The French data protection authority, the CNIL, addressed the anonymisation and pseudonymisation of health data and the distinction between controllers and processors, among other issues, when it fined Cegedim Santé, a supplier of practice-management software for the health sector, EUR 800,000 in September 2024.
Was Cegedim Santé acting as a controller or processor?
Cegedim Santé publishes and distributes management software for doctors and health centres. This software enables doctors to manage their diaries, patient files and prescriptions.
As part of its business, Cegedim Santé offers a panel of doctors who use one of these solutions the opportunity to join an 'observatory' to collect data from patient records. When they join the observatory, the data contained in the doctors' solution is extracted by Cegedim Santé for use in studies and statistics in the healthcare sector carried out by Cegedim Santé's clients.
Cegedim Santé argued that it was merely a processor because it acted only as a technical intermediary for the transmission of the data. It also relied on a 2014 letter from the CNIL which, it said, had recognised a predecessor company, whose entire activity Cegedim Santé later took over, as a sub-contractor (processor).
In its decision the CNIL found that Cegedim Santé was in fact acting as a controller: it organised the processing of the personal data itself, determining its means, and received no instructions from anyone in relation to the data. The CNIL held that the 2014 assessment was no longer relevant given the significant changes to data protection law since then, in particular the entry into application of the GDPR, and that it was therefore not bound by its previous position. This had a knock-on effect on Cegedim Santé's obligations and the extent of its liability.
Was the data pseudonymised rather than anonymised?
Cegedim Santé argued that the data it processed was anonymised. The CNIL's investigation established that the data collected by the doctors who had joined the observatory, and extracted by Cegedim Santé, was not anonymous but only pseudonymous, because it remained technically possible to re-identify the people concerned.
To assess whether or not the data processed is anonymous, the CNIL focused on determining whether the data subjects could be re-identified by reasonable means, relying on CJEU case law and the work carried out by EU data protection authorities (Opinion 05/2014 on anonymisation techniques of 10 April 2014).
In practice, the CNIL found that Cegedim Santé collected a large amount of personal data, such as year of birth, sex, socio-professional category, allergies, medical history, height, weight, diagnoses, medical prescriptions, medical leave and analysis results. This data was linked to a unique identifier for each patient of the same doctor, making it possible to link the data successively transmitted by the same doctor on the same patient and thus to reconstruct their care pathway. In view of these factors, the CNIL considered that it was possible to isolate an individual within Cegedim Santé's database and, given that Cegedim Santé held a large amount of particularly rich information about them, there was a risk of re-identification.
Under these conditions, given the existence of the unique identifier and the depth of the data collected by the company, and also taking into account the possibility of combining the data held by Cegedim Santé with data held by third parties, the CNIL considered that the risk that a person's identity could be traced was too high for the data processed by Cegedim Santé to be considered anonymous.
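The reasoning above maps onto the three tests in Opinion 05/2014 (singling out, linkability, inference). The following is an added example, not code or data from the CNIL decision or from Cegedim Santé, using a small constructed table with the attribute types the decision names (year of birth, sex, socio-professional category, height, weight) and a stable per-patient pseudonym. It shows how the pseudonym links successive transmissions into a care pathway, how the attribute combination singles out individuals (k-anonymity of 1), and how a constructed third-party list carrying names re-identifies them by linkage; the attribute names and the external list are assumptions for illustration only.

```python
"""Added example (constructed data, not Cegedim Santé's): why a stable
per-patient pseudonym plus rich attributes is pseudonymous, not anonymous."""
from collections import defaultdict

# Constructed pseudonymous table, modelled on the attribute types named in the
# decision. 'pid' stands for the stable per-patient identifier assigned within
# one doctor's file (attribute names are assumptions for illustration).
PATIENTS = {
    "a91f": {"yob": 1957, "sex": "F", "csp": "retired",  "height": 162, "weight": 58},
    "b22c": {"yob": 1957, "sex": "F", "csp": "retired",  "height": 162, "weight": 71},
    "c7d0": {"yob": 1984, "sex": "M", "csp": "employee", "height": 181, "weight": 90},
    "d410": {"yob": 1984, "sex": "M", "csp": "employee", "height": 181, "weight": 90},
    "e5e5": {"yob": 2001, "sex": "F", "csp": "student",  "height": 170, "weight": 64},
    "f6f6": {"yob": 2003, "sex": "F", "csp": "student",  "height": 170, "weight": 64},
}

# Constructed successive transmissions from the same doctor: (pid, date, kind, detail).
EVENTS = [
    ("a91f", "2023-02-14", "prescription", "metformin 500 mg"),
    ("c7d0", "2023-01-12", "analysis", "HbA1c 5.4 %"),
    ("a91f", "2023-01-10", "diagnosis", "type 2 diabetes"),
    ("e5e5", "2023-02-20", "diagnosis", "asthma"),
    ("a91f", "2023-05-02", "analysis", "HbA1c 7.9 %"),
    ("d410", "2023-06-01", "leave", "sick leave, 5 days"),
    ("a91f", "2023-06-30", "diagnosis", "diabetic retinopathy"),
]

# Constructed third-party dataset carrying direct identifiers (assumption: some
# public list that happens to share a few attributes with the health extract).
EXTERNAL = [
    {"name": "Marie Dupont", "yob": 1957, "sex": "F", "height": 162, "weight": 58},
    {"name": "Anne Martin",  "yob": 1957, "sex": "F", "height": 162, "weight": 71},
    {"name": "Paul Bernard", "yob": 1984, "sex": "M", "height": 181, "weight": 90},
    {"name": "Luc Petit",    "yob": 1984, "sex": "M", "height": 181, "weight": 90},
]

QUASI_IDS = ("yob", "sex", "csp", "height", "weight")


def care_pathway(pid, events=EVENTS):
    """Linkability across transmissions: every record carrying the same
    pseudonym joins into one chronological care pathway."""
    return sorted((d, kind, detail) for p, d, kind, detail in events if p == pid)


def equivalence_classes(patients, quasi_ids):
    """Group pseudonyms sharing the same quasi-identifier values."""
    classes = defaultdict(list)
    for pid, attrs in patients.items():
        classes[tuple(attrs[q] for q in quasi_ids)].append(pid)
    return dict(classes)


def k_anonymity(patients, quasi_ids):
    """Smallest equivalence class; k == 1 means someone can be singled out."""
    return min(len(pids) for pids in equivalence_classes(patients, quasi_ids).values())


def singled_out(patients, quasi_ids):
    """Pseudonyms whose quasi-identifier combination is unique in the table."""
    return sorted(pids[0] for pids in equivalence_classes(patients, quasi_ids).values()
                  if len(pids) == 1)


def link_external(patients, external, keys):
    """Linkability with a third-party dataset: join on the shared attributes.
    Exactly one candidate name means the pseudonym has been re-identified."""
    return {pid: [row["name"] for row in external
                  if all(row[k] == attrs[k] for k in keys)]
            for pid, attrs in patients.items()}


def generalise(patients):
    """One anonymisation step: 10-year birth bands, drop height and weight.
    The stable pseudonym would also have to go before the output could be
    called anonymous; this only shows the effect on singling out."""
    return {pid: {"yob_band": attrs["yob"] // 10 * 10, "sex": attrs["sex"],
                  "csp": attrs["csp"]} for pid, attrs in patients.items()}


if __name__ == "__main__":
    print("care pathway a91f:", care_pathway("a91f"))
    print("k =", k_anonymity(PATIENTS, QUASI_IDS),
          "singled out:", singled_out(PATIENTS, QUASI_IDS))
    print("linked:", link_external(PATIENTS, EXTERNAL, ("yob", "sex", "height", "weight")))
    coarse = generalise(PATIENTS)
    print("k after generalisation =", k_anonymity(coarse, ("yob_band", "sex", "csp")))
```

On the constructed table, four of the six pseudonyms are singled out by their attribute combination and two of them are matched to exactly one name in the external list; generalising the birth year and dropping height and weight raises k to 2, but the pseudonym would still let anyone holding the extract reconstruct each care pathway, which is why coarsening attributes alone does not make such a data set anonymous.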
What breaches of the French Data Protection Act and the GDPR resulted from the processing?
Failure to comply with the obligation to carry out prior formalities in the field of health
As it was processing personal data and not anonymised data, Cegedim Santé should have complied with the provisions of Article 66 of the French Data Protection Act (FDPA) regarding the processing of personal data in the health sector:
- If the processing of health data is based on one of the exceptions provided for in Article 65 FDPA (including the data subject’s consent), such processing is not subject to any prior formality.
- If none of the Article 65 exceptions apply, the processing of health data may only be carried out (i) with the authorisation of the CNIL or (ii) provided that it complies in all respects with one of the standards (“référentiels”) issued by the CNIL, taking into account the public interest involved, in which case the data controller must submit a declaration of compliance with the relevant standard to the CNIL (Article 66 FDPA).
In practice, the CNIL considered that Cegedim Santé processed pseudonymised health data in order to build up a health data warehouse, and that it was therefore required to comply with the requirements of the GDPR and the FDPA.
The only Article 65 exception that might have applied here was processing carried out with the data subject's consent for one or more specific purposes. However, because Cegedim Santé took the view that it was not processing personal data at all:
- It had not implemented an appropriate consent mechanism for the processing
- It had not requested CNIL assessment and authorisation
- It had not sent the CNIL a declaration of compliance with one of its standards, even though the database Cegedim Santé had built constituted a health data warehouse, which is covered by one of the standards published by the CNIL.
Failure to comply with the obligation to process data lawfully
The CNIL considered that Cegedim Santé failed to comply with Article 5(1)(a) GDPR concerning its use of the teleservices set up by the French health insurance scheme, including the “HRi” teleservice, which gives access to the history of health reimbursements made by the health insurance scheme for a patient over the last twelve months, and the “ALDI” teleservice, which includes data relating to long-term conditions recognised by the health insurance scheme.
The CNIL noted that when a doctor who was part of the observatory consulted data from these teleservices, the data was automatically downloaded into the patient's computerised file, so that Cegedim Santé collected it at the same time. French law, however, only provides for the data in these teleservices to be consulted by authorised professionals, which does not include private organisations.
The CNIL therefore considered that, by not giving doctors the option of consulting the data without it also being collected, Cegedim Santé had not processed the data lawfully.
What was the outcome?
The CNIL fined Cegedim Santé EUR 800,000 for these two breaches, having determined that it was acting as a controller and taking into account the company's financial capacity, the seriousness of the breaches, the massive scale of the processing and the fact that the data concerned was health data, and therefore sensitive data. The decision highlights the importance of understanding the roles of controller and processor, and of ensuring that personal data is properly anonymised rather than merely pseudonymised if anonymisation is to be relied on to avoid data protection obligations.