Hogan Lovells 2024 Election Impact and Congressional Outlook Report
While the French Data Protection Authority (the "CNIL") has consistently emphasized the importance of protecting health data, there will be even more focus for 2023 with more investigations and sanctions in this sector. The CNIL declared patient data as one of its four priority topics for investigations in 2023, and initiated its program with two official warnings issued to organizations conducting medical research (Sponsors) about their GDPR breaches. The CNIL is now more than ever underscoring the significance of compliance with data protection regulations within the realm of medical studies.
CNIL has always been very attentive to the processing of health data and to their security and confidentiality. It regularly publishes content on its website (practical information sheets, guidelines and binding recommendations), and has also made health data security one of its priority topics for its investigations back in 2020 and 2021. It also regularly supports needs of health data localization within the European Union, for example in guidelines regarding early-access programs and health data warehouses. The CNIL also issues and regularly updates its standards for clinical studies, known as Méthodologies de reference (MR) like MR-001 or MR-003 for research involving human beings or MR-004 for research not involving human beings (e.g., for reuse of health data). The CNIL is now taking its efforts even further, kicking off 2023 with an intensified focus on medical research and patient data protection.
CNIL made public in early March 2023 that it performed investigations during the first half of 2022 relating to processing of patients personal data by two organizations conducting medical research (which are understood as being Sponsors of past clinical trials).
The CNIL identified two major breaches for these organizations:
The CNIL also indicated that one of organizations provided incorrect information in the ICF when mentioning that patients data was anonymized, whereas it was only pseudonymized, as patients data is only key-coded and patients can always be re-identified.
The CNIL issued warnings and specified that the reason why it did not issue any sanctions (e.g. fines) is because the data processing operations concerned ceased. These two organizations were fortunate to be the first two targeted, and that the problematic trials were relatively old. However, this serves as a strong message to other sponsors and stakeholders in medical studies. The CNIL has initiated with warnings but will assume that the actors of the sector are now aware and understand that they could face heavy sanctions in the future.
The CNIL also revealed in March 2023 its top priorities for investigations for the upcoming year.
One of these priorities is patients data, including the access to the patients' electronic medical records (EMR) within health institutions (known in French as “Dossier patient informatisé” or “DPI").
This choice is motivated by the multiple complaints the CNIL received about unauthorized third-party access to the patients data and the EMR.
CNIL also indicated that investigations carried out will focus on technical and organisational measures implemented to ensure security of such data. After years of being the only authority in Europe to provide the higher number of guidelines and frameworks for health data subjects, the CNIL is now turning more to enforcement.
Health care stakeholders must be prepared for the CNIL investigations in 2023, whether they are off-site or on-site and whether they are acting as controller or processor.
This means in particular paying attention to:
Authored by Julie Schwartz, Patrice Navarro, and Clément Taieb.