Are healthcare data warehouses and non-sovereign cloud compatible? (Analysis)

2024-03-11 11:49:39

The Health Data Hub was recently authorized to use the host Microsoft for a health data warehouse called “EMC2”*. Does this mean it is now possible to host healthcare data warehouses on non-sovereign clouds? The issues associated with this problem are considerable. Also, the debates associated with such authorization continue to proliferate.

By Alexandre Fievée, associate lawyer, and Alice Robert, Lawyer Counsel of the Derriennic Associés firm for La Veille Acteurs de Santé.

The case of the Health Data Hub’s “EMC2” health data warehouse

The Health Data Hub, "charged by law with collecting the country's most important health databases", has concluded a service contract with the European Medicines Agency (EMA). It is in this context that the "EMC2" project intervenes in order, in particular, to "observe and evaluate patient care" and to "evaluate the use and/or practices, effectiveness and safety in real life of health products, in particular medicines and medical devices registered for reimbursement or early access".

Also, this project concerns the creation of a health data warehouse for pharmaco-epidemiological analyses. "A matching between data from the main database of the national health data system (SNDS) and medical records provided by partner health establishments" is planned there.

The Health Data Hub has requested authorization from the CNIL to implement this health data warehouse. Note, indeed, that a health data warehouse "necessary for the execution of a mission of public interest or relating to the exercise of public authority vested in the data controller", such as the "EMC2" project, must comply with the CNIL standard relating "to the processing of personal data implemented for the purposes of creating health data warehouses in the health field" in order to be implemented by the organization concerned, acting as data controller.

In the event of conformity, a declaration of conformity to the CNIL is sufficient. Failing this, specific prior authorization from the CNIL must be obtained. In this case, the “EMC2” project did not meet all the requirements provided for in said reference framework and therefore required authorization.

The possibility of temporary hosting on a non-sovereign cloud, for lack of anything better

The “EMC2” project planned to use the host Microsoft Ireland Ltd (with the Microsoft Azure solution), whose head office is located in the United States. The question of extraterritorial interference arises.

Certainly, the European Commission has recognized that the “US/EU” data transfer framework ensures an adequate level of protection (adequacy decision of July 10, 2023). However, according to the CNIL, the risk of access to data hosted at Microsoft by the American authorities remains.

So, "for the most sensitive databases", such as health databases, the CNIL recommends using a host exclusively subject to European law and certified "SecNumCloud". Health data warehouses matched with the SNDS are the subject of particular vigilance, "despite the fact that this data is pseudonymized", insofar as "the CNIL has always asked project leaders, public and private, to ensure that the data host is not subject to non-European legislation".


The Prime Minister's circular of March 31, 2023 effectively requests, the CNIL recalls, that public authorities ensure that "'particularly sensitive' data hosted in the cloud is not subject to non-European laws". Thus, the choice of the Health Data Hub "appears to be in very clear contradiction with [these] elements".

We could then have expected a refusal from the CNIL to authorize the “EMC2” health data warehouse, hosted at Microsoft.

But, after having notably "deplore[d] that no service provider currently capable of meeting the needs expressed by the [Health Data Hub] protects data against the application of extraterritorial laws of third countries", the CNIL has decided to authorize the implementation of the "EMC2" health data warehouse with hosting at Microsoft for a period of 3 years.

You should know that, to respond to the requests of the CNIL, an expert assessment, led by the digital health delegation (DNS), the interministerial digital department (DINUM) and the Digital Health Agency, had been carried out "for the purposes of determining whether the EMC2 project could, without compromising the project with respect to the conditions set by [the European Medicines Agency], be implemented via a service provider subject only to the laws of the European Union".

The expert report, drawn up within a relatively short time frame, responded in the negative.

A subject at the heart of the debates and a position of the Council of State to come

This position of the CNIL gives rise to important debates.

In particular, this decision questions taking into account

Criticism has also been raised against the CNIL to the extent that it recognizes the non-compliance of the “EMC2” project with national sovereignty requirements while validating this project, while other similar projects hosted by Microsoft have already been refused by the CNIL.

The position of the Council of State, seized in the context of an action for annulment initiated by the Internet Society France, is therefore particularly awaited. To be continued…

*CNIL deliberation December 21, 2023, published January 31, 2024
