Sending a letter to the Commission Nationale de l’Informatique et des Libertés CNIL following the cancellation of the agreement on the transfer of personal data between Europe and the United States or “Privacy Shield “.
Request for an explanation of the implications for the “Health Data Platform” of the cancellation of the “Data Protection Shield” or “Privacy Shield”.
Content of the letter
The deployment of a “Health Data Platform” through the creation of a Public Interest Grouping, was proclaimed by law n° 2019-774 of July 24, 2019 relating to the organization and transformation of the health system1. Currently these data are stored at Microsoft Azure2, the public cloud of the American giant Microsoft.
Opinion No 2020-044 of 20 April 2020 of your Commission3 refers to the risks of data transfers to third countries and disclosures not authorised by [European Union] law in the context of the subcontracting of the technical solution of the “platform” to Microsoft Azure. Following this opinion, on 19 June 2020, the Council of State enjoined the “Platform for Health Data” to inform citizens of the “possible transfer of data outside the European Union, taking into account the contract with its subcontractor” 4. Attention is drawn to the distinction between “rest” and “transit” data **. During the hearing at the Council of State on 11 June, it was mentioned that even if **Microsoft could guarantee the location of rest data (i.e. storage), this was not the case for transit data (i.e. analysis), which once copied to processors circulate worldwide. We are not talking here about maintenance data which are not health data.
On 16 July, the Court of Justice of the European Union thus declared that “the limitations on the protection of personal data which result from the internal regulations of the United States concerning access and use by the American public authorities of such data transferred from the [European] Union to that third country are not framed in such a way as to meet requirements equivalent to those required, under [European] Union law, by the principle of proportionality, in that the monitoring programmes based on those regulations are not limited to what is strictly necessary”5.
Following this judgment, the German Regulator stresses that “data should not be transferred to the United States until this legal framework has been reformed” 6.
We request your expertise to find out the consequences of the health data set of more than 67 million people at Microsoft Azure within the “Health Data Platform”. More particularly, we would like to know the consequences of the suppression of the “Privacy Shield” on the functioning of the “Health Data Platform “, especially since at the time of the referral to the Council of State, and until its Ordinance, the above-mentioned text was still in force.
We have decided to make this letter public. This publicity contributes to the objective of transparency defended by your Commission 7.
With this in mind, we ask you to accept, Madam President, the expression of our highest consideration.
LAW No. 2019-774 of 24 July 2019 on the organisation and transformation of the health system ↩
Measures of organization and functioning of the health system necessary to deal with the covid-19 epidemic in the context of the state of health emergency ↩
The Court invalidates Decision 2016/1250 on the adequacy of protection provided by the EU-US data protection shield ↩
Berlin: Berlin Commissioner issues statement on Schrems II case, asks controllers to stop data transfers to the US ↩
StopCovid application: the CNIL draws the consequences of its controls ↩