Hogan Lovells 2024 Election Impact and Congressional Outlook Report
The revised French Health Data Hosting (HDS) certification framework, published on May 16, 2024, in the Official Journal, addresses data localization and transfers amidst concerns about digital sovereignty. The new provisions come into effect in 6 months and apply to new and renewal certification applications submitted from that date.
The revised version of the French Health Data Hosting (HDS) certification framework has finally been published in the Official Journal on May 16, 2024, marking a significant milestone eagerly awaited by sector stakeholders. Initially released discreetly through the TRIS procedure, this framework has sparked extensive discussions, particularly concerning the data localization and transfers requirements amidst the ongoing concerns of French authorities regarding digital sovereignty.
Reminder: The HDS certification aims to ensure the security of health data hosting, forming a crucial pillar of digital health regulation in France. Currently, 302 entities are certified, with nine organizations accredited to conduct these certifications.
Timeline of Applicability: The decree of April 26, 2024, approving the HDS certification framework, was published in the Official Journal on May 16, 2024. The new provisions come into effect six months after their publication, on 17 November, 2024. They apply to applications for certificates of compliance and applications for the renewal of such certificates submitted to a certification body from that date onwards. After this six-month period, certifying bodies will only be able to issue certificates in accordance with the new framework.
2024 Revision: The revision process, initiated in early 2022, incorporated feedback from sector stakeholders, the French Data Protection Authority (CNIL) and industry federations, thanks to a public consultation performed at the end of 2022. Over 250 contributions were analyzed, and the CNIL issued a favorable opinion on July 13, 2023. The draft decree was notified to the European Commission on December 7, 2023, with no comments received during the three-month period.
Key Changes: This revision, responding to the debates surrounding the bill aimed at securing and regulating the digital space (SREN), adopted on April 10, 2024, strengthens the framework's orientations with legislative backing. The new requirements notably aim to:
Focus on the New (unfortunate) Data Sovereignty Requirements: The revised HDS certification framework introduces four new data sovereignty requirements (requirements 28 to 31):
In conclusion, this revision of the HDS certification framework aims to strengthen health data security and clarify requirements for sector stakeholders, but still contains some heavy requirements. The stringent data localization obligations and attachment to SecNumCloud envisaged in previous versions of the revision of the HDS certification framework have for now been avoided. Vigilance, however, remains necessary in view of the forthcoming SREN law, which may introduce new constraints in terms of health data security. Excessively stringent data localization requirements, however, run the risk of being impractical and failing to achieve their goal. For any questions or assistance with this specific French requirement, we are here to help.