The Health Data Hub is a subject that is still subject to great questioning. I already had the opportunity to talk about it in several articles. Why is it still a hot topic? We are in May 2021, the controversy had grown in April 2020, because of the acceleration of the project imposed by the pandemic. And on that occasion, we were able to highlight some critical shortcomings in the management of a strategic public project of this magnitude:
- Questioning the supplier’s tender or rather its absence
- Questioning the choice of a non-sovereign actor, subject to American laws
These are two emblematic examples that have created an unprecedented stir in the French digital community, a stir that has led to the formation of the PlayFrance.Digital collective. This mobilization has helped raise awareness on the issue of digital sovereignty and has also made the government face its responsibilities.
Health Data Hub, where are we?
After the mobilization and astonishment caused by the decision to host the health data of all French citizens on Microsoft’s Azure cloud without a call for tender, the government promised to launch a new call for tender for a replacement within two years.
We are one year after this announcement, and it does not seem to me that the situation has changed much. The centralization of all French health data continues on the Microsoft Cloud. Apart from the hosting aspect, which is critical, some people also denounce the fact that the simple fact of centralizing all the data presents a security risk (Le monde).
However, another event should accelerate the decision to migrate to a European or French sovereign platform (of course I prefer national sovereignty), it is the cancellation of the Privacy Shield last summer (assurland.com). At the end of 2020, French digital actors were still waiting for the implementation of this call for tender …
There is another factor of concern, an important one in my opinion, which is not directly related to the Health Data Hub. When you put all these “weak signals” together, it is the concentration of French personal and health data on a non-sovereign cloud provider. In fact, Axa has formed a strategic partnership with Microsoft to set up an e-health services platform (Le Figaro économie). It’s disturbing that one of the largest insurers is putting its customers’ data on the Microsoft cloud just as the government is doing with the Health Data Hub.
For the record, data, and in particular health data, are considered as the black gold of tomorrow’s economy. Isn’t it worrying to see them hosted on technical platforms depending on the American law, much less protective than the French and European law…
What are the next steps ?
In fact, we must remain mobilized, continue to push the government to really issue this new call for tenders, and to do so in full transparency. It is essential that the choice is made for a sovereign and French solution. In the call for tenders, the mention “Independent of foreign legislation” must be one of the criteria, disqualifying American or Chinese solutions.
As an individual, our only way to weigh in is to proceed as described in a previous article, by refusing the transfer of our data to the Health Data Hub
Indeed, without data, the Health Data Hub loses all interest, and it is therefore a way to influence a change of cloud operator.
Furthermore, it is important to remember that, contrary to the claims of the project team, Microsoft was not the only HDS-certified solution. More exactly, they were the first to obtain certification when we moved from an approval to a certification, but OVH, for example, had been HDS certified for many years, even before Microsoft…
In the recent announcements of the government, there is the confirmation of the will to leave Microsoft Azure, but this step would be linked to the renewal/creation of a label called “Trusted Cloud” … You can note already, that we no longer speak of Sovereign Cloud, what is the meaning behind this name of the most vague (Numérama) ?
The question is legitimate when you listen to Bruno Lemaire’s speech on the subject (between 30 and 35 minutes after the beginning of this video) Indeed, the envisaged provisions would allow US or Chinese actors to create French or European entities with servers located in Europe, which would offer legal protection against extraterritorial laws, especially American ones…
However, the question arises as to why not clearly favor real European actors? A roundabout way to allow American groups to continue to control our data?
The fight for our digital sovereignty in general remains a long-term battle! All is not lost, indeed, there is an awareness of the stakes that represent the sovereignty in a more global theme, concerning the protection of our jobs, our economy and the protection of the interests of our national population.
In other sectors than health, mobilization is taking place, and important economic actors seem to be waking up to this key geostrategic issue, like the Medef by choosing #Olvid as an instant messenger instead of American actors like #WhatsApp…
We must therefore stand firm and defend our health data tooth and nail, which must be protected from attempts at commodification! It is important for all citizens that we are, to take the time to get informed and to mobilize to impose to our public authorities the choices that protect our long-term interests!