French companies appeal to the Council of State against the hosting of health data at Microsoft, even though it is approved by the CNIL


Mélina LOUPIA

March 19, 2024 at 1:25 p.m.


It is at the heart of these American servers that French health data is stored © Microsoft


Companies, but also associations, are contesting the CNIL’s decision approving the hosting of health data by Microsoft.

The hosting of health data in Microsoft’s Azure cloud for a European program, called EMC2, was validated by the CNIL in early 2024 for a period of three years. This decision pushed eleven players, including Clever Cloud, Nexedi, Rapid.Space, Cleyrop, the Open Internet Project, and Bernard Benhamou of the Digital Sovereignty Institute, to challenge this approval before the Council of State, which must decide this Tuesday, March 19, 2024.

This legal initiative aims to challenge the CNIL’s decision and highlight the long-term implications of the use of Microsoft’s Azure cloud for pharmaco-epidemiological research. Quentin Adam, head of Clever Cloud, underlines the importance of this action by presenting it as a crucial step towards the establishment of a European health data structure for the European Medicines Agency. But what exactly is the CNIL accused of?

How the CNIL justifies its choice of the American Microsoft at the expense of sovereign clouds

Already well known to the Council of State for a precedent that led several organizations to raise “a legitimate doubt about the legality of the award of the public contract for hosting public health data (Health Data Hub) to Microsoft Azure”, the Health Data Hub is a health data platform in France. It was created as part of the national digital health strategy to facilitate access to health data for research and innovation purposes while guaranteeing the protection of personal data. Its objective is to centralize and make quality health data available to stakeholders in the health sector, such as researchers, pharmaceutical companies, health professionals, etc. The Health Data Hub aims to promote the development of new applications and innovative solutions in the field of health while respecting data security and confidentiality standards.

In its decision, the CNIL emphasized that the alternatives offered by other online storage providers did not fully meet the requirements. It also mentioned that creating a new platform to host EMC2 would not only be more time-consuming and expensive, but would also risk compromising relations with the European Medicines Agency, which initiated this project.

The CNIL justified its choice of Microsoft for the storage of French health data by the absence of an adequate sovereign cloud - © StudioPhotoLoren / Shutterstock


The security and confidentiality of French data on American soil are called into question

Although Microsoft’s application is technically more suitable, legal concerns are raised. Being an American company, Microsoft is subject to American law, which raises concerns about the confidentiality of French health data.

Critics point to the risk this represents in terms of access to data by American intelligence services. French companies in the sector and the authorities also express their concerns, regretting the lack of consideration for alternative French or European solutions and highlighting the potential security risks linked to this decision.

Furthermore, and this is probably the funniest thing, the CNIL itself expressed concern in February 2024 about the choice of Microsoft: “the United States authorities are likely to send orders to Microsoft to communicate the data it hosts,” the French regulatory watchdog had warned.

Finally, the choice of Microsoft is considered a missed opportunity to promote the development of the sector on the continent via local solutions. Despite the approval given by the CNIL to Microsoft to host EMC2 for three years, it is emphasized that this period should be used to develop a European alternative respecting data confidentiality standards.


Source: The Computer World


