Launched in 2019 after the French government affirmed its ambition to make health one of the priority sectors for the development of artificial intelligence, the Health Data Hub is intended to gather all the health data collected nationally in the course of care. Such data is pseudonymised so that it cannot directly identify an individual.
The overall purpose of the platform is to centralise the data to address the issues that researchers are currently facing not only in France, but in most countries as well. Indeed, the plethora of databases, the complex access procedures, and the costs involved in processing this data make it inaccessible for smaller stakeholders, stifling innovation.
As with other programmes around the world, the data will be accessible to project coordinators contributing to the public interest, following an approval process involving an independent committee and the National Commission for Data Protection and Liberties (CNIL). For instance, some of this data has been used in managing the COVID-19 health crisis.
However, the platform has faced many challenges because it is hosted on Microsoft Azure. French and European stakeholders, denouncing a lack of transparency, have raised complaints about the awarding of the contract to Microsoft, which happened without any requirement specifications or a tender procedure for hosting providers to apply through.
Several associations, unions and individual applicants therefore urgently requested the Council of State to suspend the processing of data related to the COVID-19 epidemic on the Health Data Hub. They cited the risks that this situation entails given the possible data transfers to the United States, as explored in the landmark Schrems II ruling of 16th July 2020.
Council of State decision on 13th October 2020
The Council of State (Supreme Court of the Administrative System) noted that the Health Data Hub and Microsoft have made a contractual undertaking to prohibit any transfer of health data outside the European Union. A ministerial decree also prohibits any transfer of personal data under this contract. Nevertheless, the judge confirmed that it cannot be completely excluded that the American authorities may ask Microsoft for access to the data as part of the US surveillance and intelligence programs.
Whilst the conclusion was that there was no serious and manifest illegality that justified the immediate suspension of data processing by this platform, the judge asked the Health Data Hub to continue, under the control of the CNIL, to work with Microsoft to strengthen the protection of the rights of data subjects over their personal data. These precautions should be taken pending a solution that will eliminate any risk of access to personal data by the US authorities. Afterwards, the CNIL asked for and obtained new guarantees from the Ministry of Health, in particular that the technical solution would be changed within a specified timeframe, including the elimination of this risk within 12 to 18 months.
Withdrawal of authorisation request to the CNIL on 10 January 2022
In 2021, the CNIL reiterated its position in a call for changes in the use of US computing solutions and expressed its wish that the platform hosting and the services related to its management be reserved for entities falling exclusively under the jurisdiction of the European Union.
Consequently, the platform has since been in project mode.
But the full deployment of the Health Data Hub has experienced a further twist, since it has now been put on hold. Indeed, a crucial authorisation request made to the CNIL has just been withdrawn by the Health Data Hub this week. By doing so, the government is said not to be seeking to bury the project, but rather to start again on a sound footing.
Although the US firm has asserted that it has heard Europe's call and is committed to exceeding the standards of EU data protection law, the organisations entrusting Microsoft to integrate their data into Azure cannot totally exclude the clash between European privacy rights and US surveillance law. Long-term solutions would include switching to European cloud solutions, such as the Gaia-X cloud project, which is supposed to build a digitally independent Europe, or counting on the (doubtful) implementation of proper safeguards by the US itself.