The French HDH was born out of the French government’s desire to build a hub that facilitates the study of rare diseases and the use of artificial intelligence to improve diagnoses. For this, HDH is supposed to consolidate all the health data of people receiving medical care in France in order to facilitate data sharing and promote medical research. The HDH was commissioned in early April 2020 to manage the COVID-19 health crisis and improve knowledge. The French government initially chose to partner with Microsoft and its Azure cloud platform; On April 15, 2020, HDH signed a contract with Microsoft’s Irish subsidiary to host health data in data centers across the EU.
On September 28, 2020, several associations, unions and individuals appealed to the summary proceedings judge Board of state, requesting the suspension of the processing of health data related to the COVID-19 pandemic in HDH. In essence, the petitioners argued that the hosting of the data by a company subject to US laws carries privacy risks due to possible transfers of data to US intelligence services, as the Court of Justice pointed out. Justice of the European Union (“CJEU”). in the Schrems II Case. In this case, the CJEU found that US surveillance programs based on Section 702 of the Foreign Intelligence Surveillance Act (“FISA”) and Executive Order 12333 (“EO 12333”) were not limited to what is strictly necessary and that the EU – The United States Privacy Shield Framework did not grant EU citizens rights that could be brought before a body offering guarantees substantially equivalent to those required by EU law. For these reasons, the CJEU has declared the EU-US Privacy Shield invalid.
On October 8, 2020, the CNIL filed observations on the summary procedure before the Board of state. On the same day, the French Secretary of State for Digital announced that the French government was considering transferring HDH to a French or European platform. On October 9, 2020, a French ministerial decree was adopted prohibiting any transfer of data outside the EU from the HDH.
While the CNIL has specified that its comments relate only to the specific case of health data, the comments provide an overview of the CNIL’s position on the consequences of Schrems II cases and types of additional safeguards that organizations could implement in addition to a contractual data transfer mechanism (in practice, standard contractual clauses) in order to validly transfer personal data to the United States
According to the CNIL, in the case of data transfers to the United States, the following two situations should be distinguished:
- When the recipient of the personal data (not encrypted or decryptable by this recipient) is directly subject to the surveillance and requests of the American intelligence services based on FISA and EO 12333: in this case, the implementation of additional guarantees is particularly delicate . This is the situation of Microsoft in the United States
- When the recipient of the data is not directly subject to the surveillance established by FISA and OE 12333: in this case, the personal data are generally still subject to the surveillance program in question when in transit to the recipient of the data. According to the CNIL, when the data is in transit, it uses communication channels subject to surveillance programs examined by the CJEU in the Schrems II. However, in this situation, additional encryption measures are likely to ensure, under certain conditions, a level of data protection essentially equivalent to that provided for in the EU.
The CNIL acknowledged that the CJEU only examined the situation where an operator transfers, on its own initiative, personal data to the U.S. However, according to the CNIL, the reasons for the CJEU decision also require to examine the legality of a situation in which an operator processes personal data in the EU but risks having to transfer it following an administrative or judicial decision or a request by the American intelligence services. In this case, the CNIL considered that American laws (FISA and EO 12333) also apply to personal data stored outside the United States.
The CNIL also considered that, despite all the technical measures implemented by Microsoft (including data encryption), Microsoft could still be able to access the data it processes on behalf of the HDH and could do so. object, in theory, of requests of the American intelligence services. services under FISA (or even EO 12333) that would require Microsoft to transfer personal data stored and processed in the EU. According to the CNIL, such requests are not based on an international agreement and are therefore illegal within the meaning of Article 48 of the EU General Data Protection Regulation (“GDPR”). The CNIL concluded that health data should be hosted by companies not subject to US law. For the CNIL, this would be the most effective solution to avoid any risk of transfer. However, the CNIL recognized that it would also be possible to set up a contractual mechanism by which the American service provider would enter into a licensing agreement with the European company. Under this agreement, the EU company would be the only one able to carry out transactions on personal data and would benefit from the services and expertise of the US company without the latter having the possibility of access this data.
Finally, the CNIL considered that a transition period is necessary to switch to another host. During this transition period, possible data transfers could be based on an exemption from the general ban on data transfers outside the EU, in accordance with Article 49 of the GDPR. In particular, transfers could be based on Article 49 (1) (d) GDPR, which allows the transfer of personal data for important reasons of public interest under EU law or Member States. According to the CNIL, while transfers to the American authorities are not in the public interest, there is a clear public interest in maintaining the continuity of data hosting and use of this data. Such a derogation should however result from a specific and temporary regulatory provision.
Board of state’s Decision
In his decision, the Board of state agrees with the CNIL that it cannot be completely ruled out that the American public authorities may ask Microsoft and its Irish subsidiary to access some of the data held in the HDH. However, unlike the CNIL, the summary judgment judge Board of state did not take into account the CJEU ruling in the Schrems II case to also require the examination of the conditions under which personal data may be processed in the EU by US companies or their subsidiaries as processors (or even data controllers). According to Board of state, EU data protection law does not prohibit organizations from outsourcing data processing activities in EU territory to a US company. In addition, the summary judge considered that the violation of the GDPR in this case was purely hypothetical because it presupposes that the American authorities are interested in accessing the health data held in the HDH and that Microsoft is not in a position to reject possible access requests. . In this regard, the summary judge noted that health data is pseudonymized before being shared within the HDH and then encrypted by Microsoft. Finally, the judge stressed that in light of the COVID-19 pandemic, there is an important public interest in allowing the continuous processing of health data as allowed by the HDH. The summary judge concluded that there was no adequate justification for suspending the data processing activities carried out by the HDH, but ordered the HDH to work with Microsoft to further strengthen the right to privacy (in modifying its data processing agreement), until a solution eliminates all the risk of access by the American authorities to personal data is implemented (such as the use of a new host as announced by the secretary of French State to digital, or the conclusion of a license contract as suggested by the CNIL).
Following the Board of stateOn the decision of the CNIL, the CNIL has announced that it will guide the French public authorities on the implementation of the appropriate guarantees, and will ensure that recourse to HDH is necessary when examining applications for authorization. of research projects using this platform.
Read the press release and the full summary judgment of the Board of state, and the press release and comments from the CNIL (all available in French only).