This subject, which is at the origin of many mobilizations, such as the birth of the #playfrance collective, or #interhop (militates for the use of free software in health) and revolt like that of yours truly through #effisyn_sds, is still relevant today.
Indeed, it does not seem that the government and the actors of this issue have moved much in this matter. Despite an awareness in the words of our politicians on the importance of digital sovereignty on our subject, for the moment little or no movement has been made.
Where are we?
After a sneaky, chaotic start-up during the health crisis, what are the salient points that can be highlighted?
- Choosing #Microsoft’s Azure Cloud without a tender (which contravenes the rules of proper public procurement).
- The project leaders initially justify the choice by presenting Microsoft as the only one qualified for health hosting, which is false …
- Reaction of several groups such as #playfrance #interhop, who insist on the choice of #Microsoft without a call for tenders, but also on the transfer of our health data to the United States!
- Cédric O., our Secretary of State for Digital Technology, counterattacks by claiming that there is no sovereign technology, in an intervention before the Senate.
- Speak up of Octava Klaba, founder and general manager of OVH, notably on Twitter…
- Referral to the Council of State in April, which, despite the concerns raised, decided not to invalidate the controversial decree (Le Monde)
- Invalidation of the “Privacy Shield” in July 2020 by the CJEU (Court of Justice of the European Union), which in fact calls into question all data transfers to the United States (CNIL)
- New referral to the Council of State on September 16, based on the decision of the CJEU to pronounce the inequality of the transfer of data by Microsoft. (Le Monde)
We’re at this point, and yet we don’t really feel like things are going to move in the right direction. Unfortunately, this is not a subject that mobilizes the mass of our fellow citizens, who do not necessarily manage to see the stakes involved in this affair. The choice of the US as an economic player in digital sovereignty is a challenge for our French and European players, leading to a weakening of the ecosystem and the high value-added jobs it creates. The loss of control over our own data, data that is rightly or wrongly considered to be the oil of this century. Do we want to pay for the exploitation of our own data by third countries?
What could we do ?
I must say that it is a complex issue. If we can only support initiatives such as #playfrance, which is a collective of French digital players who have decided to give greater visibility to the French digital ecosystem, is it enough to
I would tend to say that this is absolutely necessary, in these times when the awareness of the need for a return to digital and technological sovereignty is emerging… Necessary to give visibility to solutions that, contrary to popular belief, are quite at the level of the American digital giants, but do not have the necessary audience and do not have the commercial and marketing power of the latter
But this is not enough, I think that collectives such as #Interhop, health and/or patient union representations have an important role to play in acculturation on these subjects which, although not visible, can already have an impact on our lives.
For my part, I propose in parallel an individual militant action. It is not simple and takes time, it can also be applied to other similar subjects. We must use the recourses available to us: seizure of the CNIL (Commission Nationale Informatique et Libertés), the DPOs (Data Privacy Officers) of your CPAM (Caisse Primaire d’Assurance Maladie) and the DPO of the Data Hub Santé.
The angle of attack that I propose is to refuse the transfer and exploitation of your data. Indeed, what is the point of building a Healthcare Data Hub if we all forbid the transfer and use of our data? This is of course as long as the choice of solution is an American one and cannot guarantee the necessary level of protection for our data…
The first step I suggest is to contact the IT and Freedom Manager (DPO) of your Health Insurance Fund. This action can be done by regular mail, but I recommend that you go through your site ameli.fr, in the section write a message, choose, exercise your computer rights and freedom
Here is a template for your mail/email: Courrier Type – DPO CNAM
It is likely that you will receive a message, for my part this happened after several reminders, from your DPO who will take note of your request.
They took into account my opposition to the National Health Data System (SDNS) tool, on which the Health Data Hub is based. However, for this particular aspect, they referred me to the Data Hub Santé website to exercise my right of opposition…
A step that I hastened to carry out, here is the open letter that I sent them by email:
De : Emmanuel Mawet
Objet : Opposition à l’utilisation de mes données – Lettre ouverte
Par la présente je vous fait part de mon opposition à l’utilisation de mes données, mais surtout de leur stockage sur du cloud Microsoft Azure qui ne garantit pas la bonne sécurité de mes données et leur possible transfert aux US.
Je rappelle que l’invalidation du Privacy Shield par la CJUE devrait vous alerter et vous obliger à changer de fournisseur de cloud, en passant cette fois-ci par un appel d’offre.
Cette démarche vient en complément de la notification à la CPAM de mon opposition au transfert de mes données vers le Data Hub Santé. Le DPO de la CPAM m’a renvoyé vers vous et en parallèle a pris en compte mon opposition au SNDS.
Il est à noter, qu’une procédure a été ouverte en parallèle auprès de la CNIL.
Cette action est menée de façon publique, pour encourager mes concitoyens préoccupés par la gestion de leurs données de santé de s’opposer à l’initiative Data Hub Santé tant que les garanties de souveraineté de nos données ne seront pas effectives.
Pour se faire :
- Retirer Microsoft Azure comme cloud
- Proposer un nouvel appel d’offre
- Interdire cet appel d’offre à toute entreprise du Cloud qui serait soumise aux Lois extraterritoriales américaines (Patriot Act et Cloud Act)
Dans l’attente de la bonne prise en compte de ma demande, je vous prie de croire à l’assurance de mes cordiales salutations.
Before this step, I also opened a complaint on this same subject at the level of the CNIL.
I am aware that for many of you this may seem a bit excessive and that I may pass for an original. However, if we want to be heard and regain true control of our data, we need to act, not just wait for our policies to change.
If ever there were enough of us to carry out such a series of actions, it would end up weighing on our minds. Indeed, what value can we derive from a Healthcare Data Hub without data? Our power to act is at this level.
What is true for our health data is also true for our bank and credit card data, but that’s another subject… (article)
I hope that many of you will relay this message and, who knows, carry out these actions, which do not take that much time!
Let’s take back the use of our data!