CE - N° 444937

Court: CE (France)
Jurisdiction: France
Relevant Law: Article 28 GDPR
Article 44 GDPR
Article 45 GDPR
Article 46 GDPR
Article 48 GDPR
Article 49 GDPR
Article 702 Foreign Intelligence Surveillance Act
Article L. 1461-1 code de la santé publique
Article L. 1462-1 code de la santé publique
Article L. 3131-1 code de la santé publique
Article L. 3131-16 code de la santé publique
Executive Order 12333
Arrêté du 10 juillet 2020
Decided: 13.10.2020
Published: 14.10.2020
Parties: Syndicat de la Médecine Générale (SMG)
Association Française des Hémophiles (AFH)
Conseil national du logiciel libre (CNLL)
Constance
Les Actupiennes
Nexedi
PLOSS Auvergne Rhône-Alpes
SoLibre
Syndicat national des journalistes (SNJ)
Union française pour une médecine libre (UFML)
Union fédérale médecins, ingénieurs, cadres, techniciens CGT santé et action sociale (UFIMCT-CGT santé et action sociale)
Union générale des ingénieurs, cadres et techniciens CGT (UGICT-CGT)
InterHop
National Case Number/Name: N° 444937
European Case Law Identifier:
Appeal from:
Appeal to:
Original Language(s): French
Original Source: Conseil d'Etat (in French)
Initial Contributor: n/a

The French Supreme Administrative Court (Conseil d’Etat) ruled on the legality of the Health Data Hub, in contract with Microsoft as a processor, in light of the Schrems II decision. The risk of a GDPR violation was insufficient to suspend the Hub.

English Summary

Facts

The parties asked the French Supreme Administrative Court (Conseil d’Etat) to suspend the centralisation and data processing of personal data relating to Covid-19 on the health data platform ‘Health Data Hub’ (data controller). The EU subsidiary of the American corporation Microsoft, established in Ireland, has access to personal data on the Hub as it licenses the software necessary to operate it (data processor). The data centre is located in the Netherlands.

The parties also asked the Court to request the French DPA (CNIL) to rule on the implication of the invalidation of the Privacy Shield agreement in relation to personal data processed in the Health Data Hub.

The parties highlighted that the condition of urgency was met. This is due to the urgent nature of the Covid-19 pandemic, the sensitive nature of the data centralised and processed in the Health Data Hub and the recent CJEU decision (“Schrems II” of the 16th July 2020).

Finally, they deemed that there was a serious violation of the right to privacy and to protection of personal data. This is due to the fact that the company in charge of the Health Data Hub’s technical aspects, Microsoft, is subject to US law. The risk that this posed to the above-mentioned rights was outlined in the Schrems II decision.

Dispute

Is the contract between the French Health Data Hub and Microsoft, as a company subject to US surveillance law, in violation of Articles 44 to 49 GDPR following the Schrems II decision?

Holding

With regard to the Schrems II decision:

The French Court outlined relevant segments of the Schrems II CJEU decision. In this case, the CJEU held that Articles 46(1) and 46(2)(c) GDPR must be interpreted as meaning that a data subject, whose personal data is transferred to a third country, benefits from a level of protection essentially equivalent to that guaranteed by the GDPR and the EU Charter of Fundamental Rights.

The French Court also highlighted that the CJEU held that the Privacy Shield adequacy decision (adopted as per Article 45(3) GDPR) was invalid. It was deemed invalid as it did not provide an adequate level of protection to personal data transfers from the EU to companies in the US. This is notably because public authorities in the US are able to request access to such personal data as a result of surveillance laws: Article 702 Foreign Intelligence Surveillance Act (FISA) or the Executive Order (EO) 12333. These laws allow for bulk collection of personal data. They do not allow a data subject to enforce any rights before a tribunal.

With regard to national law relating to collection and processing of data:

The French Court outlined that Article L. 1462-1 of the public health code provides for the Health Data Hub and the collection of health data from the existing national health data system (as per Article L. 1461-1).

Article L. 3131-1 of the public health code stipulates that the Health Minister can prescribe an Order in the public interest in case of a public health emergency, such as a pandemic. This order must be proportionate and necessary. As such, a Ministerial Order of 10 July 2020 prescribed measures necessary to combat covid-19, including the processing of personal data concerning health (see Article L. 3131-16 public health code).

With regard to the risk of transfer of data due to the contractual arrangement with Microsoft:

The French Court stipulated that FISA and the EO allow US public authorities to have access to data transferred to the US from the EU without appropriate safeguards for data subjects. Therefore, any transfer of data to the US would be deemed to infringe Article 44 et seq. of the GDPR, following the recent Schrems II decision by the CJEU. This is the case unless the transfer is justified by a derogation pursuant to Article 49.

The Court highlighted that the contract with Microsoft stipulates that data must not be processed outside of the stipulated geographical zone (Netherlands). This is true unless resolution of issues must be achieved outside of this zone subject to authorisation by the Health Data Hub. However, the Minister for Solidarity and Health introduced an Order of the 9th October 2020, which stipulated that no data transfer outside of the EU would be performed. The French Court therefore outlined that this imposed a barrier on the contractual arrangement with Microsoft which allowed for such a possibility. Therefore, the Court deemed that there was no possibility of transfer of personal data outside of the EU as a result of the contract. The claimant’s claim that there was an interference with fundamental rights, including to data protection, is not well founded.

With regard to the risk of other transfers of personal data:

The Court addressed the claimant’s concern that Microsoft, as an American company, is subject to FISA and EO. This means that it can be under the obligation to transfer data to American public authorities even if the data is stored in the EU and the contract between the Health Data Hub and Microsoft precludes such transfers. The Court held that it was necessary to consider the level of protection afforded during the transfers of data in light of the contractual stipulation, the law in the third country and the judicial system there.

The Court highlighted that the French DPA (CNIL) stipulated in its defense that the risk of a transfer to the US by virtue of US surveillance law could not be excluded. This would subsequently infringe Articles 28 and 48 GDPR, which prohibit transfers to third countries unless agreed upon by the data controller or as a result of a legal obligation provided for in EU law or a Member State’s law.

However, the French Court outlined that the CJEU in Schrems II only discussed circumstances where data is transferred to the US and did not discuss circumstances where such data is processed in the EU by American corporations subject to US law. The French Court also noted that the CJEU held that derogations found under Article 49 may allow for such transfers where necessary for a public interest recognised by EU law or the law of a Member State. It also deemed that there was public interest in allowing the use of health data in the context of the Covid-19 crisis and therefore, public interest in contracting with Microsoft on the technical aspects. The Court noted that such measures must be proportionate to the risk posed by the public health emergency and necessary considering the urgency and the absence of technical alternatives. The Court highlighted that it is the French DPA which must assess any potential public interest in connection with the Covid-19 pandemic.

The French Court also outlined that the claimants only claimed that there was a risk of a violation of the GDPR should Microsoft have to grant access to personal data to US public authorities rather than claiming a direct violation of the Regulation.

The Court stipulated that the Health Data Hub must ensure that the data processor, Microsoft, adopts appropriate technical and organisational measures to ensure the protection of the rights of data subjects (pursuant to Article 28 GDPR). In light of this Article, Microsoft must also provide all information required and allow audits to be conducted.

The Court therefore did not order the suspension of the Health Data Hub.

Comment

It is interesting that the French Supreme Administrative Court seems to go further than the wording of the Schrems II decision. The French Court outlined that the CJEU had not pronounced itself on cases where US companies, processing data in the EU, were subject to a request by US authorities (under US surveillance law) to grant access to the data.

The Supreme Administrative Court also goes further than the French DPA (CNIL), which suggested that such service providers, subject to US law, should not be relied upon as US authorities may request access.

It is also interesting that the Court highlighted the distinction between a direct violation of EU law, and the risk of a violation, should Microsoft be requested by US authorities to grant access to the data.


English Machine Translation of the Decision

The decision below is a machine translation of the French original. Please refer to the French original for more details.

No. 444937

FRENCH REPUBLIC
IN THE NAME OF THE FRENCH PEOPLE
THE SUMMARY JUDGE
__________
ASSOCIATION THE NATIONAL COUNCIL
OF FREE SOFTWARE and
others
__________
Ordinance of 13 October 2020

Considering the following procedure:
By a request, registered on September 28, 2020 at the litigation secretariat
of the Council of State, the association the National Council of Free Software (CNLL), the Ploss
Rhones-Alpes association, the SoLibre association, the Nexedi company, the association Interhop, French
hospitals for the interoperability and free sharing of algorithms, Ms. B... I..., Mr. C... A..., the
national union of journalists (SNJ), the general medicine union (SMG), the French union
for a free medicine (UFML), Mr. H... J..., Mr. D... G..., the general union of
engineers, executives and technicians CGT (UGICT-CGT), the federal union of doctors, engineers,
managers and technicians CGT health and social action (UFIMCT - CGT health and social action), Ms.
L... K..., Mr. E... F..., the association Constances, the association the Actupiennes and the French
association of hemophiliacs (AFH) ask the judge of the Conseil d'Etat, on the
basis of article L. 521-2 of the code of administrative justice:
1 °) primarily, to order the suspension of the centralization and
processing of data related to the covid-19 epidemic on the Health Data
Platform, as well as all measures necessary to ensure the absence of serious and
manifestly illegal harm to the right to privacy and the protection of personal data in connection
with the processing and centralization of health data on the Health Data Hub;
2 °) in the alternative, to request the National Commission for Informatics
and Freedoms, in particular for the purposes of ruling on the implications of the invalidation of the
"Privacy Shield" on the processing and collection of data within the Health Data
Platform;
3 °) to charge the State for the sum of 5,000 euros under article
L. 761-1 of the code of administrative justice.
They argue that:
- they can prove an interest giving them standing to act;
- the condition of urgency is fulfilled having regard, first of all, to the health
emergency situation declared since 23 March 2020, the effects of which were renewed by the decree
of 10 July 2020 prescribing the general measures necessary to deal with the epidemic of
covid-19 in territories that have emerged from the state of health emergency and in those where it has been extended,
then, to the scope of the contested measure allowing very wide collection and centralization
of particularly sensitive data, as well as to the reservations made by the National Commission
for Informatics and Freedoms, and, finally, to the risks highlighted by the judgment of the Court of
Justice of the European Union of July 16, 2020;
- there is a serious and manifestly illegal interference with the right to respect for
privacy and the right to protection of personal data, with regard to the submission to
American law of the company chosen to provide the technical solution of the Health Data
Platform, without sufficient guarantees with regard to the risks involved, on the one hand, in
data transfers to the United States, highlighted by the judgment of the Court of Justice of
the European Union of July 16, 2020, and, on the other hand, in the extraterritorial application of
American law.
By a defense, registered on October 7, 2020, the Minister of
Solidarity and Health concludes that the request should be rejected. He maintains that the condition of urgency
is not fulfilled and that there is no serious and manifestly illegal interference with a fundamental
freedom.
The National Commission for Informatics and Freedoms produced
observations, recorded on October 8, 2020.
The request was communicated to the Prime Minister, to the Health Data
Platform and the company Microsoft France, which did not produce a brief.
After having summoned to a public hearing, on the one hand, the National Council
of Free Software and the other applicants and, on the other hand, the Prime Minister, the Minister of
Solidarity and Health, the Health Data Platform and Microsoft France, as well as
the National Commission for Informatics and Freedoms;
Were heard during the public hearing on October 8, 2020, at 2:30 p.m.:
- representatives of the CNLL and the other applicants;
- representatives of the Minister of Solidarity and Health;
- representatives of the Health Data Platform;
- representatives of Microsoft France;
at the end of this hearing, the summary judge postponed the closing of
the instruction to October 13 at 12 noon;
Having regard to the observations, recorded on October 9, 2020, presented by the company
Microsoft France;
Having regard to the new briefs, recorded on October 12 and 13, 2020, presented by
the CNLL and the other applicants, who have the same ends as their application;
Having regard to the new pieces and the new brief, recorded on October 10 and 13
2020, produced by the Minister of Solidarity and Health, tending to the same end as his
previous thesis;
Considering the note under advisement, recorded on October 13, 2020, presented by the CNLL
and the other applicants;
Having regard to the other documents in the file;
Seen:
- the Charter of Fundamental Rights of the European Union;
- Regulation (EU) 2016/679 of the European Parliament and of the Council of
April 27, 2016;
- the public health code;
- Law n ° 78-17 of January 6, 1978;
- Law n ° 2019-774 of July 24, 2019;
- Law n ° 2020-856 of July 9, 2020;
- the decree of the Minister of Solidarity and Health of July 10, 2020 prescribing
the general measures needed to deal with the covid-19 epidemic in the territories
out of the state of health emergency and in those where it has been extended;
- the code of administrative justice;
Considering the following:
1. Under the terms of article L. 511-1 of the administrative justice code: “ The summary
judge rules by measures which are of a provisional nature. He is not seized of the
main issue and takes a decision as soon as possible ”. Under the terms of article L. 521-2 of the same
code: “ When seized of a request to this effect justified by urgency, the summary judge may order
all measures necessary to safeguard a fundamental freedom with which a legal person
governed by public law or a private law body responsible for the management of a public service
has seriously and manifestly unlawfully interfered in the exercise of one of its powers.
The summary judge decides within forty-eight hours ”.
On the office of the summary judge:
2. It results from the combination of the provisions of Articles L. 511-1 and L. 521-2
of the administrative justice code that it is for the summary judge, when seized on the
basis of Article L. 521-2 and when he finds a serious and manifestly illegal interference
by a legal person governed by public law with a fundamental freedom, resulting from the action
or the failure to act of this public person, to prescribe the measures which are likely to
make the effects of this interference disappear, provided that there is a marked urgency
justifying the pronouncement of safeguard measures at very short notice and that such measures
can usefully be taken. These must, in principle, be of a provisional nature, except
when no measure of this nature is likely to safeguard the effective exercise of the
fundamental freedom which is infringed.
3. The right to respect for private life, which includes the right to the protection of
personal data, constitutes a fundamental freedom within the meaning of the provisions of article
L. 521-2 of the code of administrative justice.
On the legal framework:
With regard to European Union data protection law:
4. On the one hand, under Article 44 of Regulation (EU) 2016/679 of the
European Parliament and of the Council of April 27, 2016 on the protection of natural
persons with regard to the processing of personal data and the free movement of
these data, and repealing Directive 95/46 / EC, or general regulation on the protection of
data: “ A transfer, to a third country (...), of personal data which are undergoing or
are intended to undergo processing after this transfer can only take place if,
subject to the other provisions of this regulation, the conditions defined in this
chapter are complied with by the controller and the processor (…). All the
provisions of this chapter are applied so that the level of protection of
natural persons guaranteed by this Regulation is not compromised ”. Article 45 of
this regulation provides that: “ 1. A transfer of personal data to a third country
(...) can take place when the Commission has found by decision that the third country, a
territory or one or more specific sectors in this third country (...) ensures an adequate level of
protection. Such a transfer does not require specific authorization. / 2. When it
assesses the adequacy of the level of protection, the Commission takes into account, in particular,
the following elements: / a) the rule of law, respect for human rights and fundamental
freedoms, (…) access by public authorities to personal data, as well as
the implementation of said legislation, the rules on data protection, (…)
as well as the effective and enforceable rights enjoyed by the data subjects and
the administrative and judicial remedies that the data subjects whose personal data
are transferred can actually bring; (…) / 3. The Commission,
after having assessed the adequacy of the level of protection, may decide, by means of implementing
acts, that a third country, a territory or one or more specific sectors in a third
country (…), ensures an adequate level of protection (…) ”. According to article 46 of this
regulation: “ 1. In the absence of a decision under Article 45, paragraph 3, the controller
or the processor may transfer personal data to a
third country or to an international organization only if it has provided for appropriate guarantees and
provided that the data subjects have enforceable rights and effective
remedies. / 2. The appropriate guarantees referred to in paragraph 1 may be provided without
requiring a specific authorization from a supervisory authority, by: / (…) / c)
standard data protection clauses adopted by the Commission in accordance with the
examination procedure referred to in Article 93 (2) (…) ”.
5. On the other hand, under the terms of Article 48 of the same regulation: “ Any
decision of a court or administrative authority of a third country requiring a
controller or a processor to transfer or disclose personal
data can only be recognized or made enforceable in any way
if it is based on an international agreement, such as a mutual legal assistance
treaty, in force between the requesting third country and the Union or a Member State, without
prejudice to other grounds for transfer under this chapter ”. Article 28 of this
regulation provides that: “ 1. When processing must be carried out on behalf of a
controller, the latter only uses processors who present
sufficient guarantees regarding the implementation of appropriate technical and organizational
measures so that the processing meets the requirements of this Regulation and
guarantees the protection of the rights of the data subject. / (…) / 3. Processing by a
processor is governed by a contract or other legal act under Union law or the
law of a Member State, which (...) provides, in particular, that the processor: / a) processes
personal data only on the documented instruction of the controller,
including with regard to transfers of personal data to a third country or
to an international organization, unless it is required to do so under the law of
the Union or the law of the Member State to which the processor is subject; in this case, the
processor informs the controller of this legal obligation before processing,
unless the law concerned prohibits such information for important reasons of public interest
(…) ”.
6. By a grand chamber judgment of July 16, 2020, Data Protection
Commissioner v Facebook Ireland Ltd and Maximillian Schrems, C-311/18, the Court of
Justice of the European Union has ruled that Article 46, paragraph 1, and Article 46,
paragraph 2 (c) of Regulation 2016/679 must be interpreted as meaning that the
appropriate guarantees, enforceable rights and effective legal remedies required by these
provisions must ensure that the rights of the persons whose personal data
are transferred to a third country on the basis of standard data protection clauses
benefit from a level of protection substantially equivalent to that guaranteed within
the European Union through this regulation, read in the light of the Charter of Fundamental Rights of
the European Union. To this end, the assessment of the level of protection provided must, in particular,
take into consideration both the contractual stipulations agreed between the controller
or its processor established in the European Union and the recipient of the transfer
established in the third country concerned and, with regard to possible access by the authorities
of that third country to the personal data thus transferred, the relevant
elements of its legal system, in particular those set out in Article 45 (2)
of the regulation.
7. By this judgment, the Court of Justice also held that the implementing decision
(EU) 2016/1250 of the Commission of 12 July 2016 on the adequacy of protection
provided by the European Union - United States Privacy Shield, taken on the
basis of Directive 95/46 and equivalent to an adequacy decision within the meaning of Article 45,
paragraph 3 of the General Data Protection Regulation was invalid on the grounds that,
even within this framework, the United States did not ensure an adequate level of protection of
personal data transferred from the Union to organizations established in this
country. It has, in fact, noted interference with the fundamental rights of people whose
personal data are thus transferred, because of the possibilities of access to these
data and use thereof by the American public authorities, within the framework of
surveillance programs based, on the one hand, on section 702 of the Foreign Intelligence Surveillance Act
(FISA) or law on oversight in matters of foreign intelligence and, on the other hand, on the “
Executive Order (EO) 12333 ” or Presidential Decree No. 12333, which are not limited to what is strictly
necessary. Article 702 of the FISA does not limit the authorization it contains and the US
Foreign Intelligence Surveillance Court only checks whether these programs
correspond to the objective of obtaining information on foreign intelligence,
but not whether people are properly targeted for this purpose. As for EO 12333, it must be
implemented in compliance with Presidential Policy Directive 28 (PPD-28), which
however allows a "bulk" collection of a relatively large volume of
information or data when intelligence services cannot use an
identifier associated with a specific target to guide the collection, making it possible to access
data in transit to the United States without judicial oversight or sufficient supervision.
Finally, for these different monitoring programs, there is no text conferring on
data subjects rights that can be enforced against the American authorities in court,
allowing them to benefit from a right of effective remedy. Under these conditions, the limitations on the
protection of personal data resulting from the internal regulations of the
United States are not framed so as to meet requirements substantially
equivalent to those required by the Charter of Fundamental Rights of the European Union,
Article 52 of which only allows limitations on the exercise of the rights and freedoms that it recognizes if
they are necessary and effectively meet objectives of general interest recognized by the
Union or the need to protect the rights and freedoms of others.
With regard to the national provisions governing the collection and
processing of data related to the covid-19 epidemic on the Health Data
Platform:
8. On the one hand, Article L. 1462-1 of the Public Health Code, in its
wording resulting from the law of July 24, 2019 relating to the organization and transformation of
the health system, provides that a public interest group, called the "Health Data
Platform" and formed between the State, bodies ensuring representation of patients and
users of the health system, producers of health data and public and
private users of health data, including health research organizations, is in particular
responsible for collecting, organizing and making available data from the national health data
system mentioned in article L. 1461-1 of the same code and for promoting innovation in
the use of health data. The amendment to the agreement constituting the public interest
group "National Institute for Health Data" establishing the public interest group
"Health Data Platform" or "Health Data Hub" was approved on November 29,
2019 by an order of the Minister for the Armed Forces, the Minister for Solidarity and Health,
the Minister of Economy and Finance, the Minister of Labor, the Minister of National
Education and Youth, the Minister of Action and Public Accounts, the Minister of
Higher Education, Research and Innovation and the Minister of Agriculture and
Food.
9. On the other hand, under the terms of the first paragraph of Article L. 3131-1 of the Code of
public health: " In the event of a serious health threat requiring emergency measures,
especially in the event of an epidemic threat, the Minister of Health may, by reasoned decree,
prescribe in the interest of public health any measure proportionate to the risks incurred and
appropriate to the circumstances of time and place in order to prevent and limit the consequences
of possible threats to the health of the population. The Minister may also take
such measures after the end of the state of health emergency provided for in Chapter I bis of this title,
in order to ensure the lasting disappearance of the health crisis ”. Article 30 of the decree
of 10 July 2020 prescribing the general measures necessary to deal with the epidemic of
covid-19 in territories that have emerged from the state of health emergency and in those where it has been extended,
taken on the basis of these provisions and those of Article L. 3131-16 of the Public Health
Code, provides, in a chapter dedicated to the processing of personal data
of the health system, that: " I.- For the sole purpose of facilitating the use of health data for
the needs of managing the health emergency and improving knowledge on the
covid-19 virus, the public interest group mentioned in Article L. 1462-1 of the Public
Health Code and the National Health Insurance Fund are authorized to receive the
following categories of personal data: / - data from the national
health data system mentioned in article L. 1461-1 of the same code as well as, in
compliance with its security reference system: / - pharmacy data; / - data on care
provided in the city such as diagnoses or declarative symptom data from
mobile health applications and remote monitoring, remote monitoring or telemedicine tools; / -
results of biological examinations carried out by hospital laboratories and city
medical biology laboratories; / - data relating to emergencies collected by the National
Public Health Agency in the framework of the coordinated emergency surveillance network; /
- data relating to calls collected from emergency medical aid services and
services contributing to urgent medical aid; / - data relating to the activity and
consumption of care in medico-social establishments or services, in particular in
accommodation establishments for dependent elderly people; / - surveys carried out
with people to assess their experiences; / - non-directly identifying data
from the unique victim identification system mentioned in Article L. 3131-9-1 of the Public
Health Code; / - clinical data such as imaging, pharmacy, biology,
virology, medical reports from cohorts of patients treated in
health centers with a view to their aggregation. / II.- The public interest group and the National
Health Insurance Fund can only collect the data necessary for the
public interest in connection with the current epidemic of covid-19. They are responsible for the
storage and provision of data. They are allowed to cross-reference the data
mentioned in I. / The National Health Insurance Fund is responsible for the pseudonymization
operations in the context of data matching and can process the registration
number in the national register of identification of natural persons for this purpose. / Only
data controllers authorized under the conditions provided for in Articles 66 and 76 of the
law n ° 78-17 of January 6, 1978 relating to data processing, files and freedoms, the State
implementing the processing mentioned in 6 ° of article 65 of the same law, the National
Health Insurance Fund implementing the processing mentioned in 3 ° of article
65 of the same law, or the bodies and services entrusted with a public service mission
mentioned in article 67 of the same law, may process the data thus collected by the
public interest group. / III.- The data can only be processed for projects
pursuing a purpose of public interest in connection with the current epidemic of covid-19 and until
the entry into force of the measures taken in application of article 41 of the law of July 24,
2019 above and no later than October 30, 2020. / Data can only be processed on
the technological platform of the public interest group and on the platform of the National
Health Insurance Fund, and cannot be extracted from it. Within these platforms,
the above-mentioned data may not contain the names and surnames of persons, nor
their registration number in the National Directory for the Identification of Natural Persons, nor
their address. / The public interest group establishes and makes available on its website a
public directory which lists the list and characteristics of all projects relating to these
data ”. These provisions extend until October 30, 2020 the effects of those of the decree of
April 21, 2020 supplementing the decree of March 23, 2020 prescribing the measures for the organization and
functioning of the health care system necessary to deal with the epidemic of covid-19 in the context of the
state of health emergency.
On the main conclusions of the request:
10. For the purposes of storing and making available the health data
for which it is responsible, the Health Data Platform signed on April 15, 2020 with the
company incorporated under Irish law Microsoft Ireland Operations Limited, a subsidiary of the American company
Microsoft Corporation, a contract giving it access to a set of "Microsoft
Azure", including in particular the hosting of the health data mentioned in point 9
and the licensing of the software necessary to process this data for
legally authorized purposes. The association National Free Software Council and the other
applicants point to the risks that this situation entails with regard to the right to respect for
privacy, taking into account possible data transfers to the United States, either in application
of the contract concluded with Microsoft Ireland Operations Limited, or because of
requests that would be addressed to this company even outside the contractual transfers
consented to by the Health Data Platform.
With regard to the risk of transfers of personal data in
application of the contract concluded with Microsoft:
11. It follows from the judgment of the Court of Justice of the European Union of 16
July 2020 that no transfer of personal data to the United States can any longer
take place on the basis of Article 45 of the General Data Protection Regulation. While
a transfer remains possible on the basis of Article 46, it is on the condition that
appropriate guarantees are provided and that the data subjects have enforceable rights and
effective legal remedies. However, it follows from the same judgment that, in the case where the public authorities
of the United States would have access, on the basis of Article 702 of FISA or EO 12333, to
personal data transferred from the European Union, the data subjects
would not have rights enforceable against the American authorities in court, and
it does not appear, in the state of the investigation, that appropriate guarantees can be provided
to remedy this. Under these conditions, any transfer of personal data to the United States,
by a company that may be the subject of requests by the American authorities on
foundations mentioned above, is likely to contravene by itself Articles 44 and
of the General Data Protection Regulation, unless it can be justified
under its Article 49, which includes derogations for a certain number of specific
situations.
12. It follows from the investigation, on the one hand, that the data processed by the
Health Data Platform is hosted in data centers located in the
Netherlands, before soon being hosted in data centers located in France. On the other hand, the
Health Data Platform and the company Microsoft Ireland Operations Limited concluded,
on September 3, 2020, an amendment providing, for the "Azure" online services that it lists,
that Microsoft will not process Platform data outside the geographic area
specified by the latter without its approval and that, in the event that access to the data
would be necessary for the operational needs of online services and
incident resolution carried out by Microsoft from a location outside this zone, it would be subject to
prior authorization from the Platform. The Health Data Platform has committed,
with regard to the National Commission for Informatics and Freedoms, to refuse any transfer.
Finally, it also follows from the investigation that the only data whose transfer outside
the European Union is useful are telemetry data, used to check the correct
operation of the services offered by Microsoft, as well as billing data. So, it
does not appear, in the state of the investigation, that the Health Data Platform can be
forced, for technical reasons, to give consent to a transfer of health data.
13. In addition, by an order of 9 October 2020 subsequent to the introduction of the
request, the Minister of Solidarity and Health supplemented article 30 of the decree of July 10,
2020, relating to measures concerning the processing of personal data in the health
system, to provide that: "No transfer of personal data may be
carried out outside the European Union". These provisions therefore now prevent
the Health Data Platform from making use of the option which remains open to it in
the contract with Microsoft to authorize a transfer of personal data from the
health system. It will be for the Platform, which stated at the hearing, in agreement with its
co-contracting party, that the services listed in the amendment of September 3, 2020 corresponded to
all the services covered by the contract concluded with Microsoft which may include
the processing of health data, without this point being able to be verified against the documents
constituting the contract otherwise submitted to adversarial debate, to justify, within fifteen
days from the notification of this order, the conclusion of a new
amendment intended to provide this clarification.
14. Under these conditions, in the state of the investigation, it does not appear that
personal data from the health system can currently be transferred
outside the European Union in application of the contract concluded between the Health Data
Platform and Microsoft. Consequently, the applicants are not justified in maintaining that
such transfers cause a serious and manifestly illegal interference with the right to respect for private
life, including the right to the protection of personal data.
With regard to the risk of other transfers of personal data:
15. The applicants argue that, by virtue of its submission to American law,
Microsoft Corporation and, by virtue of its status as a subsidiary of a company under
US law, Microsoft Ireland Operations Limited may be the subject of requests for
access to certain health data by the American authorities, within the framework of
surveillance based on Article 702 of FISA or EO 12333, even though these data
are hosted on the territory of the European Union and the terms of the contract concluded between the
Health Data Platform and Microsoft would oppose it. Applying to
relations between controller and processor the criteria applied by the Court of
Justice in its judgment of July 16, 2020, the level of protection provided during
data processing must be verified by taking into consideration not only the contractual
stipulations agreed between the controller and its processor, but also,
if this processor is subject to the law of a third State, the relevant elements of that State's
legal system.
16. With regard to the contractual stipulations agreed between the Health Data
Platform and Microsoft, they include an annex 3 to the addendum on the protection of
data for Microsoft online services, whereby the company agrees to comply with the
conditions of the general data protection regulation, in particular its article 28, in
processing personal data "in accordance with the documented instructions of the
client, including with regard to the transfer of personal data to a third
country or an international organization, unless Microsoft is required to do so
under Union law or the law of the member state to which Microsoft is subject". While
the addendum on data protection, to which the amendment concluded on September 3, 2020 refers,
also provides that "Microsoft will not disclose the processed data to public authorities,
unless it is required to do so by law", this can therefore only refer to the law of the
European Union or of one of its member states, as should be specified on the occasion of
the conclusion of the amendment mentioned in point 13. In addition, the same annex provides that
Microsoft must immediately notify the Platform if the company believes that an instruction
constitutes a violation of the General Regulation or other provisions of Union law
European Union or a Member State relating to data protection.
17. However, the National Commission for Informatics and Liberties, in
the observations that it produced following the communication of the request, considers, on the basis of
the information available to it at this stage, that the risk of a request such as those mentioned in
point 15 cannot be completely ruled out. In addition, it follows from the investigation that the technical
measures implemented by Microsoft or likely to be implemented in the short term do not rule out
every possibility for this company to access the data processed under the responsibility of
the Health Data Platform, despite the precautions, limiting this risk, which surround the
encryption to which they are subject and the storage of the encryption keys used. It cannot thus
be totally excluded, from a technical standpoint, that Microsoft is required to grant a
request of the American authorities based on article 702 of FISA, which would then disregard
Articles 28 and 48 of the General Data Protection Regulation, cited in point 5, which
prohibit a processor from transferring personal data to a third country if this
is not on the instructions of the controller or by virtue of an obligation provided for by the law
of the European Union or of a Member State, and prohibit the recognition or enforcement of
a decision of an administrative authority of a third country requiring a controller
or a processor to transfer or disclose personal data, except under
certain conditions which are not fulfilled in this case.
18. It should be noted, however, first of all that the Court of Justice
only ruled, in its judgment of July 16, 2020, on the conditions under which
transfers of personal data to the United States may take place and not on
those under which such data may be processed, within the territory of the European
Union, by companies incorporated under American law or their subsidiaries as processors, or even
as data controllers. A fortiori, it did not comment on the consequences that
the findings made in its judgment could have on such processing, even though,
with regard to transfers of personal data to third countries, its judgment
mentions the possibility of them on the basis of Article 49 of the General Data Protection
Regulation, which allows in particular the transfers necessary for important reasons
of public interest recognized by Union law or the law of the Member State to which the
controller is subject.
19. Second, the applicants do not allege a direct violation of the
General Data Protection Regulation but only the risk of such a breach,
in the event that Microsoft would not be able to oppose a request for access to
certain data formulated by the American authorities, if they saw an interest in it
with regard to the objective of obtaining foreign intelligence information pursued
by the surveillance programs already mentioned, while, moreover, these data are
pseudonymized by the National Health Insurance Fund, in accordance with the decree of
March 22, 2017 relating to the security reference system applicable to the National Health
Data System and the agreement concluded on June 14 and 15, 2020 between the Health Data Platform
and the National Fund, before being transmitted to the Platform and encrypted using the tools
made available to it by Microsoft.
20. Third, there is an important public interest in allowing the
continued use of health data for the needs of health emergency management
and the improvement of knowledge about SARS-CoV-2 and, to this end, in allowing the use of
the technical means, unmatched to date, available to the Health Data
Platform through the contract with Microsoft, provided that, for each project, as
follows from the decree of July 10, 2020, this recourse, and the storage of data that it implies,
is a measure proportionate to the health risks incurred and appropriate to the circumstances of
time and place, taking into account both the urgency attached to its conduct and the absence
of a satisfactory alternative technical solution allowing it to be carried out within the necessary deadlines.
21. In view of the particular sensitivity of health data, the public
authorities have expressed their willingness to adopt, as soon as possible,
measures to eliminate any risk, such as the choice of a new processor, mentioned
publicly by the Secretary of State in charge of digital transition and electronic
communications, or the use of a license agreement, suggested by the National Commission for
Informatics and Freedoms in its observations. In the meantime, it is for the
Health Data Platform to continue to seek, under Article 28 of the General
Data Protection Regulation, the implementation by Microsoft of appropriate technical and
organizational measures to best guarantee the protection of the rights of the individuals
concerned. In this regard, the company must moreover, by virtue of annex 3 to the addendum on
data protection mentioned above, make available to it all the information
necessary to demonstrate compliance with the obligations provided for in this article 28 and to allow
audits to be carried out. It is also for the National Commission for Informatics and
Freedoms, when it authorizes, in accordance with articles 66 and 76 of the law of 6 January 1978
relating to data processing, files and freedoms, projects called upon to process data
collected by the Health Data Platform, to verify that they pursue a purpose
of public interest in connection with the covid-19 epidemic and that the use of the Platform meets the
conditions mentioned in point 20.
22. On the other hand, it does not appear, in the state of the investigation, that the measures
suitable for eliminating any risk of the nature mentioned in point 19 and proportionate to
the public interest mentioned in point 20 would fall under the protective measures which the judge of
summary proceedings, ruling on the basis of the provisions of Article L. 521-2 of the Code of Administrative
Justice, can order in the event of a serious and manifestly illegal infringement of a fundamental
freedom by a legal person governed by public law, and within the very short
time limit that these provisions provide.
On the subsidiary and ancillary conclusions:
23. If the applicants ask the interim judge, in the alternative, to
solicit the National Commission for Informatics and Liberties, so that it can decide
in particular on the implications that may have on the processing and collection of data at
within the Health Data Platform, the invalidation of the Commission implementing
decision of 12 July 2016 on the adequacy of the protection provided by the
European Union - United States data protection shield, the observations produced by this
authority in the context of the present proceedings satisfy this request, which has thus become
devoid of purpose.
24. The provisions of Article L. 761-1 of the Code of Administrative Justice
preclude upholding the applicants' claims in this regard.
ORDERS:
------------------
Article 1: The Health Data Platform shall justify having concluded, within fifteen
days from the notification of this decision, a new amendment to the contractual
documents binding it to the company Microsoft Ireland Operations Limited to specify that the applicable
law mentioned in the amendment of September 3, 2020 is
Union law or the law of the Member State to which the company is subject and that the changes that
this amendment brings to the addendum on data protection for Microsoft online
services apply to all services provided by Microsoft that may be
used for the processing of personal data of the health system.
The Health Data Platform will send a copy to the litigation secretariat of the
Council of State.
Article 2: There is no need to rule on the conclusions of the request of the association National
Free Software Council and the other applicants in so far as they seek the adoption of a
measure such as that mentioned in point 13 and the referral to the National Commission for
Informatics and Freedoms.
Article 3: Having regard to the reminder made in point 20 of the scope of the decree of the Minister of Solidarity
and Health of July 10, 2020 prescribing the general measures necessary to deal with
the covid-19 epidemic in territories that have emerged from a state of health emergency and in those where it has
been extended, the remainder of the conclusions of the request of the association National
Free Software Council and the other applicants is rejected.
Article 4: This order will be notified to the association National Free Software
Council, first-named applicant, on behalf of all the applicants, to the Minister for Solidarity and
Health and to the Health Data Platform.
A copy will be sent to the Prime Minister, to the National Commission for Informatics and
Liberties and to the company Microsoft France.