The CNIL has authorized the storage of French health data at the American giant Microsoft. And the decision arouses the incomprehension of certain French Cloud companies, like Leviia, who speak of a serious decision.
In a decision published in the Official Journal on January 31, 2024, the National Commission for Information Technology and Liberties (CNIL) officially authorized Microsoft to host the health data of French people. Everything will be managed by the Health Data Hub (HBU), the health data platform (PDS) which, in the form of a public interest group (GIP), is supposed to guarantee unified, secure and transparent access to this information, to improve patient care and the quality of care.
Except that the CNIL’s decision does not really seem to go in a Franco-French direction. Here is how and why the HBU now has complete freedom to entrust your health data to an American giant.
Microsoft, which is not certified among the most secure Clouds in France, will still store your health data
More precisely, the CNIL authorized the creation of what is called a health data warehouse, called EMC2, which draws on the automated processing of personal data and which is managed by the European Medicines Agency. So far, so good. Except that the health data of French people must in theory be hosted by qualified SecNumCloud providers.
As a reminder, SecNumCloud is comparable to a security visa issued by ANSSI, the National Agency for Information Systems Security, to actors who attest to a sufficiently high level of protection of sensitive data. And in France, the cybersecurity policeman has only issued the label to five companies: Secure Temple, Oodrive, Outscale, Wordline and OVH, all French players.
Microsoft, and that’s the whole problem, has not yet obtained this visa, even if it covets it for 2025 alongside Orange and Capgemini for their recently created joint venture Bleu. However, the CNIL decided, not without justification, we will talk about it again, to authorize the hosting of this famous Health Insurance health data warehouse by Microsoft.
“France is not capable of hosting its own health data”
The decision, as you will have understood, is debated. Because in addition to the choice of Microsoft, the deal provides for this health data to be entrusted to the American company for 3 years, the time necessary to complete the migration of the Health Data Hub to a sovereign solution. Initially, the contract was to last 10 years. The quality of Microsoft’s Azure Cloud is not in question, but it must be borne in mind that American laws with extra-territorial scope will apply to health data from another country, in this case France, whose “sovereignty” our leaders constantly praise.
“ What we can say and say it with seriousness: is that France is not capable of hosting its own health data. And we are talking about “France”, because this is data managed by the GIP PDS, the public interest group health data platform, under the direction of the Ministry of Solidarity and Health », exclaims the co-founder of Leviia, a French sovereign data storage company, William Méauzoone.
The CNIL apparently made a choice by default, since “ after consultation, no French service provider offers hosting offers meeting the technical and functional requirements » of the project, in the data policeman’s own words. And this bothers William Méauzoone all the more, whose company, like others, was not invited to the discussions. “ This highlights a huge gap in the planning and coordination of national resources to respond to a hugely important challenge. », he adds, asking for the pure and simple cancellation of the CNIL’s decision. “ It is imperative that France has its own certified data storage ecosystem “. It would indeed be time.
24