Round tables > Synthesis n°3

Philippe Cinquin is a university professor and hospital practitioner at the TIMC laboratory (Translational Research and Innovation in Medicine and Complexity - UMR5525 Grenoble Alpes University / CNRS), scientific coordinator of the Clinical Investigation Center - Technological Innovation (INSERM / Grenoble Alpes University Hospital / Grenoble Alpes University) and scientific director of the Deep Care Chair of the MIAI Institute. He is specialized in "translational medicine", i.e. the transition from academic research to concrete medical applications. As such, he is a founding member of several start-ups, including SentinHealth.

He begins by highlighting the difficulty of defining what health data is, given that the concept of health itself has evolved. In the early 20th century, health was defined as the absence of disease. Since 1989, the WHO has defined health as a state of complete well-being, based on the ability to achieve one's goals and ambitions and to evolve with one's environment. Thus, while some information is obviously health data (the results of a medical examination, for example), there is also a large amount of potential health data: genetic, environmental (pollution), social (who was present in the room on such and such a date, knowing that one of the participants is subsequently diagnosed with Covid19), physical activity data recorded by a connected watch, or even Internet search history. A simple change in behavior can indicate a change in health status: for example, someone who stops renting a bike overnight, whereas he used to do so daily.

Thibault Parmentier is a doctor in artificial intelligence (INRIA) and CEO of SentinHealth, the start-up that develops the MyHeartSentinel implant. He takes the example of the connected watch and points out that the legislation is much less restrictive for this type of device without medical pretensions than for medical devices. Thus, many players in the digital world can do very interesting research in the health field, which is much more difficult for companies that develop certified medical devices. On the other hand, it seems easier for a company to set up first in the US, as interactions with regulatory agencies are more fluid, and the insurance system is unified.

Laurence Apitz is a lawyer at the Paris Bar. She was a heart failure patient for several years before receiving a heart transplant in 2020. She is part of the group of patients who accompanied the RealWorld4Clinic project. She testifies about her experience as a "paranoid" patient, very sensitive to the issue of data protection, but confronted because of her illness with an obligation to transmit her health data to have the best possible level of protection: it was in 2015, when she was implanted with a defibrillator, and had to accept that data be transmitted to the American manufacturer of the implant. At the time, she was very concerned about hiding her heart failure from her employer and insurance companies, as she sees it as a stigmatizing condition with stereotypes of inability, lack of competence, and lack of drive attached to it. On the contrary, today she has no problem talking about her heart transplant to raise awareness about the importance of organ donation.

Sophie Guicherd is a doctor in computer law and a lawyer. She is a member of the Ethics&IA Chair at the MIAI. She highlights the tension in the field of health between the respect of two fundamental rights: the right to privacy and the right to health. However, health is such a fundamental issue, that in the name of preserving health, there is a risk of encroaching on other rights: that of respect for physical integrity, freedom, intimacy and human dignity. She describes the law as a fortress built to protect the human person, but weakened by the rapid evolution of technology. It is difficult to predict how data collected at one moment will be used on a large scale later. She also regrets the limits of free and informed consent: today, in order to access many digital services, it is necessary to consent to reveal information about one's private life; this constitutes a source of inequality between those who accept and those who refuse to give in to this injunction.

The discussions then bounced off Laurence's testimony, and the legislative developments between France and the United States. France has had strict data protection regulations since 1978, guaranteed by the CNIL (Commission Nationale de l'Informatique et des Libertés). Since 2001, the USA Patriot Act authorizes the US security services to access the computer data of American companies, without informing the users. This is one of the reasons why the French Health Data Hub project may have posed a problem: this structure, which is supposed to promote research by centralizing health databases, uses Microsoft services and is therefore subject to the Patriot Act. Moreover, in the United States there is a commoditization of personal data, particularly in the field of health (Deborah Lupton). Although subject to strict legislation, European hospitals are not immune to computer attacks aimed at hacking their databases. The European GDPR (General Data Protection Regulation) implemented in 2018 has introduced new rules regarding individual rights, security and data hosting. This legislation is proving to be restrictive for companies: it thus seems easier today for a start-up to develop in the United States first, especially since each European country has its own health and insurance system. However, the RGPD also appears to be a model at the international level, and several states have been inspired by it to update their own legislation.