Schrems II: France blocks US access to health data hub

Thanks to action by the French data protection authority, the CNIL, the French government has made an emergency change to its COVID-19 law to prevent health data being stored on a government system (Health Data Hub) operated by Microsoft (background here) being transferred to the US. Microsoft Corporation is a US-headquartered company subject to the US Foreign Intelligence Surveillance Act, the CLOUD Act, and other laws and Executive Orders (esp. 12333) potentially enabling US government access. Google’s translation of the text is below.

I am most interested to see if the US government or Microsoft will take political and/or legal action to clarify this very difficult to interpret interaction between US and EU law. Is a company subject to US law required to give the US government access under certain circumstances — or can a countervailing law in a jurisdiction such as the EU negate this?

If not, we are going to see a rapid spin-out of the GAFAMs’ European operations into separate European companies not subject to US law, as I explained here regarding Facebook.

Theo Christakis also has some interesting observations regarding the use of encryption. I would add there are very difficult techno-legal issues there too, given what we know from Snowden about the US government both compromising widely used encryption software libraries, and apparently having other capabilities to decrypt some material. And there is still the problem of metadata generated about storage and retrieval of even encrypted data from a US-accessible system.

Authenticated electronic official journal n° 0247 of 10/10/2020

Decree of October 9, 2020 amending the decree of July 10, 2020 prescribing the general measures necessary to deal with the epidemic of covid-19 in the territories removed from the state of health emergency and in those where it has been extended
NOR: SSAZ2027233A

The Minister of Solidarity and Health,
Having regard to Regulation (EU) 2016/679 of the European Parliament and of the Council of April 27, 2016 on the protection of individuals with regard to the processing of personal data and on the free movement of such data and repealing Directive 95/46/EC;
Having regard to Directive (EU) 2015/1535 of the European Parliament and of the Council of September 9, 2015 providing for an information procedure in the field of technical regulations and rules relating to information society services, in particular notification No. 2020/639/F;
Having regard to the public health code, in particular its articles L. 3131-1 and L. 3131-16;
Considering Law No. 2020-856 of July 9, 2020 organizing the exit from the state of health emergency;
In view of the amended order of 10 July 2020 prescribing the general measures necessary to deal with the epidemic of Covid-19 in the territories emerging from the state of health emergency and in those where it has been extended;
Having regard to judgment C-311/18 of July 16, 2020 of the Court of Justice of the European Union;
Considering that, to take into account the requirements of the “GDPR” of April 27, 2016, the health
data platform is contractually obliged to prevent any transfer of personal data to countries outside the European Union; that a regulatory provision imposing compliance with this obligation constitutes an additional guarantee of compliance with European law as well as domestic law on the protection of personal data and the preservation of the right to respect for private life,

1st Art. — After the second paragraph of III of Article 30 of the above-mentioned order of July 10, 2020, a paragraph worded as follows is inserted:
“No transfer of personal data can be made outside the European Union.”

Art. 2. — This decree will be published in the Official Journal of the French Republic.

Dated October 9, 2020.