Data localisation rules – HDS certification framework

A new French Health Data Host (“HDS”) certification framework, for hosting personal health data requirements, has been published by the Health digital agency of the French Health Ministry (“ANS”), and adopted by Order of 26th April 2024 amending the order of 11th June 2018, which approved the accreditation framework for certification bodies and the certification framework for hosting personal health data. The list of certified HDS is published on the ANS’s website.

It sets out new requirements for the certification of personal health data hosting service providers (“Host”) to be certified HDS.

New candidates for the certification will be assessed by accredited certification bodies from 16 November 2024. The said requirements applies to any natural or legal person referred to in the French Law, governing the hosting of health personal data, that is, to (i) digital Host, (ii) of personal health data, (iii) collected in the course of prevention, diagnosis, care or social and medico-social monitoring activities, (iv) on behalf of the controller producing or collecting the data, or on behalf of the patient.

In summary, while the main purpose of the previous framework (V1.0), issued by decree of 11 June 2018, was to improve the information system security requirements of health data Hosts, its amendment resulting in the  new framework (V2.0) for HDS certification was aimed at ensuring that the personal health data of French citizens is located in the European Economic Area ("EEA"), in order to counter the application of US extraterritorial laws.

Indeed, it introduces rules directly related to data sovereignty:

• Localisation requirements: whichever personal health data hosting activity is offered by the Host or one of its processors, providing that it involves storage of such data, the Host or its processors must store these data exclusively within the European Economic Area (“EEA”).  When the service offered by the Host or its processors involves remote access from a country not part of the EEA, such access must be based on an adequacy decision by the Commission, or on another appropriate safeguard, and the Host must take any other measures to ensure a level of data protection equivalent to that guaranteed by the European Union law.
• Contract requirements: The Host shall document and communicate on the location of this storage to its clients ; and when the Host, or one of its processors involved in the hosting services, is subject to the legislation of a third country which does not provide an adequate level of protection, the Host must indicate in the contract, which binds it to its client and inform the certification body of (i) the list of non-European regulations under which the Host, or one of its processors involved in the hosting service, may be required to allow unauthorised access by Union law to the personal health data, (ii) the measures implemented by the Host to mitigate the risks of unauthorised access to personal health data induced by these non-European regulations, (iii) a description of the residual risks of unauthorised access to personal health data through non-European regulations that would remain despite these measures.
• Transparency requirement:  the Host shall make public and update the mapping of transfers of personal health data to a country outside the EEA, including any remote access as well as the description of risks of unauthorised access. The Host must make this information available to the public in a legible manner on a dedicated page of its website and provide the certification body with the URL of the page, which will then be published on the website of the ANS.

The new French Health Data Host (“HDS”) certification framework appears balanced in that it does not prohibit the use of American service providers, as long as they host the data within the EEA and as long as customers are clearly informed about any involved access from a non-EEA country.