France's data regulator, CNIL, has released a set of guidelines for French programs dealing with health data, as Mediapart first reported. According to the guidelines, these providers should stop using American cloud hosting companies altogether, such as Microsoft Azure, Amazon Web Services and Google Cloud.
These guidelines are the outcome of a landmark decision by the European Supreme Court in July. The decision, dubbed Schrems II, invalidated the EU-US Data Privacy Shield. Under the Privacy Shield, businesses were able to outsource data collection from the EU to the US in bulk. Due to concerns about US surveillance regulations, this process is no longer authorized.
CNIL goes a step further by suggesting that services and businesses that manage health data should also stop doing business with American companies; it's not just about processing European data in Europe. Again, the point is to avoid coming under U.S. laws and rulings.
The regulator submitted those recommendations to one of the top courts in France. SantéNathon, a coalition of organisations and unions, initially raised questions with the CNIL regarding the French Health Data Centre.
France is currently building a platform for the storage of health data at the national level. The idea is to create a hub that will make it easier to research rare diseases and to use artificial intelligence to enhance diagnostics. It is intended to aggregate data from various sources and to allow such data to be exchanged with public and private entities in these particular cases.
The technical choices were controversial, as the French government initially decided to collaborate with Microsoft and its Microsoft Azure cloud platform.
Like several businesses, Microsoft relies on Standard Contractual Clauses for EU-US data transfers. However, the EU Court of Justice has made it clear that EU regulators must intervene if data is moved to a country that is unsafe when it comes to privacy and surveillance.
CNIL claims that an American company could process data in Europe but would still be subject to FISA 702 and other surveillance legislation. The data will also end up in the possession of the US authorities. In other words, the CNIL has been extra vigilant with health data for now, though Schrems II is still unfolding.
"We are working with health minister Olivier Véran on the transition of the Health Data Centre to French or European platforms following the Privacy Shield blast," French digital minister Cédric O told Public Sénat.
The French Government is also looking for other options for the Health Data Centre. In the near future, if the French Supreme Court confirms the recommendations of the CNIL, it could also have some impact on French companies handling health data, such as Doctolib and Alan.