France: Conseil d'Etat decision on Health Data Hub
The Conseil d'Etat issued a summary decision on 13 October 2020 on whether the Health Data Hub should be suspended, following a decree that prevents the Health Data Hub from transferring personal data to third countries. Odia Kagan, Partner and Chair of GDPR Compliance & International Privacy at Fox Rothschild LLP, discusses the Conseil d'Etat decision and potential solutions for hosting health data with a US provider.
The Conseil d'Etat does not identify any serious and manifest illegality that would justify the immediate suspension of data processing by US-based providers hosting health data in a data hub, at least for the time being.
Per the court:
- the Court of Justice of the European Union ('CJEU') has not, to date, ruled that European data protection law prohibits entrusting the processing of data on the territory of the EU to an American company;
- a violation of the General Data Protection Regulation (Regulation (EU) 2016/679) ('GDPR') is only hypothetical and depends on whether the provider, which is subject to US law, would be unable to oppose a possible request by the US authorities;
- health data is also pseudonymised before it is hosted and processed which provides another risk mitigation; and
- there is a significant public interest in allowing the continued use of health data for the needs of the COVID-19 ('Coronavirus') epidemic thanks to the technical means available to the health data platform.
The CJEU instructed the French data protection authority ('CNIL') to work to strengthen data subject rights while awaiting a solution that will eliminate any risk of access to personal data by US authorities.
In its submission to the Conseil d'Etat, CNIL set out its thoughts and considerations regarding the use of a provider, subject to US law, for hosting the French Health Data Hub. These considerations provide insight into how CNIL may assess other cases in connection with the decision of the CJEU in Data Protection Commissioner v. Facebook Ireland Limited, Maximillian Schrems (C-311/18) ('the Schrems II Case'):
Storage in the EU is subject to US surveillance
CNIL considers, on the information available to it, that the Foreign Intelligence Surveillance Act of 1978 ('FISA') and Executive Order 12333 ('EO 12333') apply to data stored outside the territory of the US.
Unlike the US Clarifying Lawful Overseas Use of Data Act ('CLOUD Act'), Section 702 of FISA does not explicitly clarify the extraterritorial scope of the orders it allows, but neither does it restrict such requests to data stored on US territory.
Even in the absence of any transfer of personal data outside the EU for the purposes of providing the service, a company may be subject, on the basis of FISA, or perhaps even EO 12333, to injunctions from intelligence services requiring it to hand over data stored and processed on the territory of the EU.
Disclosures to US authorities in response to requests issued under Section 702 of FISA or EO 12333 and sent to a company processing data under the GDPR should be regarded as disclosures not authorised by EU law, in application of Article 48 of the GDPR.
CNIL is aware that these conclusions have an impact beyond health data and into other sectors.
- Do not use a US provider: The most effective solution is to entrust the hosting of this data to companies not subject to US law:
  - Having its head office outside the US is not enough to keep a host from being at least partially subject to US law if it operates in that country.
  - A subsidiary with a US subsidiary is one option. CNIL is studying this question.
  - CNIL recommends that public authorities urgently assess the existence of alternative suppliers and their capacities, both in terms of storage volume and quality of service, in order to assess the time needed and to keep the transition as short as possible.
- Limiting licence agreements:
  - It may also be possible to set up a contractual mechanism whereby the US company enters into a licence agreement with a European company which alone has the ability to act on the decrypted data and which benefits from the services and expertise of the US company, without the latter ever having access to the data.
  - This solution is currently being studied jointly by the EU data protection authorities, as part of the work on the 'additional measures' envisaged for Standard Contractual Clauses ('SCCs') by the CJEU in the Schrems II Case.
- US–EU international agreement:
  - CNIL proposes a long-term solution under Article 48; that is, an international agreement, such as a treaty on mutual legal assistance, in force between the requesting third country and the EU or a Member State.
  - Such an agreement would also have to comply with Article 8 of the Charter of Rights of the European Union on the protection of personal data, which appears delicate in light of the reasoning of the CJEU's decision in the Schrems II Case, in the absence of additional guarantees granted by the US.
Transition to new solution
The change in the hosting solution should be carried out in as short a time as possible and take no longer than strictly necessary. However, it is clear that a transition period is needed to make these changes without loss of data or technology and without compromising the uses of the data in the context, for example, of emergencies related to the management of the health crisis or of medical research.
Interim legal basis - Broader reading of Article 49
This transitional period could be based on Article 49(1)(d) of the GDPR, which allows exceptions to the minimum transfer protection requirements for important reasons of public interest, provided that they are recognised by the law of the Member State.
While the CNIL generally takes a particularly restrictive interpretation of this provision, it advocates a broader reading of the conditions of Article 49 of the GDPR, in light of the unprecedented situation opened by the Schrems II Case, to resolve these transitional situations. This is because the invalidation of the EU-U.S. Privacy Shield and the reasoning of the CJEU's decision in the Schrems II Case result in the obligation to stop a very large number of transfers, which can, in some cases, disproportionately affect the general interest. In addition, the CJEU, in point 202 of its decision in the Schrems II Case, refused to limit the temporal effects of its decision, on the grounds that the invalidation did not create a legal vacuum prohibiting any transfer to the US, since the derogations provided for in Article 49 of the GDPR allow certain transfers to continue, under certain conditions, in the absence of an adequacy decision or other appropriate guarantees.
CNIL notes that, while a transfer resulting from a disclosure request sent by the US intelligence services to an operator subject to US law for data present on European soil is obviously not by itself in the public interest, there is a clear public interest in arranging this transition period and guaranteeing the continuity of health data hosting and related uses. As a result, temporarily maintaining the risk of these transfers to US intelligence services, a risk that already existed and to which the CNIL drew the government's attention in its opinion of April 2020, is necessary to ensure a satisfactory transition to the sovereign hosting of health data that the CNIL calls for.
Odia Kagan Partner and Chair of GDPR Compliance & International Privacy
Fox Rothschild LLP, Philadelphia