Tribune. Can Microsoft legally host the health data of French people, even though as an American company it could have to transfer them to the United States in the event of an injunction from the American intelligence services?
This is the thorny question that was submitted to the summary judge of the Council of State. In its decision of October 14, 2020, without deciding this question definitively, it encourages the public authorities to provide a lasting response. This legal insecurity is not satisfactory, even though the stakes are considerable both for the protection of privacy and on the economic level.
Protection of private life
At the root of the problem lie the conflicting demands of two distinct legal systems. On the one hand, the law of the United States, and in particular the Foreign Intelligence Surveillance Act (FISA), whose extraterritorial scope allows the American authorities to order American companies to communicate certain data to them, including those processed by their subsidiaries outside the United States.
On the other hand, European law, and more particularly the European data protection regulation (GDPR) which, in the name of the protection of privacy, limits the possibilities of transfers of personal data outside the home. ‘European Union.
These tensions were vividly highlighted by the judgment of the Court of Justice of the European Union of July 16, 2020 known as “Schrems II”. It considers that the United States does not ensure a level of protection of personal data equivalent to European rules, in particular because of the absence of rights enforceable against the American authorities before the courts.
Consequently, the Court invalidated the decision of the European Commission of July 12, 2016, which allowed the transfer of data to the United States ” within the framework of the Privacy Shield “(“Privacy Shield”).
The shield has therefore fallen, opening the way to serious uncertainties.
Special precautions
In the case submitted to the Council of State, associations asked the interim judge to suspend the health data platform, also called Health Data Hub. This platform, which is a public body established by a law of July 24, 2019, is responsible for processing health data in France. However, it has concluded a contract with an Irish subsidiary of the American company Microsoft, to entrust it with the task of hosting this data in the Netherlands.
You have 61.51% of this article to read. The rest is for subscribers only.
