France's Health Data Hub to move to European cloud infrastructure to avoid EU-US data transfers

France's data protection authority, the CNIL, has released guidance, first reported by Mediapart, for French organizations managing health information. These organizations are advised to refrain from using American cloud service providers, including Microsoft Azure, Amazon Web Services, and Google Cloud.
This guidance stems from a significant decision by the European Court of Justice in July. The ruling, known as Schrems II, invalidated the EU-U.S. Data Privacy Shield. Previously, this shield allowed companies to transfer data processing from the EU to the U.S. on a large scale. However, due to worries regarding U.S. surveillance legislation, this practice is no longer permitted.
The CNIL is taking a further step by suggesting that entities handling health data should also avoid engaging with U.S. companies at all: the concern extends beyond simply keeping the processing of European data within Europe. This recommendation is rooted in the desire to avoid being subject to U.S. laws and legal decisions.
These recommendations were communicated by the regulator to France’s highest administrative court, the Conseil d’État. The initial notification to the CNIL regarding concerns about France’s Health Data Hub came from SantéNathon, a coalition of organizations and unions.
Currently, France is developing a national platform for storing health data. The intention is to create a central hub that facilitates the study of uncommon illnesses and leverages artificial intelligence to enhance diagnostic accuracy. This platform is designed to consolidate data from various sources and enable controlled data sharing with both public and private entities for specific purposes.
The technical decisions surrounding this project have generated debate, as the French government initially selected Microsoft and its Microsoft Azure cloud platform as a partner.
Microsoft, similar to many other businesses, utilizes Standard Contractual Clauses for data transfers between the EU and the U.S. However, the Court of Justice of the EU has clarified that EU regulators must intervene if data is being transferred to a country deemed unsafe regarding privacy and surveillance.
The CNIL maintains that even if an American company processes data within Europe, it could still be subject to U.S. laws such as FISA 702 (Section 702 of the Foreign Intelligence Surveillance Act) and other surveillance regulations, potentially leading to data access by American authorities. Essentially, the CNIL is exercising heightened caution with health data while the implications of Schrems II are being worked out.
“We are collaborating with Health Minister Olivier Véran on migrating the Health Data Hub to French or European platforms in light of the Privacy Shield ruling,” stated France’s Minister for Digital Affairs, Cédric O, to Public Sénat.
The French government is now exploring alternative solutions for the Health Data Hub. Should France’s top court endorse the CNIL’s recommendations, it could also impact French companies that manage health data, such as Doctolib and Alan.