Processing health data in France: What to look out for after GDPR?
French law imposes stricter requirements than the General Data Protection Regulation (“GDPR”) regarding health data processing. These requirements, set forth by the amended French Data Protection Act[1] and the French Public Health Code, should be seriously considered by any company or public body, which intends to process health data for scientific research purposes in France, as failure to comply may invalidate study lawfulness.
The impact of the French Public Health Code: the rules on medical and pharmaceutical research
Health data processing may be carried out for various purposes, provided that it falls within the scope of one of the exceptions to the general principle of prohibition of sensitive data processing of Article 9 GDPR.
In addition, such processing needs to comply with French regulations specific to medical and pharmaceutical research, as amended by a 2016 Ordinance,[2] governing studies involving participation of human subjects, including clinical trials of pharmaceutical products and medical devices.
These studies are subject to strong requirements, in particular regarding participants’ consent and right to information, such participants having an absolute right to withdraw their consent and to leave the study at any time, which echoes Article 7 GDPR.
Besides, Articles L.1121-3 et seq. of the French Public Health Code provide that research involving human subjects must be conducted and supervised by health professionals, who act under the general instructions set by the research sponsor.[3]
Only these health professionals are authorized to keep the correlation table allowing re-identification of participants. Indeed, only pseudonymized or anonymized data may be shared with the sponsor or third party beneficiaries of the study, unless participants have expressly agreed to share their data.
Finally, the French Public Health Code and the French Data Protection Act underline that health data collected as part of these studies must be subject to appropriate, strong security and confidentiality measures.
Prior authorization procedures & the CNIL’s standard methodologies
Although the GDPR has removed most prior filing obligations, processing of health data based on public interest still requires prior authorization from the French Data Protection Authority (CNIL), delivered conditional on a positive opinion of the competent committee.
However, the CNIL has published several standard methodologies, which allow the sponsor of a research project not to go through the whole authorization process if it complies with the requirements set forth in the concerned standard methodology.
Certification of health data hosting service providers: a new procedure
Article L.1111-8 of the French Public Health Code, amended by a 2017 Ordinance,[4] provides for a mandatory certification of companies that, on behalf of a third party (the health data controller, for instance the research sponsor), host health data.
This certification will be granted by specialized bodies accredited by the French Accreditation Committee[5] after a two-part scrutiny, which consists first, in the assessment of the host’s documentation regarding its compliance with a certification framework, and second, in an on-site audit of the hosting company.
[1] Amended French Data Protection Act No 78-17 of January 6th, 1978
[2] Ordinance No. 2016-800 of June 16th 2016 on research involving human subjects
[3] Article L.1121-3 of the French Public Health Code
[4] Ordinance No. 2017-27 of January 12th 2017
[5] Comité français d’accréditation (“COFRAC”)
