undefined | Better HN

0 pointssebastiennight3y ago0 comments

I read the French legal documents and your notices regarding GDPR.

What I don't understand from those, and statements made by your team in this thread, is how some claims can be compatible.

- That the product is GDPR compliant.

- That you don't store the PII or health data.

- Yet all data is stored at Google servers.

- Also, you reserve the right to re-use said data. (Which, since this is for R&D purposes, should probably qualify you for the need to ask the CNIL for an authorization as "health data repository"? [0])

- That none of the data is sent outside the EU or to additional 3rd parties.

- Yet it uses a fine-tuned "GPT-3" (a term that to the best of my knowledge exclusively refers to Microsoft/OpenAI's US-based API service, not to on-prem GPT-like LLMs like GPT-J or GPT-NeoX).

All in all, I can feel the enthusiasm but it does feel like this thread would have been so much more reassuring with some proactive comments about the privacy/health data issues, rather than have everyone voice the obvious concern with no prepared answers.

[0] https://www.cnil.fr/fr/la-cnil-adopte-un-referentiel-sur-les...

0 comments

l5t3y ago

You're absolutely right, we should have been much more upfront with the privacy/security aspect of the product and add this link to the post: https://www.nabla.com/blog/privacy-security/

I hope this link will clarify our position.

Here are additional answers related to your points. - We do use Google Cloud to host our backend in EU or in the US but also the data for the Care Platform product. For the Copilot product, we don't host any data. They are hosted locally on the practitioner browser. - Our T&C reserves the right to re-use data in the event we will store the data in future versions of Nabla Copilot. In any case, the reuse of data, even health data, is allowed by GDPR for the improvement of the service provided if the data controller (practitioner) authorizes us and if they have informed the patient. - We did not say that "none of the data is sent outside the EU". Actually we say the opposite in the Copilot APD Annexe 1. We specifically mention Google and OpenAI and we comply with GDPR with a data protection agreement with both these companies.

j / k navigate · click thread line to collapse