Slowdown for French E-Health Start-Ups?
13/10/2023
Bill No. 1514 to secure and regulate the digital space in France, known as SREN (Securing and Regulation of the Digital Space), was adopted by the Senate on July 5, 2023.
During its first reading in the National Assembly, the text was the subject of numerous amendments by the special committee, one in particular raising concerns about its impact on start-ups in the e-health sector in France.
Before examining the content of this amendment, it is necessary to briefly recall the legal framework for the hosting of health data in France.
I – BRIEF REMINDER OF THE LEGAL FRAMEWORK FOR THE HOSTING OF HEALTH DATA
Health data is a special category of personal data: it is considered sensitive and is therefore subject to special protection. It is defined as: “data relating to the past, present or future physical or mental health of a natural person (including the provision of health care services) that reveal information about that person’s state of health”.
In France, the protection of personal health data and in particular its hosting has been the subject of a significant strengthening of its legal framework.
Since 1 April 2018, Article L.1111-8 of the French Public Health Code defines the activity of hosting health data (HDS) collected “during prevention, diagnosis, care or social and medico-social monitoring activities” and specifies the rules applicable to the hosting of health data carried out on behalf of a data controller, or on behalf of the patient himself.
The main requirements of this article are as follows:
- The hosting of health data must be carried out after informing the data subject, unless he or she legitimately objects to such hosting.
- The hosting of personal health data must be formalised by a contract, clearly establishing the rights and responsibilities of the host and the natural or legal persons on whose behalf the personal health data is stored.
- Hosts of digital data are required to obtain a certificate of conformity issued by duly accredited certification bodies. These certificates attest that hosting providers adhere to strict security and data protection standards, ensuring the safety of the hosted health data.
II – THE “SECNUMCLOUD” AMENDMENT: A CHALLENGE FOR E-HEALTH START-UPS
The special committee of the National Assembly proposed to insert a new article 10 bis B into the bill, providing that:
« The second paragraph of III of Article L. 1111-8 of the Public Health Code is supplemented by a sentence worded as follows: “From 1 July 2024, in the case of digital archiving by means of a cloud computing service, the conditions for approval shall comply with the conditions in force provided for by the standard requirements for cloud computing service providers published by the National Agency for Information Systems Security.” »
The National Agency for the Security of Information Systems (ANSSI) in France was created in 2009 and is attached to the General Secretariat of Defence and National Security.
In 2016, the ANSSI developed the evolving “SecNumCloud” standard to qualify cloud computing service providers. Its objective is to promote trusted service providers for the hosting of data, applications and information systems, both for public and private entities seeking to outsource their IT services.
The Commission Nationale de l’Informatique et des Libertés (CNIL) has also specified that this standard is recommended for cloud service providers, in order to ensure their compliance with European requirements relating to the protection of personal data, in particular with the case law of the Court of Justice of the European Union relating to the transfer of data outside the Union (“Schrems II” judgment).
In this context, the amendment under discussion stipulates that French health data must be hosted by operators labelled “SecNumCloud” by 1 July 2024. This means that all companies, including start-ups in the e-health sector, will have to migrate their data to SecNumCloud-certified cloud providers within nine months of the law coming into force.
The main concerns of start-ups are:
- The nine-month timeframe is considered insufficient to securely migrate all of their data. Start-ups are worried that this could disrupt their services or even force them to suspend their activities, which would have a very negative impact on their customers and operations.
- The SecNumCloud-certified cloud solutions currently available in Europe are perceived as less competitive in terms of cost and performance compared to US giants such as Amazon Web Services (AWS), Google Cloud or Microsoft Azure.
In response to these concerns, some start-ups suggest replacing the reference to SecNumCloud with the “HDS” (Health Data Hosting) certification. This certification, which has been in force since 2018, is already being used by some companies in the e-health sector. It also aims to strengthen the protection of health data and to establish a climate of trust conducive to patient follow-up.
The question of which certification will ultimately be retained is currently the subject of debate and discussion within government and industry, with the aim of finding a balance between safety, performance, and costs for the entire e-health sector in France.
The next few days will be decisive because the SREN project is currently being discussed in the National Assembly.
Ginestié Magellan Paley-Vincent, France, a Transatlantic Law International Affiliated Firm.
For further information or for any assistance please contact france@transatlanticlaw.com