CNIL observations on the US-accessible Health Data Hub

Thanks to Mediapart, my friend’s OCR software, and Google Translate (plus my tidying-up), here is an English version of the French data protection authority (CNIL)’s observations to the highest French administrative court, the Conseil d’État, on an application for interim relief against the Microsoft-hosted Health Data Hub, which led the French government yesterday to make an emergency change to its Covid-19 decree.


Commission Nationale Informatique & Libertés

Your ref. : 444937 – NATIONAL COUNCIL OF FREE SOFTWARE vs. MINISTRY OF SOLIDARITIES AND HEALTH

Council of State

Contentious Section

REFERENCE L. 521-2 CJA

Memorandum of observations

For: The National Commission for Informatics and Freedoms (CNIL) whose headquarters are 3 place de Fontenoy, TSA 80715, 75334 PARIS CEDEX 07, represented by its President.

The personal data necessary for the performance of the CNIL’s missions are processed in files intended for its exclusive use. Data subjects can exercise their data protection rights by contacting the data protection officer (DPO) of the CNIL via an online form or by post. For more information: www.cnil.fr/donnees-personnelles.

FACTS AND PROCEDURE

The Plateforme des données de santé (PDS), also called “Health Data Hub”, was created by Law No. 2019-774 of July 24, 2019 relating to the organisation and transformation of the health system (OTSS), and by the decree of 29 November 2019, to facilitate the sharing of health data in order to promote research. In this context, the PDS, which is the “data controller” within the meaning of the GDPR, aims to centralise all the data from the national health data system[1], grouping together health data of the entire population treated in France.

PDS has chosen to use the services of Microsoft, a company headquartered in the United States, as a “subcontractor” within the meaning of the GDPR, in order to host health data currently in its possession (AZURE services known as Cloud computing).

Microsoft had adhered to the Privacy Shield, an instrument governing the transfer of personal data to the United States that was the subject of adequacy decision 2016/1250 by the European Commission. Transfers of personal data operated in this context are also governed by standard contractual clauses annexed to the contract.

On October 5, 2020, the National Commission for Informatics and Liberties was sent, for the production of observations, the application for interim measures filed by the National Free Software Council (“CNLL”) and others on the basis of article L. 521-2 of the Code of administrative justice, registered at the registry of the Litigation Section of the Council of State under number 444937.

The application for interim relief mainly involves the incompatibility with the GDPR of potential transfers of the data in question to the United States, at the initiative of Microsoft or public authorities of the United States, in particular the intelligence services.

The CNLL and others request that the processing and centralisation of data in connection with the Covid-19 epidemic on the health data platform (“Health Data Hub”) be suspended for the purpose of putting an end to a serious and manifestly unlawful interference with the right to privacy and the protection of personal data; that all measures necessary be ordered to ensure that there is no serious and manifestly unlawful interference with the right to privacy and the protection of personal data in connection with the processing and centralisation of health data on the Health Data Hub; and, on a subsidiary basis, that the CNIL be requested in particular to rule on the implications of the invalidation of the Privacy Shield on the processing and collection of data within the Health Data Platform.

[1] Article L. 1461-1 of the CSP: In particular, all the data related to hospitalisation resulting from the medicalisation of information systems or PMSI, data from compulsory health insurance or SNIIRAM, data relating to vital status and medical causes of death or CépiDC, data from the department of people with disabilities or MDPH, data from supplementary health insurance organisations, any data collected or produced during prevention, diagnostics or care, that is to say in particular all the medical files made by an establishment, a self-employed health professional, etc., data relating to the loss of autonomy, data from surveys in the field of health, data collected during compulsory medical and screening visits in schools, data from maternal and child protection centres or PMI, data collected in the context of occupational medicine.

The case as it stands calls for the following observations on behalf of the CNIL, without it intending to take a position on each of the arguments raised by the request.

OBSERVATIONS

1. The position of the CNIL before the intervention of the judgment of the CJEU of July 16, 2020 called Schrems II (CJEU 16 July 2020, DPC v. Facebook Ireland Ltd and M. Schrems, aff. C-311/18)

The CNIL was seized last April of the question of the use of the PDS within the framework of the Covid-19[2] health crisis. On this occasion, while it recognised the quality of the security measures protecting personal data, it was concerned that the choice of Microsoft for data hosting implied, despite the precautions taken by the PDS, that data transfers to the United States would be carried out. At the time, the transfers in question remained covered by the adequacy decision 2016/1250 of the Privacy Shield.

Under the case law of the CJEU (CJEU, October 6, 2015, C-362/14, known as Schrems I), it was up to the CNIL and the French authorities to respect this decision until it was invalidated by the CJEU, a procedure then in progress. In addition, transfers were framed by standard contractual clauses. Despite this, the CNIL recalled in its opinion of April 20, 2020 that the European Data Protection Board (EDPB) had expressed on several occasions its concerns about the particularly wide access by the authorities of the United States to personal data transferred to the United States or processed on technical platforms operated by US companies.

The CNIL, without considering that the situation would be illegal and would have justified an unfavourable opinion, therefore called on the government to be extremely vigilant with regard to conservation conditions and modalities of access to data, and recommended that, in the longer term, the hosting and the management services of the PDS be “reserved for entities exclusively under the courts of the European Union”. The CNIL had also received assurances that the services of the State and the PDS were working on the reversibility of constitution of the HDH, intended to make possible a change of host after the system has been deployed.

[2] Deliberation n° 2020-044 of April 20, 2020 giving an opinion on a draft order supplementing the order of March 23, 2020 prescribing the organisational and operating measures of the health system necessary to cope with the covid-19 epidemic in the context of the state of health emergency.

2. The consequences of the judgment of the CJEU of July 16, 2020 known as Schrems II (CJEU 16 July 2020, DPC v. Facebook Ireland Ltd and M. Schrems, aff. C-311/18)

The judgment of July 16, 2020 radically changed the situation regarding the use of solutions provided by American actors, in general and in particular for health data warehouses. The CJEU, in its judgment C-311/18 of July 16, 2020[3] known as Schrems II, considered:

  • On the one hand, that the requirements of section 702 of the Foreign Intelligence Surveillance Act (FISA) and the Executive Order 12333 of US law, which establish programs allowing access by US public authorities for the purposes of national security to personal data transferred from the EU to the US, in a particularly broad manner and without targeting, lead to limitations of the protection of personal data that are not circumscribed in such a way as to satisfy requirements essentially equivalent to those required by EU law;
  • On the other hand, that this legislation does not grant data subjects rights of recourse before the courts against the US authorities (the CJEU emphasises that these programs do not foresee any limitation of the power conferred on the US authorities, nor the existence of safeguards for potentially targeted non-American persons).

In this sense, the Court held that US law, by virtue of section 702 of FISA and the Executive Order 12333, does not provide a level of protection essentially equivalent to European law relating to the protection of personal data.

Thus, due to the extent of the violation of the fundamental rights of people whose data are transferred to this third country, the CJEU has, first of all, declared invalid the adequacy decision 2016/1250 of Privacy Shield. The Court also noted that the aforementioned legislation applies to any transfer to the United States by electronic means that falls within the scope of this legislation, regardless of the transfer tool used[4].

If the Court did not, in the second place, invalidate the standard contractual clauses drawn up by the European Commission, it nevertheless indicated that, in order to use them effectively, it is up to the controller to assess whether the third country to which the personal data will be transferred ensures a level of protection essentially equivalent to that of the European Union. If this is not the case, it will have to put in place measures to ensure the required level of data protection, or to notify the authority responsible for data protection of its intention to continue transferring data without these guarantees.

[3] CJEU, C-311/18, 16 July 2020.

[4] Article 702 of FISA applies to all “providers of electronic communication services” (see definition in Section 50 USC § 1881 (b) (4)), while Executive Order 12333 organises electronic surveillance, which is defined as “the acquisition of a non-public communication by electronic means without the consent of a person who is a party to an electronic communication or, in the case of a non-electronic communication, without the consent of a person who is visibly present at the place of communication, excluding the use of equipment only for determining the location of a transmitter” (3.4; b).

Under these conditions, if transfers are actually envisaged to the United States, in particular on the basis of standard contractual clauses, additional measures must be provided by the controller. These appear particularly difficult to provide. Two situations can be distinguished insofar as the monitoring programs governed by FISA and EO 12333 do not cover all US organizations but only some of them, especially electronic communication service providers.

  • When the recipient of the data (not encrypted or decryptable by him) is directly subject to surveillance and requests from intelligence authorities governed by FISA and EO 12333, additional guarantees protecting against this surveillance appear particularly difficult to implement. It is the situation in which Microsoft finds itself in the United States.
  • When the recipient is not directly within the scope of the surveillance instituted by the two standards deemed incompatible with the minimum standard of protection required by the GDPR and Article 8 of the Charter of Fundamental Rights of the European Union (for example an industrial company in the United States), the data is, despite this, usually subject to the relevant surveillance programs during transit to the recipient. Indeed, this transit uses communication channels which are subject to surveillance programs reviewed by the CJEU. Additional encryption measures are, on the other hand, probably likely to allow, under certain conditions, the maintenance of a sufficient level of data protection. The EDPB (European Data Protection Board) is working to clarify these conditions. In any event, the recipient must also provide sufficient guarantees on the processing which it will make of the data, in particular during their transfer between its various potential sites through channels subject to these laws, and take into account other provisions of American law.

Finally, in the third place, if the Court only considered the case where an operator on its own initiative transfers personal data to the United States, which was that of the present case, the reasons for its decision involve examining the legality of a situation where an operator processing data on European soil is exposed to having to transfer it on judicial or administrative injunction to the US intelligence services, as mentioned in the request (see below).

3. On the existence of data transfers from the PDS to the United States on the initiative of PDS, its users or Microsoft.

When examining the situation in April, the Commission concluded that there were residual health data transfers to the United States, which, in the case of a platform called upon to centralise a considerable amount of data, justified a call from the Commission for extreme vigilance and additional efforts to suppress these transfers. Indeed, if it was established that the data at rest were stored in Europe and if the use of data by researchers, for their calculation, must not, according to the indications available to the Commission, give rise to transfers, these were still possible within the framework of various information systems administration operations that Microsoft will have to achieve. It should be noted that the encryption keys are held by Microsoft.

The PDS has chosen to use a device set up by Microsoft which establishes a system of access control by Microsoft administrators to data, under the control of the PDS, referred to as “Customer Lockbox”. This system constitutes a guarantee of limitation of transfers, to the extent that PDS assures that it will refuse any transfer. However, this device, framed by certain elements of the contract, includes exceptions to the principle of a priori control of the PDS, “in the context of unexpected or unforeseeable scenarios corresponding to catastrophes or in the event of accidental access to the data by a Microsoft engineer”.

The pseudonymization of personal data is also often advanced as another guarantee to limit data misappropriation. If this measure effectively limits the risks, the CNIL considers that it does not eliminate all risk of identification of persons. Indeed, the data held by the PDS are very detailed health data and therefore very strongly identifying. They will become more and more so as this new infrastructure gains momentum. Even if the first and last names do not appear, it will be possible to re-identify a part, probably substantial, of the people by crossing health data with other data sources.

This analysis justified the position taken by the Commission in its opinion of 20 April last.

Following this notice, the PDS concluded a new amendment with Microsoft, communicated to the Commission, which further limits transfers. Indeed, the amendment provides that PDS data will be stored (at rest) in the geographic area determined by the PDS, and confirms the possibility for the PDS to also determine the zone in which the data will be processed, including for the resolution of incidents. This paragraph of the rider mentions a restrictive list of specific services. If this list were to cover all services used by the PDS for the establishment of the Health Data Hub, the signing of this amendment would lead to the conclusion that there is no longer any possibility of data transfers to the United States at Microsoft’s initiative, also subject to the PDS undertaking never to authorise them. However, the CNIL questioned the PDS on the fact that it is not ensured, from reading the documents, that the rider covers all Azure services subscribed by the main contract. CNIL also wishes to ensure that this rider prevails over the contractual documents relating to the “Customer Lockbox” which, for their part, provide exceptions, as noted. These points are under investigation. It is therefore not possible to conclude with certainty, at this stage of the investigation, that there was no transfer of personal data, in particular relating to health. It is referred on these points to the details that will be provided by the PDS.

If transfers were to continue, they would therefore be illegal following the Schrems II judgment.

4. Regardless of the existence of transfers initiated by the platform or Microsoft, on the possibility of transfers at the request of United States intelligence services.

Regardless of this issue of transfers made by Microsoft within the framework of the administration of the technological solution offered to the PDS, the question arises, raised by the request, of transfers made by Microsoft at the request of the intelligence services of the United States.

From this point of view, the CNIL has re-questioned itself since the intervention of the Schrems II judgment on whether US law legally obliges Microsoft to communicate to intelligence services data stored and processed only outside the territory of the United States, for which it holds the encryption keys. The CNIL reports from this point of view that the amendment signed recently by the PDS, which severely limits transfers at the initiative of Microsoft, also states that Microsoft “will not disclose or give access to any data processed to authorities, except if required by law” (emphasis added).

If we leave aside the Clarifying Lawful Overseas Use of Data Act or “CLOUD Act”, which is not examined in the Schrems II judgment (but the extraterritorial character of which is in no doubt), the CNIL considers, in the state of the information available to it, that the FISA legislation and EO 12333 apply to data stored outside the territory of the United States.

Regarding the FISA (“Foreign Intelligence Surveillance Act”):

Section 702 FISA concerns the “targeting of persons whom one can reasonably expect are located outside the United States to obtain investigative information on foreigners” and applies to “providers of electronic communication services”.[5]

FISA 702, paragraph (h), provides that U.S. authorities may order an electronic communications service provider to “immediately provide to the government any information, facilities or assistance necessary to carry out acquisition in a manner which will protect the secrecy of the acquisition and produce minimal interference with the services that this electronic communication service provider provides to the target of the acquisition”. This provision confirms the absence of notification to people or companies affected by any access requests.

In 2016, the G29 considered that section 702 FISA “targets providers of electronic communications established in the United States for the collection of foreign intelligence information on persons located outside of the United States. It includes in particular ‘information relating to a foreign power or to a foreign territory which relate to the conduct of foreign affairs of the United States’, which raises a certain uncertainty about what kind of information can be collected in practice”.

Unlike the Cloud Act, section 702 FISA does not provide explicit clarification on the extraterritorial scope of the orders to be produced but does not restrict these requests to only data stored on US territory. The material scope of this text, on information from foreign intelligence (“foreign intelligence information”) and concerning persons who can reasonably be thought to be outside of the United States, implies the possibility of access to this information outside the American territory. The US authorities themselves confirm the existence of requests concerning data stored in the territory of the Union, in particular in the recent White Paper on the follow-up to the Schrems II judgment published in September 2020 jointly by the Department of Commerce, Department of Justice, and Office of the Director of National Intelligence (ODNI), which refers to “companies that transfer data from the EU and who have received orders authorised by FISA 702 requiring disclosure of data to US intelligence agencies for foreign intelligence purposes” (emphasis added).

[5] including “(A) a telecommunications company, within the meaning of Section 3 of the Communications Act of 1934 (47 USC 153); (B) an electronic communications service provider, as that term is defined in Section 2520 of Title 18 of the US Code; (C) a remote computer service provider, as that term is defined in Section 2711 of Title 18 of the US Code; (D) any other communications service provider who has access to electronic or wired communications, either when these communications are transmitted, or when these communications are stored; or (E) an officer, an employee or agent of an entity described in sub-paragraphs (A), (B), (C) or (D)”.

Regarding Executive Order 12333:

This presidential decree mainly founded the techniques of interceptions for the purpose of information on signals (“signal intelligence”) and therefore in particular the techniques of collection and filtering of data in transit, to or outside the United States (submarine cables, satellite communications, etc.). In 2016, the G29 considered that “the field of application of EO12333 is broad; in principle, any collection of intelligence data on aliens may take place at the discretion of the President of the United States on the basis of the executive order, but it has been argued that since the introduction of FISA, EO12333 can only be used for data collection outside the United States.[6,7] The G29 notes that EO12333 does not provide much detail on its geographic scope and the extent to which data may be collected, stored or disseminated, nor on the nature of the offenses likely to give rise to surveillance or on the type of information that can be collected or used”.

Mainly, this decree does not therefore concern requests addressed directly to operators subject to American law, the intelligence services themselves carrying out interceptions. The decree could, however, establish other intelligence techniques and data interceptions, mainly outside the United States, without excluding the possibility of requests for assistance to entities subject to US law.

Part 2 of Executive Order 12333, relating to the conduct of intelligence activities, specifies that the decree aims to “improve human and technical collection techniques, in particular those undertaken abroad, and the acquisition of important foreign intelligence” (EO 12333, 2.2).[7] EO 12333 covers a very wide field of “information” obtainable by intelligence services, which includes “information constituting foreign intelligence or counterintelligence, including such information about companies or other business organizations” (EO 12333, 2.3).

[6] Emphasis added.

[7] The decree also provides: “2.2 Purpose. This Order is intended to enhance human and technical collection techniques, especially those undertaken abroad, and the acquisition of significant foreign intelligence, as well as the detection and countering of international terrorist activities and espionage conducted by foreign powers. Set forth below are certain general principles that, in addition to and consistent with applicable laws, are intended to achieve the proper balance between the acquisition of essential information and protection of individual interests. Nothing in this Order shall be construed to apply to or interfere with any authorized civil or criminal law enforcement responsibility of any department or agency”.

Unlike section 702 FISA, the decree certainly remains vague on the form that acquisitions and interceptions can take. In view of the information available to the CNIL, it is not excluded that this acquisition may also be made through requests for assistance or access addressed to service providers.

****

In conclusion on this point, in the state of its instructions, the CNIL therefore considers that, even in the event that the absence of transfers of personal data outside the EU for purposes of the provision of the service would be confirmed, Microsoft may be subject, on the basis of FISA, or perhaps even EO 12333, to injunctions from the intelligence services requiring it to transfer data stored and processed on the territory of the European Union.

5. On the resulting illegality for HDH and health data warehouses hosted by actors subject to US law.

The CNIL considers that the requests of the US authorities, issued under section 702 FISA or EO 12333, and sent to Microsoft for processing subject to the GDPR, should be regarded as disclosures not authorized by the law of the Union, in application of article 48 of the GDPR[8]. In fact, on the one hand, these requests intervene outside any international agreement or mutual legal assistance treaty.[9] On the other hand, these requests may not be based on any other case provided for by chapter V of the GDPR, subject to what will be said below on the derogations of article 49, insofar as the court ruled that the monitoring programs established by these standards, as well as the lack of judicial recourse, made these transfers structurally incompatible with the minimum protection.

The Commission is not unaware that this situation, induced by the Schrems II judgment, goes well beyond the scope of the HDH alone at issue in the application. It reserves its appreciation of consequences to be drawn from this in other sectors and for other data with less sensitivity. Regarding health data, it emphasizes, however, that there are, to its knowledge, many health data warehouses, depending on hospitals or other data controllers, which are hosted by American companies and which are therefore placed in the same situation as the HDH, or even more broadly authorize transfers to the United States by the subcontractor, in particular for administration operations. Consequently, the continuation of the authorizations of processing of this data, particularly in the context of scientific research, appears problematic due to the intervention of the Schrems II judgment.

[8] Article 48: Transfers or disclosures not authorized by Union law: “Any decision of a court or an administrative authority of a third country requiring a controller or a processor to transfer or disclose personal data can be recognized or made enforceable in any way only on condition that it is based on an international agreement, such as a treaty on mutual legal assistance, in force between the requesting third country and the Union or a Member State, without prejudice to other reasons for transfer under this chapter”.

[9] Such an agreement would also have to comply with Article 8 of the Charter of Rights of the European Union, which appears delicate when reading the reasons for the Schrems II judgment, in the absence of additional guarantees granted by the United States.

6. On the resulting obligation to modify the hosting conditions of health data, in particular within the PDS, and the possibility of a transition period.

The Commission therefore concludes that the wish it expressed in its opinion of 20 April 2020 is now based on a legal obligation, the Schrems II judgment having to lead according to it, in the case of health data and in particular with a view to their centralisation within the PDS, to exclude these data from the possibility of communication to the intelligence services on the basis of FISA, or even EO 12333.

In so far as this conclusion does not follow directly from the Schrems II judgment, which concerned transfers, but from the application of its reasons to access requests of data not yet transferred to the US intelligence services, the Commission stresses that it bases its position on the particularities of health data and does not issue its opinion only on this one case.

According to it, this situation should lead to a change in the hosting conditions of the PDS, as well as those of other health data warehouses that are hosted by companies subject to U.S. law. The most effective solution is to entrust the hosting of this data to companies not subject to U.S. law, without prejudice to compliance with legislation on contracts and public procurement. The CNIL stresses that it is not enough for the host to have its head office outside the United States so as not to be partially subject to US law, if it operates in that country. In this case, it is up to the host to show that appropriate organizational measures allow it to ensure the required level of protection. Placing the activities deployed in the United States in a subsidiary is one of the avenues put forward by the actors. The CNIL is studying this question in conjunction with its counterparts.

It may also be possible to set up a contractual mechanism whereby the American company sets up a license agreement with a European company which alone has the ability to act on the decrypted data, and which benefits from the services and expertise of the American company, without the latter ever having access to the data. Such an arrangement, which may also depend on the nature of the services required, should be accompanied by particularly strong guarantees. Its feasibility is currently being studied in conjunction with its counterparts by the CNIL, as part of the work on the “additional measures” envisaged by the Schrems II judgment for standard contractual clauses.

The CNIL considers that the change in the hosting solution for HDH and other health warehouses hosted by companies subject to US law should intervene in as short a time as possible. A transition period is necessary to ensure these changes without loss of data or technology and without compromising the uses that are now made of these data in the context, for example, of emergencies related to the management of the health crisis or medical research. The objective established by the legislator to allow in the long term the centralisation of health data in an infrastructure of an unprecedented size and facilitating new research uses may also justify that the first developments put in place benefit from the time necessary to migrate to other solutions. Finally, a large part of the processing of health data, in particular for warehouses and research, remains subject to a prior authorisation regime from the CNIL. While the current situation of health data hosts subject to American intelligence is illegal, it should result in the inability to authorise such treatments. It is therefore necessary, as long as the situation is not rectified, to have a legal basis allowing, if necessary, to issue such authorisations, under certain guarantees. However, this transitional period must remain limited to what is necessary and it must be used to ensure, through active approaches, the modification of data hosting conditions.

Legally, the Commission considers, at first analysis, that this transitional period could be based on d) of 1 of article 49, which allows exceptions to the minimum requirements of transfer protection for important reasons of public interest, provided that they are recognised by the law of the Member State. Usually, the CNIL takes a particularly restrictive approach to this provision, but it notes that the invalidation of the Privacy Shield and the reasons for the Schrems II judgment of the CJEU legally entail the obligation to stop a very large number of transfers, which can, in some cases, disproportionately affect the general interest. It also notes that the court, in point 202 of its judgment, refused to modulate in time the effects of its decision, on the grounds that the invalidation did not create a legal vacuum prohibiting any transfer to the United States when the derogations provided for in Article 49 allow, under certain conditions, to continue certain transfers in the absence of an adequacy decision or other appropriate guarantees. The conditions of Article 49 must be read in the light of the unprecedented situation opened by the Schrems II judgment, to resolve these transitional situations.

Article 49 authorises certain transfers by way of derogation; yet any request for disclosure of data present on European soil sent by the US intelligence services to an operator subject to US law will result in a transfer. These transfers are obviously not by themselves of public interest. However, there is a clear public interest in arranging this transition period, to guarantee the continuity of health data hosting and related uses. As a result, temporarily maintaining the risk of these transfers to US intelligence services, a risk that already existed and to which the CNIL drew the government’s attention in its opinion last April, turns out to be temporarily necessary to ensure a satisfactory transition to a sovereign hosting of health data, which the CNIL calls for.

Such a derogation should result from a specific and temporary normative provision.

Regarding the length of this period, it must be limited to what is strictly necessary. CNIL recommends that public authorities urgently assess the existence of alternative suppliers and their capacities, both in terms of storage volume and quality of service, in order to assess the time needed to ensure this transition, as short as possible. The Commission does not have sufficient information to decide for itself at this stage on the eligible duration of this transition period.

These are the observations that the CNIL, informed by a debate within the college of the Commission during its plenary session on October 8, 2020, intends to bring to the attention of your high jurisdiction.

In Paris,

The President,

Marie-Laure DENIS

8 OCT. 2020