On October 13, 2020, France’s high administrative court (Conseil d’État, “the Court”) rejected a request to suspend France’s centralized health data platform—the Health Data Hub—currently hosted by Microsoft in its data center in the Netherlands.
In essence, the Court rejected the French DPA’s (CNIL) argument that in light of the important public interest of maintaining a COVID-19 related health database, the risks of access by U.S. authorities, although real, do not justify the suspension of the platform. The judgment provides useful insights in light of the recent Schrems II ruling for organizations transferring health data outside of the EU (for more information on the Schrems II ruling, see our blog post ECJ Invalidates EU-U.S. Privacy Shield and Upholds the Standard Contractual Clauses).
In April 2020, the French government passed a Decree to accelerate the deployment of the Health Data Hub due to the COVID-19 crisis (the Decree). The Health Data Hub is an information system designed to centralize all health data of the entire population receiving medical care in France. A month later, a group of privacy and civil rights organizations and doctors’ associations sought the annulment of the Decree before the Court. They argued that entrusting French citizens’ health data to Microsoft is illegal under EU law, as this would render the data accessible to U.S. surveillance and intelligence services. The Court invited the CNIL to comment on the summary proceedings, and on October 8, 2020, the CNIL filed its comments. One day later, a new Decree was adopted prohibiting data transfers from the Health Data Hub to countries outside of the EU.
CNIL’s Insights on the Processing of Health Data After Schrems II
In its comments before the Court, the CNIL provides its interpretation of the Schrems II ruling, while making clear that its analysis is only applicable to this specific case. The CNIL indicates that:
- Organizations subject to section 702 of FISA and EO 12333 should implement strong data protection safeguards. The Court of Justice of the European Union (CJEU) ruled that data exporters and importers need to put supplemental measures in place when using the standard contractual clauses to ensure effective data protection. The CJEU did not specify what these “supplemental measures” should entail. The CNIL states that a particularly high standard should be used if the data importer is subject to FISA 702 surveillance requests or EO 12333 (the “Surveillance Programs”). Furthermore, the CNIL argued that the risk of access by U.S. authorities to health data is real in the current case, and that pseudonymization measures are insufficient if there is an effective risk on re-identification.
- The risk of access by U.S. authorities would still exist if the data were hosted within the EU. According to the CNIL, the hosting of the personal data in the EU does not eliminate all risk, because companies hosting data in the EU may remain subject to disclosure obligations in the context of the Surveillance Programs. Data in transit may be subject to similar risks but the CNIL finds that additional encryption measures may, under certain conditions, mitigate these risks enough to ensure a level of protection essentially equivalent to the one offered by EU law.
- The hosting of health data by a U.S. company, even pseudonymized, would in itself be problematic and should lead the implementation of specific safeguards. The CNIL concludes that ensuring that health data be hosted by companies outside the authority of U.S. Surveillance Programs is the best way to avoid any risks of access. It clarifies that, where possible, an EU company operating on behalf of a U.S. service provider could be used to host the data. In this case however, solely the EU company would be permitted to access the personal data.
The Court’s Assessment of the Risk of Access by U.S. Authorities
The Court acknowledged that U.S. public authorities could potentially request Microsoft to disclose data held in the Health Data Hub. However, it did not align with the CNIL’s position that the processing of data by Microsoft on the territory of the European Union constitutes in itself a “serious and manifest” illegality justifying the suspension of the platform. Four elements support this assessment:
- The CJEU never ruled that European data protection law prohibits entrusting the processing of health data to a U.S. company on EU territory.
- No breach of the General Data Protection Regulation (GDPR) on the part of Microsoft was demonstrated. In the Court’s view, a violation GDPR remains hypothetical as it would presuppose that the U.S. company would never oppose a possible request from the U.S. authorities.
- The data is pseudonymized prior to its upload on the Health Data Hub; and
- In the context of the COVID-19, there is an important public interest in having Microsoft continue hosting the data, in particular as, to date, no specific other service provider seems to offer the same hosting capabilities.
In light of the above, the Court authorized the Health Data Hub to continue using Microsoft as a hosting service provider. It also encouraged Microsoft to strengthen the protection of the rights of the persons concerned with regard to their personal data, under the CNIL’s supervision, at least until a solution is found ensuring that U.S. authorities cannot access the data.
The judgment and the corresponding CNIL’s opinion will be useful for organizations processing health data and using U.S. service providers. The analysis of both the CNIL and the Court may provide useful signals when conducting a data transfer risk assessment, and when defining what additional safeguard to implement.
 Decree of April 14, 2020 completing the decree of March 23, 2020 and prescribing the organizational and operational measures necessary for the healthcare system to deal with the COVID-19 epidemic in the context of the state of health emergency. Accessible here (in French only).
 Decree of October 9, 2020 amending the decree of July 10, 2020 prescribing the general measures necessary to deal with the COVID-19 epidemic in the territories that have emerged from the state of health emergency and in those where it has been extended. Accessible here (in French only).