Data pseudonymization: the Health Data Hub platform summed up to clarify this point before the CNIL

Pseudonymisation des données : la plateforme Health Data Hub sommée d Cybersecurity

For the Council of State, the Health Data Hub project does not infringe the right to respect for private life and data protection. In a 16-page order published this Friday following the appeal filed by the National Free Software Council (CNLL) and other associations, the highest administrative court considers that the order of April 21, 2020 which allowed the deployment The government’s accelerated Health Data Hub project in the context of the Covid-19 pandemic should therefore not be suspended.

The applicants, led by the CNLL, consider that this decree “constitutes a serious and manifestly unlawful infringement of these freedoms due to the lack of compliance with the requirements relating to data processing, concerning the anonymization of data, the rights of individuals, the independence of platform governance and securing access for subcontractors, the lack of compliance with the hosting requirements for health data (…) and the absence guarantee against a possible transfer of data in third States such as the United States due to the choice of the Microsoft company, at the end of a non-transparent procedure ”, points out the document.

After examining the subcontracting contract concluded between Microsoft (health data host) and the platform, the Council of State recognizes that the latter does indeed provide for the submission to the requirements of French regulations in terms of data hosting of health. Referring to the risk of a data transfer to a third State (and in this case, to the United States), the court observes that in the state, the data is “currently hosted in data centers located in the Countries -Bas and will soon be in data centers located in France ”.

Concerning more explicitly the “Cloud Act”, one of the points which crystallizes the concerns of opponents of the project, the Council of State recalls that “companies subject to American law may be required to provide data they control, whatever whatever the place of their accommodation, when this supply is authorized by a judge for the purposes of a criminal investigation ”. However, the Council of State also evokes that “if these provisions can apply to the Microsoft company, like besides to the French companies which have an activity in the United States”, no element proves that the pseudonymized health data are “likely to be the subject of requests for access on this basis”.

The CNLL sees it as a small victory

The CNLL still sees it as a small victory: “the Council of State requires the Health Data Hub to return to the CNIL and to comply within 5 days by publishing on their site that the health data they host transit by the USA! He reacted on Twitter.

If, in its decision, the Council of State rejects most of the applicants’ requests, it nevertheless requests the heads of the Health Data Hub to provide the CNIL within 5 days with “all elements relating to the pseudonymization procedures used, specific to allow the latter to verify that the measures taken in the matter, in particular with regard to the reservation and the recommendations which it has issued, ensure sufficient protection of the health data considered ”.

On this point, Bernard Ourghanlian, CTO and CSO at Microsoft France, provides some explanations. In a blog note shared on Thursday, he specifies the different steps that the cloud host uses to pseudonymize health data: “let’s summarize: a patient’s identification data is (1) initially transformed into a hash not allowing to retrieve the initial information allowing to identify the patient namely his social security number, (2) transmitted through an encrypted channel whose encryption keys are not known to Microsoft, (3) the hash as well received is in turn transformed into a new hash which will then be used in the processing performed on health data, (4) the correspondence table between the first hash and the second is encrypted within an isolated sub-part of the operator area with a dedicated key, the use of which will require the joint action of two employees of the HDH platform ”.

The head of Microsoft also certifies that the Health Data Hub platform only fulfills its public service mission in that it aims to “pool, to strengthen, the national heritage of health data, to enhance it by taking advantage of innovations such as artificial intelligence and in order to allow all stakeholders, hospitals, start-ups, researchers, medical personnel, to benefit from the value derived from sharing this data, “says Bernard Ourghanlian.

“We are particularly honored, at Microsoft France, to have been chosen as a technological partner of the Health Data Hub alongside the French ESN Groupe Open, because it is a major project serving the health of French men and women , the impact of which will be positive, strong and measurable. As with HDH, there are many examples throughout France’s technical and economic history where it has taken advantage of the best of technologies to put it at its service: European Airbuses use engines from the American manufacturer Pratt & Whitney as well as those of the French Safran, who built some for Boeing elsewhere. These choices did not undermine France’s technological sovereignty, on the contrary, they helped it to strengthen itself, ”explains the latter.


Rate article