French court ruling: EU health data may be hosted on US companies’ clouds

The launch of the French Health Data Hub, which plans to handle the health data of French citizens and host it on Microsoft Azure’s cloud services, was called into question following the invalidation of the Privacy Shield by the Court of Justice of the EU (CJEU). Microsoft Azure, a US company, would store French health data on a server in the Netherlands. France’s data protection agency, the Commission nationale de l’informatique et des libertés (CNIL), has issued recommendations that French services handling health data avoid using US cloud hosting companies altogether, regardless of where the cloud servers are located. The recommendation was based on concerns that US authorities have the right to access data hosted by US companies, regardless of server location.

 

Now, the Conseil d’Etat (Council of State), the highest administrative court in France, has ruled in No 444937, Association le Conseil National Du Logiciel Libre et autres, that the Health Data Hub and Microsoft are already contractually bound to refuse any transfer of health data outside the EU. The Council of State ruled that the processing of data by Microsoft on EU territory is not illegal and does not justify the immediate suspension of data processing by this platform. Under the ruling, the Health Data Hub is to continue, under the control of the CNIL, to work with Microsoft to strengthen the protection of data subjects’ rights over their personal data and to take special precautions, if needed.

 

The above decision goes against the CNIL’s recommendations on complete withdrawal from US cloud hosting services in France.