CE - N° 444937: Difference between revisions
From GDPRhub
No edit summary |
No edit summary |
||
| Line 88: | Line 88: | ||
}} | }} | ||
The French Supreme Administrative Court (Conseil d’Etat) ruled on the legality of | The French Supreme Administrative Court (Conseil d’Etat) ruled on the legality of the french Health Data Hub, in contract with Microsoft as a data processor, in light of the recent ''Schrems II'' CJEU decision. The risk of a potential violation of the GDPR through transfers of data to the US was not sufficient to suspend the Health Data Hub. | ||
==English Summary== | ==English Summary== | ||
Revision as of 09:08, 16 October 2020
The French Supreme Administrative Court (Conseil d’Etat) ruled on the legality of the french Health Data Hub, in contract with Microsoft as a data processor, in light of the recent Schrems II CJEU decision. The risk of a potential violation of the GDPR through transfers of data to the US was not sufficient to suspend the Health Data Hub.
English Summary
Facts
The parties asked the French Supreme Administrative Court (Conseil d’Etat) to suspend the centralisation and data processing of personal data relating to Covid-19 on the health data platform ‘Health Data Hub’ (data controller). The EU subsidiary of the American corporation Microsoft, established in Ireland, has access to personal data on the Hub as it licenses the software necessary to operate it (data processor). The data centre is located in the Netherlands.
The parties also asked the Court to request the French DPA (CNIL) to rule on the implication of the invalidation of the Privacy Shield agreement in relation to personal data processed in the Health Data Hub.
The parties highlighted that the condition of urgency was met. This is due to the urgent nature of the Covid-19 pandemic, the sensitive nature of the data centralised and processed in the Health Data Hub and the recent CJEU decision (“Schrems II” of the 16th July 2020).
Finally, they deemed that there was a serious violation of the right to privacy and to protection of personal data. This is due to the fact that the company in charge of the Health Data Hub’s technical aspects, Microsoft, is subject to US law. The risk that this posed to the above-mentioned rights were outlined in the Schrems II decision.
Dispute
Is the contract between the French Health Data Hub and Microsoft, as a company subject to US surveillance law, in violation of Article 44 to 49 GDPR following the Schrems II decision?
Holding
With regard to the Schrems II decision:
The French Court outlined relevant segments in the the Schrems II CJEU decision. In this case, the CJEU held that Articles 46(1) and 46(2)(c) GDPR must be interpreted as meaning that a data subject, whose personal data is transferred to a third country, benefits from a level of protection essentially equivalent to that guaranteed by the GDPR and the EU Charter of Fundamental Rights.
The French Court also highlighted that the CJEU held that the Privacy Shield adequacy decision (adopted as per Article 45(3) GDPR) was invalid. It was deemed invalid as it did not provide an adequate level of protection to personal data transfers from the EU to companies in the US. This is notably because public authorities in the US are able to request access to such personal data as a result of surveillance laws: Article 702 Foreign Intelligence Surveillance Act (FISA) or the Executive Order (EO) 12333. These law allow for bulk collection of personal data. They do not allow a data subject to enforce any rights before a tribunal.
With regard to national law relating to collection and processing of data:
The French Court outlined that Article L. 1462-1 of the public health code provides for the Health Data Hub and the collection of health data from the existing national health data system (as per Article L. 1461-1).
Article L. 3131-1 of the public health code stipulates that the Health Minister can prescribe an Order in the public interest in case of a public health emergency, such as a pandemic. This order must be proportionate and necessary. As such, a Ministerial Order of the 10 July 2020 prescribed measures necessary to combat covid-19, including the processing of personal data concerning health (see Article L. 3131-16 public health code)
With regard to the risk of transfer of data due to the contractual arrangement with Microsoft:
The French Court stipulated the FISA and EO allows US public authorities to have access to transfers of data to the US from the EU without such appropriate safeguards for data subject. Therefore, any transfer of data to the US would be deemed to infringe Article 44 and subsequent of the GDPR, following the recent Schrems II decision by the CJEU. This is the case unless justified within derogation pursuant to Article 49.
The Court highlighted that the contract with Microsoft stipulates that data must not be processed outside of the stipulated geographical zone (Netherlands). This is true unless resolution of issues must be achieved outside of this zone subject to authorisation by the Health Data Hub. However, the Minister for Solidarity and Health introduced a Order of the 9th October 2020, which stipulated that no data transfer outside of the EU would be performed. The French Court therefore outlined that this imposed on a barrier on the contractual arrangement with Microsoft which allowed for such a possibility. Therefore, the Court deemed that there was no possibility of transfer of personal data outside of the EU as a result of the contract. The claimant’s claim that there was an interference with fundamental rights, including to data protection, is not well founded.
With regard to the risk of other transfers of personal data:
The Court addressed the claimant’s concern that Microsoft, as an American company, is subject to FISA and EO. This means that it can be under the obligation to transfer data to American public authorities even if the data is stored in the EU and the contract between the Health Data Hub and Microsoft preclude such transfers. The Court held that it was necessary to consider the level of protection afforded during the transfers of data in light of the contractual stipulation, the law in the third country and the judicial system there.
The Court highlighted that the French DPA (CNIL) stipulated in its defense that the risk of a transfer to the US by virtue of US surveillance law could not be excluded. This would subsequently infringe Article 28 and 48 GDPR which prohibit transfers to third countries unless agreed upon by the data controller or as a result of a legal obligation provided for in EU law or a Member State’s law.
However, the French Court outlined that the CJEU in Schrems II only discussed circumstances where data is transfers to the US and did not discuss circumstances where such data is processed in the EU by American corporations subject to US law. The French Court also noted that the CJEU held that derogations found under Article 49 may allow for such transfers where necessary for a public interest recognised by EU law or the law of a Member State. It also deemed that there was public interest in allowing the use of health data in the context of the Covid-19 crisis and therefore, public interest in contracting with Microsoft on the technical aspects. The Court noted that such measures must be proportionate to the risk posed by the public health emergency and necessary considering the urgency and the absence of technical alternatives. The Court highlighted that it is the French DPA which must assess any potential public interest in link with the Covid-19 pandemic.
The French Court also outlined that the claimants only claimed that there was a risk of a violation of the GDPR should Microsoft have to grant access to personal data to US public authorities rather than claiming a direct violation of the Regulation.
The Court stipulated that the Health Data Hub must ensure that the data processor, Microsoft, adopts appropriate technical and organisational measures to ensure the protection of the rights of data subjects (pursuant to Article 28 GDPR). In light of this Article, Microsoft must also provide all information required and allow audits to be conducted.
The Court therefore did not order the suspension of the Health Data Hub.
Comment
It is interesting that the French Supreme Administrative Court seems to go further than the wording of the Schrems II decision. The French Court outlined that the CJEU had not pronounced itself on cases where US companies, processing data in the EU, were subject to a request by US authorities (under US surveillance law) to grant access to the data.
The Supreme Administrative Court also goes further than the French DPA (CNIL), which suggested that such service providers, subject to US law, should not be relied upon as US authorities may request access.
It is also interesting that the Court highlighted the distinction between a direct violation of EU law, and the risk of a violation, should Microsoft be requested by US authorities to grant access to the data.
Further Resources
Share blogs or news articles here!
English Machine Translation of the Decision
The decision below is a machine translation of the French original. Please refer to the French original for more details.
No. 444937 FRENCH REPUBLIC IN THE NAME OF THE FRENCH PEOPLE THE REFEREES JUDGE __________ ASSOCIATION THE COUNCIL NATIONAL FREE SOFTWARE and other __________ Ordinance of 13 October 2020 Considering the following procedure: By a request, registered on September 28, 2020 at the litigation secretariat of the Council of State, the association the National Council of Free Software (CNLL), the Ploss association Rhones-Alpes, the SoLibre association, the Nexedi company, the Interhop association, hospitals French for the interoperability and free sharing of algorithms, Ms. B ... I ..., MC .. A ..., the national union of journalists (SNJ), the general medicine union (SMG), the union French for a free medicine (UFML), MH .. J ..., MD .. G ..., the general union of engineers, executives and technicians CGT (UGICT-CGT), the federal union of doctors, engineers, managers, CGT health and social action technicians (UFIMCT - CGT health and social action), Ms. L ... K ..., ME .. F ..., the association Constances, the association the Actupiennes and the association French hemophiliacs (AFH) ask the judge of the Conseil d'Etat, on the basis of article L. 521-2 of the code of administrative justice: 1 °) primarily, to order the suspension of centralization and processing of data related to the covid-19 epidemic on the health, as well as all measures necessary to ensure the absence of serious harm and manifestly illegal to the right to privacy and the protection of personal data in connection with the processing and centralization of health data on the Health Data Hub; 2 °) in the alternative, to request the National Commission for Informatics and freedoms, in particular for the purposes of ruling on the implications of the invalidation of the "Privacy Shield" on the processing and collection of data within the Platform of health data; Page 2 No. 444937 2 3 °) to charge the State for the sum of 5,000 euros under article L. 761-1 of the code of administrative justice. They argue that: - they can prove an interest giving them standing to act; - the condition of urgency is fulfilled having regard, first of all, to the situation health emergency declared since 23 March 2020, the effects of which were renewed by the decree of 10 July 2020 prescribing the general measures necessary to deal with the epidemic of covid-19 in territories that have emerged from the state of health emergency and in those where it has been extended, then, within the scope of the contested measure allowing very wide collection and centralization particularly sensitive data, as well as reservations made by the National Commission data processing and freedoms, and, finally, the risks highlighted by the judgment of the Court of Justice of the European Union of July 16, 2020; - there is a serious and manifestly illegal interference with the right to respect for privacy and the right to protection of personal data, with regard to the submission to American law of the company chosen to provide the technical solution of the Platform health data, without sufficient guarantees with regard to the risks involved, on the one hand, data transfer to the United States, highlighted by the judgment of the Court of Justice of the European Union of July 16, 2020, and, on the other hand, the extraterritorial application of American. By a defense, registered on October 7, 2020, the Minister of Solidarités et de la santé concludes that the request should be rejected. He maintains that the condition of urgency is not fulfilled and that no serious and manifestly illegal interference with a freedom fundamental. The National Commission for Informatics and Freedoms produced observations, recorded on October 8, 2020. The request was communicated to the Prime Minister, to the Platform of health data and the company Microsoft France, which did not produce a memory. After having summoned to a public hearing, on the one hand, the National Council software and the other applicants and, on the other hand, the Prime Minister, the Minister of solidarity and health, the Health Data Platform and Microsoft France, as well as that the National Commission for Informatics and Liberties; Were heard during the public hearing on October 8, 2020, at 2 p.m. 30 : - representatives of the CNLL and the other applicants; - representatives of the Minister of Solidarity and Health; - representatives of the Health Data Platform; Page 3 No. 444937 3 - representatives of Microsoft France; at the end of this hearing, the summary judge postponed the closing of instruction on October 13 at 12 noon; Having regard to the observations, recorded on October 9, 2020, presented by the company Microsoft France; Having regard to the new briefs, recorded on October 12 and 13, 2020, presented by the CNLL and the other applicants, who have the same ends as their application; Having regard to the new pieces and the new brief, recorded on October 10 and 13 2020, produced by the Minister of Solidarity and Health, tending to the same end as his previous thesis; Considering the note under advisement, recorded on October 13, 2020, presented by the CNLL and the other applicants; Having regard to the other documents in the file; Seen: - the Charter of Fundamental Rights of the European Union; - Regulation (EU) 2016/679 of the European Parliament and of the Council of April 27, 2016; - the public health code; - Law n ° 78-17 of January 6, 1978; - Law n ° 2019-774 of July 24, 2019; - Law n ° 2020-856 of July 9, 2020; - the decree of the Minister of Solidarity and Health of July 10, 2020 prescribing the general measures needed to deal with the covid-19 epidemic in the territories out of the state of health emergency and in those where it has been extended; - the code of administrative justice; Considering the following: 1. Under the terms of article L. 511-1 of the administrative justice code: “ The judge summary proceedings rule by measures which are of a provisional nature. It is not seized of principal and take a decision as soon as possible ”. Under the terms of article L. 521-2 of the same code: "When seized of a request to this effect justified by urgency, the summary judge may order all measures necessary to safeguard a fundamental freedom to which a person public law legal entity or a private law body responsible for the management of a public service would have caused serious and manifestly unlawful interference in the exercise of one of his powers. The summary judge decides within forty-eight hours ”. On the office of the summary judge: Page 4 No. 444937 4 2. It results from the combination of the provisions of Articles L. 511-1 and L. 521-2 of the administrative justice code that belongs to the summary judge, when seized on the basis of Article L. 521-2 and that it notes a serious and clearly illegal brought by a legal person of public law to a fundamental freedom, resulting from the action or the failure of this public person, to prescribe the measures which are likely to disappear the effects of this attack, as soon as there is a marked emergency justifying the pronouncement of safeguard measures at very short notice and which can be taken usefully such measures. These must, in principle, be of a provisional nature, except when no measure of this nature is likely to safeguard the effective exercise of the fundamental freedom which is infringed. 3. The right to respect for private life, which includes the right to the protection of personal data, constitutes a fundamental freedom within the meaning of the provisions of article L. 521-2 of the code of administrative justice. On the legal framework: With regard to European Union protection law Datas : 4. On the one hand, under Article 44 of Regulation (EU) 2016/679 of European Parliament and of the Council of April 27, 2016 on the protection of individuals physical with regard to the processing of personal data and the free movement of these data, and repealing Directive 95/46 / EC, or general regulation on the protection of data: " A transfer, to a third country (...), of personal data which makes or are intended to be processed after this transfer can only take place if, under subject to the other provisions of these regulations, the conditions defined in this chapter are complied with by the controller and the processor (…). All the provisions of this chapter are applied so that the level of protection of natural persons guaranteed by this Regulation is not compromised ”. Section 45 of this regulation provides that: " 1. A transfer of personal data to a third country (...) can take place when the Commission has found by decision that the third country, a territory or one or more specific sectors in this third country (...) ensures a level of adequate protection. Such a transfer does not require specific authorization. / 2. When she assesses the adequacy of the level of protection, the Commission takes into account, in particular, the following elements: / a) rule of law, respect for human rights and freedoms fundamental, (…) access by public authorities to personal data, as well as that the implementation of said legislation, the rules on data protection, (…) as well as the effective and enforceable rights enjoyed by the data subjects and administrative and judicial remedies that people can actually bring data subjects whose personal data are transferred; (…) / 3. The Commission, after having assessed the adequacy of the level of protection, may decide, by means of acts execution, that a third country, a territory or one or more specific sectors in a country third party (…), ensures an adequate level of protection (…) ”. According to article 46 of this regulation: " 1. In the absence of a decision under Article 45, paragraph 3, the person responsible processing or the processor cannot transfer personal data to a third country or to an international organization only if it has provided for appropriate guarantees and provided that the data subjects have opposable rights and remedies effective. / 2. The appropriate guarantees referred to in paragraph 1 may be provided without Page 5 No. 444937 5 this does not require a specific authorization from a supervisory authority, by: / (…) / c) of Standard data protection clauses adopted by the Commission in accordance with the examination procedure referred to in Article 93 (2) (…) ”. 5. On the other hand, under the terms of Article 48 of the same regulation: “ Any decision of a court or administrative authority of a third country requiring a controller or a processor that transfers or discloses data to personal character cannot be recognized or made enforceable in any way provided that it is based on an international agreement, such as a mutual assistance treaty judicial process, in force between the requesting third country and the Union or a Member State, without prejudice to other grounds for transfer under this chapter ”. Article 28 of this regulation provides that: " 1. When processing must be carried out on behalf of a controller, it only uses subcontractors who present sufficient guarantees regarding the implementation of technical and organizational measures appropriate so that the processing meets the requirements of this Regulation and guarantees the protection of the rights of the data subject. / (…) / 3. Processing by a subcontractor is governed by a contract or other legal act under Union or EU law law of a Member State, which (...) provides, in particular, that the subcontractor: / a) does not process personal data only on the documented instruction of the controller, including including with regard to transfers of personal data to a third country or to an international organization, unless it is required to do so under the law of the Union or the law of the Member State to which the subcontractor is subject; in this case, the sub- processing informs the controller of this legal obligation before processing, unless the law concerned prohibits such information for important reasons of public interest (…) ”. 6. By a grand chamber judgment of July 16, 2020, Data Protection Commissioner v Facebook Ireland Ltd and Maximillian Schrems, C-311/18, the Court of Justice of the European Union has ruled that Article 46, paragraph 1, and Article 46, paragraph 2 (c) of Regulation 2016/679 must be interpreted as meaning that the appropriate guarantees, enforceable rights and effective legal remedies required by these provisions must ensure that the rights of the persons whose personal data are transferred to a third country on the basis of standard data protection clauses benefit from a level of protection substantially equivalent to that guaranteed within the European Union through this regulation, read in the light of the Charter of Fundamental Rights of the European Union. To this end, the assessment of the level of protection provided must, in particular, take into consideration both the contractual stipulations agreed between the person responsible for treatment or its subcontractor established in the European Union and the recipient of the transfer established in the third country concerned that, with regard to possible access by the authorities of that third country to the personal data thus transferred, the elements relevant to its legal system, in particular those set out in Article 45 (2), of the regulations. 7. By this judgment, the Court of Justice also held that the implementing decision (EU) 2016/1250 of the Commission of 12 July 2016 on the adequacy of protection provided by the European Union - United States Privacy Shield, taken from the basis of Directive 95/46 and equivalent to an adequacy decision within the meaning of Article 45, paragraph 3 of the General Data Protection Regulation was invalid on the grounds that, even within this framework, the United States did not ensure an adequate level of protection of personal data transferred from the Union to organizations established in this Page 6 No. 444937 6 country. It has, in fact, noted interference with the fundamental rights of people whose personal data are thus transferred, because of the possibilities of access to these data and use thereof by the American public authorities, within the framework of surveillance programs based on section 702 of the Foreign Intelligence Surveillance Act (FISA) or law on oversight in matters of foreign intelligence and, on the other hand, of the " Executive Order (EO) 12333 ”or Presidential Decree No. 12333, which are not limited to the strict necessary. Article 702 of the FISA does not limit the authorization it contains and the court of US foreign intelligence surveillance only checks whether these programs correspond to the objective of obtaining information on foreign intelligence, but not if people are properly targeted for this purpose. As for OE 12333, it must be implemented in compliance with Presidential Policy Directive 28 (PPD-28), which however to carry out a "bulk" collection of a relatively large volume information or data when intelligence services cannot use identifier associated with a specific target to guide the collection, making it possible to access data in transit to the United States without judicial oversight or sufficient supervision. Finally, for these different monitoring programs, there is no text conferring on data subjects rights that can be enforced against the American authorities in court, their allowing to benefit from a right of effective remedy. Under these conditions, the limitations of protection of personal data resulting from the internal regulations of United States are not framed so as to substantially meet the requirements equivalent to those required by the Charter of Fundamental Rights of the European Union, including Article 52 only allows limitations on the exercise of the rights and freedoms that it recognizes if they are necessary and effectively meet objectives of general interest recognized by Union or the need to protect the rights and freedoms of others. With regard to the national provisions governing the collection and processing of data related to the covid-19 epidemic on the health: 8. On the one hand, Article L. 1462-1 of the Public Health Code, in its wording resulting from the law of July 24, 2019 relating to the organization and transformation of health system, provides that a public interest group, called the "Data Platform of health ”and formed between the State, bodies ensuring representation of patients and users of the health system, producers of health data and public users and private health data, including health research organizations, is particularly responsible for collecting, organizing and making available data from the national data system of health mentioned in article L. 1461-1 of the same code and to promote innovation in the use of health data. The amendment to the agreement constituting the interest group public "National Institute for Health Data" establishing the public interest group "Health Data Hub" or "Health Data Hub" was approved on November 29 2019 by an order of the Minister for the Armed Forces, the Minister for Solidarity and Health, Minister of Economy and Finance, Minister of Labor, Minister of Education national and youth, the Minister of Action and Public Accounts, the Minister of higher education, research and innovation and the Minister of Agriculture and food. 9. On the other hand, under the terms of the first paragraph of Article L. 3131-1 of the Code of public health: " In the event of a serious health threat requiring emergency measures, especially in the event of an epidemic threat, the Minister of Health may, by reasoned decree, prescribe in the interest of public health any measure proportionate to the risks incurred and Page 7 No. 444937 7 appropriate to the circumstances of time and place in order to prevent and limit the consequences possible threats to the health of the population. The Minister may also take Such measures after the end of the state of health emergency expected in Chapter I er bis of this title, in order to ensure the lasting disappearance of the health crisis ”. Article 30 of the decree of 10 July 2020 prescribing the general measures necessary to deal with the epidemic of covid-19 in territories that have emerged from the state of health emergency and in those where it has been extended, taken on the basis of these provisions and those of Article L. 3131-16 of the Health Code public, provides, in a chapter dedicated to the processing of personal data of the health system, that: " I.- For the sole purpose of facilitating the use of health data for the needs for managing the health emergency and improving knowledge on the covid-19 virus, the public interest group mentioned in Article L. 1462-1 of the Code of public health and the National Health Insurance Fund are authorized to receive following categories of personal data: / - data from the system national health data mentioned in article L. 1461-1 of the same code as well as, in the compliance with its security reference system: / - pharmacy data; / - take data load in the city such as diagnoses or declarative symptom data from mobile health applications and remote monitoring, remote monitoring or telemedicine tools; / - of results of biological examinations carried out by hospital laboratories and laboratories city medical biology; / - data relating to emergencies collected by the Agency national public health in the framework of the coordinated emergency surveillance network; / - data relating to calls collected from emergency medical aid services and services contributing to urgent medical aid; / - data relating to the activity and consumption of care in medico-social establishments or services, in particular in accommodation establishments for dependent elderly people; / - surveys carried out with people to assess their experiences; / - data not directly identifying from the unique victim identification system mentioned in Article L. 3131-9-1 of the Code public health; / - clinical data such as imaging, pharmacy, biology, of virology, medical reports from cohorts of patients treated in health centers with a view to their aggregation. / II.- The public interest group and the Fund national health insurance can only collect the data necessary for the public interest in connection with the current epidemic of covid-19. They are responsible storage and provision of data. They are allowed to cross data mentioned in I. / The National Health Insurance Fund is responsible for the operations pseudonymization in the context of data matching and can process the number registration in the national register of identification of natural persons for this purpose. / Alone data controllers authorized under the conditions provided for in Articles 66 and 76 of the law n ° 78-17 of January 6, 1978 relating to data processing, files and freedoms, the State implementing the processing mentioned in 6 ° of article 65 of the same law, the Fund national health insurance implementing the treatments mentioned in 3 ° of article 65 of the same law, or the bodies and services entrusted with a public service mission mentioned in article 67 of the same law, may process the data thus collected by the public interest group. / III.- The data can only be processed for projects pursuing a purpose of public interest in connection with the current epidemic of covid-19 and up to the entry into force of the measures taken in application of article 41 of the law of July 24 2019 above and no later than October 30, 2020. / Data can only be processed on the technological platform of the public interest group and on the Caisse platform national health insurance, and cannot be extracted from it. Within these platforms, the above-mentioned data may not contain the names and surnames of persons, nor their registration number in the National Directory for the Identification of Natural Persons, nor their address. / The public interest group establishes and makes available on its website a public directory which lists the list and characteristics of all projects relating to these Page 8 No. 444937 8 data ”. These provisions extend until October 30, 2020 the effects of those of the decree of April 21, 2020 supplementing the decree of March 23, 2020 prescribing the organizational and functioning of the health care system necessary to deal with the epidemic of covid-19 in the state of health emergency. On the main conclusions of the request: 10. For the purposes of storing and making available data from health for which it is responsible, the Health Data Platform signed on April 15, 2020 with the company incorporated under Irish law Microsoft Ireland Operations Limited, a subsidiary of the American company Microsoft Corporation, a contract giving it access to a set of "Microsoft Azure ', including in particular the hosting of the health data mentioned in point 9 and the licensing of the software necessary to process this data for legally authorized purposes. The association the National Free Software Council and others applicants argue the risks that this situation entails with regard to the right to respect for privacy, taking into account possible data transfers to the United States, either in application of the contract concluded with Microsoft Ireland Operations Limited, either because of requests that would be addressed to this company even outside the contractual transfers consented by the Health Data Platform. With regard to the risk of transfers of personal data in application of the contract concluded with Microsoft: 11. It follows from the judgment of the Court of Justice of the European Union of 16 July 2020 that no transfer of personal data to the United States can no longer take place on the basis of Article 45 of the General Data Protection Regulation. Yes a transfer remains possible on the basis of article 46, it is on the condition that appropriate guarantees and that the data subjects have enforceable rights and effective legal remedies. However, it follows from the same judgment that, in the case where the public authorities United States would have access, on the basis of Article 702 of FISA or EO 12333, to personal data transferred from the European Union, the data subjects would not have rights enforceable against the American authorities in court, without that it appears, in the state of the investigation, that appropriate guarantees can be provided to remedy. Under these conditions, any transfer of personal data to the United States, by a company that may be the subject of requests by the American authorities on foundations mentioned above, is likely to contravene by itself Articles 44 and of the General Data Protection Regulation, unless it can be justified of its article 49, which includes exemptions for a certain number of situations particular. 12. It follows from the instruction, on the one hand, that the data processed by the Health data platform is hosted in data centers located in the Netherlands Low, before being soon in data centers located in France. On the other hand, the Health Data Platform and the company Microsoft Ireland Operations Limited have concluded, on September 3, 2020, an amendment providing for the “Azure” online services that it lists, that Microsoft will not process Platform data outside the geographic area specified by the latter without its approval and that in the event that access to the data would be necessary for the operational needs of online services and incident resolution carried out by Microsoft from a location outside this zone, it would be subject to Page 9 No. 444937 9 prior authorization from the Platform. The Health Data Platform is committed to with regard to the National Commission for Informatics and Freedoms to refuse any transfer. Finally, it also results from the instruction that the only data whose transfer outside of the European Union presents a utility are telemetry data, to control the correct operation of services offered by Microsoft, as well as billing data. So, he does not appear, in the state of the investigation, that the Platform of health data can be forced, for technical reasons, to give consent to a transfer of health data. 13. In addition, by an order of 9 October 2020 subsequent to the introduction of the request, the Minister of Solidarity and Health completed article 30 of the decree of July 10 2020, relating to measures concerning the processing of personal data in the system health, to provide that: " No transfer of personal data may be produced outside the European Union ”. These provisions are therefore now an obstacle to this that the Health Data Platform can make use of the faculty which remains open to it in the contract with Microsoft to authorize a transfer of personal data from health system. It will belong to the Platform, which told the audience, in accordance with its co-contracting party, that the services listed in the amendment of September 3, 2020 corresponded to all the services covered by the contract concluded with Microsoft which may include the processing of health data, without this point being able to be verified against the documents constituting the contract otherwise paid to the contradictory, to justify, within fifteen days from the notification of this order, from the conclusion of a new amendment intended to provide this clarification. 14. Under these conditions, in the state of the investigation, it does not appear that personal data from the health system can currently be transferred outside the European Union in application of the contract concluded between the Data Platform health and Microsoft. Consequently, the applicants are not justified in maintaining that, because of such transfers, a serious and manifestly illegal interference with the right to respect for life private, including the right to the protection of personal data. With regard to the risk of other transfers of personal data: 15. The applicants argue that, by virtue of its submission to American law, Microsoft Corporation and, by virtue of its status as a subsidiary of a company under US, Microsoft Ireland Operations Limited may be the subject of claims access to certain health data by the American authorities, within the framework of surveillance based on Article 702 of FISA or EO 12333, even though these data are hosted on the territory of the European Union and that the terms of the contract concluded between the Health Data Platform and Microsoft would oppose it. By applying to relations between controller and processor of the criteria applied by the Court of justice in its judgment of July 16, 2020, the level of protection provided during of data processing taking into consideration not only the stipulations contractual agreements agreed between the controller and his subcontractor, but also, by if this subcontractor is subject to the law of a third State, the relevant elements of the system legal of it. 16. With regard to the contractual stipulations agreed between the Platform health data and Microsoft, they include an annex 3 to the addendum on the protection of data for Microsoft online services, whereby the company agrees to comply with the Page 10 No. 444937 10 conditions of the general data protection regulation, in particular its article 28, in processing personal data "in accordance with the documented instructions of the client, including with regard to the transfer of personal data to a country third party or an international organization, unless Microsoft is required to do so by under Union law or the law of the member state to which Microsoft is subject ”. Yes the addendum on data protection, to which the addendum concluded on September 3, 2020 refers, also provides that "Microsoft will not disclose the processed data to public authorities, unless it is required to do so by law ”, it can therefore only refer to Union law European Union or one of its member states, as should be specified on the occasion of the conclusion of the rider mentioned in point 13. In addition, the same annex provides that Microsoft must immediately notify the Platform if the company believes that an instruction constitutes a violation of the General Regulation or other provisions of Union law European Union or a Member State relating to data protection. 17. However, the National Commission for Informatics and Liberties, in the observations that it produced following the communication of the request, considers, as it stands information available to it, that the risk of a request such as those mentioned in point 15 cannot be completely ruled out. In addition, it follows from the instruction that the measures techniques implemented by Microsoft or likely to be implemented in the short term do not rule out no possibility for this company to access the data processed under the responsibility of the Health Data Platform, despite the precautions, limiting this risk, which surround the encryption to which they are subject and the storage of the encryption keys used. He cannot thus be totally excluded, from a technical standpoint, that Microsoft is required to grant a request of the American authorities based on article 702 of FISA, which would then ignore Articles 28 and 48 of the General Data Protection Regulation, cited in point 5, which prohibit a processor from transferring personal data to a third country if this is not on the instructions of the controller or by virtue of an obligation provided for by law of the European Union or of a Member State, and that may be recognized or made enforceable a decision of an administrative authority of a third country requiring a controller or a subcontractor that he transfers or discloses personal data, except under certain conditions which are not in this case not fulfilled. 18. It should be noted, however, first of all that the Court of Justice only ruled, in its judgment of July 16, 2020, on the conditions under which transfers of personal data to the United States may take place and not over those in which such data may be processed, within the territory of the Union European, by companies incorporated under American law or their subsidiaries as subcontractors, or even of data controllers. A fortiori, it did not comment on the consequences that could have the findings made by his judgment on such treatments, even though, with regard to transfers of personal data to third countries, its judgment in mentions the possibility on the basis of Article 49 of the General Protection Regulation data, which allows in particular the transfers necessary for important reasons of public interest recognized by Union law or the law of the Member State to which the controller is submitted. 19. Second, the applicants do not allege a direct violation of general data protection regulation but only the risk of such a breach, in the event that Microsoft would not be able to oppose a request to access certain data formulated by the American authorities, if they saw an interest in with regard to the objective of obtaining information in matters of foreign intelligence pursued Page 11 No. 444937 11 by the monitoring programs already mentioned, then in addition that these data are pseudonymized by the National Health Insurance Fund, in accordance with the decree of March 22, 2017 relating to the security reference system applicable to the National System of health and the agreement concluded on June 14 and 15, 2020 between the Health Data Platform and the National Fund, before being transmitted to the Platform and quantified using the tools made available to it by Microsoft. 20. Third, there is an important public interest in allowing the continued use of health data for the needs of health emergency management and the improvement of knowledge about SARS-CoV-2 and, to this end, to allow the use of the technical means, unmatched to date, available to the Data Platform health through the contract with Microsoft, subject to each project, as well as follows from the decree of July 10, 2020, that this recourse, and the storage of data that it implies, either a measure proportionate to the health risks incurred and appropriate to the circumstances of time and place, taking into account both the urgency attached to his conduct and the absence of a satisfactory alternative technical solution allowing it to be carried out within the necessary deadlines. 21. In view of the particular sensitivity of health data, the authorities public authorities have expressed their willingness to adopt, as soon as possible, measures to eliminate any risk, such as the choice of a new subcontractor, mentioned publicly by the Secretary of State in charge of digital transition and communications electronic devices, or the use of a license agreement, suggested by the National Commission of computing and freedoms in his observations. In the meantime, it belongs to the Health data platform to continue research, under Article 28 of the Regulation general information on data protection, the implementation by Microsoft of technical measures and appropriate organizational structures to best guarantee the protection of the rights of individuals concerned. In this regard, the company must moreover, by virtue of appendix 3 to the addendum on data protection mentioned above, make all information available to them necessary to demonstrate compliance with the obligations provided for in this article 28 and to allow carrying out audits. It also belongs to the National Commission for Informatics and freedoms, when it authorizes, in accordance with articles 66 and 76 of the law of 6 January 1978 relating to data processing, files and freedoms, projects called upon to process data collected by the Health Data Platform, to verify that they pursue a purpose of public interest in connection with the covid-19 epidemic and that the use of the Platform meets the conditions mentioned in point 20. 22. On the other hand, it does not appear, in the state of the investigation, that the measures suitable for eliminating any risk of the nature mentioned in point 19 and proportionate to the public interest mentioned in point 20 would fall under the protective measures which the judge of summary proceedings, ruling on the basis of the provisions of Article L. 521-2 of the Code of Justice administrative, can order in the event of serious and manifestly illegal infringement carried out in a proven by a legal person of public law to a fundamental freedom and in the very short time limit that these provisions provide. On the subsidiary and ancillary conclusions: 23. If the applicants ask the interim judge, in the alternative, to solicit the National Commission for Informatics and Liberties, so that it can decide in particular on the implications that may have on the processing and collection of data at Page 12 No. 444937 12 within the Health Data Platform, the invalidation of the decision to implement the Commission of 12 July 2016 on the adequacy of the protection provided by the data protection European Union - United States, the observations produced by this authority in the context of the present proceedings satisfy this request, which has thus become not applicable. 24. The provisions of Article L. 761-1 of the Code of Administrative Justice make obstacle to upholding the applicants' claims in this regard. ORDERS: ------------------ Article 1 st : The Platform of health data justify having concluded, within fifteen days from the notification of this decision, a new addendum to the documents contractual uniting it with the company Microsoft Ireland Operations Limited to specify that the law applicable which is mentioned in the addendum of September 3, 2020 is that of the right of Union or the law of the Member State to which the company is subject and that the changes that this amendment brings to the addendum on data protection for online services Microsoft apply to all services provided by Microsoft that may be used for the processing of personal data of the health system. The Health Data Platform will send a copy to the litigation secretariat of the Board of state. Article 2: There is no need to rule on the conclusions of the association's request the Council national free software and other applicants in that they tend to adopt a measure such as that mentioned in point 13 and the referral to the National Commission for computing and freedoms. Article 3: Having regard to the reminder made in point 20 of the scope of the decree of the Minister of Solidarity and Health of July 10, 2020 prescribing the general measures necessary to deal with the covid-19 epidemic in territories that have emerged from a state of health emergency and in those where it has been extended, the remainder of the conclusions of the association's request the National Council of free software and the other applicants is rejected. Article 4: This ordinance will be notified to the association the National Software Council free, first referred, for all the applicants, to the Minister for Solidarity and health and the Health Data Platform. A copy will be sent to the Prime Minister, to the National Commission for Informatics and liberties and to the company Microsoft France.
