Slowdown for French e-health start-ups?
By Nathalie Boudet-Gizardin, Marine Vanhoucke, associates and Linah Bonneville, intern
Bill No. 1514, aimed at securing and regulating the digital space in France and known as SREN (Securing and Regulating the Digital Space), was adopted by the Senate on July 5, 2023.
During its first reading in the National Assembly, the text was the subject of numerous amendments by the special commission, one of which in particular raised concerns about its impact on start-ups in the e-health sector in France.
Before examining the content of this amendment, it is appropriate to briefly recall the legal framework for hosting health data in France.
I - Brief reminder of the legal framework for hosting health data
Health data is special personal data because it is considered sensitive and is therefore subject to special protection. It is defined as: “data relating to the past, present or future physical or mental health of a natural person (including the provision of health care services) which reveals information about the state of health of that person”.
In France, the protection of personal health data and in particular its hosting has been the subject of a significant strengthening of its legal framework.
Since April 1, 2018, article L.1111-8 of the Public Health Code defines the activity of hosting health data (HDS) collected “during prevention, diagnosis, care or social and medico-social monitoring activities” and specifies the rules applicable to the hosting of health data carried out on behalf of a data controller, or on behalf of the patient himself.
The main requirements of this article are:
- The hosting of health data must be carried out after having informed the person concerned, unless they legitimately object to this hosting.
- The hosting service for personal health data must be formalized by a contract, clearly establishing the rights and responsibilities of the host and the natural or legal persons on whose behalf the personal health data are stored.
- Data hosts on digital media are required to obtain a certificate of conformity issued by duly accredited certification bodies. These certificates attest that hosts comply with strict security and data protection standards, thus guaranteeing the security of the health data hosted.
II - The “SecNumCloud” Amendment: a challenge for e-health start-ups
The special committee of the National Assembly proposed to insert into the bill a new article 10 bis B providing that:
“The second paragraph of III of Article L. 1111-8 of the Public Health Code is supplemented by a sentence worded as follows: ‘From July 1, 2024, in the case of digital archiving by means of a cloud computing service, the accreditation conditions comply with the conditions in force provided for in the requirements framework for cloud computing service providers published by the National Information Systems Security Agency.’”
Recall that the National Information Systems Security Agency (ANSSI) in France was created in 2009 and is attached to the General Secretariat of Defense and National Security.
In 2016, ANSSI developed the evolving “SecNumCloud” reference framework to qualify cloud service providers for user needs in the fields of distributed systems, software engineering, or artificial intelligence. Its aim is to promote trusted providers for hosting data, applications and information systems, both for public and private entities seeking to outsource their IT services.
The National Commission for Information Technology and Liberties (CNIL) also specified that this reference framework was recommended to cloud service providers, in order to ensure their compliance with European requirements relating to the protection of personal data, in particular with the case law of the Court of Justice of the European Union relating to the transfer of data outside the Union (“Schrems II” judgment).
In this context, the amendment under discussion provides that French health data must be hosted by operators labeled “SecNumCloud” by July 1, 2024. This means that all companies, including start-ups in the e-health sector, will have to migrate their data to SecNumCloud-certified cloud providers within nine months from the entry into force of this law.
The main concerns of start-ups are:
- The nine-month period is considered insufficient to safely migrate all of their data. Start-ups fear that this will disrupt their services, or even force them to suspend their activities, which would have a very negative impact on their customers and operations.
- SecNumCloud-certified cloud solutions currently available in Europe are perceived as less competitive in terms of cost and performance compared to American giants such as Amazon Web Services (AWS), Google Cloud or Microsoft Azure.
In response to these concerns, some start-ups suggest replacing the reference to SecNumCloud with the “HDS” (Health data hosts) certification. This certification, in force since 2018, is already used by certain companies in the e-health sector. It also aims to strengthen the protection of health data and to establish a climate of trust conducive to patient monitoring.
The question of which certification will ultimately be retained is currently the subject of debate and discussion within government and industry, with the aim of finding a balance between security, performance, and costs for the entire e-health sector in France.
The next few days will be decisive because the SREN project is being discussed before the National Assembly.