The Council of State asks the Health Data Hub for additional guarantees to limit the risk of transfer to the United States
In its order of 13 October 2020, the Council of State acknowledges the existence of a risk of data transfer from the Health Data Hub to the United States and requests additional safeguards. The CNIL will advise the public authorities on appropriate measures and will ensure, for research authorization related to the health crisis, that there is a real need to use the platform.
- Fearing that some data might be transferred to the United States, some claimants lodged an appeal with the Council of State requesting the suspension of the "Health Data Hub", the new platform designed to ultimately host all the health data of people who receive medical care in France.
- The Court considers that a risk cannot be excluded with regard to the transfer of health data hosted on the Health Data Hub platform to the US intelligence.
- Because of the usefulness of the Health Data Hub in managing the health crisis, it refuses to suspend the operation of the platform.
- However, it requires the Health Data Hub to strengthen its contract with Microsoft on a number of points and to seek additional safeguards to better protect the data it hosts.
- It is the responsibility of the CNIL to ensure, for authorization of research projects on the Health Data Hub in the context of the health crisis, that the use of the platform is technically necessary, and to advise public authorities on the appropriate safeguards.
- These measures will have to be taken while awaiting a lasting solution that will eliminate any risk of access to personal data by the American authorities, as announced by the French Secretary of State for the Digital Agenda.
The Health Data Hub is an information system designed to gather all health data of the entire population receiving care in France. This centralisation, as required by the legislator, should in particular encourage medical research. For the purposes of managing the health crisis, the Health Data Hub was commissioned in advance in April 2020 and on a limited scope.
As the hosting of the platform has been entrusted to Microsoft, various associations and professionals have brought an action before the Council of State requesting the suspension of the Health Data Hub, due to the recent ruling of the Court of Justice of the European Union (CJEU) of 16 July 2020, known as "Schrems II". In this ruling, the Court of Justice ruled that the surveillance carried out by the US intelligence services on the personal data of European citizens was excessive, insufficiently supervised and without any real possibility of redress. It concluded that transfers of personal data from the European Union to the United States are contrary to the General Data Protection Regulation (GDPR) and the Charter of Fundamental Rights of the European Union, unless additional safeguards are provided or in certain exceptional cases.
The Council of State invited the CNIL to produce observations to this appeal. In its brief, the CNIL took the view that the choice of a hosting provider subject to American law seemed incompatible with the CJEU's requirements regarding the protection of privacy. On one hand, it invited the judge to verify that the host's commitments to terminate the transfer of personal data outside the EU covered the entire Health Data Hub. On the other hand, it considered that the hosting of the platform by a company under US law, which could be required to respond to requests for data disclosure, even if pseudonymised, was in itself problematic and should lead to a change of operator or to additional safeguards being provided. It recommended that a transition period be set up to achieve this objective.
In its order, the Court considered that :
- The Schrems II ruling of the CJEU implies that Microsoft must refrain from transferring health data to the United States. On this point, the judge noted the important guarantees already provided by the Health Data Hub and asked for clarifications in the contract.
- The judge confirmed that a risk of transmission of health data on request from the US intelligence services cannot be excluded.
- Given the importance of the Health Data Hub, particularly in managing the health crisis, this risk does not justify the immediate termination of the platform. On the other hand, the judge requests that guarantees be provided to minimise this risk.
- In this respect, it takes note of the Government's expressed willingness to transfer the Health Data Hub to French or European platforms following the Schrems II ruling. In the meantime, the judge asks the Health Data Hub to work to minimise this risk, in particular by concluding a new amendment with Microsoft.
- The judge asked the CNIL to examine requests for authorisation for research projects using the Health Data Hub, verifying that the interest of the project, given the current health emergency, is sufficient to justify the risk incurred and that recourse to the platform is necessary.
The CNIL will carefully analyse the position of the Court when examining applications for research project authorisations when research projects use the Health Data Hub and will advise the public authorities on the implementation of appropriate long-term safeguards.
In this respect, the CNIL welcomes the statements made by the French Secretary of State for Digital Technology who, on 8 October last, indicated the Government's desire to transfer the Health Data Hub to French or European platforms.