Will our health data one day be hosted by a French or European provider? While the new geopolitical context has brought back into fashion the Old Continent's desire for digital sovereignty, the CNIL, the French authority responsible for protecting our personal data, has asked the government to "work actively towards implementing a sovereign solution" other than Microsoft for the French (and European) health data platform, intended for research.
In two deliberations published on March 11, the privacy watchdog ordered the government to "actively" seek a new host for the European health data warehouse project called "EMC2," a European version of the "Health Data Hub," the French health data platform developed in France since 2019.
The independent authority uses the two deliberations to "reiterate its regrets that the health data platform still does not have a service provider capable of meeting its needs while protecting the data of the SNDS (national health data system) against access by public authorities of third countries" - in this case, the American authorities.
Authorization until December 2026 under conditions
In December 2023, the CNIL had indeed authorized Microsoft, an American company subject to American extraterritorial laws, to host the health data of French and European citizens. In that decision, the personal data watchdog had to validate or invalidate the controversial choice of this American cloud provider. Expected to be decisive, it finally gave its green light, but only for three years, and with certain "regrets". The CNIL "deplored that no service provider currently able to meet the needs expressed by the (HDH) protects data against the application of extraterritorial laws of third countries."
The French authority thereby recalled, implicitly, that Microsoft, as an American company, is subject to the extraterritorial laws of the United States, including the Cloud Act and the FISA law, which has been extended until 2026. Whether Microsoft Azure data centers are located in France or elsewhere in Europe makes no difference: what matters is the nationality of the provider, not the location of the servers. As a result, French health data could be accessed by American intelligence services without the people concerned ever being informed.
A call for tenders in preparation
Since then, a government report on the platform, published on January 18, 2024, has recommended "programming the cessation of hosting on (Microsoft) Azure of the HDH platform and (the launch of) work for hosting the HDH on a cloud qualified SecNumCloud, within 24 months", i.e. by January 2026. Yet no call for tenders has been published to this effect to date, the CNIL regrets. The law now requires the Health Data Hub to be hosted on a "SecNumCloud" (SNC) qualified cloud, although the implementing decree has not yet been published. SecNumCloud is France's highest cybersecurity qualification for cloud services. Now mandatory for the most sensitive data, it also includes sovereignty requirements, notably immunity from non-European extraterritorial laws, that effectively exclude all American cloud providers such as Microsoft.
The authority also points out that its December 2023 authorization was granted on the condition that the government "quickly" find a solution "to ensure sovereign hosting of SNDS data." However, "while the draft national strategy for the secondary use of health data provides for an action plan on this subject," "no call for tenders has been published to this effect," it regrets. The only new element, provided by the CNIL, is that this call for tenders, requested for months by French cloud providers, is indeed being prepared within the government.