Our health data remains with Microsoft for now. In a decision published on Tuesday, April 29, and initially announced by l’Informé, the Council of State, the highest administrative court, dismissed an appeal that sought to annul, implicitly, the CNIL’s validation of Microsoft as host of the “Health Data Hub,” the health data platform of French.
Several organizations, including Clever Cloud and the National Free Software Council and Open Internet Project, had filed an interim appeal and a substantive appeal against the two CNIL decisions published last March. In these decisions, the data protection authority authorized the European Medicines Agency (EMA) to carry out computer processing, for three years, on the health data of 10 million French people – notably via the "Health Data Hub," which stores this sensitive data on the cloud of the American company Microsoft.
The objective: to conduct studies on the use of medication among the French
But the CNIL ordered the government to quickly find a hosting provider other than the American giant. Since a government report in January 2024 recommending switching cloud providers to a European company, no call for tenders has been published. The independent authority took advantage of its two deliberations to "reiterate its regret that the health data platform still does not have a service provider capable of meeting its needs while protecting the data of the SNDS (national health data system) against access by public authorities of third countries" - in this case, the American authorities.
Specifically, the two CNIL deliberations published last March gave the green light to the European Medicines Agency. The latter wanted to subcontract to the "Health Data Hub" (HDH) the extraction of "relevant data from the national health data system (SNDS), their pseudonymization, their conversion into "OMOP-CDM" format and their storage." The objective of the operation was to conduct "studies on the estimation of the incidence and prevalence of pathologies and the use of medications in the general population in France," the Council of State recalled.
No urgency to act
For the interim relief appeal against these two decisions to be accepted, the organizations had to prove an "urgency" to act. To do this, they emphasized that Microsoft Ireland was a company subject to American law. This constituted serious and immediate harm due to the "risk of access (to health data, editor's note), which concerns ten million (French) people, by United States authorities, in a context of legal instability that has increased in this country since 2024," the organizations argued.
The argument did not convince the administrative judges. For the Council of State, the condition of urgency was not met. While the highest administrative court acknowledges that French data may "be subject to access requests by the United States authorities, through the host's parent company, and that the host cannot object, this risk remains hypothetical at the current stage of the investigation." Furthermore, Microsoft Ireland does indeed have French certification as a "health data host," the judges note. However, this label implies a "security framework and regular audit by an accredited body, guarantees and security measures," as well as data that is "repeatedly pseudonymized and not directly identifiable," the Council of State also notes. The interim relief application is therefore dismissed, but the substantive proceedings are continuing - they will be judged in the coming months.
The Council of State has always rejected appeals against the HDH
This is not the first time that the Council of State has examined the "Health Data Hub" and its American host, Microsoft. Last year, a first appeal, which aimed to urgently suspend the CNIL's decision to validate Microsoft taken in December 2023, was rejected in March 2024. The second appeal, on the merits, suffered the same fate a few months later. In 2020, during the establishment of the Health Data Hub, the administrative judges also rejected a similar procedure.
But since then, the international context has changed, and the American geopolitical shift has brought the Old Continent's desire for digital sovereignty back into the spotlight: these two elements could change things, believe the organizations, which brought the matter before the administrative judge last March. The Council of State's next decision on the merits will therefore be closely monitored.
0 Comments