The Health Data Hub, known as “Health Data Hub”, is an information system that has been projected in order to bring together all the health data of the whole French population. This centralization, asked by the legislator, must promote, in particular, the medical research. In order to manage the health crisis, the Health Data Hub has been put into service in April 2020 in advance and on a limited scope. 

The hosting of the platform has been given to Microsoft, it has been presented by many association and experts in front of the State Council in order to ask the suspension of the Health Data Hub, for the intervention of the recent judgement of the European Court of Justice (CJEU) of the 16 July 2020, known as “Schrems II”. With this judgement the Court of Justice has established that the surveillance exerted by american secret service on personal data of european citizens was excessive, not sufficiently controlled and without any real possibility of appeal. It has inferred that transfers of personal data from the UE to the USA are in contrast with the General Data Protection Regulation (GDPR) and the European Charter of Fundamental Right, except for any specific guarantees or in other exceptional cases. 

The State Council has invited the CNIL to comment on this appeal. In its brief, the CNIL has considered that the election of a guest subjected to the american legislation seems to be incompatible with the CGUE requirement about privacy protection. From one hand, it has invited the judge to verify that the guest commitments of suppressing the personal data transfer out of the UE would cover the whole center of health data. But on the other hand, it has considered that the hosting of the platform by a company under US law, which could be obliged to reply to data communication requests, even if pseudonymized, was in itself problematic and should have led to a change of operator or provide specific guarantees. He recommended the creation of a transition period to achieve this goal.

In his order, the summary judge of the Council of State held that:

• The Schrems II judgment of the CJEU implies that Microsoft must refrain from transferring health data to the United States. On this point, the judge noted the important safeguards already provided by the Health Data Hub and requested contractual clarifications.
• The judge confirmed that a risk of transmission of health data at the request of the US intelligence services cannot be excluded. 
• Given the importance of the Health Data Hub, in particular for the management of the health crisis, this risk does not justify the immediate interruption of the platform. On the other hand, the judge calls for guarantees to be provided to minimise this risk.
• As such, it notes the willingness expressed by the Government to transfer the Health Data Hub to French or European platforms following the Schrems II judgment. In the meantime, the judge asks the Health Data Hub to work to minimise this risk, in particular by concluding a new amendment with Microsoft.
• The judge asks the CNIL to investigate applications for authorization for research projects using the Health Data Hub, verifying that the interest of the project, given the current health emergency, is sufficient to justify the risk incurred and that the use of the platform is necessary.

The CNIL will carefully analyse the position of the summary judge when examining applications for authorisation of research projects using the Health Data Hub and advising public authorities on the implementation of adequate long-term guarantees. 

In this regard, the CNIL welcomes the statements made by the Secretary of State for Digital Affairs on 8 October before the Senate, who indicated the Government’s intention to transfer the Health Data Hub to French or European platforms. SOURCE:AUTORITA’ PER LA PROTEZIONE DEI DATI DELLA FRANCIA – CNIL