The Council of State asks the Health Data Hub for additional guarantees to limit the risk of transfer to the United States
In its order of 13 October 2020, the Council of State acknowledges the existence of a risk of data transfer from the Health Data Hub to the United States and requests additional safeguards. The CNIL will advise the public authorities on appropriate measures and will ensure, for research authorisations related to the health crisis, that there is a real need to use the platform.
The essentials
- Fearing that some data might be transferred to the United States, some claimants lodged an appeal with the Council of State requesting the suspension of the "Health Data Hub", the new platform designed to ultimately host all the health data of people who receive medical care in France.
- The Court considers that a risk cannot be excluded with regard to the transfer of health data hosted on the Health Data Hub platform to US intelligence services.
- Because of the usefulness of the Health Data Hub in managing the health crisis, it refuses to suspend the operation of the platform.
- However, it requires the Health Data Hub to strengthen its contract with Microsoft on a number of points and to seek additional safeguards to better protect the data it hosts.
- It is the responsibility of the CNIL to ensure, for authorization of research projects on the Health Data Hub in the context of the health crisis, that the use of the platform is technically necessary, and to advise public authorities on the appropriate safeguards.
- These measures will have to be taken while awaiting a lasting solution that will eliminate any risk of access to personal data by the American authorities, as announced by the French Secretary of State for the Digital Agenda.
The Health Data Hub is an information system designed to gather all health data of the entire population receiving care in France. This centralisation, as required by the legislator, should in particular encourage medical research. For the purposes of managing the health crisis, the Health Data Hub was commissioned ahead of schedule, in April 2020, with a limited scope.
As the hosting of the platform has been entrusted to Microsoft, various associations and professionals have brought an action before the Council of State requesting the suspension of the Health Data Hub, due to the recent ruling of the Court of Justice of the European Union (CJEU) of 16 July 2020, known as "Schrems II". In this ruling, the Court of Justice ruled that the surveillance carried out by the US intelligence services on the personal data of European citizens was excessive, insufficiently supervised and without any real possibility of redress. It concluded that transfers of personal data from the European Union to the United States are contrary to the General Data Protection Regulation (GDPR) and the Charter of Fundamental Rights of the European Union, unless additional safeguards are provided or in certain exceptional cases.
The Council of State invited the CNIL to produce observations on this appeal. In its brief, the CNIL took the view that the choice of a hosting provider subject to American law seemed incompatible with the CJEU's requirements regarding the protection of privacy. On the one hand, it invited the judge to verify that the host's commitments to terminate the transfer of personal data outside the EU covered the entire Health Data Hub. On the other hand, it considered that the hosting of the platform by a company under US law, which could be required to respond to requests for data disclosure, even if pseudonymised, was in itself problematic and should lead to a change of operator or to additional safeguards being provided. It recommended that a transition period be set up to achieve this objective.
In its order, the Court considered that:
- The Schrems II ruling of the CJEU implies that Microsoft must refrain from transferring health data to the United States. On this point, the judge noted the important guarantees already provided by the Health Data Hub and asked for clarifications in the contract.
- The judge confirmed that a risk of transmission of health data on request from the US intelligence services cannot be excluded.
- Given the importance of the Health Data Hub, particularly in managing the health crisis, this risk does not justify the immediate termination of the platform. On the other hand, the judge requests that guarantees be provided to minimise this risk.
- In this respect, it takes note of the Government's expressed willingness to transfer the Health Data Hub to French or European platforms following the Schrems II ruling. In the meantime, the judge asks the Health Data Hub to work to minimise this risk, in particular by concluding a new amendment with Microsoft.
- The judge asked the CNIL to examine requests for authorisation for research projects using the Health Data Hub, verifying that the interest of the project, given the current health emergency, is sufficient to justify the risk incurred and that recourse to the platform is necessary.
The CNIL will carefully analyse the position of the Court when examining applications for authorisation of research projects that use the Health Data Hub, and will advise the public authorities on the implementation of appropriate long-term safeguards.
In this respect, the CNIL welcomes the statements made by the French Secretary of State for Digital Technology who, on 8 October last, indicated the Government's desire to transfer the Health Data Hub to French or European platforms.