The French Supreme Courtroom rejects the momentary suspension of the French well being information heart; Requires further ensures based on Schrems II
On October 13, 2020, the highest administrative court in France (the “Conseil d’État”) issued a summary judgment denying a request to suspend the French central health data hub, the Health Data Hub (“HDH”) currently hosted by Microsoft. However, the Conseil d’État recognized the risk of US intelligence agencies requesting the data and requested additional guarantees under the control of the French Data Protection Agency (“CNIL”).
France’s HDH is based on the willingness of the French government to build a hub that will make it easier to study rare diseases and use artificial intelligence to improve diagnoses. To this end, the HDH aims to consolidate all health data of people receiving medical care in France in order to facilitate the exchange of data and promote medical research. The HDH was put into operation in early April 2020 to cope with the COVID-19 health crisis and improve knowledge. The French government initially decided to partner with Microsoft and its cloud platform Azure. On April 15, 2020, HDH signed a contract with Microsoft’s Irish subsidiary for the provision of health data in data centers in the EU.
On September 28, 2020, several associations, unions and individual applicants appealed to the judge of the collective proceedings of the Conseil d’État and requested the suspension of the processing of health data in connection with the COVID-19 pandemic in the HDH. In essence, the petitioners argued that the hosting of the data by a company subject to US law creates privacy risks due to possible transfers of the data to US intelligence agencies, as highlighted by the Court of Justice of the European Union (“ECJ”). in the Schrems II case. In this case, the ECJ found that the US surveillance programs based on Section 702 of the Foreign Intelligence Surveillance Act (“FISA”) and Executive Order 12333 (“EO 12333”) were not limited to that what is absolutely necessary and that the EU-US Privacy Shield Framework did not grant EU citizens any exploitable rights before an entity offered guarantees that essentially correspond to those required by EU law. For these reasons, the ECJ declared the EU-US Privacy Shield to be invalid.
On October 8, 2020, the CNIL submitted comments on the summary procedure before the Conseil d’État. On the same day, the French Foreign Minister for Digital announced that the French government intended to transfer the HDH to a French or European platform. On October 9, 2020, a French ministerial ordinance was passed that bans any data transmission outside the EU by the HDH.
Comments from the CNIL
Although the CNIL made it clear that their comments only relate to the specific case of health data, the comments provide some insight into the CNIL’s position on the consequences of the Schrems II case and the types of additional safeguards organizations are implementing on top of a contract could be a data transfer mechanism (in practice standard contractual clauses) for valid transfer of personal data to the USA
According to the CNIL, a distinction must be made between the following two situations when transmitting data to the USA:
- If the recipient of the personal data (unencrypted or decryptable by this recipient) is directly subject to the surveillance and requirements of the US intelligence services on the basis of FISA and EO 12333, it is particularly difficult in this case to take additional security precautions. This is the situation Microsoft is facing in the United States
- If the recipient of the data is not directly subject to the monitoring established by FISA and EO 12333: In this case, the personal data are generally still subject to the monitoring program in question when transmitted to the data recipient. According to the CNIL, communication channels that are subject to the surveillance programs examined by the ECJ in Schrems II are used for the transmission of data. In this situation, however, additional encryption measures should, under certain conditions, guarantee an essentially equivalent level of data protection, as provided in the EU.
The CNIL recognized that the ECJ only examined the situation in which an operator voluntarily transmits personal data to the USA. According to the CNIL, the reasons for the decision of the ECJ also require the examination of the legality of a situation in which an operator is processing personal data in the EU, but there is the possibility that the data is due to an official or judicial order or a Request from US intelligence agencies must be transmitted. In this case, the CNIL was of the opinion that US laws (FISA and EO 12333) also apply to personal data stored outside the US
The CNIL also believed that despite all of the technical measures implemented by Microsoft (including data encryption), Microsoft could still access the data it processes on behalf of the HDH and could theoretically be subject to requests from U.S. intelligence services under FISA (or even EO 12333), in which Microsoft would have to transfer personal data that is stored and processed in the EU. According to the CNIL, such requests are not based on an international agreement and are therefore illegal in accordance with Article 48 of the EU’s General Data Protection Regulation (“GDPR”). The CNIL concluded that health data should be hosted by companies that are not governed by US law. According to the CNIL, this would be the most effective solution to avoid transmission risks. However, the CNIL recognized that it may also be possible to introduce a contractual mechanism through which the US service provider would enter into a license agreement with the EU company. Under this agreement, the EU company would only be able to conduct operations with personal data and would benefit from the services and expertise of the US company without the company being able to access this data.
Finally, the CNIL was of the opinion that a transition period is needed to switch to another hosting provider. During this transition period, possible data transfers could be based on a deviation from the general ban on data transfer outside the EU under Article 49 of the GDPR. In particular, the transfers could be based on Article 49 Paragraph 1 Letter d of the GDPR, which enables the transfer of personal data for important reasons of public interest under EU or Member State law. According to the CNIL, there is an obvious public interest in maintaining the continuity of data hosting and use of such data when the transfers to US authorities are not in the public interest. However, such an exemption should result from a specific and temporary prudential provision.
Council of State ‘s decision
In its decision, the Conseil d’État of the CNIL agreed that it cannot be completely ruled out that the US authorities could ask Microsoft and its Irish subsidiary to access some of the data stored in the HDH. In contrast to the CNIL, however, the judge of the collective proceedings of the Conseil d’État did not take the view that the ECJ’s decision in the Schrems II case also requires an examination of the conditions under which personal data are processed in the EU by US companies or their companies Affiliated companies are allowed to act as data processors (or even data processors). According to the Conseil d’État, EU data protection law does not prohibit organizations from subcontracting data processing activities on EU territory to a US company. In addition, the judge of the summary proceedings found that the violation of the GDPR in this case was purely hypothetical, since it assumes that the US authorities are interested in accessing the health data stored in the HDH and that Microsoft is unable to to reject possible access requests. In this context, the judge of the summary proceedings found that the health data are pseudonymized before release within the HDH and then encrypted by Microsoft. Finally, the judge stressed that, given the COVID-19 pandemic, there is an important public interest in enabling the continuous processing of health data, as made possible by the HDH. The summary judgment judge concluded that there was no adequate justification for the suspension of data processing activities being carried out by HDH, but ordered HDH to work with Microsoft to further strengthen data protection rights (by amending their data processing agreement) until a Solution has been found that eliminates any risk of US authorities accessing personal data (e.g. using a new hosting provider as announced by the French Foreign Minister for Digital, or entering into a licensing agreement, as announced by the CNIL suggested).
Following the decision of the Conseil d’État, the CNIL announced that it would provide guidance to the French authorities on how to implement adequate guarantees and ensure that the use of the HDH is necessary when considering requests for approval of research projects on this platform.
Read the press release and the full summary judgment of the Conseil d’État, as well as the CNIL press release and comments (all available in French only).