The derogation to the restriction to transfer data to the USA on the basis of the Covid-19 pandemic.
On 23 October 2020 the Conseil d’etat, a French public institution with the primary role of giving administrative judicial rulings, (‘the Conseil’) ruled on the issue whether the use of Microsoft to host the Health Data Hub on EU territory should be suspended on the basis of the possibility that American authorities would request access to the Health data Hub.
In its ruling, the Conseil referred the recent Schrems II ruling, in which the Court of Justice (‘CJEU’) held that the surveillance carried out by the US intelligence services on the personal data of EU subjects was excessive, not sufficient supervised and without any possible redress, and that therefore, any data transfer from the EU to the US is contrary to article 44 GDPR and the Charter of Fundamental Rights.
The Conseil essentially held that the CJEU did not rule in Schrems II that European data protection law would prohibit entrusting the processing of data on the territory of the European Union to an American company, and moreover, that the urgency of the Covid-19 pandemic does not justify a suspension of the processing of the personal data related to the pandemic nor the immediate change of provider. However, one may ask themselves whether the Conseil has not been too generous, leading to significant privacy violations. I believe so.
The adoption of the Health Data Hub
On 29 November 2019, on the basis of Article L. 1462-1 of the Public Health Code the “Health Data Hub” was approved by an order of, amongst others, the Minister of Solidarity of Health in France. In particular, the Health Data Hub is aimed at boosting and facilitating the use of available health data for research projects. Interest groups, such as the State, bodies ensuring representation of patients and users of the health system are responsible for collecting, organizing and making available data from national data systems of health to promote innovation in the use of health data. In addition, the above described Code, allows the Minister of Health in France to take emergency measures in the interest of public health in the event of an epidemic threat. As a response, the above-mentioned bodies concluded, for the purposes of making health data available, with Microsoft Ireland Operations Limited, a subsidiary from the American company Microsoft Cooperation, a contract which gives the Health Data Hub access to Microsoft Azure, where the health data will be hosted. Importantly, the parties stipulated, that any transfer of health data outside the EU should be refused.
Bone of contention
When reading the ruling of the Conseil, one might not be surprised of the concerns raised by plaintiffs, considering the recent ruling of Schrems II. They argue that this situation creates risks with regard to the right to respect for privacy and data protection, considering the fact that Microsoft can be subjected to US Government data access request that would oblige it to transfer EU personal data to US authorities. Keeping the Schrems II judgment in mind, it seems as if these concerns are very legitimate, given the fact that the US does not offer the same level of protection as the EU does. However, a critical reader might have noticed that the present case differs from the Schrems II ruling in three aspects. First, this case concerns the situation in which plaintiffs request for the suspension of the Health Data Hub because of the hypothetical situation that Microsoft will not be able to oppose to data transfer, whereas Schrems II dealt with actual transfers to the US. Secondly, in the current case, Microsoft and the Data Health Hub stipulated that Microsoft will refuse data transfers outside the EU, whereas in Schrems II this was not stipulated per contract. Lastly, and maybe the most important distinction is that the current pandemic may justify the need to share information with the US in order to proactively combat the global crises we are living in.
Importantly, the Conseil first notes that the Health Data Platform and Microsoft Ireland have put precautionary safeguards in place to limit the risk of data transfer, by concluding an agreement with each other in which is stipulated that Microsoft will not process platform data outside the geographical area without their approval. Therefore, the Court concludes that the transfer of data is unlikely to occur on the basis of a contract between the two of them. However, the court does recognize the fact that it cannot totally be excluded that Microsoft may be required to grant a request from the American authorities based on article 702 FISA and therefore interfering with the prohibition of a processor from transferring personal data to a third country if this is not on the instructions of the controller or by virtue of an obligation provided for by law.
The Conseil emphasizes that CJEU in Schrems II does not mention the possibility of data being transferred to third countries for important reasons of public interest recognized by EU law or Member State law. As the current Covid-19 pandemic can definitely be regarded as an issue of public interest, one might agree with the Conseil that data transfer to the US might be essential for the sharing of important research outcomes. However, on the other side, one can argue that the Conseil was too generous in its ruling. Firstly, it neglected to consider whether alternative EU platforms can provide for the same technical means as Microsoft and thereby omitting to do a sufficient balancing test. Also, arguably, the current Covid-19 pandemic will have a huge impact on our privacy while this emergency is lasting, but also after as it will be difficult, if not impossible, to back. Won’t there always be a ‘global emergency’?