Health Data Made in France: Is France Moving Towards a Sovereign Cloud Requirement for Health Data?
A Council of State decision and the CNIL suggest this outcome.
Republished in NYU Law’s Compliance & Enforcement blog
Since the decision of the European Court of Justice (“ECJ”) in the Schrems II case, transfers of personal data from the EU to the United States have been under scrutiny. The ECJ reviewed the situation where personal data are sent from an EU affiliate to its U.S. headquarters as part of how the company structured its business-as-usual practices. But what the ECJ did not consider is whether the mere fact that an EU company is affiliated with a U.S.-headquartered company is problematic, even if no transfer of personal data to the United States takes place.
Whether merely being affiliated with a U.S.-headquartered company is a problem from a data transfer perspective is precisely what a number of associations (“claimants”) and the French data protection authority (“CNIL”) argued in a recent appeal before the French Council of State. This question arose in the context of a case involving Microsoft Ireland in respect of its hosting of French public health data. The claimants and the CNIL argued that any affiliation of an EU hosting provider, in this case Microsoft Ireland, with a U.S. parent company, in this case Microsoft U.S., is in and of itself problematic. The claimants and the CNIL contended that because of such affiliation, U.S. authorities could have jurisdiction over data held by Microsoft Ireland in the EU. As a result, the claimants called for the immediate suspension of the use of Microsoft Ireland, even though Microsoft Ireland had already committed to storing the data in a pseudonymized form in the EU. The French Council of State, however, denied the immediate suspension of the use of Microsoft. While this seems like a good outcome for transatlantic commerce, the Council’s decision suggests that in the future, organizations will be required to use a French-based cloud solution. We provide further details below.
The HDH. The case at hand relates to the Health Data Hub, France’s new health data repository, which is used to foster scientific research and which is managed by a body under the same name (“HDH”). The HDH was officially created in November 2019 and was being implemented over time. However, its implementation was fast-tracked to amass COVID‑19 data and fight the pandemic when it hit the EU in early 2020. The French government had outsourced the hosting of the HDH to Microsoft Ireland.
Legal process. From the beginning, the HDH raised concerns from various stakeholders (e.g., hospitals, journalists, and software developers). In May 2020, right after the HDH’s initial launch in the fight against COVID‑19, various claimants requested the French Council of State, France’s highest administrative court, to suspend the HDH due to privacy concerns based on the General Data Protection Regulation 2016/679 (“GDPR”). The Council did not order the suspension at the time but did request further assurances to protect privacy, such as what pseudonymization safeguards would be implemented for the data held in the HDH.
Shortly thereafter, in July 2020, the ECJ, the EU’s High Court, issued its Schrems II decision (C-311/18). The ECJ’s decision pertained to the EU’s legal mechanisms to address cross-border transfers, in particular to the United States. The ECJ raised a particular concern around the possibility that U.S. Intelligence may gain access to personal data once they are transferred to the United States. Seizing this development, claimants in France appealed again (in summary proceedings) to the Council of State in September 2020. Even though Microsoft Ireland had already committed to the French government that the data would remain hosted in pseudonymized form in the EU, claimants reasoned that a risk remained that U.S. authorities could have potential access to the data by virtue of Microsoft Ireland being affiliated with a parent company in the United States, which in turn is subject to U.S. disclosure requirements. The claimants found themselves supported by the CNIL, France’s data protection authority, who commented to the Council of State that in its view, the current legal landscape and U.S. disclosure requirements make it illegal to rely on companies that are subject to U.S. law to host French health data.
The Council of State, however, still found that the risk of U.S. disclosures was hypothetical, as the claim assumed that Microsoft Ireland would not be able to object to such disclosure requests. The Council also took into account that the data were pseudonymized prior to upload and that the HDH supports an important public interest, namely the fight against COVID-19. The Council of State concluded that the immediate suspension of the HDH was not justified, at least not in summary proceedings. So far, the Council’s decision seems like a win for Microsoft and for transatlantic commerce generally.
However, the Council did go on to order Microsoft Ireland to strengthen certain contractual commitments not to transfer the data outside the EU, including in respect of potential disclosure requests from U.S. authorities. In addition, the Council called for a long-term solution that would “fully eliminate” risks of access by U.S. authorities. Suggestions offered by the Council of State to that effect include moving all of the data to an EU/French-based hosting provider, or setting up a license model under which a U.S. provider licenses its expertise to an EU-based provider, which then processes the data in the EU.
And so the win may seem more like a loss in disguise. While the current suspension is off the table, the Council’s suggestions all point towards an EU (or even French) model for hosting the HDH, which is essentially what the claimants (and the CNIL) advocated from the beginning.
Strengthened by the Council’s long-term view, as well as by the fact that the decision from the Council was delivered only in summary proceedings (meaning that the central issue was whether an immediate suspension was warranted and not about the merits of the case), the claimants have already indicated that they will pursue further action on the merits and before the CNIL.
It will also have to be seen whether the discussion will remain limited to just the hosting of French health data in connection with the HDH. The CNIL has made it clear that it feels that there are concerns with the hosting of French health data, or even personal data, in general by a U.S.-owned provider. The CNIL could very well expand its position for personal data more generally going forward.