The Snowden case revealed to the world the massive use of our computer data through globalized surveillance programs1.
In an equally brutal way, the confinement has made everyone experience the weight of deprivations of liberty imposed by a global health event.
If, according to a fundamental ethical principle that “technologies must be at the service of the individual and society” rather than “enslaved by technological giants”2, blind trust in technology carries decisive risks.
Indeed, the uncontrolled use of these new statistical tools could lead to the legitimization of anti-democratic and freedom-reducing systems.
Since November 2019, the French government has been deploying the Health Data Platform3 (or Health Data Hub) to develop artificial intelligence applied to health. It is a one-stop shop for access to all health data. The data concerned are those from hospital centers, pharmacies, shared medical records and research data from various registries. The amount of data hosted is set to explode, particularly with the emergence of genomics, imaging and connected objects. It is planned that all French health data will be stored at Microsoft Azure4, the public cloud of the American giant Microsoft.
The citizen’s refusal to abdicate this choice to use Microsoft motivates this petition.
As citizens, we want to reaffirm our digital autonomy and create Commons for the future of our health.
The problem is that American law applies to the whole world !
Thus the CLOUDAct5 (Clarifying Lawful Overseas Use of Data Act) allows the American justice to recover data stored on servers belonging to American companies, even if they are located in Europe6. Microsoft is subject to this text which is in conflict with our European Data Protection Regulation (DPR)7. Worse still, with regard to the American surveillance programs, the international texts “do not in any way highlight the existence of limitations to the authorization they contain for the implementation of these programs, nor the existence of guarantees for non-American persons potentially targeted”. The Court of Justice of the European Union has thus opened the breach by legally blocking the exchange of data between the European Union and the United States through the invalidation this summer of an agreement known as the “Privacy Shield”.
How can we support the choice of the Microsoft company when the French President of the National Agency for Information Systems Security himself publicly opposes the digital giants that would represent an attack on our “mutualist health” systems8?
How can we support this choice when the CNIL, the French supervisory authority guardian of digital freedoms, mentions in the contract binding the Health Data Platform to Microsoft “the existence of data transfers outside the European Union as part of the platform’s day-to-day operation”9?
How to support this choice when the CNIL specifies that the encryption keys for this data will be entrusted to Microsoft, thus making the stored data vulnerable to possible interference9 ?
How to support this choice when there are dozens of French and European, industrial and institutional alternatives10?
This centralized Platform at a non-European actor is neither necessary, nor proportionate, nor adapted. It is a serious and surely irreversible attack on the rights of 67 million inhabitants to have their privacy protected, especially that of their most intimate data, absolutely protected by medical secrecy: their health data.
By signing this petition, you are asking the Senate to create a commission of inquiry11 on the protection of health data. This commission will have to examine the conditions for signing an agreement entrusting the management of French health data to the Microsoft company. It will have to draw up recommendations to reinforce digital autonomy and to ensure a more secure management of health data for our health system and our fellow citizens.
The link to sign : https://petitions.senat.fr/initiatives/i-455 If you’re a French citizen. :-)
Médecins et Patients dans le monde des data, des algorithmes et de l’intelligence artificielle ↩
Données de santé : l’arbre StopCovid qui cache la forêt Health Data Hub ↩
Rapport Gauvain : Rétablir la souveraineté de la France et de l’Europe et protéger nos entreprises des lois et mesures à portée extraterritoriale ↩
Commission spéciale Bioéthique : Auditions diverses, Mme DENIS ↩
Audition de M. Guillaume Poupard, directeur général de l’Agence nationale de la sécurité des systèmes d’information (ANSSI) ↩
Délibération n° 2020-044 du 20 avril 2020 portant avis sur un projet d’arrêté complétant l’arrêté du 23 mars 2020 prescrivant les mesures d’organisation et de fonctionnement du système de santé nécessaires pour faire face à l’épidémie de covid-19 dans le cadre de l’état d’urgence sanitaire ↩ ↩2
Proposition de résolution tendant à la création d’une commission d’enquête sur la protection des données de santé ↩