French Data Protection Authority Rules on Transfers of Health Data

The French Conseil d’Etat handed down an important decision on October 13th regarding privacy and personal data protection. This decision comes in the wake of the “Schrems II” ruling of the Court of Justice of the European Union (CJEU), which held that the protection of data transferred to the United States under the “Privacy Shield” was insufficient under European law.

A platform managing health data (named “Health Data Hub”) was created in 2019 to facilitate the sharing of these data in order to promote research. The Health Data Hub is heavily used in the context of the Covid-19 crisis. This platform has entered into a contract with an Irish subsidiary of the American company Microsoft to host the data and use the software required to process it.

Before the French Conseil d’Etat, several NGOs, unions and individuals asked for the suspension of the processing of data related to the Covid-19 epidemic on the Health Data Platform because of the risks that this situation entails with regard to the right to privacy, given possible data transfers to the United States.

Even though a contract prohibits cross-border data flows outside the EU, the Conseil d’Etat considers that it cannot be completely excluded that the U.S. intelligence authorities may request access to certain data from Microsoft and its Irish subsidiary.

In spite of the risk, the Conseil d’Etat considers that the data processing by Microsoft on the territory of the EU does not, per se, constitute a serious and manifest breach of privacy, for the following reasons:

  • The CJEU does not prohibit in principle data processing by American companies on EU territory;
  • The violation of GDPR remains “hypothetical,” as it would imply that Microsoft would not be able to oppose a possible request from U.S. authorities;
  • Health data are pseudonymized before hosting and processing by the Health Data Hub;
  • A significant public interest related to the management of the Covid-19 crisis justifies the use of the Health Data Hub.

The Conseil d’Etat consequently rejects the request for immediate suspension of data processing by this platform.

However, given the existence of a risk to privacy, the Conseil d’Etat requests the Health Data Hub to continue, under the supervision of the French data protection authority (named CNIL), to work with Microsoft to strengthen the protection of personal data. These temporary measures shall be taken pending a definitive solution that will eliminate any risk of breach of privacy by U.S. authorities (choice of a new subcontractor, use of a license agreement).
