On October 9, 2020, there were media reports that the French Data Protection Authority (CNIL) had expressed concerns regarding the hosting by Microsoft (EU) of the French centralized public health database (the Health Data Hub). In a legal brief, the CNIL recommended the Health Data Hub and the French government put an end to any data transfers to the US in the context of this database, and recommended a change of the health data hosting provider. The CNIL’s position, which is not binding on data controllers, does not create a general prohibition on transfers of health data to the US or on use of US-based cloud service providers, but instead encouraged data controllers to conduct the risk assessment requirement by the Schrems II decision as soon as possible, and to implement strong safeguards to ensure the protection of health personal data from access by US authorities. The French Administrative Supreme Court (Conseil d’Etat) has just issued a ruling showing that it does not completely share the CNIL’s position.
This CNIL position is part of a series of proceedings before the Conseil d’Etat regarding Microsoft’s hosting in the EU of the French centralized public health database (the “Health Data Hub”). In the course of these proceedings, the CNIL has produced a brief addressing:
The lawfulness of the potential data transfers to the US: The impact of the Schrems II decision on the lawfulness of the health data transfers to the US based on standard contractual clauses (SCCs). At the beginning of the proceedings, the hosting service provided by Microsoft involved remote access by Microsoft IT services, for maintenance and support purposes. Remote access was said to be limited to logs and not to involve any access to health data.
The applicability of US surveillance laws (CLOUD Act, section 702 of the FISA, EO 12333) to the hosting service provider, and the risks associated with potential requests from US courts/authorities to access data hosted within the EU by an affiliate of a US entity.
A strict interpretation by the CNIL of the Schrems II decision
The CNIL’s brief sets forth its interpretation of the Schrems II decision, which conditioned the use of SCCs to the adoption of additional safeguards. The CNIL considers that such additional safeguards are “quite difficult” to implement for transfers to providers directly subject to section 702 of the FISA and the EO 12333, such as electronic communication service providers. When the recipient is not directly subject to such provisions, the risks are linked to the transit of data through infrastructures, such as undersea communications cables, subject to such surveillance programs and can be appropriately mitigated using data encryption.
Because of its concerns about the feasibility of implementing sufficient safeguards, in the context of the Health Data Hub, the CNIL recommended that all data transfers to the US be stopped, and on October 10th, the Ministry of Health expressly confirmed that data processed by the Health Data Hub may not be transferred to countries located outside of the EU.
It thus appears clear that the CNIL has decided to adopt a strict, even expansive, construction of the Schrems II decision and that it considers the factors that led to the invalidation of the Privacy Shield may also mean that the standard contractual clauses, even with additional safeguards, may not provide for a sufficient level of protection for transfers of health data to the US.
A difference of opinion between the CNIL and the Conseil d’Etat on the level of risk associated with pseudonymized health data.
Even if the Health Data Hub was hosted within the EU territory, the CNIL expressed concern that potential requests from US authorities or courts, in the context of surveillance programs under the provisions of section 702 of FISA and EO 12333, create a risk of access by US authorities to health data. However, on June 19, 2020 and again on October 14, 2020, the Conseil d’Etat ruled, in decisions addressing respectively provisions of the CLOUD Act and of section 702 of FISA as well as of EO 12333, that the actual risk of a US court/authority requesting an access to the Health Data Hub database appeared low, because health data are not likely to be useful for criminal/anti-terrorism purposes, and even less likely in the Health Data Hub database, where data are pseudonymized, without the identity of the individuals.
In its brief, contrary to the position of the Conseil d’Etat, the CNIL argued that there is an actual risk that a US court/authority could request an access to the Health Data Hub database, that health data are sensitive and that pseudonymisation measures do not actually lessen the risks of reidentification considering the level of details of the medical records hosted in the Health Data Hub, but did not explicitly address the Conseil d’Etat’s position regarding the lack of usefulness of health data for criminal or anti-terrorism proceedings.
As the CNIL itself points out, the position it expresses in its brief is not binding on operators or even a general public guidance. First, the CNIL distinguishes the Health Data Hub context from the subject matter of the Schrems II decision, since data in the Health Data Hub should not be transferred to the US but could be subject to a request to access data stored within the E.U. In addition, the CNIL expressly states that its opinion only covers the specific case of health data, and reserves judgment on transfers for other sectors or involving less sensitive personal data.
Finally, this position has not been confirmed by the Conseil d’Etat (which reviews the CNIL’s decision at first and last instance). In its June 19 decision addressing only the CLOUD Act provisions, the Conseil d’Etat had showed that it did not consider such provisions as creating a major and urgent risk for health data protection. Regarding the risk associated with section 702 of FISA and the EO 12 333, the Conseil d’Etat ruled on October 13 that given the important public interest of maintaining a COVID-19 health database, the risks of access by US authorities, although possible, are not serious enough to justify the suspension of the service and the immediate change of provider.
Implications of the CNIL’s and Conseil d’Etat’s positions for health data processing
Organizations processing health data, and particularly those transferring such data to any affiliate of a US based hosting provider, now must decide whether to adopt the CNIL’s interpretation and seek alternative hosting options. The Conseil d’Etat has only ruled on the particular emergency of the issue but it has not questioned the existence of risks of access by US authorities. Therefore, the CNIL’s position, even if it not completely confirmed by the Conseil d’Etat in terms of risk level, must still be taken into account to some extent.
First, stakeholders should follow closely the developments of these proceedings and the potential public position that the CNIL might take following this last decision by the Conseil d’Etat. In addition, the recommendations of the EDPB task force on appropriate supplementary measures to ensure adequate protection when transferring data to third countries are also expected soon.
Second, before making any decision, organizations should check whether any change of provider is compliant with other fields of applicable law. For example, in the EU, public entities are not allowed, as a general rule of public procurements, to discriminate on the grounds of the nationality of the provider (principles of equal access to public procurement and non-discrimination).
Third, it’s important to note that branches or subsidiaries of US cloud service providers are not the only entities that may be covered by US surveillance laws. Therefore, to some extent, a French parent company, storing data in France, might be subject to US authorities’ access requests if one of its affiliates is established within the EU and has some form of control over the data. A thorough analysis of the applicability of foreign surveillance laws on any provider should thus be conducted before any change of provider.
Organizations making or contemplating transfers of health data should consider the impact of the Schrems II decision and this new opinion guidance from the CNIL on their operations as soon as possible, by conducting a data transfer risk assessment and implementing additional safeguards for the transfers, such as using a third party encryption provider, based in the EU and not subject to US jurisdiction, in order to avoid any access to the health personal data.