On October 8, 2020, France’s data protection authority (CNIL) provided the French Administrative Supreme Court (Conseil d’Etat) with a brief presenting its arguments against the hosting of some French public health data by Microsoft in light of the European Court of Justice’s recent invalidation of the EU-US Privacy Shield in Schrems II. CNIL provided its brief in the context of an action brought before the Conseil d’Etat by the Conseil National du Logiciel Libre (CNLL), a union of open source software providers, and other syndicates and professional associations requesting that the Health Data Hub be suspended to put an end to unlawful interference with the right to privacy and to personal data protection.
The Health Data Hub is a “new” platform aiming at improving the agglomeration of the available public health databases to facilitate their use for research projects, by private and public entities, to create new opportunities such as with regards to artificial intelligence. These databases are, for instance, the French national health insurance system (SNIIRAM), some hospitals and health care organisations data bases (PMSI) and the statistical database on causes of death (BMCD).
Because one of the requesters’ pivotal arguments against the Health Data Hub is that Microsoft Azure was chosen to host the data, the CNIL was asked to provide its opinion on implications of the recent Privacy Shield invalidation, with regards to international data transfers incurred by the services and to potential access requests to personal data by US surveillance authorities. The CNIL reviewed the contract between Microsoft and the French administration to conclude that the safeguards to protect the data against US surveillance law were not sufficient and, consequently, that the hosting by Microsoft was unlawful in this case.
Authored by Patrice Navarro and François Zannotti.
Are you sure want to delete comment ?
Scan this QR Code to share this content