Sending a letter to the Commission Nationale de l’Informatique et des Libertés CNIL following the order of the Conseil d’Etat of 19 June.

Subject

Request for an answer regarding the quality of the encryption and pseudonymisation processes within the “Health Data Platform” or “HealthDataHub”.

Content of the letter

Madam President,

The deployment of a “Health Data Platform” through the creation of a Public Interest Grouping, was proclaimed by law n° 2019-774 of July 24, 2019 relating to the organization and transformation of the health system1. This “Health Data Platform” aims to develop artificial intelligence in the health sector and to become the one-stop shop for access to all health data on the national territory. The data concerned are those from hospitals, pharmacies, shared medical records and research data from various registers. The amount of data hosted is set to explode with the emergence of genomics, imaging and connected objects.

Currently this data is stored at Microsoft Azure2, the public cloud of the American giant Microsoft. This choice has been criticized by many public3 4 5 and private6 actors.

Opinion No 2020-044 of 20 April 2020 of your Commission7 refers to the risks of data transfers to third countries and unauthorised disclosures under EU law in the context of the subcontracting of the technical solution of the “platform” to Microsoft Azure.

Following this opinion, on 19 June 2020, the Council of State enjoined the “Platform for Health Data” to inform citizens of the “possible transfer of data outside the European Union, taking into account the contract with its subcontractor”8. We note that this information is very difficult to access on the website health-data-hub.fr since it is only visible in the “Projects” section, in project number 3173 “Exploitation of data from emergency room visits for the analysis of the use of health care and the follow-up of the health crisis of Covid-19”.

The “Health Data Platform” was also to provide “all elements relating to the pseudonymisation procedures used, in order to enable [your Commission] to verify that the measures taken ensure sufficient protection of health data”8. The CNIL’s position had been requested, especially since the obsolescence of the encryption system (named FOIN) had already been criticized by the Court of Auditors and the National Agency for the Security of Information Systems ANSSI in 20169.

We also warn about the quality of the encryption since “to benefit from all the capacities of the technical solution of the host these keys will have to be entrusted to him”7.

Finally, the CNIL and the Conseil d’État recalled that at the end of the state of health emergency the all the data collected had to be deleted and that the processing no longer had a legal basis. However, the decree of 10 July 2020 “prescribing the general measures necessary to deal with the covid-19 epidemic in the territories that have emerged from the state of public health emergency and in those where it has been extended” extends the use of these data until 30 October 202010.

Given the particularly large number of people concerned (more than 67 million users) and the sensitive nature of the personal data contained in the “Health Data Platform”, we have decided to make this letter public. This publicity contributes to the objective of transparency defended by your Commission11.

Pending your reply, please accept, Madam President, the assurances of our highest consideration.

Association interhop.org