Health Data Hub is a platform for pooling French healthcare data to promote medical research, hosted by Microsoft.
A number of associations and professionals, concerned about the potential transfer of health data by Microsoft to the United States following the Schrems II ruling, have lodged an appeal with the Conseil d'État, calling for the platform to be suspended.
As a reminder, in its Schrems II judgment of 16 July 2020, the Court of Justice of the European Union invalidated the "Privacy Shield" agreement between the European Commission and the US Chamber of Commerce to legalise transfers of personal data to the United States on the grounds that US legislation does not guarantee protection of personal data equivalent to that of the GDPR.
Asked to comment, the CNIL regretted that the chosen host was subject to US law and could therefore be required to communicate data to US government intelligence agencies, and accordingly called for Microsoft to be replaced by another service provider.
In its order of 13 October 2020, the Conseil d'État acknowledged the existence of a risk of transferring data from Health Data Hub to the United States despite the significant guarantees already provided. Given the usefulness of Health Data Hub in managing the health crisis and the Government's stated intention to transfer it to French or European platforms, it did not order the immediate suspension of the platform.
However, pending this change of service provider, the Conseil d'État:
- calls for the clauses of the contract with Microsoft to be strengthened and for additional security measures to be put in place to reinforce the protection of data hosted on the Health Data Hub;
- designates the CNIL to:
  - examine requests for authorisation of research projects on the Health Data Hub as part of the health crisis and ensure that use of the platform is technically necessary,
  - advise public authorities on appropriate safeguards.