Artificial intelligence (“AI”) and megadata in the medical research and practice area: the key points to take away from the conference dated February 10th, 2023 organized by the French Supreme Administrative Court (“Conseil d’Etat”) and the French data protection authority (“CNIL”)

Article IT and Data Protection | 16/02/23 | 9 min. | Roxane Blanc-Dubois

Tech & Digital

Health is undeniably one of the fields where AI has already demonstrated its real value in supporting humans. AI can, for example, help diagnose diseases by detecting them on medical imaging thanks to an analysis that is more precise than the human eye. AI-based connected watches can report heart failure, whereas, until now, this type of pathology required an expensive echocardiogram or MRI to be detected. AI, which is a fairly recent discipline, still holds the promise of many future revolutions, whether in terms of quality and accessibility of care or the development of treatments.

The Conseil d'Etat, the CNIL and the Alliance IHU France organized a conference entitled “AI and megadata, how will they revolutionize tomorrow's medical research and practice?”

This conference gathered academics and researchers as well as regulators, politicians, and industry representatives, who exchanged their views during round tables.

One of the purposes of this conference was to confront the expectations of some of the participants (particularly in terms of access and use or reuse of health data) with the requirements of the other participants in terms of personal data protection and to see if a balance and solutions satisfying all the interests involved could be found or envisaged.

The following are some of the topics discussed during the conference, which was also an opportunity for the CNIL to put forward certain ideas:

  • Transparency towards AI as a guarantee of trust

AI raises fears and even hostility among patients and citizens, which often stem from a lack of understanding of what AI is and what it is used for.

For Valérie Peugeot, commissioner in charge of health data at the CNIL, these fears can be overcome thanks to the GDPR, by simply complying with the obligation to inform people about the processing of their personal data (via AI). This should, according to her, help build confidence in AI, since it will be better understood by the data subjects. Indeed, Valérie Peugeot notes that to date, in general, the right to information is not properly respected in the medical field (no welcome booklet provided by the health institutions, absence of informative notices in the waiting rooms of doctors, lack of clarity, etc.).

  • Willingness of the CNIL to show some flexibility to adapt rules and analysis frameworks to AI if necessary...

In France, there is a specific regime for health data that requires prior authorization from the CNIL for a certain number of processing operations involving health personal data before they can be implemented. However, the CNIL has developed some “référentiels” and “méthodologies de référence” for certain data processing which, when their content is respected, allow data controllers to make a simple declaration of compliance with the said “référentiel” and/or methodologies of reference (for example: the "MR001" to "MR006" relating to the processing of personal data implemented for the purposes of research or studies in the health area; the “référentiel” relating to health data warehouses designed to enable AI, or the “référentiel” dealing with the data processing implemented for the purposes of managing health vigilance). If all the principles and conditions contained in these “référentiels” or methodologies of reference are not complied with, an authorization to implement the data processing in question must be requested from the CNIL.

The CNIL indicated during the conference that it pays attention to the stakeholders and that if there was a need to adapt certain rules and analysis frameworks to AI in order to meet the needs of the professionals and/or to go further in the simplification of formalities in the health sector in order to take into account AI systems and new use cases, then the CNIL could:

  • re-evaluate and revise the existing rules (i.e.: the “référentiels” and methodologies of reference); and/or
  • continue the work of simplifying prior formalities by creating new “référentiels” and methodologies of reference in the health sector (thus avoiding having to request an authorization as long as the content of the “référentiel” or methodology is respected).

Moreover, the CNIL indicated that it had authorized 10 research projects using AI in 2022, with an average assessment period of 66 days, which is relatively reasonable. Thus, when a stakeholder cannot benefit from a methodology of reference for its use case, this does not mean, de facto, that its personal data processing may not be implemented.

The CNIL's aim was undeniably to give reassurance that the regulation and the French regulator are not an obstacle to research and innovation. This desire to reassure comes from the fact that the AI sector is extremely competitive and that any delay in this area by France (and the European Union – “EU”) will be very detrimental. The CNIL obviously does not want to be held responsible, even partially, for such a delay. In this regard, Renaud Vedel, Chief-of-Staff of the French Minister for Digital Affairs and Telecommunications, closed the conference by stating in his speech that "the world will not wait for us" and that the American Food and Drug Administration (the “FDA”), in charge of authorizing the marketing of drugs and medical devices in the United States, had already authorized 520 medical devices incorporating AI. The European texts currently under discussion are intended to allow the EU to remain competitive by moving towards the circulation of data, including for research and innovation purposes, and stem from a European strategy for data.

  • … but also a certain severity towards software publishers and cloud providers

The CNIL, through the voice of Valérie Peugeot, has enjoined healthcare institutions to use their ordering and purchasing leverage to put pressure on software publishers and suppliers to provide tools and cloud solutions that comply with the GDPR and the security “référentiel” and offer data hosting on European territory.

  • The term "megadata" does not conflict with the GDPR concept of data minimization

The use of large amounts of data is at the core of the development and use of AI systems. The CNIL pointed out that the data minimization principle of the GDPR (consisting in processing only the data that are relevant, adequate, and limited to what is necessary for the purpose of the processing) does not conflict with the concept of megadata. "Minimization" should be understood as the simple requirement to process only useful/adequate data (and not as few data as possible). This can be "minimized [within the meaning of the GDPR] when paradoxically there is a lot of data being processed."

  • The tricky issue of the localization of the electronic health data in the draft European regulation on the European Health Data Space

This conference was an opportunity for Antonios Bouchagiar, a member of the European Commission's legal department, to present the main points of the draft European regulation on the European Health Data Space, released by the European Commission on May 3rd, 2022. One of the purposes of this regulation is to enable the sharing of health data for re-use for research and innovation purposes.

Valérie Peugeot, in the name of the CNIL, the EDPB and the EDPS, took the opportunity to draw Antonios Bouchagiar's attention to the fact that the draft regulation did not include any requirement "to have health data only in solutions located in Europe" whereas it is essential from their point of view to include this in the draft European regulation[1].

Antonios Bouchagiar responded to this point by indicating that there are currently very interesting discussions regarding the localization of health data in the context of this draft regulation (whether storage should only take place in the EU or not). He also indicated that "these discussions were complicated because of the EU's obligations with respect to the World Trade Organization" (without, however, giving further details in this regard). He added that for personal data, "there are quite valid reasons to justify this kind of localization, which might not exist for non-personal data, but this is a broader debate".

It will be interesting to follow the evolution of the text on this point.

  • “Anonymization”, a concept whose outlines still have to be clarified

Several speakers pointed out the difficulty of understanding the concept of anonymization (the boundary with pseudonymization is not straightforward), knowing that this may have many implications as the personal data protection regulation does not apply to anonymized data.

The CNIL itself acknowledged that there were often in-house debates on the qualification of the data (is such data anonymized or pseudonymized?) and indicated that "there was still room for improvement" in this area for greater legal security.


[1] The EDPB and EDPS issued a joint opinion on 12 July 2022 on this draft European regulation that mentioned this point, sections 100 to 111 (EDPB-EDPS Joint Opinion 03/2022 on the Proposal for a Regulation on the European Health Data Space)