It is with regret that the CNIL has authorized the hosting of French health insurance data at Microsoft, a situation that displeases it because this sensitive information is subject to American extraterritorial laws…
While Europe is more determined than ever to establish its digital sovereignty and to guarantee respect for users' privacy, the National Commission for Information Technology and Liberties (CNIL) has had to authorize, albeit with regret, the temporary hosting at Microsoft of a health data warehouse for research fed by Health Insurance data, called EMC2. This is a first: until now, the data-protection watchdog had always opposed warehouses supplied with data from the National Health Data System (SNDS, managed by Health Insurance) being hosted on a non-European “cloud” platform (a dematerialized IT infrastructure), which is therefore subject to extraterritorial laws, particularly American ones.
But in a decision rendered on December 21 and published on January 31, 2024 on Legifrance, the CNIL did validate the storage of Health Insurance data by Microsoft, for a period of three years. It is a temporary solution while waiting for the future Health Data Hub warehouse, justified by the fact that “no potential service provider [among European cloud operators] offers a hosting offer that meets the technical and functional requirements”, and it in no way eliminates the risk of the data being communicated to foreign powers.
Health Data Hub: the risk of access to data by foreign powers
In 2019, the Government created the Health Data Hub, a public platform intended to allow researchers to access the vast health data sets of the SNDS in order to train artificial intelligence models. AI indeed holds great promise for the health sector, in particular for predicting crises or the progression of diseases, establishing more reliable and more precise diagnoses, or even discovering new drugs. Access to data, however, is essential in order to train such AI.
Obviously, a warehouse is needed to store all this data, and the CNIL has always been strongly opposed to it being hosted on a non-European “cloud” platform, because of the risk of access to the data by foreign authorities, particularly under American laws with extraterritorial scope. Under these laws, American authorities can in certain cases require American cloud operators to hand over data stored with them, wherever in the world it is located. Yet Microsoft is the host, because no other service provider proved capable, in the eyes of the authorities, of meeting the requirements of such a system, which allowed the Redmond firm to bypass the standard tender procedure. Also, because of its host, the Health Data Hub was never able to obtain the full copy of the SNDS.
Microsoft: temporary storage for EMC2
Subsequently, the CNIL had to authorize the choice of this American cloud provider for the European health data warehouse project called EMC2, a European version of the Health Data Hub, which had just won the call for tenders for this project in partnership with other European companies. Three French start-ups, OVH Cloud, Numspot and Cloud Temple, were evaluated by the Digital Health Delegation (DNS), a branch of the Ministry of Health responsible for e-health projects, to find out whether one of them could take over from Microsoft. As none of the three French companies offered cloud solutions advanced enough to replace Microsoft in this European project, the CNIL finally agreed to temporarily validate the creation of such a warehouse, on behalf of the European Medicines Agency, on the Redmond firm's infrastructure.
The CNIL authorization is valid for three years, the time needed for the Health Data Hub to migrate to a SecNumCloud-qualified host, that is, one with one of the highest levels of security on the market. Note that Laure Martin-Tervonen, Cloud Temple's Director of Brand and Public Affairs, explains that the company's compliance with the technical and functional requirements presented by the Health Data Hub “will reach 95% in spring 2024, after the SecNumCloud qualification of the new trusted PaaS functional layers of our platform”.
The data concerned are those of certain patients from four French hospitals (Hospices Civils de Lyon, Léon Bérard center, Nancy University Hospital and Saint-Joseph Hospital Foundation), as well as Health Insurance data (care pathway, prescriptions, etc.). They will be stored in Microsoft data centers located in France, so the health information itself will not leave French territory. However, certain technical data from the platform may be transferred to administrators on American soil. These transfers will nevertheless be closely monitored and supervised by the European Commission (and the CNIL), with a reinforced obligation to inform.