The French Health Data Hub, under development to store health data of French data subjects, is supposed to be hosted by Microsoft Azure cloud. Microsoft Azure, a US company, would store French health data on a server in the Netherlands. Following the invalidation of the Privacy Shield by the Court of Justice of the European Union, France’s data protection agency - Commission nationale de l'informatique et des libertés (CNIL) has issued recommendations for French services that handle health data to avoid using US cloud hosting companies altogether, regardless of where the cloud servers are located. This recommendation was based on concern that US authorities have the right to access data hosted by US companies, regardless of where the servers would be located.
Now, the Conseil d’Etat (Council of State), the highest administrative court in France, has ruled in N° 444937 Association le Conseil National Du Logiciel Libre et autres that the Health Data Hub and Microsoft are already contractually bound to refuse any transfer of health data outside the EU. The Council of State ruled that processing of data by Microsoft on the territory of the EU is not illegal and does not justify the immediate suspension of data processing by this platform. The Health Data Hub was ruled to continue, under the control of the CNIL, to work with Microsoft to strengthen the protection of the rights of data subjects over their personal data and take special precautions, if needed.
The above decision goes against the recommendations of CNIL on complete withdrawal from US cloud hosting services in France.