MEDICAL DATA GOVERNANCE: FROM INDIVIDUAL PROTECTION TO A COLLECTIVE OPEN DATA RESOURCE

Preprint (PDF available), June 2020
Abstract
Medical data governance is a major issue in the evolution of new technologies in the medical field, as health data are the learning material for algorithmic models. As sensitive personal elements, health data are governed according to the protection of individual fundamental rights, to avoid potential misuse. Nevertheless, the social utility of these health data invites us to consider their governance through a collectivist doctrine, treating them as common open data resources, more favourable to research, statistics and the improvement of the quality of care. Such a system, based on an open data health database in which patients become donors of anonymised data, still relies on means that are not without risks to fundamental rights.
French Case
Darnault Cécilia, Doctor of Law, cecilia.darnault@gmail.com
Keywords: Data Privacy; Technologies; Health data; Governance; Legal risks; Fundamental rights.
INTRODUCTION
According to the Statista Digital Economy Compass report [1], thirty-three zettabytes of digital data were created worldwide in 2019. This is an impressive number that each of us feeds every day, and the health sector is no exception. Indeed, the healthcare sector is overwhelmed with data, the scope and volume of which increase exponentially [2], a flow of data that feeds artificial intelligence algorithms and enables the development of new technologies in the medical sector. In oncology, for example, an algorithm created by a team at the Massachusetts Institute of Technology (MIT, U.S.A.) is capable of identifying, on x-rays of apparently healthy breast tissue, the precise area where cancer would develop four years later. This result could only be obtained by providing the data needed to train the algorithm, the researchers having fed « a deep learning system of 72,000 mammograms by associating them with clinical data evaluating the risk of breast cancer (diet, genetics, hormones, weight, pregnancy, breastfeeding, etc.) of 30,000 patients » [3]. Personal information relating to the health of patients thus constitutes a database essential to the development, training and successful operation of artificial intelligence algorithms in health matters. Nevertheless, the accessibility and use of these data are still under debate, often for fear of misuse. As such, the governance of medical data represents a major social issue, dependent on the choices made by public policy actors, which will shape the evolution of research and new medical technologies. Indeed, the orientation of the system of medical data governance that legal regulators choose to apply is of paramount importance, in the sense that it directly impacts the possibilities offered by the exploitation of health data. Consisting of a wide variety of data (medical and hospital records, claims, surveys, biobanks, laboratory reports, pharmacy transactions, research and monitoring devices or applications, imaging components, etc.), health data could improve the quality of care for patients and directly support the development of medical research (including the discovery of new treatments, improved diagnostics, the advancement of personalised medicine, etc.). Despite the possibilities they offer, these data are still largely unused due to a global governance focused on the protection of the individual fundamental rights of patients, considering personal data as specific to the persons they concern. However, the general interest nature of the medical field and the social utility of this information invite us to question this individualistic governance model and to examine the legal principles that would allow the model to be considered differently.

[1] T. Gaudiaut, « La totalité des données créées dans le monde », Statista Digital Economy Compass 2019, in Statista.com, 24 April 2019, https://fr.statista.com/infographie/17793/quantite-de-donnees-numeriques-creees-dans-le-monde/ (accessed 1 April 2020).
[2] J. Oderkirk, E. Ronchi, « Governing data for better health and healthcare », OECD Observer, n°309, T1, 2017.
[3] H. Jalinière, « Des cancers bientôt révélés par l’imagerie intelligente ? », in L'intelligence artificielle en 50 questions, Sciences et Avenir, Special Issue, n°199, October-November 2019, p. 26.
This article proposes an analysis of our personal data governance system in order to explore it from new perspectives: no longer considering health data with a focus on the individual, as originally, but as a collective resource at the service of the general health interest and the improvement of care, by studying the case of the French legal system, which combines European standards and national specificities. The apprehension of medical data as particularly sensitive personal information has led to the application of privatist legal principles centred on individual rights. This vision tends to evolve under the prism of a dissenting doctrine, which relies more on publicist notions such as the primacy of the general interest that these data may represent, and advocates a more collective legal governance in which medical data becomes a common resource available to all. At the crossroads of the dissent between the privatist and publicist paradigms, it is possible to conceive of a public governance of medical data as a common resource while ensuring respect for individual fundamental rights (I). The issue does not stop at a simple legal debate on the categorisation of health data, in privatist or publicist terms, or on their current regime, but extends to the current developments that are part of a genuine project to develop an open data health system, at both the national and European level. A common medical database open to all which, despite a progressive and educational national development intended to let it grow under the best conditions, nevertheless raises some questions and exposes the fundamental rights of the persons concerned to many significant risks (II).
I. A HYBRID MODEL OF MEDICAL DATA LEGAL GOVERNANCE
The initial regulatory intentions converge towards a privatist ideology of analysing personal
data as specific to the persons they concern, and thus governing their processing by exception
under specific conditions. However, the private perception of these data is altered when one
considers the general interest parameters covered by some of this information, particularly
health data, which are set up as common resources that can constitute significant opportunities.
Collectivist governance is only conceivable through the respect of an adapted legal regime that
allows the necessary reconciliation of both fundamental personal rights and common objectives
of general public interest in the field of health.
A. The specificity of the medical data governance model
The legal governance model for personal data is built on the basis of a privatist ideology considering data as belonging to the individual, as elements composing his or her privacy to be protected from external processing. This view evolves when health data, which are particularly sensitive, are conceived from the perspective of the general interest: no longer as individual information relevant to private life, but as an aggregated whole, a public network, that promises opportunities for the future of medicine.
1) The basics of the data governance model: a private element logic
Digital data. More specifically, personal data are legally defined as any information relating to an identified person, or to a person who can be identified, directly or indirectly, by reference to an identification number or to one or more factors specific to that person [4]. As the « new black gold of the Internet and the new currency of the digital world » [5], they represent the genesis of the economic valorisation of information in the era of the digital revolution. Economic agents quickly understood the value of these data and used them as a raw material that could be exploited. The collection and processing of this constantly growing mass of information is a source of value creation and represents a real economic opportunity [6] at the heart of a data economy [7]. Thus, as a raw material for a rapidly expanding economic market, under the cover of a privatising legal influence, digital data have quickly been exploited as a market good: a good that can be traded on the market, and this before individuals realise the nature and existence of the data they produce, their value and the resulting exploitation, whether economic, public or social. The fact that the market has seized upon the issue, processing and exploitation of digital data, and that these data come from users, as an element attached to the individual who generates them, has deeply anchored them in the private sphere. This commercialisation of a personal element has not failed to generate difficulties. The succession of widely publicised revelations about the misuse of personal data has helped to raise the awareness of individuals and has generated a growing interest among the general public in the right to personal data. Among these scandals, it is essential to mention the shock wave produced by Edward Snowden's disclosures in 2013 [8] concerning US surveillance programs; more recently, and in this context, it is impossible to omit Facebook and its leader, particularly following the setbacks caused by the Cambridge Analytica case, in which the company was accused of having used data from 30 to 70 million Facebook users, collected without their consent, for targeted political canvassing in the context of Donald Trump's U.S. election campaign [9]. These two high-profile cases should not obscure the many other breaches of recent years, those that have yet to be discovered, and those that will come. The many whistle-blowers and the various condemnations that followed are feats of arms that are particularly striking today, but the struggle began a few decades ago, in the light of a governance model that advocates the protection of the individual rights of the digitised person.

[4] Law No. 78-17 of 6 January 1978 on data processing, data files and individual liberties, OJ of 7 January 1978 (article 2); Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation), OJ 2016 L 119/1 (article 4.1).
[5] See M. Kuneva, European Commissioner for Consumer Protection, Keynote Speech, Roundtable on Online Data Collection, Targeting and Profiling (31 March 2009), quoted in Personal Data: the emergence of a new asset class, World Economic Forum, Jan. 2011, p. 5.
[6] J-M Deltorn, « La protection des données personnelles face aux algorithmes prédictifs », RDLF 2017, chron. n°12 (www.revuedlf.com).
In the words of the economist J. Stiglitz, we are a community « and like all communities, we have rules to live together », rules that must be « just and equitable, and this must be clearly seen (and) give due attention to the poor as well as to the powerful, and must show a deep sense of honesty and social justice » [10]. As a source of information, whether about identity, behaviour, habits or preferences, the use of data inevitably conflicts with some of the rights of those concerned. In order to prevent the misuse, including ill-intentioned use, of personal data in the context of the development of new technologies, and to prevent an algorithm from turning into a tool that discriminates or infringes the fundamental rights of individuals, regulatory intervention was more than necessary. This was reflected in the adoption of a governance model whose objective was to implement a set of processes, roles, rules, standards and metrics to ensure the effective and efficient use of information, while defining procedures and responsibilities to ensure respect for the fundamental rights of users by safeguarding the security of the data collected by companies or institutions [11]. To this end, and for forty years now, a legal arsenal has been deployed at both the national and European level. The Data Protection Act [12], amended by Law No. 2004-801 of 6 August 2004 to transpose the provisions of EU Directive 95/46 [13], and amended again by Law No. 2018-493 of 20 June 2018 on the protection of personal data following the adoption of the now famous EU Regulation 2016/679, known as the EU General Data Protection Regulation (GDPR) [14], are the reference texts in this area. Each of these provisions establishes a fundamental right to the protection of personal data in the name of the security of individuals, considering the data as belonging to the person, as a private individual per se, in order to guarantee a framework for their use that ensures respect for privacy. In this sense, Council of Europe Convention 108 already underlined in 1981 that « under certain conditions, the exercise of complete freedom to process information may prejudice the enjoyment of other fundamental rights or other legitimate personal interests (for example, in matters of employment or consumer credit). It is in order to maintain a fair balance between the different rights and interests of individuals that the Agreement imposes certain conditions or restrictions on the processing of information » [15]. A guarantee is included in the first recital of the Regulation, which states that « the protection of individuals with regard to the processing of personal data is a fundamental right. Article 8(1) of the Charter of Fundamental Rights of the European Union and Article 16(1) of the Treaty on the Functioning of the European Union provide that everyone has the right to the protection of personal data concerning him » [16]. This recognition is reiterated by the European Court of Human Rights, which considers that, as a matter of principle, the mere fact of storing data relating to the private life of an individual constitutes an interference within the meaning of Article 8 of the European Convention on Human Rights [17], which guarantees the right to respect for private and family life, home and correspondence, regardless of whether or not the information stored is subsequently used [18]. The protection of personal data is thus envisaged, let us even say elevated, as a fundamental human right whose abuse constitutes a violation, an invasion of privacy. From the protection of the individual rights of individuals to their exploitation by private or public institutions as a raw material, digital personal data are fully part of a legal governance model with a privatising tone. However, due to their nature and social utility, some data could have a more collective dimension.

[7] European Commission, Towards a thriving data economy, Brussels, 2 July 2014, COM(2014) 442 final, https://ec.europa.eu/transparency/regdoc/rep/1/2014/EN/1-2014-442-EN-F1-1.Pdf.
[8] See in particular the documentary by L. Poitras, Citizenfour, 2015.
[9] A. William, « Ce qu’il faut savoir sur Cambridge Analytica, la société au cœur du scandale Facebook », in Le Monde, 22 March 2018, https://www.lemonde.fr/pixels/article/2018/03/22/ce-qu-il-faut-savoir-sur-cambridge-analytica-la-societe-au-c-ur-du-scandale-facebook_5274804_4408996.html (accessed 1 April 2020).
[10] N. Ferry-Maccario, Gestion juridique de l’entreprise, Paris, Pearson Education, 2006.
[11] Term « Governance », S. Guinchard and T. Debard, Lexique des termes juridiques, 25th ed., Dalloz, 2017-2018; J. Dionne-Proulx and G. Larochelle, Éthique et gouvernance d’entreprise, in Management & Avenir, 2010, Vol. 32, no 2, p. 36; S. Pearlman, « Qu’est-ce que la gouvernance des données et pourquoi en avez-vous besoin ? », Talend.com, 10 June 2019, https://fr.talend.com/resources/what-is-data-governance/ (accessed 2 April 2020).
[12] Law No. 78-17 of 6 January 1978, ibid.
[13] Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data, OJ 1995 L 281/31.
[14] Regulation (EU) 2016/679, ibid.
[15] Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data 1981, ETS 108 (item 25).
[16] Regulation (EU) 2016/679, ibid (recital 1).
2) The singularity of medical data: a common property resource logic
Among personal data, the Regulation distinguishes between data understood in a general way and certain data considered particularly sensitive. Indeed, the processing of personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs or trade union membership, as well as the processing of genetic data, biometric data for the purpose of uniquely identifying a person, data concerning health or data concerning the sexual life or sexual orientation of a person, is prohibited [19]. Given the nature of this kind of information, the reason for prohibiting processing as a matter of principle is obvious, given its possible impact on the protection of the rights and freedoms of the persons who could be harmed [20]. Among the exceptions to this prohibition, mention is made of personal data concerning health. More specifically, the category of health data includes information relating to the past, present or future physical or mental health of a person (including the provision of health care services) which reveals information about the state of health of that person [21]. This is a particularly broad definition that includes a great deal of information « about a natural person collected when registering for or providing health care services: a specific number, symbol or element assigned to a natural person to uniquely identify him or her for health purposes; information obtained from the testing or examination of a body part or bodily substance, including from genetic data and biological samples; information relating to a disease, a disability, a risk of disease, medical history, clinical treatment or the physiological or biomedical condition of the person concerned (regardless of its source, whether it comes from, for example, a doctor or other health professional, a hospital, a medical device or an in vitro diagnostic test) » [22]. This singular information represents a sui generis ambivalence that goes to the very essence of what the texts seek to protect, the privacy of individuals, which should thus benefit from enhanced protection through the prohibition of processing, but which, on the other hand, could embody the future of health democracy through the development of medical research and care offers.

Indeed, it turns out that the processing of the mass of data collected, « although already developed in the sciences, has led to radical paradigm shifts in the health field where it is still emerging », moving from a search for hypotheses to research deduced from the exploitation of data. This processing is prohibited by principle, but « the various legislations (national and European) nevertheless provide for a certain number of exemptions to this principle of prohibition, based either on individual interest (in particular for care) subject to obtaining the consent of the person whose information is collected, or on collective interest such as that of research » [23]. Thus, in the name of the notion of general interest, fundamental to French law but also taken up in European law, in other words what is good for the public [24], for the community as a whole, the model of legal governance of personal data is changing paradigm and taking on a new dimension. A real challenge for the development of medical research is that data are no longer a raw material that can be exploited in the economic sense of the term, but rather a material, a common property resource serving as a basis for enriching both individual and collective health [25]. Within a model built around the protection of the fundamental rights of individuals, where data are considered as belonging to the intimate domain of the individual's private life, health data establish an exception that shifts the conception of data from a matter of a personal nature to the notion of a common resource for the public good. Despite the risks to individual rights, the use of health data would contain a treasure trove for health security insofar as it « contributes, in particular, to the transparency and efficiency of the health system (;) the collection and dissemination of this information make it possible to feed the public debate on health and, in particular, to inform the development, conduct and evaluation of public health policies (...) to provide a decisive contribution to pharmaco-epidemiological vigilance, to improve the effectiveness of care pathways, to promote long-term research on care protocols and to allow for enhanced health monitoring » [26]. Personal health data are thus moving away from the traditional individualistic approach, through the global mass of information that they constitute, to be considered as a common good, which per se belongs to no one and whose use is common to all. Common property of personal data: a fine oxymoron that is in reality only superficially so, as the data are no longer understood individually but through the prism of a network that gives them a collective dimension. That said, if the general interest advocates considering health data as a common property public resource in the name of the collective good, this particularly sensitive information must be used with the utmost caution, within a legal framework that carefully delimits the conditions of its use. On this point, the European Regulation has chosen to leave significant room for manoeuvre to the States to determine at the national level the legal regime applicable to derogatory authorisations for processing operations involving health data and processing operations for scientific research purposes [27]. This national freedom has been taken advantage of by the French legislature through the adoption, by Act No. 2018-493 of 20 June 2018 [28], of a new chapter IX on the processing of health data applicable to research, studies and evaluations, which determines the applicable French legal regime.

[17] European Convention for the Protection of Human Rights and Fundamental Freedoms, Sept. 3, 1953, ETS 5, 213 UNTS 221.
[18] ECHR 4 December 2008, S. and Marper v. the United Kingdom, Applications Nos. 30562/04 and 30566/04.
[19] Regulation (EU) 2016/679, ibid (article 9).
[20] A. Banck, « RGPD : la protection des données à caractère personnel, 19 fiches pour réussir et maintenir votre conformité », 3rd ed., Droit en poche, Gualino, Lextenso, 2020, 88 p.
[21] Regulation (EU) 2016/679, ibid (article 4, recital 15).
[22] CNIL, « Qu’est-ce qu’une donnée de santé ? », cnil.fr, https://www.cnil.fr/fr/quest-ce-ce-quune-donnee-de-sante (accessed 3 April 2020); Regulation (EU) 2016/679, ibid (article 4, recital 35).
[23] E. Rial-Sebbag, « Chapitre 4. La gouvernance des Big data utilisées en santé, un enjeu national et international », Journal international de bioéthique et d'éthique des sciences, 2017/3 (Vol. 28), p. 39-50.
[24] See General interest in G. Cornu (ed.) and Association Henri Capitant, Vocabulaire juridique, Paris, Presses universitaires de France, "Quadrige" coll., 2005, 7th ed., 970 p.
[25] F. Lesaulnier, « Recherche en santé et protection des données personnelles à l’heure du RGPD », in E. Netter, V. Ndior, J-F. Puyraimond, S. Vergnolle, « Regards sur le nouveau droit des données personnelles », Centre de droit privé et de sciences criminelles d'Amiens, 2019.
B. The derogatory legal regime for medical data governance
« Technology must be at the service of every citizen. (...) It must not infringe on human identity, human rights, privacy or individual or public freedoms » [29]. These words from 1978 mark the general state of mind of the data protection regulations and national standards in this area. If the exemption from the prohibition on processing sensitive data has been granted to health data because of the general interest dimension that they represent, this is only possible in the context of a legal regime that is sufficiently clear and that complies with a principle of proportionality between the interest of the processing and the invasion of privacy that it entails. Indeed, the Constitutional Council has recalled that respect for fundamental rights [30] implies the right to respect for private life; thus the collection, recording, storage, consultation and communication of personal data must be justified on grounds of general interest and implemented in an appropriate and proportionate manner in order to reconcile the various interests at stake [31]. A decision which echoes European case law on the subject, enshrining the importance of the protection of medical data for the enjoyment of an individual's right to respect for his private life, and holding that the applicable law must define with sufficient clarity the scope and modalities of the exercise of the discretion granted to the competent authorities in the context of medical data processing. The Court thus concluded that there had been a breach of privacy on the ground of the vagueness of the provisions of domestic law authorising access by a public institution to the applicant's medical file [32]. In accordance with the principle of proportionality, which governs the reconciliation of respect for private life and the general health interest of processing health data, such data may be used only in the circumstances determined by the European Regulation, as follows:
- if the data subject has given his explicit consent to the processing of such personal data for one or more specific purposes;
- if processing is necessary for the purposes of fulfilling the obligations and exercising the rights specific to the controller or the data subject in the field of employment law, social security and social protection;
- if processing is necessary to protect the vital interests of the data subject or of another person where the data subject is physically or legally incapable of giving his or her consent;
- if processing is necessary for the purposes of preventive or occupational medicine, the assessment of the worker's capacity for work, medical diagnosis, health or social care, or the management of health care or social protection systems and services on the basis of Union law, the law of a Member State or pursuant to a contract concluded with a health professional;
- if processing is necessary on grounds of public interest in the field of public health, such as protection against serious cross-border threats to health, or for the purpose of ensuring high standards of quality and safety of healthcare and of medicinal products or devices;
- if processing is necessary for archival purposes in the public interest, for scientific or historical research or for statistical purposes, in a manner proportionate to the objective pursued [33].

Apart from the circumstances referred to in the Regulation, which may justify the processing of medical data, other processing conditions, both substantive and procedural, must be complied with. It does indeed appear that the processing of health data must be necessary, and that the data subject must provide explicit consent for one or more specific purposes.

[26] J-M. Sauvé, « Intervention de Jean-Marc Sauvé lors des septièmes entretiens du Conseil d’État en droit social », Health and Data Protection, Conseil d'État, 1 December 2017, https://www.conseil-etat.fr/actualites/discours-et-interventions/sante-et-protection-des-donnees (accessed 3 April 2020).
[27] Regulation (EU) 2016/679, ibid (article 9.4).
[28] Law n°2018-493 of 20 June 2018 relating to the protection of personal data, JORF n°0141 of 21 June 2018.
[29] J-M. Sauvé, « Intervention de Jean-Marc Sauvé lors des septièmes entretiens du Conseil d’État en droit social », op. cit.
[30] Mentioning specifically the Freedom proclaimed by Article 2 of the Declaration of the Rights of Man and of the Citizen of 1789.
[31] Constitutional Council, n°2019-797 QPC of 26 July 2019, Unicef France and others.
[32] ECHR 29 April 2014, L.H. v. Latvia, Application 52019/07: the Court found that the applicable law had not indicated with sufficient clarity the extent of the discretion conferred on the competent authorities and the manner in which it was exercised to collect medical data.
1) An express consent
Persons whose medical data are collected have rights. For example, any processing of health
data must be based on the consent of the persons whose data are collected and used if it is to be
lawful
34
. In order to comply, the Regulation requires that the data subject's consent must be
given by any freely given, specific, informed and unambiguous indication of his wishes by which the data subject signifies his agreement, by means of a declaration or a clear positive act, to personal data relating to him being processed [35]. Free, in the sense that the data subject must be able to refuse or withdraw his consent without suffering any influence, coercion or prejudice. Such influence or coercion would exist, for example, where power relations are unequal (in particular in employment relations, through the subordination of employee to employer), or where additional costs or sanctions are imposed on persons who wish to withhold or withdraw their consent [36]. Specific, then, insofar as consent is given by the data subjects for a specific purpose, or for several purposes in a granular manner where several processing operations are necessary for the same purpose. Informed, since the data subjects must have been informed before their consent is collected, so as to give or refuse it in full knowledge of the facts. This is done by means of comprehensive information [37] communicated in a clear, accessible and understandable manner for full intelligibility. In other words, the information must have been provided in a concise, transparent manner that is accessible to the general public, and in a manner adapted to the person's pathology, age and the circumstances of the data collection (minors, incapable adults, etc.); the objective being to enable these persons to retain control of the data concerning them. This obligation may be fulfilled by a notice on the website of the data controller or of the health insurance organisations, and on media that bring it to the attention of individuals, in particular posters in premises open to the public or documents given to them [38], or even the welcome booklet given to the patient on hospitalisation. Finally, consent must be unambiguous: given by an express, positive, clear act that stands out from all others and leaves no room for ambiguity as to the content and scope of consent. For example, if a data controller sends an e-mail to a person [39], « informing him/her of his/her intention to process medical information, this message must formalise a request for consent and explain the characteristics and purposes of the processing (...) the data subject must expressly consent to the use of his/her data, for example, by replying that he/she consents (by return e-mail) or by clicking on a verification link or by entering a code received by SMS » [40]. It should nevertheless be specified that the processing of personal health data is authorised without the prior consent of the data subject where it serves, for example, the management of health systems and services or social protection, the preservation of public health (preventing the spread of diseases), medical assessment (care, diagnosis, preventive medicine) or the preservation of the vital interests of a person unable to give consent [41].

[33] Regulation (EU) 2016/679, ibid (article 9.2).
[34] Regulation (EU) 2016/679, ibid (article 6.1).
[35] Regulation (EU) 2016/679, ibid (article 4.11).
[36] A. Banck, « RGPD : la protection des données à caractère personnel, 19 fiches pour réussir et maintenir votre conformité », Op. cit.
[37] Regulation (EU) 2016/679, ibid (article 13.1).
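The four qualities of consent just described (free, specific, informed, unambiguous), its granular per-purpose character, its withdrawal without prejudice, and the purposes for which prior consent is not required can be made concrete as a small consent registry. The following Python is an added example and not code from the paper or from any authority it cites: the purpose labels, subject ids and secret are constructed, and the HMAC-bound single-use token stands in for the verification link or SMS code of the quoted e-mail scenario.

```python
"""Granular, evidenced and withdrawable consent records.

Added illustration (not the paper's code). Purpose labels, subject ids and
the secret are constructed sample values."""
import hashlib
import hmac
import secrets
import time

# Purposes for which, per the text, health data may be processed without prior
# consent (management of health services, public health, medical assessment,
# vital interests). The labels themselves are constructed for this example.
CONSENT_NOT_REQUIRED = {
    "health_system_management",
    "public_health",
    "medical_assessment",
    "vital_interests",
}


class ConsentRegistry:
    """One decision per (subject, purpose), recorded only after a clear positive act.

    The positive act is the confirmation of a single-use token that is bound by
    HMAC to the subject and to the exact set of purposes shown to them, so a
    confirmation cannot be reused for other purposes or for another person."""

    def __init__(self, secret: bytes, token_ttl_seconds: int = 3600):
        self._secret = secret
        self._ttl = token_ttl_seconds
        self._granted = {}         # (subject_id, purpose) -> time of the positive act
        self._withdrawn = set()    # (subject_id, purpose) pairs withdrawn later
        self._used_nonces = set()  # tokens already consumed (no replay)

    def _mac(self, subject_id, purposes, issued_at, nonce):
        msg = "|".join([subject_id, ",".join(sorted(purposes)), str(issued_at), nonce])
        return hmac.new(self._secret, msg.encode(), hashlib.sha256).hexdigest()

    def issue_token(self, subject_id, purposes, now=None):
        """Token placed in the confirmation link sent with the information notice."""
        issued_at = int(time.time() if now is None else now)
        nonce = secrets.token_hex(8)
        return f"{issued_at}:{nonce}:{self._mac(subject_id, purposes, issued_at, nonce)}"

    def confirm(self, subject_id, purposes, token, now=None):
        """Record consent for each listed purpose separately (granularity).

        Returns False when the token is malformed, stale, issued for a different
        subject or purpose set, or already used: in all those cases there is no
        unambiguous positive act to rely on."""
        now = int(time.time() if now is None else now)
        try:
            issued_at_s, nonce, mac = token.split(":")
            issued_at = int(issued_at_s)
        except ValueError:
            return False
        if now - issued_at > self._ttl:
            return False
        expected = self._mac(subject_id, purposes, issued_at, nonce)
        if not hmac.compare_digest(mac, expected):
            return False
        if nonce in self._used_nonces:
            return False
        self._used_nonces.add(nonce)
        for purpose in purposes:
            self._granted[(subject_id, purpose)] = now
            self._withdrawn.discard((subject_id, purpose))
        return True

    def withdraw(self, subject_id, purpose):
        """Withdrawal is unconditional: no cost, check or delay is attached to it."""
        self._withdrawn.add((subject_id, purpose))

    def may_process(self, subject_id, purpose):
        """Lawful-basis check for one purpose of one subject."""
        if purpose in CONSENT_NOT_REQUIRED:
            return True
        key = (subject_id, purpose)
        return key in self._granted and key not in self._withdrawn
```

Two design points follow the text directly: a consent for one purpose never authorises another (the registry keys on the pair, so a "marketing" check fails even when "research" was granted), and the exception purposes bypass the registry entirely because the lawful basis there is not consent.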
2) Processing necessary for specific purposes

Once the data subjects have been informed and have given their consent, the processing of health data must be accompanied by collection and processing arrangements that provide appropriate safeguards for security and privacy. To this end, « five principles govern this protection: 1) data must be collected fairly and lawfully; 2) for a specified and legitimate purpose; 3) the data collected must be relevant and adequate for that purpose; 4) they must be complete and accurate; and 5) they must be kept for a specified period » [42]. Being an integral part of the principles governing many legal systems, like good faith, loyalty « is also said to be the good quality of things, which has the condition required by the law, by the ordinance known as the Dictionary of Furetière. In this sense, when it comes to things, the notion of loyalty becomes very close to that of legality. It is a point of passage between the moral notion and the legal notion » [43]. It is, therefore, no surprise that it is raised as a condition for the processing of personal data, in particular so-called sensitive medical data. Together with the notions of lawfulness and transparency, it is enshrined in the Regulation [44]. Thus, in order to comply with the obligation to process data lawfully, fairly and transparently in relation to the data subject, the processing must rest on a basis that is necessary [45] and lawful, so as to avoid any concealed or hidden processing operations [46]. Necessary processing is also processing which fulfils a specified, explicit and legitimate purpose, that is to say a specific aim pursued by the data controller [47]. Consequently, the specific purpose or purposes must be determined prior to the processing of the data, communicated to the data subjects when they are informed, and legitimate in relation to the activity of the organisation carrying out the processing. Once again, and in order to allow the efficient implementation of processing operations in the general interest, the Regulation and the national rules may provide for certain management facilities; for example, further processing for archival purposes in the public interest, for scientific or historical research or for statistical purposes is not considered incompatible with the initial purposes [48]. If the processing is to have a specific purpose, it must be specified that the data collected must be relevant and adequate for that purpose: a principle which seeks to ensure that the data collected by the processing organisation are strictly necessary for the purpose, thus excluding any other data unrelated to the objective pursued, under penalty of sanctions [49]. The same relevant data must also be complete and accurate, in the sense that they must be up to date; the controller must ensure, through appropriate measures, that it is processing a database that is current and not obsolete. Regular updating of the data processed leads to the last point, establishing that the data must be kept for a specified period. Unless there is an exception on grounds of public interest, these data may not be stored ad vitam aeternam but must be kept as an active database only for as long as they are necessary for a specific project, within a period specified to meet this objective [50]. A definite period which does not, however, prevent the exercise of certain rights of individuals relating to the storage of their data. These include the rights of access, rectification and objection, enabling data subjects to ask the controller whether their data are being processed and, if so, to obtain a copy of that information, to correct data which prove to be incomplete or inaccurate, and to object to the processing of data, except for purposes which serve the performance of a task carried out in the public interest or which appear necessary for the legitimate interests pursued by the organisation [51]. Faculties which may be accompanied by a right to erasure, also called the right to be forgotten, consisting in the right of persons who so wish to obtain the erasure of information relating to them under the conditions laid down in the Regulation [52], in particular where the processing is no longer necessary, is unlawful or where the person concerned withdraws his consent. Necessarily, the use of medical data implies arrangements for exercising these rights which are adapted to the interests pursued. In the field of scientific research, for example, defined very broadly in the Regulation [53], an exception is granted to the principle prohibiting the processing of health data, together with a presumption that the purpose of scientific research is compatible with a different initial purpose, the possibility of storage beyond the processing operation, the collection of consent for one or more specific purposes, the possibility of derogating from the obligation to provide information in the case of secondary re-use of data where this proves impossible or would require disproportionate effort, and specific conditions for the application of the right to erasure [54].

The whole issue at stake in the above-mentioned legal conditions for the processing of medical data is to achieve the delicate but necessary reconciliation between respect for the rights of individuals, which is the priority of the EU General Data Protection Regulation (GDPR), and the interest, both personal in terms of improving care and general for the purpose of promoting medical research; this can be achieved by setting both security measures and derogations. General health interest motives which lead us to see things in a broader perspective, encouraging the European model, but also the respective national systems, to envisage the prospect of a general opening up of health data processing.

[38] CNIL n°2018-365 of 20 December 2018, Union nationale des organismes d'assurance maladie complémentaire, Referral no. 918103.
[39] Article 29 Working Party, ‘Opinion 2/2003 on the application of the data protection principles to the WHOIS directories’ (WP 76, 13 June 2003), at 4.
[40] C. Galichet, « Un consentement valide au sens du RGPD », Village de la Justice, 15 January 2019, https://www.village-justice.com/articles/consentement-valide-sens-rgpd,30428.html (accessed 6 April 2020).
[41] S. Goldstein, « Le RGPD et les données de santé », Legalplace, https://www.legalplace.fr/guides/rgpd-donnees-sante/ (accessed 6 April 2020).
[42] J-M. Sauvé, « Intervention de Jean-Marc Sauvé lors des septièmes entretiens du Conseil d’État en droit social », Op. cit.
[43] W. Cherbonnier, L. Crochet, and Collectif, « La loyauté : de la règle morale au principe juridique », Revue juridique de l'Ouest, 2012-3, pp. 327-342.
[44] Regulation (EU) 2016/679, ibid (article 5.1).
[45] Regulation (EU) 2016/679, ibid (article 6).
[46] A. Banck, « RGPD : la protection des données à caractère personnel, 19 fiches pour réussir et maintenir votre conformité », Op. cit.
[47] CNIL n°2018-365 of 20 December 2018, ibid.
[48] Law No. 2018-493 of 20 June 2018, ibid. (article 54 I); Regulation (EU) 2016/679, ibid (article 5.1).
[49] CNIL No. 2011-205 of 6 October 2011, Company X; CNIL No. SAN 2019-010 of 21 November 2019, Futura International.
[50] Berlin Commissioner for Data Protection and Freedom of Information v. Deutsche Wohnen SE, 30 October 2019, in “Berlin Commissioner for Data Protection Imposes Fine on Real Estate Company”, European Data Protection Board, 5 November 2019, https://edpb.europa.eu/news/national-news/2019/berlin-commissioner-data-protection-imposes-fine-real-estate-company_fr (accessed 7 April 2020).
[51] Regulation (EU) 2016/679, ibid (articles 15, 16 and 21).
[52] Regulation (EU) 2016/679, ibid (article 17).
[53] Regulation (EU) 2016/679, ibid (recital 159).
[54] F. Lesaulnier, « Recherche en santé et protection des données personnelles à l’heure du RGPD », Op. cit.
II. THE PERSPECTIVE OF AN OPEN DATA GOVERNANCE MODEL FOR MEDICAL DATA

Technologies are becoming more powerful every day, a performance that requires ever more data for the development of deep learning systems. Thus, in our digital capitalist societies, where production must be ever faster and cheaper, the data governance model must be adapted. This adaptation is expressed by the desire to facilitate the processing of health data through their categorisation as common property resources, in a movement towards greater openness known as open data. However, this liberalisation of health data must be carried out with the utmost caution: in an educational manner, so that users can appropriate this information in accordance with respect for the rights of individuals, and in a progressive manner, so that its implementation methods can be specified and adjusted. A system of health data governance that will have to adapt to the difficulties of security and the risks to the protection of fundamental rights.

A. The opportunity for open data governance of medical data

The prospect of moving away from the traditional individualistic paradigm of data governance, to consider data as an open common resource whose use would be open to all, is part of the desire to establish a large-scale global governance system. Openness in data represents opportunities that must be envisaged in a progressive and pedagogical manner in order to guarantee respect for people's rights, in particular via security processes that make it possible to detach medical data from the identity of the people they concern.

1) The European ambition of an anonymised open health database

Paradigms of governance reconciling the processing of health data with respect for the fundamental rights of individuals are not incompatible, and some of their respective concepts can be brought together, given the specificity of medical data, under the structural hypothesis of adapted security. A reconciliation that is only at its beginnings, the will being to go far beyond the current system by promoting a global governance model, common to all European Union member countries, which tends towards the generalised opening of access to health data. The idea being that the governance of health data should be as global as possible, in the sense of a common policy at European level, but also by using the widest spectrum of data in the context of the most diversified processing operations. In other words, it is a question of integrating the processing of health data into the open science movement in order to create a basis, a common ground, for the development of medical research and the improvement of personalised care in Europe. Indeed, « at the heart of this change, new forms of automated decision-making processes have recently made possible an unprecedented processing of mass data, raw, heterogeneous, dynamic data, characteristic of Big Data » [55], thanks to artificial intelligence systems and deep learning algorithms that are increasingly efficient. A change that does not spare the health field insofar as, in the same way as man acquires new knowledge, the machine offers new perspectives [56] by using the information made available to it. Thus, the more medical data the machine has at its disposal, the more intelligent the system is and the more autonomously it enriches itself. The whole issue of the development of new technologies in the medical field revolves around access to this famous health data, and the general intention to facilitate its processing via an open collective system. If current regulatory and research models are based on restricted access to health data, including individual patient data, then strengthening and extending the use and reuse of health data is essential for medical innovation. For example, liberalisation would not only help health authorities to make decisions about health systems but would also contribute to the competitiveness of European industry, while significantly supporting the work of health system regulators in evaluating medical products, demonstrating their safety and efficacy, and improving patient care. In order to move in this direction, the European Commission specified its ambition to establish a common European health data space in the Communication of 19 February 2020 on the European Data Strategy [57]. The aim is to develop « sectoral legislative or non-legislative measures for the European Health Data Space, complementing the horizontal framework of the Common Data Space to remove barriers to the cross-border provision of digital health services and products »; but also to « deploy the data infrastructures, tools and computing capabilities for the European Health Data Space by supporting the development of national electronic health records (EHRs) » and the interoperability of medical data. A common European health data space which, although it seems essential for progress in the prevention, detection and cure of diseases, cannot operate under just any conditions. The Commission recalls that European citizens must be reassured that their fundamental rights are protected in the context of this common and open provision of health data, which must be carried out in a manner consistent with the GDPR.

[55] J-M. Deltorn, « La protection des données personnelles face aux algorithmes prédictifs », Op. cit.
[56] Collectif (2017), « Une stratégie pour la France en matière d’intelligence artificielle », Synthesis Report FranceIA, French Government, presented on 21 March 2017 at the Cité des Sciences et de l'Industrie, https://cache.media.enseignementsup-recherche.gouv.fr/file/Actus/85/9/Rapport_synthese_France_IA_738859.pdf.
[57] European Commission, "A European Data Strategy", COM(2020) 66 final, Brussels, 19 February 2020, https://ec.europa.eu/info/sites/info/files/communication-european-strategy-data-19feb2020_en.pdf.
Beyond the guarantees offered by the GDPR, with the intention of considering medical data as an open common property resource, whether at European or national level, the main tool for securing health data offered to data subjects is essentially, on the basis of the fundamental right to privacy, the preservation of their identity. After all, when the famous Ulysses was captured by the Cyclops Polyphemus in Homer's illustrious work, the King of Ithaca claimed to be called Nobody in response to the giant who forced him to give his name; a ruse that allowed him and his companions in misfortune not to be chased by the other Cyclopes once out of the clutches of Polyphemus. Like the anonymity that saved Ulysses and his companions, the challenge of open processing of health data lies in the identification, or a contrario in the impossibility of identifying, the persons concerned by the medical data disseminated and exploited. And this is true whether this identification is direct or indirect, by reference to an identifier or to any element specific to the person which, alone or combined with others, would make it possible to trace individuals. It should be noted that medical data are particularly sensitive information within the meaning of the GDPR [58], which requires that the data be processed in such a way as to guarantee appropriate security by means of appropriate technical or organisational measures, in particular through integrity and confidentiality. To this end, numerous tools, of differing techniques and effectiveness, are available to provide guarantees relating to data security and the effectiveness of fundamental rights. Among these techniques, it is essential to mention pseudonymisation, which is widely used and is defined in the Regulation as the processing of personal data in such a way that they can no longer be attributed to a specific person without additional information [59]. A definition that covers various techniques commonly used in health research such as « the use of a table of correspondence between the pseudonymous (coded) dataset and separately stored identity data, typically used in clinical trials; hash functions used with secrecy that allow data relating to an individual to be chained together and tracked over time without making it possible to identify the individual (Mandatory Reporting of Diseases, PMSI, SNIIRAM, etc.) » [60]. These data remain subject to the GDPR insofar as, being merely pseudonymised, they still allow the re-identification of individuals, whether via a key or an encryption code. Anonymisation, on the other hand, consists in making it totally impossible in practice to identify the person by any means whatsoever and in an irreversible manner; an irreversibility which, if effective, implies that the anonymised data are no longer of a personal nature and therefore no longer fall within the scope of the GDPR. However, in order for an anonymisation solution to be efficiently constructed, the G29 [61] proposes three indicative criteria, which are the tests of individualisation, i.e. the impossibility of isolating some or all of the records identifying an individual in the dataset; correlation, i.e. the inability to link together two or more records relating to the same data subject or group of data subjects (either in the same database or in two different databases); and finally inference, i.e. the inability to infer, with a high degree of probability, the value of an attribute from the values of a set of other attributes [62]. In any case, « since no technique can make data 100% anonymous, it is recommended either to fully inform individuals or to obtain the opinion of the CNIL on the proposed anonymisation process before proceeding with such a project », particularly with regard to sensitive data such as health data [63]. This is a particularly interesting technique since, in the context of open data, anonymisation could represent, according to the CNIL, a possible avenue for open processing of health data by implementing a system for online publication of public information without personal data [64]. The general idea of anonymisation is expressed both by transforming data so that they no longer refer to a real person and by generalising them so that they are no longer specific to an individual but common to a group of people [65]. A technique that fits relatively well with the ambition of a European system of medical data processed as common property resources open to all. Thus, « although the unavoidable constraint of anonymisation limits the use of data in certain cases, making it available to the public is complementary to making it available to more specialised actors and also has a significant potential for social utility and enhancement » [66], while providing the necessary guarantees for the respect of fundamental rights by not allowing the identification of individuals. However, the deployment of such a database, usable by all as open data, is not done overnight, but must be implemented step by step to guarantee the efficiency and security of the envisaged system.

[58] Regulation (EU) 2016/679, ibid (article 5.1).
[59] Regulation (EU) 2016/679, ibid (article 4.5).
[60] F. Lesaulnier, « Recherche en santé et protection des données personnelles à l’heure du RGPD », Op. cit.
[61] Article 29 Working Party, Op. cit.; CNIL, « Le G29 publie un avis sur les techniques d'anonymisation », cnil.fr, 16 April 2014, https://www.cnil.fr/fr/le-g29-publie-un-avis-sur-les-techniques-danonymisation (accessed 9 April 2020).
[62] C. Galichet, « Données personnelles : anonymisation ou pseudonymisation ? », Village de la Justice, 17 January 2017, https://www.village-justice.com/articles/donnees-personnelles-anonymisation-pseudonymisation,26194.html (accessed 9 April 2020).
[63] C. Galichet, « L’anonymisation des données personnelles selon le conseil d’État : arrêt JCDecaux du 8 février 2017 », Village de la Justice, 21 March 2017, https://www.village-justice.com/articles/anonymisation-des-donnees-personnelles-selon-Conseil-Etat-arret-JCDecaux,24541.html (accessed 9 April 2020).
[64] CNIL, « L’anonymisation des données, un traitement clé pour l’open data », cnil.fr, 17 October 2019, https://www.cnil.fr/fr/lanonymisation-des-donnees-un-traitement-cle-pour-lopen-data (accessed 9 April 2020).
[65] CNIL, « Le G29 publie un avis sur les techniques d’anonymisation », cnil.fr, 16 April 2014, https://www.cnil.fr/fr/le-g29-publie-un-avis-sur-les-techniques-danonymisation (accessed 9 April 2020).
[66] H. Caillol, « Ouverture des données de santé : l’expérience de l’Assurance maladie », Informations sociales, vol. 191, no. 5, 2015, pp. 60-67.
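The two pseudonymisation techniques named in the quoted passage (a correspondence table kept apart from the coded dataset, and a secret-keyed hash that chains a person's records over time) and the reason such data remain personal under the GDPR (whoever holds the table or the key can re-identify) can be shown in a few lines. The following Python is an added example, not code from the paper or from any system it mentions; the patient identifiers, visits and the key are constructed sample values.

```python
"""Pseudonymisation by correspondence table and by keyed hash.

Added illustration, not the paper's code: the patient identifiers, visits and
the key are constructed sample values."""
import hashlib
import hmac
import secrets

# Constructed records keyed by a direct identifier.
RAW_RECORDS = [
    {"patient_id": "P-00017", "visit": "2020-01-10", "diagnosis": "I10"},
    {"patient_id": "P-00017", "visit": "2020-03-02", "diagnosis": "I10"},
    {"patient_id": "P-00042", "visit": "2020-02-14", "diagnosis": "E11"},
]


class CorrespondenceTable:
    """Clinical-trial style: random codes, with the identity table kept apart."""

    def __init__(self):
        self._id_to_code = {}
        self._code_to_id = {}

    def pseudonymise(self, identifier):
        if identifier not in self._id_to_code:
            code = "SUBJ-" + secrets.token_hex(4)
            self._id_to_code[identifier] = code
            self._code_to_id[code] = identifier
        return self._id_to_code[identifier]

    def reidentify(self, code):
        """Whoever holds the table can reverse the mapping: still personal data."""
        return self._code_to_id.get(code)


def keyed_hash_pseudonym(identifier, key):
    """Secret-keyed hash (HMAC-SHA256, truncated for readability).

    The same person always receives the same code, so records can be chained
    over time; without the key the code cannot be recomputed, which is why the
    text insists on hash functions 'used with secrecy'."""
    return hmac.new(key, identifier.encode(), hashlib.sha256).hexdigest()[:16]


def pseudonymise_dataset(records, key):
    """Replace the direct identifier with the keyed-hash pseudonym."""
    out = []
    for record in records:
        row = dict(record)
        row["pid"] = keyed_hash_pseudonym(row.pop("patient_id"), key)
        out.append(row)
    return out


def chain_visits(pseudonymised):
    """Longitudinal view per pseudonym, with no identity attached."""
    chains = {}
    for row in pseudonymised:
        chains.setdefault(row["pid"], []).append(row["visit"])
    return chains


def resolve_with_key(pseudonymised, candidate_ids, key):
    """The 'additional information' of Art. 4.5: the holder of the key and of a
    list of identifiers re-identifies every pseudonym by recomputation."""
    lookup = {keyed_hash_pseudonym(i, key): i for i in candidate_ids}
    return {row["pid"]: lookup.get(row["pid"]) for row in pseudonymised}
```

The point the block makes is the one the text makes: both the table and the key are "additional information" in the sense of the Regulation, so their custody (separate storage, restricted access) is what the pseudonymisation guarantee actually rests on, and a release built this way is not anonymous.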
2) A French educational and progressive approach to the protection of persons

A health database system in open data, available to everyone, leaves no one indifferent, constituting countless opportunities for medical research and development for some, and a source of fears and queries for others. It is clear that « technological and social developments, such as the rise of general or private interests in access to medical data, create a particularly unstable situation and call for fine-tuning which, in principle, is the responsibility of the legislator and, for their implementation, of the regulatory authority and the judge » [67]. These adjustments have been made in an educational manner by the French legislator in the course of the reforms that have followed one another since the first data regulation in 1978 [68]. It is one thing to envisage a global health database in open data, but to have this famous data at one's disposal is quite another; and on this point, the source has been found entirely in the valorisation of the health insurance system, given the multitude and heterogeneity of the information at its disposal. The French approach, whether anticipated in the long term or simply improved over time, was built on the creation of a database gradually enriched by progressively enhanced openings. Thus, the creation of a National Inter-scheme Health Insurance System (SNIIRAM) was provided for in the Social Security Financing Act for 1999 and, « after several years of technical work and with the agreement of the CNIL, a data warehouse was set up in 2003, then supplemented and enriched (in particular through the creation of the shared medical file and the pharmaceutical file) over the years, constituting today a very rich source of information on the health of the population and the functioning of the health care system » [69]. Modalities for implementing access, collection and processing of health data were specified by the law of 26 January 2016 [70], which completely redefines the policy of access to health data in favour of greater openness, resulting in the grouping of all health databases into a single file, the National Health Data System (NHDS), composed, among others, of the SNIIRAM, and the creation of a national institute to process requests for authorisation to access data in accordance with the authorised purposes of processing. The movement towards open data has recently continued with the adoption of the Law on the Organisation and Transformation of the Health System [71], which provides both for the expansion of the National Health Data System (NHDS) and the creation of the Health Data Hub. In other words, the text provides for the expansion of the NHDS to include a large number of data sources, particularly clinical data and data collected during procedures covered by the health insurance system (results of biological analyses, imaging, medical reports, etc.), by creating a Health Data Hub that is both a technological platform and the institute that administers it. It should be specified that it is not yet a question of « setting up a single national database, but of ensuring that for all these data sources, the rules of access and secure processing are the same to allow better legibility for all stakeholders » [72].

[67] J-M. Sauvé, « Intervention de Jean-Marc Sauvé lors des septièmes entretiens du Conseil d’État en droit social », Op. cit.
[68] Law No. 78-17 of 6 January 1978, ibid.
[69] C. Gissot, D. Polton, « Les bases de données de l’assurance-maladie : un potentiel pour l’amélioration du système de santé et pour la recherche », Statistique et Société, Vol. 2, No. 2, May 2014, pp. 19-24.
[70] Law No. 2016-41 of 26 January 2016 on the modernisation of our health system, JORF No. 0022 of 27 January 2016.
An opening that has been strengthened as successive texts have been adopted, achieved gradually in stages, which has made it possible to learn from the various intervening experiences. It does indeed appear from the experience of the SNIIRAM system that opening up the data is not in itself enough, but that it is necessary to provide for a user support programme and to address the technical difficulties of protecting the confidentiality of personal data. Materially, « in order to be able to use and query the databases in a relevant and effective way, users need a better knowledge of the data, which mainly comes from reimbursements made by the Sickness Insurance and which were not initially collected for study purposes »; this implies raising awareness and implementing a complete and specific educational offer « on the framework of data use, providing documentation, support and computer and data processing tools adapted for use outside the institution » [73]. As regards the technical difficulties posed by respect for data confidentiality, tests are regularly carried out. For example, a Health Hackathon was organised on 26 January 2015 in collaboration with the Etalab mission [74], which highlighted the challenges to be met in terms of the skills to be developed in analysing the risks of re-identification for anonymisation and in supporting users [75]. An open health database would therefore be based on two fundamental pillars: the guarantee of data confidentiality via anonymisation techniques that do not allow the re-identification of individuals, and a two-tier policy of making the actors in the system accountable. The first level would be to raise awareness of the role of the persons concerned by health data, who, under cover of anonymity, and following the same pattern as the regulations on organ donation [76], become health data donors in order to participate in the improvement of their own health care system. The second, through the empowerment of data users, favours a system of support and then cooperation, instead of a system of analysis and authorisation of processing that is costly in institutional resources and time, thus advocating greater trust through a technique of training and structural compliance of organisations with regard to the processing of medical data. An orientation of the legal governance model of health data for open use which, initially governed by the protection of the individual rights of data subjects, now tends towards greater openness and user accountability; a choice of governance that is not without risks.

[71] Law No. 2019-774 of 24 July 2019 relating to the organisation and transformation of the health system, JORF No. 0172 of 26 July 2019.
[72] Institut National des Données de Santé (INDS), « Impact de la loi relative à l’organisation et à la transformation du système de santé sur les données de santé », Mise en place du Health Data Hub, Plateforme des données de santé, https://www.indsante.fr/fr/impact-de-la-loi-relative-lorganisation-et-la-transformation-du-systeme-de-sante-sur-les-donnees-de (accessed 9 April 2020).
[73] H. Caillol, « Ouverture des données de santé : l’expérience de l’Assurance maladie », Op. cit.
[74] Etalab coordinates, within the General Secretariat for the Modernisation of Public Action, the action of the State services and its public institutions in terms of data opening.
B. The risks of open medical data governance

Health data as a common property resource in an open movement, to enable an effusion of science and technology in the medical field for the improvement of patient care: why not. However, despite the security systems implemented around data protection, this open data movement carries significant risks that must be taken into account.

1) Risks related to the security of open data

According to the Villani report of 2018, « the public authorities must [...] initiate new modes of production, collaboration and governance of data, through the creation of data commons » [77]. By providing France, and more generally the European Union, with a common health data system, « the aim is nothing less than to counter the intensive deployment of American giants in the field of artificial intelligence and to reopen a competitive space for small and medium-sized players who will be able to access this data » [78], thus avoiding the loss of autonomy of national public systems in the face of the continuous rise of these new global digital players.

[75] See details of the experiment in H. Caillol, « Ouverture des données de santé : l’expérience de l’Assurance maladie », Op. cit.
[76] Law No. 76-1181 of 22 December 1976 on organ removal.
[77] See « Donner un sens à l’intelligence artificielle, pour une stratégie française et européenne », by Cédric Villani, on https://www.aiforhumanity.fr.
[78] V. Peugeot, « Données de santé : contours d'une controverse », L'Économie politique, 2018/4 (No. 80), pp. 30-41.
Prospects for an open data system based on a truly central issue of data security in the context
of data processing, insofar as it constitutes both a compliance tool for the protection of
pseudonymised personal data, and a legal obligation to publish open databases in such a way
as to make it impossible to directly or indirectly identify the persons concerned
79
.
Anonymisation is thus both a condition for the use of open databases and an essential tool for
the confidentiality of health data that is supposed to guarantee the protection of the privacy of
the data subjects. However, there is no unanimous agreement on anonymisation, both in terms
of the techniques used and from the point of view of security with regard to the legal guarantees
to be provided. Indeed, despite the appearances and virtues attributed to it, anonymisation being
particularly complex and rarely « 100% effective »
80
, it carries many risks.
Criticism arises first from the fact that the anonymisation of data, whether medical or not, relies on techniques that consist of altering the database. Some techniques are perturbative: they alter the accuracy of the data itself in order to weaken the link between a record and an individual, so that a value becomes too uncertain to be tied to a particular person (for example, a height or a weight is no longer recorded to the centimetre or the kilogram but to the nearest ten). Others are non-perturbative, notably k-anonymisation, which dilutes the attributes of the persons concerned by coarsening their scale or order of magnitude (a date given by month rather than by week, a location at the scale of a region rather than a city, etc.). These techniques are necessary for data confidentiality, but they also raise scientific difficulties for exploitation. Health data are not harmless, and altered data can only lead to results whose unreliability may greatly affect the expected medical usefulness. Thus, since the aim is to enable the development of medical research and the improvement of the care provided to patients, anonymisation techniques applied in this particular context may, although this is not their initial objective, end up rendering health data unusable, or even lead to results that are potentially dangerous for patients. In addition to the risks to health security linked to exploiting results derived from altered medical data, the validity of these techniques is also criticised in an environment of digital insecurity and of the massification of data known as big data.
[79] See article L. 1461-2 of the French Public Health Code.
[80] C. Galichet, « Données personnelles : anonymisation ou pseudonymisation ? », Op. cit.
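The two families of techniques described above can be made concrete on a small extract. The following is an added example, not code from the paper or from any French health data programme: the records, the quasi-identifier choice (age, postcode, sex), the rounding step and the generalisation parameters are all constructed for illustration. It applies a perturbative change (rounding weight to the nearest ten) and a non-perturbative change (age bands, truncated postcodes), then checks the k-anonymity of the result and measures the scientific cost as the shift of a clinical mean.

```python
"""Added example (not from the paper): perturbative vs non-perturbative
anonymisation of a constructed health extract, with a k-anonymity check
and a crude utility measure."""
from collections import Counter
from statistics import mean

# Constructed sample records; values are invented for illustration.
RECORDS = [
    {"age": 34, "postcode": "13001", "sex": "F", "weight_kg": 61, "diagnosis": "asthma"},
    {"age": 36, "postcode": "13002", "sex": "F", "weight_kg": 58, "diagnosis": "migraine"},
    {"age": 52, "postcode": "13008", "sex": "M", "weight_kg": 88, "diagnosis": "diabetes"},
    {"age": 57, "postcode": "13009", "sex": "M", "weight_kg": 94, "diagnosis": "hypertension"},
    {"age": 29, "postcode": "69001", "sex": "F", "weight_kg": 66, "diagnosis": "asthma"},
    {"age": 71, "postcode": "75015", "sex": "M", "weight_kg": 79, "diagnosis": "diabetes"},
    {"age": 68, "postcode": "75012", "sex": "M", "weight_kg": 82, "diagnosis": "hypertension"},
]
# Attributes that, combined, could single a person out (assumed choice).
QUASI_IDENTIFIERS = ("age", "postcode", "sex")


def perturb_weight(record, step=10):
    """Perturbative technique: round a measurement to the nearest `step`
    (the paper's 'no longer to the kilogram' example)."""
    out = dict(record)
    out["weight_kg"] = int(round(record["weight_kg"] / step) * step)
    return out


def generalise(record, age_band=10, postcode_digits=2):
    """Non-perturbative technique: coarsen the quasi-identifiers (age to a
    band, postcode to its leading digits) without touching clinical values."""
    out = dict(record)
    low = (record["age"] // age_band) * age_band
    out["age"] = f"{low}-{low + age_band - 1}"
    pc = record["postcode"]
    out["postcode"] = pc[:postcode_digits] + "*" * (len(pc) - postcode_digits)
    return out


def equivalence_classes(records, keys=QUASI_IDENTIFIERS):
    """Count records sharing the same quasi-identifier tuple."""
    return Counter(tuple(r[k] for k in keys) for r in records)


def k_anonymity(records, keys=QUASI_IDENTIFIERS):
    """Smallest equivalence class: k == 1 means at least one record is unique."""
    return min(equivalence_classes(records, keys).values())


def utility_loss(original, anonymised, field="weight_kg"):
    """Absolute shift of the mean of a clinical field, a crude measure of the
    scientific cost that the paper warns about."""
    return abs(mean(r[field] for r in original) - mean(r[field] for r in anonymised))


def anonymise(records, age_band=10, postcode_digits=2, weight_step=10):
    """Apply both techniques to every record."""
    return [perturb_weight(generalise(r, age_band, postcode_digits), weight_step)
            for r in records]


if __name__ == "__main__":
    print("k before          :", k_anonymity(RECORDS))
    print("k, 10-year/dept   :", k_anonymity(anonymise(RECORDS)))
    print("k, 20-year/no code:", k_anonymity(anonymise(RECORDS, age_band=20, postcode_digits=0)))
    print("mean weight shift :", utility_loss(RECORDS, anonymise(RECORDS)))
```

Run as is, the raw extract has k = 1 (every record is unique on its quasi-identifiers). Ten-year age bands with department-level postcodes still leave the Lyon and Paris records unique, so k stays 1; only twenty-year bands with the postcode dropped entirely reach k = 2, and the weight rounding already shifts the sample mean. That is the trade-off the paragraph describes: the coarser the data, the weaker the link to a person, and the less it is worth to research.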
The first risk of such a system is the external security of the database. Indeed, accessibility to all within the framework of open data and the dispersion of databases, « in the hands of many companies more or less accustomed to handling sensitive data, mechanically induce an increase in the risks of data leakage, either inadvertently (a technical subcontractor not very demanding) or as a result of dirty tricks » [81]. In terms of cybercrime, numerous security breaches and leaks, via data theft for example, are regularly revealed [82], of varying seriousness. All of them, however, are unacceptable, particularly in view of the particular sensitivity of medical data. Secondly, it is indisputable that « health data are generated on an ever-increasing scale, collected and stored by a growing number of actors, used for purposes that are constantly diversifying (; a) triple boom that is not without raising many problems », particularly with regard to the security of personal information [83]. This situation will not be helped by the intention to make data available in open access, combined with the general massification of digital information. Indeed, « health data can come from different sources, are of different natures and are stored on different media which usually have their own rules of collection and access (;) medical data from patients are stored in medical records that include biological, genetic, imaging data, etc. (;) lifestyle data are most often collected through questionnaires distributed within the health system or for research purposes » [84], but also so-called well-being data from the many applications and connected objects (watches, bathroom scales and applications for monitoring weight, sleep or physical activity, etc.) that provide a large amount of information on our habits and our general state of health. Thus « the greater the number of databases, the more cross-referencing between databases is possible (or even inevitable), and the greater the risk of re-identifying data that is nevertheless anonymous » [85]; this is a risk of interoperability between the different database sources available to organisations, producing a map [86] retracing all the traces of the digitised individual. Such cross-referencing of information makes it possible to trace back to the individuals concerned [87], rendering ineffective the anonymisation technique that is supposed to guarantee the
[81] V. Peugeot, « Données de santé : contours d'une controverse », Op. cit.
[82] See « Ransomware attack on Hancock Health drives providers to pen and paper », Healthcareitnews, 15 January 2018; see https://www.cyberveille-sante.gouv.fr.
[83] V. Peugeot, « Données de santé : contours d'une controverse », Op. cit.
[84] E. Rial-Sebbag, « Chapitre 4. La gouvernance des Big data utilisées en santé, un enjeu national et international », Op. cit.
[85] V. Peugeot, « Données de santé : contours d'une controverse », Op. cit.
[86] S. Paricard, « Le corps numérique », Les affres de la qualification juridique, LGDJ, Conference Proceedings, 2015.
[87] See the experience of the Australian government in 2016 with the re-identification of anonymised medical expense reimbursement data of 2.9 million Australians, covering the period from 1984 to 2014, in « Research reveals de-identified patient data can be re-identified », phys.org, 18 December 2017.
confidentiality of the data. Since avoiding the re-identification of individuals is a central issue in the implementation of open health data, the model is being questioned both technically and legally in order to provide solutions. Among the avenues envisaged is a different way of evaluating anonymisation: no longer on the basis of a strict distinction between anonymous data and personal data, resting on the pure and simple impossibility of re-identifying the persons concerned; nor in purely technical terms based on the criteria of individualisation, correlation or inference, which, in the current context of big data, would compromise access to resources and the expected social health utility too significantly. It would therefore no longer be a matter of a condition of strict impossibility of re-identification, but of an approach based on the risk of re-identification. This vision defends the idea « of a revision of data protection mechanisms that would go beyond the distinction between personal data and anonymous data, to move towards a more quantitative evaluation of the probability of re-identification » [88], the objective being a proportionality calculation between the utility of the envisaged processing and the respect of the privacy of the data subjects. This is an interesting approach insofar as the juxtaposition of big data and open data jeopardises the guarantee of the security of health data, and a risk-based approach does make it possible to limit serious attacks on the privacy of individuals. That said, the risk-based approach is aptly named: it accepts both minor and major risks to data security. Moreover, since the consent requirement already admits many exemptions in this area, particularly with regard to public services in the health system, which provide most open databases, the individual is once again not consulted on the calculation of the risk. It is therefore a question of carefully evaluating the criteria that determine when the invasion of privacy is acceptable with regard to the usefulness of the processing, but also of controlling this subjective, even arbitrary, decision in order to provide sufficient guarantees. This is a further problem that compounds the other risks inherent in open data.
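The two preceding passages, the cross-referencing that traces back to individuals and the proposal to replace a binary anonymous/personal test with a quantitative probability of re-identification, can be shown together. The following is an added example, not from the paper and not modelled on any actual French or Australian release: the released extract, the auxiliary register (standing in for an electoral roll or a profile scrape), the quasi-identifier choice and the 0.2 acceptance threshold are all constructed assumptions. It performs the linkage attack the text describes and then computes the per-record re-identification probabilities a risk-based evaluation would rely on.

```python
"""Added example (not from the paper): a linkage attack that cross-references
a released 'anonymised' health extract with a constructed public register,
followed by the quantitative re-identification risk of the release."""
from collections import Counter, defaultdict

# Attributes the release keeps and the register also carries (assumed).
QUASI_IDENTIFIERS = ("birth_year", "postcode", "sex")

# Constructed release: direct identifiers removed, quasi-identifiers kept.
RELEASED = [
    {"birth_year": 1986, "postcode": "13001", "sex": "F", "diagnosis": "asthma"},
    {"birth_year": 1968, "postcode": "13008", "sex": "M", "diagnosis": "diabetes"},
    {"birth_year": 1968, "postcode": "13008", "sex": "M", "diagnosis": "hypertension"},
    {"birth_year": 1991, "postcode": "69001", "sex": "F", "diagnosis": "migraine"},
]

# Constructed auxiliary register carrying names beside the same attributes.
AUXILIARY = [
    {"name": "A. Dupont", "birth_year": 1986, "postcode": "13001", "sex": "F"},
    {"name": "B. Martin", "birth_year": 1968, "postcode": "13008", "sex": "M"},
    {"name": "C. Bernard", "birth_year": 1968, "postcode": "13008", "sex": "M"},
    {"name": "D. Petit", "birth_year": 1991, "postcode": "69001", "sex": "F"},
    {"name": "E. Durand", "birth_year": 1991, "postcode": "69003", "sex": "F"},
]


def qi_key(record, keys=QUASI_IDENTIFIERS):
    """Tuple of quasi-identifier values used as the join key."""
    return tuple(record[k] for k in keys)


def link(released, auxiliary, keys=QUASI_IDENTIFIERS):
    """Join the release to the register on quasi-identifiers. A record is
    re-identified only when exactly one released record and exactly one
    registered person share the key; any other case stays ambiguous."""
    aux_index = defaultdict(list)
    for person in auxiliary:
        aux_index[qi_key(person, keys)].append(person["name"])
    release_count = Counter(qi_key(r, keys) for r in released)
    hits = {}
    for r in released:
        key = qi_key(r, keys)
        names = aux_index.get(key, [])
        if release_count[key] == 1 and len(names) == 1:
            hits[names[0]] = r["diagnosis"]
    return hits


def reidentification_risk(released, keys=QUASI_IDENTIFIERS):
    """Risk metrics from equivalence-class sizes inside the release:
    max_risk     1/k of the smallest class (worst-case record),
    average_risk mean of 1/k over all records,
    uniqueness   share of records alone in their class."""
    classes = Counter(qi_key(r, keys) for r in released)
    per_record = [1 / classes[qi_key(r, keys)] for r in released]
    n = len(released)
    return {
        "max_risk": max(per_record),
        "average_risk": sum(per_record) / n,
        "uniqueness": sum(1 for p in per_record if p == 1.0) / n,
    }


def acceptable(released, threshold=0.2, keys=QUASI_IDENTIFIERS):
    """Risk-based release rule: accept only if no record can be singled out
    with probability above `threshold` (illustrative value, not a legal one)."""
    return reidentification_risk(released, keys)["max_risk"] <= threshold


if __name__ == "__main__":
    print("re-identified:", link(RELEASED, AUXILIARY))
    print("risk:", reidentification_risk(RELEASED))
    print("acceptable:", acceptable(RELEASED))
    print("risk on sex only:", reidentification_risk(RELEASED, keys=("sex",)))
```

Two of the four released records are unique on their quasi-identifiers and match exactly one person in the register, so their diagnoses are attributed to named individuals; the two 1968/13008/M records share a class and stay ambiguous. The risk metrics make the same fact quantitative (max risk 1, half the records unique), which is what a proportionality calculation would weigh against the utility of the release; restricting the key to the sex attribute alone drops the worst-case risk to 0.5, showing how strongly the figure depends on which attributes are published.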
2) Risks related to the choice of an open data governance model
In view of the difficulties seen above in ensuring the security of health data in an open data model by technical means, the governance system must necessarily implement strong legal means. Thus, even if data security still deserves to be improved, « without opening the debate on the ownership of data, which it is not useful to try to resolve in order to position oneself in relation
[88] H. Tanghe, P-O. Gibert, « L'enjeu de l'anonymisation à l'heure du big data », Revue française des affaires sociales, p. 79-93.
to open data, it is fundamental to understand that the recognition of the right and interest to access this data is more a question of responsibility than of security » [89]. And in this field, the trend in recent years has been not so much towards traditional legal liability, which only comes into play in a second phase, but rather towards social responsibility; a movement from which the model of data governance, whether for health data or not, is no exception. While the concept is gaining significant ground in environmental matters, particularly through the development of corporate social responsibility, in reality no legal area is exempt, not even criminal matters. Thus, governance through accountability must be understood as a field combining different components: accountability as the integration of ethical norms, cooperative governance taking the various stakeholders into consideration and, where appropriate, accountability in its judicial sense, intended to engage the liability of the actors concerned [90]. In this sense, « the principle of responsibility, which consists in answering for one's actions before others, has undergone very diverse adaptations, sometimes as a legal liability exercising a coercive normative constraint, sometimes as an economic mechanism, sometimes as a moral imperative, sometimes as a mechanism of governability » [91]. This is an interesting angle, which revolves around governance by risk and the autonomy of actors, from which neither the GDPR nor national data processing laws are exceptions, but which is itself a vector of risk. It turns out that « traditionally, the most protective mechanism is based on the technique of prior authorisation, which consists in allowing the use of a freedom only after having obtained the approval of the administration, which has a real power of censorship (while in contrast) the legislator may choose to allow the administration only to intervene a posteriori, by sanctioning a misuse of the legal use of medical data (, but also choose an intermediate regime) which consists of setting up a declaratory system requiring the citizen to identify himself to facilitate any subsequent control » [92]. Thus, among the possible options, the GDPR [93] and the French provisions modify the approach to the protection of personal data, moving from a method based largely on the existence of prior formalities to an accountability logic based on the concepts of compliance and responsibility. In concrete terms, this means
[89] M. Léo, « Patient connecté et données de santé : les vrais risques », I2D Information, données & documents, 2016/3 (Vol. 53), p. 65-66.
[90] C. Darnault, « SMEs against economic litigation », Humanities and Society, Aix-Marseille University (AMU), 2018. French.
[91] O. Costa, N. Jakbo, C. Lequesne, P. Magnette, « La diffusion des mécanismes de contrôle dans l'Union Européenne : vers une nouvelle forme de démocratie ? », Revue française de science politique, 2001, Vol. 51, No. 6, p. 859.
[92] E. Pechillon, « L'accès ouvert aux données de santé : la loi peut-elle garantir tous les risques de dérives dans l'utilisation de l'information ? », L'information psychiatrique, 2015/8, Vol. 91, p. 645-649.
[93] Regulation (EU) 2016/679, ibid (Articles 24 and 74).
that it is no longer « just a question of actors applying for authorisation from the CNIL; they must also ensure, when setting up a project involving the processing of personal data, and then throughout the life of the project, in full responsibility, that data protection principles are respected and, above all, they must be able to demonstrate this at any time in the event of a CNIL audit » [94].
Such a policy of accountability certainly has benefits in terms of ease of access to data and an increase in the potential processing operations carried out in the name of medical research. Nevertheless, relying on the good faith, compliance and accountability of the actors is not without risk, insofar as this governance policy, although it has allowed innovative advances in other areas, has just as widely demonstrated its limits. A policy of accountability through compliance in an open data context, where the objective remains the protection of individual rights, requires colossal means of control. Indeed, approaching open data through a compliance regime can be daunting in an environment where standards are not always easy for everyone to read and understand, especially for small organisations, or where data protection regulations are applied in a purely mechanical way in mass contracts within a digital market dominated by international megastructures. These even go beyond the respective national sovereignties in some respects, and their different data governance models compete rather than align. Indeed, while the regulatory authority retains some control over the legality of processing through prior authorisation requests, in the case of free access to data for all the issue is quite different. Relying on compliance in this way must be accompanied by a considerable control system, with resources commensurate with the operation, to deter any lack of compliance or abuse. On this point, it would appear that regulators rely on a sanctioning regime whose deterrent effect is meant to prevent the risk of regulatory violations. Thus, « the spectacular increase in the thresholds of fines that may be imposed by the CNIL for violations of the protection granted to personal data, coupled with the strengthening of controls » suggests that « compliance with legal provisions is becoming a major economic issue for data controllers ». Indeed, « although the CNIL takes into account the size of the structure, the seriousness of the violation, and whether it is repeated or not, to determine the amount of the sanctions, its recent fine of 50 million euros against Google shows that it intends to make full use of the leeway granted to it and should serve as an example to the net giants to ensure real and serious
[94] F. Lesaulnier, « Recherche en santé et protection des données personnelles à l'heure du RGPD », Op. cit.
compliance » [95]. However, although a famous saying has it that one can achieve much more with a kind word and a gun than with a kind word alone [96], will the risk run by offenders be enough to guarantee people's rights? Will the regulatory authority have enough guns to point them efficiently at the organisations processing health data? With data accessible to all, will the CNIL be able to guarantee the effectiveness of rights at every level of organisational or geographic circulation of medical data? So many questions remain unanswered in a governance model for open health data that is gradually evolving, both technically and legally, to reconcile as best it can the social utility of medical data processing and respect for the privacy of the people concerned. The aim is to define the modalities of a governance system for responsible access to health data, to be distinguished from an unconditional capture of it, which is already subject to technical difficulties specific to artificial intelligence technologies themselves. Although these problems are not specific to health data processing but common to all technologies resulting from statistical and algorithmic systems, they should not be avoided. Apart from the technical and legal flaws in the opening up of health data, there is also the question of the intrinsic biases of their processing. In addition to a policy of risk and of compliance with the data protection regime, the scientific community is highlighting the social biases carried by the data, and is also making those involved in data processing responsible for complying with a precautionary principle, encouraging them to be vigilant and increasingly involved in the transparency of algorithmic systems. It turns out that « algorithms are becoming more and more involved in our daily lives, like decision support algorithms (recommendation or scoring algorithms), or autonomous algorithms embedded in intelligent machines (autonomous vehicles) »; thus, while they are widely « deployed in many sectors and industries for their efficiency, their results are increasingly discussed and contested (to the extent that) they are accused of being black boxes and of leading to discriminatory practices based on gender or ethnic origin » [97]. Materially, systems that learn from the data provided to them, data which themselves come from our societies with all the inequality and discrimination they may contain, combined with the choices made by their users, produce results that reflect the samples on which they are based. In other words, they pose difficulties with regard to fundamental rights. When we see that certain algorithms still confuse African-American individuals with gorillas [98], that the success rate of speech
[95] I. Fréret, « Une responsabilité accrue pour les acteurs du RGPD », I2D Information, données & documents, p. 21-24.
[96] E. Netter, « Regards sur le nouveau droit des données personnelles », Op. cit.
[97] P. Bertail, D. Bounie, S. Clémençon, P. Waelbroeck, « Algorithmes : Biais, Discrimination et Équité », 2019.
[98] O. Robillard, « L'intelligence artificielle distingue mal les femmes noires », L'ADN Innovation, 12 February 2018, https://www.ladn.eu/tech-a-suivre/ia-machine-learning-iot/sexisme-racisme-quand-lintelligence-artificielle-se-trompe/ (accessed 15 April 2020).
recognition systems varies in a discriminatory manner according to under-represented languages or tones [99], and that predictive justice systems condemn certain categories of the population to a greater extent [100], it is necessary to approach the processing of health data, and also the results obtained from the algorithms that learn from them, with particular caution. If data protection regulations are mainly aimed at protecting privacy, for obvious reasons, they do not stop there. Indeed, several decades ago already, Council of Europe Convention 108 warned of the difficulties raised by the exercise of complete freedom to process information which, under certain conditions, may affect the enjoyment of fundamental rights other than privacy, such as the rights to non-discrimination and to a fair trial [101]. A fundamental right to data protection should therefore not be understood simply as data security, but should be considered by the system of data governance, whether for health or other data, in a comprehensive manner, as a fundamental right that must not infringe on the privacy of individuals, lead to or reproduce discrimination, or give rise to limitations on freedom of expression.
[99] Y. Demeure, « La reconnaissance vocale automatisée coupable de discrimination raciale ? », SciencePost.fr, 7 April 2020, https://sciencepost.fr/la-reconnaissance-vocale-automatisee-coupable-de-discrimination-raciale/ (accessed 15 April 2020).
[100] J.-M. Sauvé, Conference organised on the occasion of the bicentenary of the Bar Association at the Council of State and the Court of Cassation, Court of Cassation, 2018; the United States Solicitor General also filed a brief to defend COMPAS. See Brief for the United States as Amicus Curiae, Loomis v. Wisconsin, 137 S. Ct. 2290 (2017) (No. 16-6387), 2017 WL 2333897.
[101] J-M Deltorn, « La protection des données personnelles face aux algorithmes prédictifs », Op. cit.
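The vigilance the preceding paragraph asks of those who process health data with learning systems has a concrete form: measuring whether a model's errors fall evenly across population groups. The following is an added example, not code from the paper or from any named system: the audit sample (a hypothetical triage model predicting whether a patient needs follow-up), the two groups and the 0.1 gap threshold are constructed for illustration. It computes per-group false negative and false positive rates and flags any gap that exceeds the threshold, which is the check that exposes a model reproducing the imbalance of its training sample.

```python
"""Added example (not from the paper): auditing a model's error rates per
population group on a constructed sample."""
from collections import defaultdict

# Constructed audit sample: (group, true_label, predicted_label).
# Hypothetical triage model: 1 = needs follow-up, 0 = does not.
SAMPLE = [
    ("A", 1, 1), ("A", 1, 1), ("A", 1, 1), ("A", 0, 0), ("A", 0, 0), ("A", 0, 1),
    ("B", 1, 0), ("B", 1, 0), ("B", 1, 1), ("B", 0, 0), ("B", 0, 0), ("B", 0, 0),
]


def error_rates(sample):
    """Per-group false negative rate (missed follow-ups) and false positive
    rate (unneeded follow-ups), derived from confusion counts."""
    counts = defaultdict(lambda: {"tp": 0, "fn": 0, "fp": 0, "tn": 0})
    for group, y, y_hat in sample:
        if y == 1:
            counts[group]["tp" if y_hat == 1 else "fn"] += 1
        else:
            counts[group]["fp" if y_hat == 1 else "tn"] += 1
    rates = {}
    for group, c in counts.items():
        positives = c["tp"] + c["fn"]
        negatives = c["fp"] + c["tn"]
        rates[group] = {
            "fnr": c["fn"] / positives if positives else 0.0,
            "fpr": c["fp"] / negatives if negatives else 0.0,
            "n": positives + negatives,
        }
    return rates


def disparity(rates, metric):
    """Largest gap between any two groups for one metric."""
    values = [r[metric] for r in rates.values()]
    return max(values) - min(values)


def audit(sample, max_gap=0.1):
    """Flag the model if any error-rate gap between groups exceeds `max_gap`
    (threshold chosen for illustration, not a regulatory value)."""
    rates = error_rates(sample)
    gaps = {m: disparity(rates, m) for m in ("fnr", "fpr")}
    return {
        "rates": rates,
        "gaps": gaps,
        "flagged": [m for m, g in gaps.items() if g > max_gap],
    }


if __name__ == "__main__":
    result = audit(SAMPLE)
    for group, r in result["rates"].items():
        print(f"group {group}: FNR={r['fnr']:.2f} FPR={r['fpr']:.2f} n={r['n']}")
    print("gaps:", result["gaps"], "flagged:", result["flagged"])
```

On this sample the model misses two thirds of the group B patients who need follow-up while missing none in group A, and it over-refers only in group A; overall accuracy alone (9 of 12 correct) would hide both facts. The point for a data controller is that the audit has to be run on the groups the processing may affect, before the results are acted on, and that the acceptable gap is a policy decision to be recorded, not a value the code can supply.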
In conclusion, if we analyse the system of legal governance of personal data from its beginnings, more than forty years ago now, the designs of governments have evolved, taking into account the explosion in the development of new technologies and artificial intelligence systems. While the 1978 French Data Protection Act (Loi Informatique et Libertés) established that information technology as a whole, and the processing of personal data in particular, should not infringe on human identity or human rights, fundamental principles reiterated within the GDPR, the ambition of an anonymised open data system and the difficulties linked to the development of technologies (big data, digital identity, etc.) are undermining these legal foundations centred on individual protection. In this context, and particularly in the specific case of the processing of health data, because of the general interest that their exploitation conveys, this information can no longer simply be considered as private, specific to the people it concerns, but must, in the name of the common good, be part of a collective public logic, where it is detached from the individuals it identifies, as anonymous common property resources available to all.

The prohibition in principle of the processing of health data, considered particularly sensitive, is in the end only a half-hearted protection. This is because the prohibition, which appears to be a strict and radical protection of individuals, is in fact an exception to all the exemptions from it provided for by the regulation itself on the one hand, and by the room for manoeuvre left to the Member States as regards the regulation of data processing in the specific field of medical information on the other: a point that is in fact left to the full discretion of the national systems, more than a mere margin of manoeuvre for national specificities. All the more so since the open data approach relies on the exploitation of anonymised data which, unlike data treated by other techniques such as pseudonymisation, do not fall within the scope of the GDPR, since in theory they no longer allow the re-identification of individuals. Thus, in practice, the change takes place from a system of governance built around the protection of individuals and respect for their fundamental right to privacy, to a governance by risk where the objective is the possibility of processing health data in the name of social utility and health democracy, to be achieved, as far as possible, through a policy of the least risk of infringement of individuals' rights. This is a system of legal governance no longer defined by the protection of personal data in the context of processing authorised on an ad hoc basis under very specific legal conditions, but rather by a model centred on a fully liberalised open data provision of anonymised data, which must be exploited in a proportionate and responsible manner to limit the risks of re-identification and of infringement of the rights of the data subjects. This is a very different position. And although the many arguments put forward are made in the name of the general interest, the data being considered a key issue for health research, the basic material for the development of medical research and the source of numerous individual opportunities for improving patient care and collective opportunities for health democracy, the approach, interesting and hopeful as it is, is nonetheless debatable in view of the risks it generates.

It is necessary to rely on a conscientious application of the principle of proportionality that is truly responsible in every sense of the word, both in assessing the risks to the rights of individuals against the contribution of the processing to social usefulness, and in the judicial sense of the term, through control measures and sanctions that are attentive to processing operations that would prove manifestly disproportionate. The real challenge of this model of governance of the processing of anonymised health data in open access thus lies in the improvement of the technical tools and legal principles that define anonymisation in concrete terms. But not only that: it is also necessary to provide for public policies that make the regulations legible, and for educational support for organisations and their data controllers, who have become the key players in data processing, so that they can better understand the compliance of their systems. It will also be a question of providing the necessary means, both financial and human, to the regulatory institutions in this area in order to set up truly efficient control which, as soon as data are made available in open access, constitutes the last safeguard against potential violations of individuals' rights. However, to finish on a more optimistic note, the development of technological means and the improvement of deep learning algorithms are such that we cannot yet imagine what tools will be available to us in the future. The scientific community is already at work on the technical difficulties linked to data processing, in particular anonymisation, and on the potential biases resulting from algorithmic systems, for the development of medical technologies at the service of each citizen and of the common good, while respecting fundamental rights.
References
• C. Galichet, « L'anonymisation des données personnelles selon le conseil d'État : arrêt JCDecaux du 8 février
• H. Caillol, « Ouverture des données de santé : l'expérience de l'Assurance maladie », Informations sociales, vol. 191, no. 5, 2015, pp. 60-67.
• C. Gissot, D. Polton, « Les bases de données de l'assurance-maladie : un potentiel pour l'amélioration du système de santé et pour la recherche », Statistique et Société, Vol. 2, No. 2, May 2014, p. 19-24.
• Law No. 2016-41 of 26 January 2016 on the modernisation of our health system, JORF No. 0022 of 27 January
• S. Paricard, « Le corps numérique », Les affres de la qualification juridique, LGDJ, Conference Proceedings, 2015.
• C. Darnault, « SMEs against economic litigation », Humanities and Society, Aix-Marseille University (AMU), 2018. French.
• O. Robillard, « L'intelligence artificielle distingue mal les femmes noires », L'ADN Innovation, 12 February 2018, https://www.ladn.eu/tech-a-suivre/ia-machine-learning-iot/sexisme-racisme-quand-lintelligence-artificielle-se-trompe/ (accessed 15 April 2020).
• E. Rial-Sebbag, « Chapitre 4. La gouvernance des Big data utilisées en santé, un enjeu national et international » (Chapter 4. Governing Big Data for Health, national and international issues). Abstract: the use of health data is increasingly seen as a central issue for research and also for care. The generation of these data is an added value for the conduct of large-scale studies; it is even considered an (r)evolution in the methodology of research, or even for personalised medicine. Several factors have influenced the acceleration in the use of health data (advances in genetics, technology and diversification of sources), leading to a re-questioning of the legal principles for the protection of health data in both French and European law. First, the massive production of data (Big Data) in the field of health affects the quantity and the quality of the data, which consequently reconfigures the tools for the protection of private life and the informational risk. Second, the use of these data is based on existing fundamental principles while raising new challenges for their governance.