
Article IT and Data Protection | 16/02/23 | 9 min. | Roxane Blanc-Dubois
Health is undeniably one of the fields where AI has already demonstrated the real value of its use in supporting humans. AI can, for example, help diagnose diseases by detecting them on medical imaging through an analysis that is more precise than the human eye. Connected watches based on AI can detect heart failure, whereas, until now, this type of pathology required an expensive echocardiogram or MRI to be detected. AI, which is a fairly recent discipline, still holds many promises of future revolutions, whether in terms of the quality and accessibility of care or the development of treatments.
The Conseil d'Etat, the CNIL and the Alliance IHU France organized a conference entitled “AI and megadata, how will they revolutionize tomorrow's medical research and practice?”
This conference gathered academics and researchers as well as regulators, politicians, and industrials, who exchanged their views during round tables.
One of the purposes of this conference was to confront the expectations of some of the participants (particularly in terms of access and use or reuse of health data) with the requirements of the other participants in terms of personal data protection and to see if a balance and solutions satisfying all the interests involved could be found or envisaged.
The following are some of the topics discussed during the conference, which was also an opportunity for the CNIL to put forward certain ideas:
AI raises fears and even hostility among patients and citizens, which often stem from a lack of understanding of what AI is and what it is used for.
For Valérie Peugeot, commissioner in charge of health data at the CNIL, these fears can be overcome thanks to the GDPR, by simply complying with the obligation to inform people about the processing of their personal data (via AI). This should contribute, according to her, to building confidence in AI, since it will be better understood by the data subjects. Indeed, Valérie Peugeot notes that to date, in general, the right to information is not properly respected in the medical field (no welcome booklet provided by health institutions, absence of informative notices in doctors' waiting rooms, lack of clarity, etc.).
In France, there is a specific regime for health data that requires prior authorization from the CNIL for a certain number of processing operations involving personal health data before they can be implemented. However, the CNIL has developed some “référentiels” and “méthodologies de référence” for certain data processing operations which, when their content is respected, allow data controllers to make a simple declaration of compliance with the said “référentiel” and/or methodology of reference (for example: the "MR001" to "MR006" relating to the processing of personal data implemented for the purposes of research or studies in the health area; the “référentiel” relating to health data warehouses designed to enable AI; or the “référentiel” dealing with data processing implemented for the purposes of managing health vigilance). If all the principles and conditions contained in these “référentiels” or methodologies of reference are not complied with, an authorization to implement the data processing in question must be requested from the CNIL.
The CNIL indicated during the conference that it pays attention to the stakeholders and that if there was a need to adapt certain rules and analysis frameworks to AI in order to meet the needs of the professionals and/or to go further in the simplification of formalities in the health sector in order to take into account AI systems and new use cases, then the CNIL could:
Moreover, the CNIL indicated that it had authorized 10 research projects using AI in 2022, with an average assessment period of 66 days, which is relatively reasonable. Thus, when a stakeholder cannot benefit from a methodology of reference for its use case, this does not mean, de facto, that its personal data processing may not be implemented.
The purpose of the CNIL was undeniably to reassure the audience that the regulation and the French regulator are not an obstacle to research and innovation. This desire to reassure comes from the fact that the AI sector is extremely competitive and that any delay in this area by France (and the European Union, the “EU”) would be very detrimental. The CNIL obviously does not want to be designated as responsible, even partially, for such a delay. In this regard, Renaud Vedel, Chief of Staff of the French Minister for Digital Affairs and Telecommunications, closed the conference by stating in his speech that "the world will not wait for us" and that the American Food and Drug Administration (the “FDA”), in charge of authorizing the marketing of drugs and medical devices in the United States, had already authorized 520 medical devices incorporating AI. The European texts currently under discussion are intended to allow the EU to remain competitive by moving towards the circulation of data, including for research and innovation purposes, and stem from a European strategy for data.
The CNIL, through the voice of Valérie Peugeot, has urged healthcare institutions to put pressure on software publishers and suppliers to provide tools and cloud solutions that comply with the GDPR and the security “référentiel” and offer data hosting on European territory, by using the leverage of ordering and purchasing.
The use of large amounts of data is at the core of the development and use of AI systems. The CNIL pointed out that the data minimization principle of the GDPR (consisting in processing only the data that are relevant, adequate, and limited to what is necessary for the purpose of the processing) does not conflict with the concept of megadata. "Minimization" should be understood as the simple requirement to process only useful/adequate data (and not as few data as possible). Processing can thus be "minimized [within the meaning of the GDPR] when paradoxically there is a lot of data being processed."
This conference was an opportunity for Antonios Bouchagiar, a member of the European Commission's legal department, to present the main points of the draft European regulation on the European Health Data Space, released by the European Commission on May 3rd, 2022. One of the purposes of this regulation is to enable the sharing of health data for re-use for research and innovation purposes.
Valérie Peugeot, in the name of the CNIL, the EDPB and the EDPS, took the opportunity to draw Antonios Bouchagiar's attention to the fact that the draft regulation did not include any requirement "to have health data only in solutions located in Europe", whereas it is essential from their point of view to include this in the draft European regulation[1].
Antonios Bouchagiar responded to this point by indicating that there are currently very interesting discussions regarding the localization of health data in the context of this draft regulation (whether storage should only take place in the EU or not). He also indicated that "these discussions were complicated because of the EU's obligations with respect to the World Trade Organization" (without, however, giving further details in this regard). He added that for personal data, "there are quite valid reasons to justify this kind of localization, which might not exist for non-personal data, but this is a broader debate".
It will be interesting to follow the evolution of the text on this point.
Several speakers pointed out the difficulty of understanding the concept of anonymization (the boundary with pseudonymization is not straightforward), given that this may have many implications, as the personal data protection regulation does not apply to anonymized data.
The CNIL itself acknowledged that there were often in-house debates on the qualification of the data (is such data anonymized or pseudonymized?) and indicated that "there was still room for improvement" in this area for greater legal security.