CE - 492369

From GDPRhub
Court: CE (France)
Jurisdiction: France
Relevant Law:
Article L. 1461-1 of the French Public Health Code
Article L. 521-1 French Code of Administrative Justice
Decided: 22.03.2024
Published:
Parties: Clever Cloud, Nexedi, Rapid.Space International, Open Internet Project, Association de défense des libertés constitutionnelles, Association les Licornes Célestes, Cleyrop, Conseil national du logiciel libre
National Case Number/Name: 492369
European Case Law Identifier: ECLI:FR:CEORD:2024:492369.20240322
Appeal from: CNIL (France), Délibération n°2023-146 du 21 décembre 2023
Appeal to:
Original Language(s): French
Original Source: Legifrance (in French)
Initial Contributor: nzm

In an urgency procedure, the Supreme Administrative Court considered that the risk posed by hosting health data on Microsoft Ireland's servers, namely, the possible access by US authorities to said data, is not sufficiently serious and immediate to affect a public interest, even though the risk cannot in principle be totally ruled out.

English Summary

Facts

Under Article L. 1461-1 of the French Public Health Code, the public interest group “Plateforme des données de santé” (‘controller’) is responsible for collecting, organising and making data from the national health data system available as well as promoting the use of data in the health sector.

The controller wished to implement automated processing of personal data for the purpose of creating a health data warehouse called EMC2. However, the processing did not comply on certain points with the guidelines for the processing of personal data for the creation of data warehouses in the healthcare sector adopted by the French DPA (‘CNIL’). Under Article 66 of the French Data Protection Act, processing operations in the field of health that do not comply with guidelines adopted by the CNIL may only be implemented after the CNIL has authorised them. The controller therefore applied to the CNIL for authorisation.

On 21 December 2023, the CNIL authorised this processing and thereby admitted the legality of having the health data hosted by a processor, Microsoft Ireland. In March 2024, several companies and associations lodged an appeal with the French Supreme Administrative Court (‘Conseil d’Etat’) asking for the suspension of the CNIL deliberation.

In French law, Article L. 521-1 of the French Code of Administrative Justice establishes that urgency justifies the suspension of an administrative act when its execution is sufficiently serious and immediate to affect a public interest, the applicant’s situation or the interests they intend to defend. The judge must take into account the justifications provided by the applicant as to whether the effects of the disputed act characterise an urgency justifying that the execution of the decision be suspended. Urgency must be assessed objectively, taking into account all the circumstances of the case.

In the present case, the applicants argued that they market services linked to cloud data hosting without being exposed to the risk of extra-territorial application of US law. The CNIL's authorisation, however, admits the legality of hosting sensitive data by Microsoft Ireland acting as a processor, whose parent company is subject to US law. The applicants considered that this seriously harms their economic interests. They also argued that the implementation of this processing would expose health data concerning several million people to a non-negligible risk of disclosure to administrative or judicial authorities in the United States. They pointed out that if Microsoft were unable to oppose requests made by these authorities under Section 702 of the Foreign Intelligence Surveillance Act (FISA), Executive Order 12333 or the Clarifying Lawful Overseas Use of Data Act (CLOUD Act), this would cause serious and immediate harm to the interests of the applicants.

Additionally, they asked the Conseil d’Etat to refer a question to the CJEU on the assessment of the validity of the Data Privacy Framework and at least refer the following questions:

  1. US law continues to provide for rules enabling public authorities to gain general access, without judicial review, to the content of electronic communications of EU nationals hosted on or in transit to US territory. Is such a limitation of rights framed in such a way to meet the requirements of EU law, in particular Article 52(1) of the Charter of fundamental rights?
  2. US law does not provide any possibility for individuals to exercise legal remedies to prevent access to personal data concerning them, or to obtain the communication, rectification or deletion of such data. Is this practice compatible with EU law, in particular Article 47 of the Charter of fundamental rights?
  3. Does the new Data Privacy Framework comply with the Charter of Fundamental rights, in particular Articles 7, 8 and 47?

Holding

First, the Conseil d’Etat pointed out that, on the one hand, during the investigation of the authorisation request, the CNIL had asked a team of experts to examine the possibility of carrying out the EMC2 project using a cloud provider free from any risk of extra-territorial application of the law of a third country. In December 2023, this mission concluded that no available solution would both meet such a requirement and meet the technical needs of the project within the required time frame. On the other hand, the Conseil d’Etat considered that the execution of the contested decision was only likely to have an indirect and limited impact on the activities of the applicants. The Conseil d’Etat therefore held that the implementation of the contested decision was not likely to cause serious and immediate harm to the interests of the applicants.

Second, the EMC2 data warehouse is intended to process data from the medical files of 300,000 to 500,000 patients treated each year in four hospitals. This data will then be matched with the data concerning them contained in the national health database (‘SNDS database’), which concerns around 1.5 million people. Under the terms of the authorisation, only pseudonymised data will be collected within the EMC2 data warehouse, and patients' national identification numbers and full dates of birth will not be retained. Additionally, the data in the EMC2 data warehouse will be stored in Microsoft data centers located in France.

On the one hand, the Stored Communications Act as amended by the CLOUD Act provides that companies subject to U.S. law within the meaning of that Act may be required to provide data they control, regardless of where it is hosted, when such provision is authorized by a judge for the purposes of a criminal investigation. While these provisions apply to Microsoft, the Conseil d’Etat considered that the applicants did not provide any evidence to suggest that the pseudonymised health data hosted by Microsoft could be the subject of requests on this basis.

On the other hand, the Conseil d’Etat held that the risk that the US authorities might request access to certain data processed and hosted in the EMC2 warehouse cannot in principle be totally ruled out. However, it found that the risk of these authorities gaining access to the data, if Microsoft did not object to such a request, was hypothetical at the stage of the investigation, in view of the safeguards implemented, in particular the fact that the data will be pseudonymised and not directly identifiable. Therefore, in view of the precautions taken, the Conseil d’Etat judged that the implementation of the contested decision could not be considered a serious and immediate infringement of the right to privacy of the persons concerned. The Conseil d’Etat added that the public interest in ensuring that the project contributes to the European Medicines Agency’s project to pool ‘real life databases’, in order to enable research, studies and evaluations to be carried out on the use, efficacy and risks of a large panel of medicines and medical devices marketed in France, justified not suspending the contested authorisation.

Therefore, the Conseil d’Etat concluded that the condition of urgency required by Article L. 521-1 of the French Code of Administrative Justice was not met. Consequently, the Conseil d'Etat considered that there was no need to refer the questions to the CJEU, and the request was rejected.


English Machine Translation of the Decision

The decision below is a machine translation of the French original. Please refer to the French original for more details.

Full Text

FRENCH REPUBLIC
IN THE NAME OF THE FRENCH PEOPLE

Given the following procedure:
By a request and three new briefs, registered on March 5, 15, 18 and 19, 2024 at the litigation secretariat of the Council of State, the company Clever Cloud, the company Nexedi, the company Rapid.Space International, the Open Internet Project association, the Association de défense des libertés constitutionnelles, the Association les Licornes Célestes, Mr. F... B..., Mr. C... E..., Mr. D... A..., the Cleyrop company and the Conseil national du logiciel libre association ask the judge of the Council of State, ruling on the basis of article L. 521-1 of the code of administrative justice:

1°) to suspend the execution of deliberation no. 2023-146 of December 21, 2023 of the National Commission for Information and Liberties (CNIL) authorizing the public interest group “Health Data Platform” to implement automated processing of personal data with the aim of creating a data warehouse in the field of health called “EMC2”;

2°) to refer a preliminary question to the Court of Justice of the European Union on the assessment of the validity of Implementing Decision (EU) 2023/1795 of the European Commission of July 10, 2023, and at the very least the following questions:
- Taking into account that United States law continues to provide for regulations allowing public authorities to access in a generalized manner and without judicial supervision the content of electronic communications of nationals of the Union which would be hosted on or in transit to United States territory, are these interferences with the rights guaranteed by Articles 7 and 8 of the Charter of Fundamental Rights of the European Union framed in a way that meets requirements substantially equivalent to those required, in Union law, by Article 52(1), second sentence, of the Charter?
- Taking into account that US law does not provide any possibility for the litigant to exercise legal remedies in order to prevent access to personal data concerning him or to obtain communication, rectification or deletion of such data, does it offer to persons whose data are transferred to the United States guarantees substantially equivalent to those required by Article 47 of the Charter?
- Does Commission Implementing Decision (EU) 2023/1795 of 10 July 2023 infringe Articles 7, 8 or 47 of the Charter?
3°) to charge the CNIL with the payment of the sum of 2,000 euros to each of the exhibitors under article L. 761-1 of the administrative justice code.

They argue that:
- they justify, respectively as natural persons likely to see their health data processed by the EMC2 warehouse, as companies marketing secure cloud data hosting solutions capable of meeting the needs of the project without being exposed to the extra-territorial application of United States law, and as associations, with regard to their corporate purpose, an interest giving them standing to act;
- the deliberation of the CNIL authorizing the processing of personal data constitutes an adverse decision;
- the emergency condition is satisfied since, on the one hand, the authorized processing of personal data concerns almost all of the health data of French people, there is a risk of transmission to the intelligence services of the United States, and the processing is likely to be implemented at any time, causing serious and immediate harm to the protection of the private life of the requesting natural persons and the interests defended by the requesting associations, and, on the other hand, the contested deliberation calls into question the offers proposed by the applicant companies;
- there is serious doubt as to the legality of the contested decision;
- the contested decision, in that it authorizes the Health Data Platform to implement EMC2 processing even though it plans to entrust the hosting of the data it processes to the company Microsoft, which is subject to United States law, disregards the right to respect for private life guaranteed by article 2 of the Declaration of the Rights of Man and of the Citizen of 1789, authorizes interference with the right to respect for private life contrary to Article 8 of the European Convention for the Protection of Human Rights and Fundamental Freedoms and disregards the constitutional requirements inherent in safeguarding the fundamental interests of the Nation;
- this decision ignores the provisions of article R. 1461-1 of the public health code according to which no transfer of data from the national health data system (SNDS) can be carried out outside the European Union;
- the contested decision disregards rule no. 9 of circular no. 6404/SG of May 31, 2023, by authorizing the hosting of particularly sensitive personal data, including data from the SNDS, on servers from the company Microsoft, which does not benefit from SecNumCloud certification;
- the legality of the contested decision is based on the assessment of the validity of Implementing Decision (EU) 2023/1795 of the European Commission of July 10, 2023 which, in that it finds that the United States ensures an adequate level of protection of personal data transferred from the European Union, while United States law allows public authorities general access to the content of electronic communications, without effective possibility of recourse for the persons concerned, without obligation for the intelligence services to obtain prior authorization from an independent administrative authority or a judicial authority to collect data in bulk, and by simply setting up a quasi-judicial body on the basis of a presidential decree, on the one hand disregards Articles 7 and 8 of the Charter of Fundamental Rights of the European Union, and on the other hand is incompatible with Article 45(1) of Regulation (EU) 2016/679 relating to the protection of individuals with regard to the processing of personal data and the free movement of such data, read in the light of Articles 7, 8 and 47 of this Charter, as well as with Articles 28 and 32 of this Regulation.

By a defense brief, registered on March 14, 2024, the National Commission for Information Technology and Liberties concludes that the request should be rejected. It maintains that the emergency condition is not satisfied and that the arguments raised are unfounded.

By a defense brief, registered on March 18, 2024, the Health Data Platform concludes that the request should be rejected. It maintains that the emergency condition is not satisfied and that the arguments raised are unfounded.

The Minister of Labor, Health and Solidarity presented observations, recorded on March 19, 2024.

Considering the other documents in the file;

Having regard to:
- the Constitution, in particular its Preamble;
- the European Convention for the Protection of Human Rights and Fundamental Freedoms;
- the Charter of Fundamental Rights of the European Union;
- Regulation (EU) 2016/679 of the European Parliament and of the Council of April 27, 2016;
- the public health code;
- Law No. 78-17 of January 6, 1978;
- the administrative justice code;

After having convened to a public hearing, on the one hand, the company Clever Cloud and the other applicants and, on the other hand, the CNIL, the Health Data Platform, as well as the Minister of Labor, Health and Solidarity;

Were heard during the public hearing on March 19, 2024, at 11 a.m.:

- representatives of the company Clever Cloud and other applicants;

- representatives of the CNIL;

- representatives of the Health Data Platform;

- representatives of the Minister of Labor, Health and Solidarity;

at the end of which the judge closed the investigation;

Considering the following:

1. Under the terms of article L. 521-1 of the code of administrative justice: "When an administrative decision, even one of rejection, is the subject of a request for annulment or reformation, the emergency judge, seized of a request to this effect, may order the suspension of the execution of this decision, or of certain of its effects, when the urgency justifies it and a ground is raised that is capable of creating, in the state of the investigation, a serious doubt as to the legality of the decision".

2. Under the terms of article 66 of the law of January 6, 1978 relating to data processing, files and freedoms, relating to the processing of personal data in the field of health: "I.- Processing falling within this section may only be implemented in consideration of the public interest purpose that it presents (...) / III.- The processing operations mentioned in I which do not comply with a standard mentioned in (...) may only be implemented after authorization from the National Commission for Information Technology and Liberties (...)".

3. According to Article L. 1462-1 of the Public Health Code, the public interest group called “Health Data Platform” is notably responsible for gathering, organizing and making available the data from the national health data system (SNDS) mentioned in article L. 1461-1 of the same code and for promoting the use of data in the field of health.

4. It follows from the investigation that the Health Data Platform wishes to implement automated processing of personal data with the aim of establishing a health data warehouse called EMC2, within the framework of a service agreement concluded on December 13, 2021 with the European Medicines Agency for the creation of a database in order to conduct pharmacoepidemiology studies. As the envisaged processing does not comply, on certain points, with the framework relating to the processing of personal data implemented for the purposes of creating data warehouses in the field of health, adopted by the National Commission for Information Technology and Liberties (CNIL) in its deliberation no. 2021-118 of October 7, 2021, the Health Data Platform applied to it for authorization, in application of the provisions of article 66 of the law of January 6, 1978 cited in point 2. The company Clever Cloud and the other applicants ask the judge of the Council of State, ruling on the basis of article L. 521-1 of the code of administrative justice, to suspend the execution of the deliberation of December 21, 2023 by which the CNIL authorized the Health Data Platform to implement this processing.

5. Urgency justifies the suspension of an administrative act when its execution harms, in a sufficiently serious and immediate manner, a public interest, the situation of the applicant or the interests he or she intends to defend. It is up to the judge hearing the summary application to assess concretely, taking into account the justifications provided by the applicant, whether the effects of the contested act are such as to characterize an emergency justifying that, without waiting for the judgment of the application on the merits, the execution of the decision be suspended. Urgency must be assessed objectively and taking into account all the circumstances of the case.

6. To justify the urgency of suspending the execution of the contested deliberation, the applicants, who include companies indicating that they market offers of services linked to cloud data hosting without being exposed to the risk of extra-territorial application of United States law, argue that the authorization given by the CNIL, in that it admits the legality of the hosting of sensitive data by a subcontractor, Microsoft Ireland, whose parent company is subject to the law of the United States, constitutes a precedent which seriously harms the economic interests of these companies. They further maintain that, under these conditions, the implementation of the planned processing, in that it exposes health data concerning several million people to a non-negligible risk of disclosure to administrative or judicial authorities of the United States, in the event that Microsoft would not be able to oppose the requests made by these authorities in the context, on the one hand, of surveillance programs based on section 702 of the "Foreign Intelligence Surveillance Act" (FISA) or "Executive Order" (presidential decree) No. 12333, and on the other hand, of the "Stored Communications Act" as amended by the "Clarifying Lawful Overseas Use of Data Act" (CLOUD Act), would cause serious and immediate harm to the interests of the applicants who are individuals and to the interests defended by the applicant associations.

7. Firstly, on the one hand, it follows from the investigation that during the examination of the request for authorization of the disputed processing, at the request of the CNIL, an expert mission by the digital health delegation, the interministerial digital delegation and the digital health agency was commissioned to examine the possibility of carrying out the EMC2 project using a host free from any risk of extra-territorial application of the law of a third country. This mission concluded on December 13, 2023 that there was no solution available to meet both such a requirement and the technical needs of the Health Data Platform within the framework of the conditions, in particular deadlines, set by the service provision agreement between it and the European Medicines Agency. Although the hypothesis of an offer associating an infrastructure-as-a-service (IaaS) provider holding the SecNumCloud qualification issued by the National Information Systems Security Agency with one of the applicant companies was considered within the framework of this study, in which that company participated, and although the applicants argue that better anticipation of the project by the Health Data Platform would have enabled it to consider such a solution, it does not follow from the investigation that on the date of this study, this company or one of the other applicant companies, whose application is limited to presenting their activity in general terms, would have been able to present an offer of cloud data hosting services meeting the needs of the EMC2 project within the required time frame.

8. On the other hand, and in any event, the execution of the contested deliberation, which limits the authorization to a period of three years corresponding to the time necessary for the completion of the Health Data Platform's project of migrating its data to a hosting solution meeting the recommendations of the CNIL, and which therefore in no way hinders the development of cloud data hosting services likely to meet the needs of hosting health data without being exposed to the risks linked to submission to the law of a third country, is likely to have only an indirect and limited impact on the activities of these companies. Consequently, the execution of the contested decision is not likely to cause serious and immediate harm to the interests of the applicant companies justifying that this execution be suspended in summary proceedings pending the judgment of the application on the merits.

9. Secondly, it follows from the investigation that the EMC2 data warehouse is intended to process, on the one hand, data from the medical files of 300,000 to 500,000 patients treated each year in four hospital establishments, which will be matched with data from the main SNDS database concerning them, and on the other hand, data concerning a control population of approximately 1.5 million people, coming from this database. It follows from the terms of the contested authorization that only pseudonymized data will be collected within the EMC2 health data warehouse. Pseudonymization will be carried out by the hospitals and by the National Health Insurance Fund before the data is placed in the warehouse, and the registration number in the national directory for the identification of natural persons (NIR) and patients' complete date of birth will not be retained after matching. Data from the health data warehouse will be stored in Microsoft data centers located in France.

10. On the one hand, the Stored Communications Act, as amended by the CLOUD Act, provides that companies subject to American law within the meaning of this law may be required to provide data that they control, regardless of where it is hosted, when this provision is authorized by a judge for the purposes of a criminal investigation. Although these provisions can apply to the company Microsoft, as indeed to certain European companies carrying out activity in the United States, the applicants do not provide any elements from which it would appear that the health data, pseudonymised as indicated in point 9, that this company hosts on behalf of the Health Data Platform could be the subject of requests on this basis.

11. On the other hand, the risk that the American authorities will formulate, within the framework of the surveillance programs mentioned in point 6, a request for access to certain data processed and hosted in the EMC2 warehouse, assuming that they see an interest in it with regard to the objective of obtaining foreign intelligence information pursued by these programs, cannot in principle be completely ruled out. However, the risk of access by these authorities to this data, in the event that Microsoft does not oppose such a request, is, in the state of the investigation, hypothetical, in view of the important guarantees surrounding the implementation of the project, in particular due to the fact that the data will be pseudonymized and not directly identifying, in consideration of which the CNIL considered that this risk was reduced to a level which did not justify refusing the requested authorization. Having regard to the precautions thus taken, the execution of the contested deliberation cannot be regarded as seriously and immediately affecting the right to respect for the private life of the persons concerned, such as to characterize an emergency justifying that, without waiting for the judgment of the application on the merits, the execution of the contested deliberation be suspended. Furthermore, the public interest in ensuring that the Health Data Platform contributes without undue delay to the project of grouping "real-life" databases led by the European Medicines Agency, in order to enable research, studies and evaluations to be carried out on the use, effectiveness and risks of a large panel of medicines and medical devices marketed in France, justifies that the contested authorization should not be suspended.

12. It follows from the above that the emergency condition required by article L. 521-1 of the administrative justice code is not met. Therefore, and without there being any need to refer the preliminary questions formulated or to rule on the existence of a serious doubt as to the legality of the contested deliberation, the applicants' conclusions seeking suspension, as well as, in any event, those which they presented on the basis of article L. 761-1 of the code of administrative justice, can only be rejected.

ORDERS:
------------------
Article 1: The request from the company Clever Cloud and others is rejected.
Article 2: This order will be notified to the company Clever Cloud, the first named applicant, to the National Commission for Information Technology and Liberties and to the Health Data Platform.
A copy will be sent to the Minister of Labor, Health and Solidarity.
Done in Paris, March 22, 2024
Signed: Jean-Yves Ollier

ECLI:FR:CEORD:2024:492369.20240322