the data is sent to a processor or a group affiliate.

    Why health data raises the stakes

    Ordinary personal data — a name, an email address — already triggers GDPR's transfer requirements. Health data sits in a different legal category entirely.

    Under Article 9 GDPR, health data is a "special category" of personal data. Processing it requires satisfying not only a general legal basis under Article 6, but also a separate, specific condition under Article 9 — typically explicit consent (Article 9(2)(a)), or a narrowly defined basis such as medical treatment, public health, or scientific research. This is the "double lock."

    The double lock applies equally to transfers. An organisation transferring health data outside the EEA must satisfy both a valid Chapter V transfer mechanism and a valid Article 9 processing condition. Consent obtained through a generic checkbox during sign-up — without a clear explanation of where the data is going and under what safeguards — is unlikely to qualify as the "explicit consent" that Article 9 requires.

    For users, this means that when a wellness app processes data about your heart rate, sleep, or activity, the legal requirements are materially stricter than for most other consumer apps. The question is not just whether a transfer is happening, but whether every layer of the legal framework has been properly satisfied.

    The transfer framework has been disrupted before

    This is not a theoretical concern. The legal basis for EU-to-US data transfers has already been invalidated twice by the Court of Justice of the European Union.

    Safe Harbor — the first EU–US data transfer arrangement — was struck down on 6 October 2015 (CJEU Case C-362/14, Schrems I). The CJEU found that it failed to ensure an essentially equivalent level of protection because US surveillance law gave US authorities access to European personal data beyond what is necessary or proportionate.

    Privacy Shield, Safe Harbor's successor, was struck down in July 2020 (Case C-311/18, Schrems II, 16 July 2020). The same core concern — the reach of US intelligence surveillance programmes under legislation such as FISA Section 702 — produced the same outcome. Organisations that relied solely on Privacy Shield as their transfer mechanism were left in a legally uncertain position overnight.

    The EU–US Data Privacy Framework (DPF) was adopted as the current adequacy solution by the European Commission on 10 July 2023 (Commission Implementing Decision (EU) 2023/1795, CELEX: 32023D1795). A first judicial challenge — brought by French MP Philippe Latombe — was dismissed by the EU General Court on 3 September 2025; an appeal to the Court of Justice is reportedly pending. Privacy advocacy group NOYB has publicly stated it considers the Latombe case "too narrow" and is reviewing options for a broader challenge of its own, and Max Schrems has indicated that more expansive arguments — including the impact of recent US Executive Orders and changes to independent oversight bodies — should yield a different result. Structural changes to US oversight bodies in 2025–2026 have also raised questions about whether the redress mechanisms that justified the DPF adequacy finding remain intact.

    The pattern — framework adopted, framework challenged, framework invalidated — has repeated twice. Organisations that rely on the DPF for health data transfers should monitor its legal status actively and maintain contingency arrangements.

    What this means when you use a health app

    If you are an EU resident using a health or wellness app that processes your data outside the EEA, these are your rights under GDPR:

    Right of access (Article 15). You can request confirmation of whether your health data is transferred to a third country, which countries are involved, and what safeguards apply to the transfer.

    Right to data portability (Article 20). You can request a machine-readable copy of your data to move elsewhere.

    Right to withdraw consent. Where processing is based on consent — which Article 9 typically requires for health data in consumer contexts — you can withdraw that consent at any time and the organisation must stop processing.

    Before installing a health app, the most practical check is to look at its privacy policy for three things: where data is stored and processed; which legal mechanism it uses for any transfers outside the EEA; and whether it addresses health data separately as a special category, or treats all personal data identically. The third point is often the most revealing.

    Where Sam Health fits in

    Sam stores and processes your Apple Watch health data on Google Cloud infrastructure within the European Economic Area. The third-country transfer requirements of Chapter V — adequacy decisions, Standard Contractual Clauses, Transfer Impact Assessments — do not apply to that core processing, because your data does not leave the EEA.

    Sam is a wellness app, not a medical device. It does not diagnose, treat, or screen for any medical condition. For any health concerns, always consult a qualified healthcare professional.


    Frequently Asked Questions

    Is it legal for a health app to store my data outside the EU?

    It can be legal, but only under the specific conditions set out in Chapter V of the GDPR. The organisation transferring your data must rely on an adequacy decision, Standard Contractual Clauses, Binding Corporate Rules, or another listed safeguard. Without one of these mechanisms in place, the transfer is unlawful regardless of what the app's privacy policy says.

    What is the EU–US Data Privacy Framework and is it still valid?

    The EU–US Data Privacy Framework (DPF) is an adequacy decision adopted by the European Commission in July 2023. It allows commercial organisations that are certified under the DPF to receive personal data from the EU without additional transfer safeguards. As of May 2026 it remains in force. The EU General Court dismissed a first challenge to its validity in September 2025, though an appeal is reportedly pending and further legal challenges are expected.

    What makes health data different from other personal data under GDPR?

    Health data is classified as a 'special category' of personal data under Article 9 GDPR, meaning it attracts a higher level of protection than ordinary personal data. Processing it requires not only a lawful basis under Article 6, but also a separate specific condition under Article 9 — typically explicit consent. This double lock applies equally to transfers: both the Chapter V transfer mechanism and the Article 9 condition must be satisfied.

    What are Standard Contractual Clauses (SCCs)?

    SCCs are standardised contractual terms adopted by the European Commission that organisations can use to authorise transfers of personal data to countries outside the EEA where no adequacy decision exists. Since the CJEU's Schrems II judgment (Case C-311/18, July 2020), SCCs also require organisations to conduct a Transfer Impact Assessment — a documented evaluation confirming that the destination country's laws do not undermine the protections the SCCs are meant to provide.

    Can I find out where an app stores my health data?

    Yes. Under Article 15 GDPR you have the right to request information about whether your personal data is transferred to third countries, which countries are involved, and what safeguards apply. Under Article 20 you can also request a machine-readable export of your data. An app's privacy policy should disclose transfer destinations and mechanisms, though this information is often buried in legal language.

    Does storing data within Europe automatically mean GDPR compliance?

    Not automatically. GDPR compliance depends on the entire processing chain — legal basis, data minimisation, retention limits, security measures, and user rights. However, keeping data within the EEA does eliminate one significant legal risk area: the third-country transfer requirements of Chapter V do not apply to data that remains inside the EEA.

    What happened to the previous EU–US data transfer frameworks?

    Two predecessor frameworks were invalidated by the Court of Justice of the European Union. Safe Harbor was struck down in October 2015 (Case C-362/14, Schrems I). Privacy Shield was struck down in July 2020 (Case C-311/18, Schrems II). In both cases the CJEU found that US surveillance law gave US authorities access to European personal data beyond what is necessary and proportionate under EU fundamental rights standards. Each invalidation left organisations without a valid legal basis for US transfers until a new framework was negotiated.