The current post presents a brief overview of the place health data have in the newly adopted law on personal data, in France. Here are the main features of this national law which still awaits implementation measures. A thorough and updated version will further be published along with the other contributions to the e-conference on the adoption of national data protection laws supplementing the General Data Protection Regulation (GDPR).
The General Data Protection Regulation (GDPR) puts an emphasis on special categories of personal data. Specific provisions relative to data concerning health give further insight into its scope (Recital 35) or the informed consent criteria (Article 4 (11)). Other general provisions may also apply to health data (right to be forgotten (Art. 17), right to data portability (Art. 20), data protection impact assessment (Art. 35), etc.). Although it is set out to harmonize data protection legislation in the EU, the GDPR also stresses the capacity of Member States to maintain or introduce further conditions, including limitations, with regard to the processing of sensitive data: genetic data, biometric data or data concerning health (Art. 9, pt. 4; Art. 23 of the GDPR). It is in this context that a draft law on personal data protection proposed by the Government has recently been adopted in France. The New Data Protection Act (NDPA), which amends existing law on personal data, contains specific provisions on data concerning health (Art. 16 of the Act). The general purpose of the law is to strike a balance between two apparently incompatible interests: on the one side, the protection of the common interest of “freeing the potential” of health data and, on the other side, the protection of the more personal interest to privacy.
Access to Health Data under French Law before the GDPR’s Entry into Force
The legal framework consisted of a patchwork of legislation and regulations, more or less easy to interpret. The new law on personal data protection is meant to bring more clarity and amend existing legislation.
The main law on personal data (and probably the most “famous”) is the Act No. 78-17 of 6 January 1978 on Information Technology, Data Files and Civil Liberties (Loi Informatique et Libertés in French). It contains specific provisions on certain categories of data, among which we find data concerning health.
The traditional principle set out in Article 8 of this Act is that the collection and processing of health data is prohibited (Art. 8-I), unless the data subjects explicitly consent, the processing concerns health care management, or it is carried out in a public health interest defined by the law (Art. 8-II). Article 25 provides that the processing of health data justified by public interest may be carried out only after authorization by the French Data Protection Authority (DPA), the Commission Nationale Informatique et Libertés (CNIL), unless specific provisions apply. Chapter IX of the same Act describes a special regime for personal data processed for the purpose of medical research. Research, study or evaluation projects related to health are examined by the French DPA, the National Institute for Health Data and an advisory committee on the processing of information for medical research.
Adding Flexibility to Health Data Processing
The NDPA intends to simplify formalities related to the processing of data concerning health. Most provisions on the processing of health data are to be found in a revisited Chapter IX of the Act 78-17 titled “Processing of Personal Data in Health Care” (Traitements de données à caractère personnel dans le domaine de la santé). The Chapter is made of two sections, operating a distinction between the clinical and research setting:
Section 1 “General Provisions” (Dispositions générales) and Section 2: “Specific Provisions on Processing for Biomedical Research Purpose” (Dispositions particulières relatives aux traitements à des fins de recherche, d’étude ou d’évaluation dans le domaine de la santé).
The following categories of processing of health data fall outside the scope of the chapter:
- processing that is referred to in Article 8-II of the Act No. 78-17 (see supra)
- processing by institutions managing basic social security or supplementary health insurance (namely reimbursements),
- processing within health institutions by health professionals handling medical information (patient confidentiality),
- processing carried out by Regional Health Agencies, the State or any public-law person (which may intervene in a state of emergency or health crisis, for example).
The prior authorization regime, which was deemed too heavy and lengthy, is replaced in most cases by a “notification of compliance” (déclaration de conformité) to instruments adopted by the French DPA (pursuant to Article 11 of the new law on personal data, which amends Article 22 of Act No. 78-17). These binding tools are inspired by soft law. While a typology of guidance instruments is listed (référentiels, règlements types), their form and content remain unclear. We may assume that they describe the conditions of safe processing and that they are similar to other policies, in order to ensure free circulation of data. Especially in the research setting, where national frontiers matter less, there needs to be interoperability of standards at an international level. Those tools are also likely to contribute to the education of stakeholders, as they should be written in a more accessible language than traditional legalese.
This new approach applies to any processing of personal data in the health sector that presents a public interest. The NDPA mentions that ensuring high standards of quality and safety of health care and of medicinal products or medical devices is a public interest purpose.
Authorization requests remain necessary only in the case of processing of health data that cannot be carried out in compliance with the guidance previously mentioned. Restriction of the scope of the prior authorization model is not the only change brought about by the new law on personal information. The authorization process is likely to take less time. The French DPA still has two months to deliver its approval of the processing, but if the CNIL does not give an answer within this timeline, the decision is deemed positive. Until the adoption of the new law on personal data, the lack of an answer from the CNIL meant an implicit refusal, which sometimes created interpretation issues. Single authorizations covering different types of processing for the same purpose are maintained.
The change of paradigm from an ex ante control (contrôle a priori) to a control theoretically carried out ex post (contrôle a posteriori) acknowledges the importance of health data for innovation and seems driven by internal market forces. It clearly echoes the GDPR and promises to extend the principle of a data protection impact assessment to any processor of health data. Whether this is enough to ensure a high level of protection of personal data remains to be seen. The impact study of the new law on personal data fails to properly address the prospective challenges and investments (financial and human) that an ex ante control model entails. No balance of benefits and risks is drawn that would help us better understand the implications of this new framework. For example, supplementary (private) health insurance companies will have free access to medical-administrative data. Concerns have been raised that, in the long run, reimbursement policies might shape access to health care.
While this change is officially meant to increase the accountability of stakeholders, implementation of this new legal framework is likely to take some time. The French Administrative Body (Conseil d’Etat), which has both jurisdictional and consultative missions, has yet to give its advice on implementation measures.
To strengthen accountability and confidence in this new approach, the CNIL benefits from increased powers to impose severe sanctions, but the sanctions regime does not go beyond what the GDPR provides (Art. 83).
Fostering Institutional Collaboration
In the realm of health data management, the French DPA is not the only institution which is bound to play a role in defining policy. Other structures that do not specifically result from the newly adopted law on personal data complete the mechanism of health data protection.
There is the National System for Health Data (Système National des Données de Santé – SNDS), created by the Act No. 2016-41 of 26 January 2016 modernizing the French health care system, which is the biggest database of medical-administrative data in the world, under the responsibility of the French Social Security System. The SNDS assembles data from existing databases. Decrees adopted by the end of 2016 make it operational (Decrees No. 2016-1871 and No. 2016-1872 of 26 December 2016). An audit committee of the SNDS (comité d’audit du système national des données de santé) is also created.
The Act No. 2016-41 also redesigns the National Institute for Health Data (Institut National des Données de Santé – INDS), formerly known as Institute for Health Data (Art. L. 1462-1 of the French Public Health Code). Its mission is to oversee the quality of data, their security and access. The INDS is supposed to cooperate with the CNIL on the development of the previously mentioned soft law tools together with other public or private representative stakeholders. It should address its annual report to the Parliament.
The INDS is competent for Chapter IX of the Act 78-17 on the Processing of Personal Data for the Purpose of Medical Research. In case the research purpose of a processing is not clearly identified (which may often occur in scientific research), the INDS assesses the public interest of the processing, which will then determine the applicable legal framework (authorization from the French DPA or notification of compliance). The case may either be submitted by the CNIL or be taken up by the INDS on its own initiative.
The French DPA should work closely with established ethics committees whenever ethical standards are at stake: the competent committee for the protection of persons (comité de protection des personnes – CPP) and an expert committee for research, studies and evaluation in health (comité d’expertise pour les recherches, les études et les évaluations dans le domaine de la santé – CEREES). They play a consultative role in the prior authorization request procedure: the former in the case of research involving human subjects, the latter for studies or research that do not involve human subjects. The ethics committees for the protection of persons are established regionally, so it remains to be seen whether they all take the same approach towards a similar problem. (Marelli & Testa, 2018)
Finally, institutional collaborations are also necessary to reach out to stakeholders that will participate in the implementation of this new legislation. Informing health care professionals who will handle information concerning health is a priority. In this respect, the French DPA together with the French National Medical Council (Conseil National de l’Ordre des Médecins) is set to issue a practical guide to clarify duties with regard to the GDPR by June 2018 (thus echoing Art. 40 of the GDPR). Health professionals can still refer to the simplified standard No. 50 (norme simplifiée n° 50), which was the standard before the GDPR entered into force.
Reinforcing Individual Rights over Personal Data
Existing consents do not remain valid if they do not meet the new requirements set by the GDPR. The absence of grandfathering means that consents should be sought again within the next two years. The GDPR leaves Member States the right to determine the legal age of consent to the processing of health data. Defined by the Act No. 2016-1321 of 7 October 2016 for a Digital Republic (Loi pour une République numérique), the legal age of consent for minors is set at 15 years old (Art. 56 of Act No. 2016-1321 and Art. L. 1111-5 & L. 1111-5-1 of the French Public Health Code). The NDPA maintains that limit.
Vlad Titerlea, PhD candidate in Law, University of Strasbourg