École Hexagone takes note of the decision by the Commission Nationale de l’Informatique et des Libertés (CNIL) on 21 December 2023 to authorise the hosting of the EMC2 project of the public interest grouping “Platform for health data” (GIP PDS) on the Azure platform (Microsoft) for the next three years. The GIP PDS is also responsible for the Health Data Hub (HDH), the platform for processing French healthcare data, which is also hosted by Microsoft.
For the record, EMC2 is a Europe-wide health data warehouse project. This future platform will host health data from the Assurance Maladie (healthcare pathways, medical prescriptions, etc.), as well as complete medical records from the Hospices civils de Lyon, the Léon Bérard centre, the Nancy CHU and the Fondation hôpital Saint-Joseph. The ultimate aim is to use this data for pharmaco-epidemiological research into the outcomes observed in connection with medical treatments.
In its detailed arguments, the CNIL refers to the report of the expert mission led by the Digital Health Delegation (DNS), the Interministerial Digital Department (DINUM) and the Digital Health Agency. The purpose of this appraisal mission was to determine whether the EMC2 project could be implemented by a service provider subject only to the laws of the European Union, without compromising the project with regard to the conditions set by the European Medicines Agency (EMA).
Among other things, the report concluded that “no potential service provider is offering hosting services that meet the technical and functional requirements of GIP PDS for the implementation of the EMC2 project within a timeframe compatible with the latter’s imperatives”.
The CNIL deplores the fact that “no service provider currently able to meet the needs expressed by GIP PDS protects data against the application of the extraterritorial laws of third countries”.
École Hexagone agrees with the CNIL on this point: the problem is not so much the technical solution chosen as the exposure of the data hosted by this future platform to US extraterritorial laws (Cloud Act, FISA) that results from choosing Microsoft Azure. The data will be hosted in data centres located in France. However, the geographical location of the hosting does not exempt Microsoft Azure from complying with any injunctions issued by the US authorities, and therefore from disclosing the hosted data.
École Hexagone, a key player in Franco-European digital sovereignty, naturally questions the way in which this issue has been considered and the long-term consequences of the choice made by the GIP PDS.
France, with the Agence nationale de la sécurité des systèmes d’information (ANSSI), is considered to be a pioneer in the standardisation of regulatory frameworks for information systems security.
In 2016, prior to the definition of the EMC2 project and the HDH, ANSSI developed and published the SecNumCloud reference framework, to enable Cloud service providers to be qualified. This is currently the highest level of certification in terms of cybersecurity.
To date, the technical solutions of Cloud Temple, Oodrive, Outscale, OVH and Worldline have qualified. Microsoft, as an American company, is not eligible for SecNumCloud certification. France therefore had the standard-setting tool at its disposal to disqualify non-European players and favour continental players through French and European public procurement.
The expert mission mentioned above heard from three French Cloud players: OVHcloud, NumSpot and Cloud Temple. These three players had the opportunity to express their views in the specialist press following the consultation. Michel Paulin, CEO of OVHcloud, points out that “the benchmark has changed six times, going from 165 requirements and criteria to 262”. Should we see this as a deliberate way of excluding French players?
École Hexagone also deplores the absence of an impartial invitation to tender, which should have been a mandatory prerequisite given the type of data that will be processed, the legal risk associated with US extraterritorial laws and the economic stakes involved.
In this respect, École Hexagone is perfectly in tune with Clever Cloud’s position on “the need to develop the HDH and reject the hosting of French healthcare data by non-European players. We can only note a discrepancy between the rhetoric that praises a France with strong technological champions and that supports its digital industry, and the decisions taken on the ground.”
Now Secretary of State for the Digital Economy, Ms Marina FERRARI must take the full measure of the social, political and economic issues surrounding the processing of French citizens’ health data. She will also need to work closely with members of parliament who have long been involved in these issues, such as Senator Catherine MORIN-DESAILLY, MP Philippe LATOMBE and MP Aurélien LOPEZ-LIGUORI, who also chairs the Cybersecurity and Digital Sovereignty study group at the French National Assembly.
Finally, a dystopian hypothesis:
We are seeing the arrival of the major players in the healthcare market, such as Amazon and Apple. This is a fundamental trend that began several years ago. For example, Amazon has launched its own health insurance for its employees. It’s a way of gaining a foothold in this sector at little cost. Similarly, in 2018, the American online retail giant bought PillPack, an online pharmacy service.
Imagine a mutual insurance company that could have access to your entire health file, even before insuring you, and could therefore define your exact medical profile in order to offer you a specific rate, or quite simply decide not to insure you if you are considered too risky.
Do you also see the point of fiercely and uncompromisingly defending our digital sovereignty?
President of École Hexagone.