In wake of the Schrems II, CNIL challenges use of Microsoft cloud storage to host public health data lakes (the Health Data Hub case – Part 1)

The Health Data Hub is a “new” platform aiming at improving the agglomeration of the available public health databases to facilitate their use for research projects, by private and public entities, to create new opportunities such as with regards to artificial intelligence. These databases are, for instance, the French national health insurance system (SNIIRAM), some hospitals and health care organisations data bases (PMSI) and the statistical database on causes of death (BMCD).

Because one of the requesters’ pivotal arguments against the Health Data Hub is that Microsoft Azure was chosen to host the data, the CNIL was asked to provide its opinion on implications of the recent Privacy Shield invalidation, with regards to international data transfers incurred by the services and to potential access requests to personal data by US surveillance authorities. The CNIL reviewed the contract between Microsoft and the French administration to conclude that the safeguards to protect the data against US surveillance law were not sufficient and, consequently, that the hosting by Microsoft was unlawful in this case.

The CNIL’s brief:

• Reminder of the Schrems II ruling’s impact. Following the Schrems II ruling, the CNIL observed that Microsoft’s reliance on the Standard Contractual Clauses for EU-US data transfers would be particularly difficult as Microsoft is subject to the US Foreign Intelligence Surveillance Act (FISA) and Executive Order (EO) 12333. Even though the Schrems II ruling only dealt with transfers executed on the controller’s initiative, it requires examining situations where a company may be compelled to transfer data to the US pursuant to a court order or an US intelligence services request.
• Minimal EU-US data transfers. According to the CNIL’s findings, data transfers to the US on Microsoft’s initiative are residual, and mainly for incident management reasons. However, if such transfers should continue, they would be unlawful in light of the Schrems II ruling.
• Impact of US intelligence agencies disclosure requests. Pursuant to US surveillance laws, Microsoft can be subject to US Government data access requests that would  compel it to transfer EU personal data to the US. These requests should then be considered as unauthorized disclosures under Article 48 of the General Data Protection Regulation (GDPR) because the requests are not made pursuant to an international treaty (e.g., mutual legal assistance treaty) and cannot be justified by any other lawful grounds.
• Other solutions to be found: The CNIL recommended using hosting service providers that are exclusively under EU jurisdiction for the type of health data at issue in the case, reminding that any transfers outside the EU would be illegal as a result of the Schrems II decision. In conclusion, the CNIL urged French authorities to find alternative service providers to host the Health Data Hub.

Analysis:

• Limited scope of the CNIL’s position. The CNIL’s position may be understood as addressing the very specific context of public health data and data lakes, and not intended for broader interpretation. A narrow interpretation is appropriate because the position only concerns (i) the Health Data Hub and (ii) specific health data warehouses for which the CNIL has granted a prior authorization (“entrepôt de données de santé” see explanation on this specific category here in French). Nevertheless, the CNIL’s overall reasoning is general and could be transposed to other sensitive processing operations.
• Necessary modification of the hosting conditions. Pursuant to the Schrems II ruling, the CNIL holds that health data and in particular the Health Data Hub’s data should be kept out of reach from US intelligence agencies. In practice, this entails modifying hosting conditions when performed by providers subject to US law.
• Transition period. According to the CNIL, the changes should take place as soon as possible. However, a transition period is necessary to prevent data or technology loss that could jeopardize public health data processing during the ongoing health crisis. This transition period could be justified by Article 49.1(d) GDPR, which authorizes derogations from the GDPR’s transfer restrictions when necessary for important reasons of public interest. In this case, the public interest is to ensure (i) continuity of the health data platform and (ii) a smooth transition towards an appropriate hosting solution.
• Post-Schrems II context. The CNIL’s position should be read in a post-Schrems II context in which the European Data Protection Board’s (EDPB) guidance on international data transfers and the European Commission’s new Standard Contractual Clauses are still forthcoming. The CNIL does has not provided criteria for determining whether a company falls under US surveillance laws. Such criteria should be presented in the coming weeks in the upcoming EDPB guidelines regarding the consequences of Schrems II CJEU ruling.
• Potential workarounds broached by the CNIL. The CNIL is providing pointers toward some potential workarounds enabling lawful hosting of public health personal. The most effective solution would be to have the data hosted by providers not subject to US surveillance laws (FISA and EO 12333). In this respect, it is not sufficient that the hosting provider have its head office outside the US if it performs an activity in the US. In this case, the hosting provider must demonstrate appropriate organisational measures to provide the appropriate protection level. The solutions raised by the CNIL are:
  • creating a subsidiary for activities performed in the US; and
  • setting-up of a contractual scheme whereby the American company concludes a licensing agreement with a European company which has the sole possibility to act on the decrypted data, without having the US entity being able assessing it.

Next steps

• The French Health Ministry published a short decree on October 10 amending the legal provisions creating the Health Data Hub to prohibit any transfers of data outside the EU.
• The Conseil d’Etat was not bound by CNIL’s position, and in its decision on October 14, 2020, the Conseil d’Etat ruled that (i) the Health Data Hub hosting by Microsoft should not yet be suspended and (ii) Microsoft has 15 days to demonstrate that its hosting and processing does not entail any transfer of personal data outside of the EU. The Conseil d’Etat also gave 15 days to Microsoft and the Health Data Hub to amend their agreement to clearly show that hosted is not transferred outside the EU and US surveillance laws will not reach the hosted data.

Authored by Patrice Navarro and François Zannotti.