Greetings from Brussels!
Late last week, we saw a steady trickle of French media reports that the CNIL had taken a fairly strong position, calling for a review by the relevant French state actors of the hosting of public health data on Microsoft Azure cloud computing services. The French public body in question, known as the "Health Data Hub," is a centralized platform holding French health data for medical research purposes. The HDH is the subject of some controversy in France. Post-"Schrems II," several stakeholders and associations petitioned the highest administrative court in France, the Conseil d’Etat, to bar the state from processing this health data, which is by its very nature sensitive data. To give you a sense of the breadth of data the HDH holds, it integrates public health data from the national French health systems (hospitals, as well as national health insurance data), pharmacy data, and other data, such as diagnostic data from mobile health applications, including (remote) monitoring, telemedicine tools and health disaster data (think COVID-19 here).
In a memorandum sent to the Conseil d’Etat at the court's request, the CNIL outlined the position that it considered the choice of a host platform subject to U.S. law — such as the U.S. Clarifying Lawful Overseas Use of Data (CLOUD) Act — incompatible with the requirements of the "Schrems II" ruling in terms of privacy and data protection guarantees. Moreover, the CNIL invited the court to verify that Microsoft was abiding by its commitment not to transfer any of the personal data held within the HDH outside the EU. The CNIL went further in its opinion, stating that any cloud platform operated by a company incorporated under U.S. law that may be subject to domestic data requests was problematic, even with the full range of safeguard mechanisms, such as pseudonymization or encryption, in place. The CNIL was, therefore, very clear: French data — and by extension, EU citizen data — can no longer be "entrusted" to U.S. companies even if they have operational headquarters and servers in the EU. The CNIL concluded that using a French or European “trustee” would be a better mitigation of the potential risks in this regard.
In the Conseil d’Etat statement this week, the court essentially rejected the petition by the interested parties against the hosting of the HDH by Microsoft and did not fully adopt the CNIL's opinion that cloud providers under U.S. jurisdiction should not, as a matter of principle, be contracted to host health data. The summary judge of the court noted that the HDH and Microsoft had undertaken, by contract, to prevent any transfer of health data outside the EU. In addition, a French ministerial decree issued 9 Oct. prohibits any transfer of personal data under this contract. The judge concluded that the processing of the data by Microsoft within the territory of the EU is not in itself illegal or a violation of the law. That said, the court did concede that the risk of health data being transferred to U.S. intelligence services cannot be excluded. It recommended that the HDH and Microsoft work together to seek additional safeguards to protect the data it hosts.
There may be inevitable changes down the line for cloud solutions in the health sector in the absence of robust privacy guarantees. One can only assume this complex situation extends well beyond the framework of the HDH. There must be many health care providers and companies that deploy Microsoft or other U.S. cloud solutions, not only in France, but throughout the EU.
French Secretary of State for Digital Cédric O announced last week, ahead of the Conseil d’Etat statement, that the French government was looking to move the HDH to French or European platforms, adding that discussions had also taken place with other EU member states on the topic. To be clear, at the time the Hub was launched, Microsoft was the only cloud provider that met the French prerequisites for the public body's project. The question remains: Is there a European alternative that can take on a project of this magnitude with all the necessary privacy considerations and safeguards?