France’s data regulator CNIL has issued some recommendations for French services that handle health data, as Mediapart first reported. Those services should avoid using American cloud hosting companies altogether, such as Microsoft Azure, Amazon Web Services and Google Cloud.
Those recommendations follow a landmark ruling by Europe’s top court in July. The ruling, dubbed Schrems II, struck down the EU-U.S. Data Privacy Shield. Under the Privacy Shield, companies could outsource data processing from the EU to the U.S. in bulk. Due to concerns over U.S. surveillance laws, that mechanism is no longer allowed.
The CNIL is going one step further by saying that services and companies that handle health data should also avoid doing business with American companies — it’s not just about processing European data in Europe. Once again, this is all about avoiding falling under U.S. regulation and rulings.
The regulator sent those recommendations to one of France’s top courts (Conseil d’État). SantéNathon, a group of organizations and unions, originally notified the CNIL over concerns about France’s Health Data Hub.
France is currently building a platform to store health data at the national level. The idea is to build a hub that makes it easier to study rare diseases and use artificial intelligence to improve diagnoses. It is supposed to aggregate data from different sources and make it possible to share some data with public and private institutions for those specific cases.
The technical choices have been controversial as the French government originally chose to partner with Microsoft and its cloud platform Microsoft Azure.
Microsoft, like many other companies, relies on Standard Contractual Clauses for EU-U.S. data transfers. But the Court of Justice of the EU has made it clear that EU regulators have to intervene if data is being transferred to a country that does not offer adequate protection when it comes to privacy and surveillance.
The CNIL's position is that even if an American company processes data in Europe, it still falls under FISA Section 702 and other U.S. surveillance laws, so the data could still end up in the hands of American authorities. In other words, the regulator is being extra careful with health data for now, while the consequences of Schrems II are still unfolding.
“We’re working with health minister Olivier Véran on transferring the Health Data Hub to French or European platforms following the Privacy Shield bombshell,” France’s digital minister Cédric O told Public Sénat.
The French government is now looking at other solutions for the Health Data Hub. In the near future, if France’s top court confirms the CNIL’s recommendations, it could also have some effects for French companies that handle health data, such as Doctolib and Alan.