Will France manage to free itself from Microsoft? – L’Express

A petition, appeals to come before the Council of State… The confirmation at the end of last week by the National Commission for Information Technology and Liberties (CNIL) of the choice of Microsoft to host French health data as part of the European EMC2 project came as a cold shower for the champions of sovereignty. “It’s a scandal,” says Senator (LR) Catherine Morin-Desailly on the phone, who promises to send a sharply worded letter to Prime Minister Gabriel Attal. She defends the idea of entrusting the data to one or more French actors. It is a question of independence, linked to the “strategic” nature of this data, according to her. But above all there is a risk: the American authorities can require companies registered in the country to hand over data that they host. Two texts, the “Cloud Act”, adopted in 2018, and the so-called “Fisa” law (Foreign Intelligence Surveillance Act), make this possible. “The government pretends to be ignorant of the value of this health data. It is the complete health map of a country,” criticizes Thomas Fauré, the founder of Whaller and author of the aforementioned petition.

The controversy is not new. In 2019, the government, on the basis of the Villani report, backed the creation of a Health Data Hub, with the aim of centralizing all health data in France. The idea is laudable: it involves taking advantage of this “gold mine” of information for prevention, disease diagnosis, or advanced research, using new technologies such as artificial intelligence (AI), and retiring the outdated National Health Data System (SNDS). After consultation with several French and European players, the hosting of this platform was entrusted to Microsoft and its Azure solution, without a public call for tenders. The Covid-19 pandemic was unfolding and justified the speed with which the operation was carried out. First outcry.

The Minister of Health at the time, Olivier Véran, then committed to doing without the American giant within two years. A failure, already attested in 2022, and now obvious in view of the CNIL’s decision on the EMC2 project, the European “big brother” directly inspired by the Health Data Hub. Microsoft remains firmly in control.

French “clouders” lagging behind

The desire for French “sovereignty”, a very popular word in the fields of energy, food or digital technology, comes up against two pitfalls. The first is the lack of alternatives of an equivalent level. Contacted by L’Express, Stéphanie Combes, head of the Health Data Hub, deplores that “sovereign solutions are not yet comparable” to that of Microsoft. “This was our observation during our last ‘benchmark’ [Editor’s note: a comparison between different solutions], confirmed more recently by the work of the Digital Health Delegation.” This opinion matches that of the Digital Secretary at the time, Cédric O, who explained, in essence, that Microsoft was the only one able to meet the security and technical needs of the platform, particularly concerning artificial intelligence. The French personal data watchdog does not dispute it either. In its aforementioned opinion, the CNIL “regrets” the lack of “a European offer capable of responding” to the current needs. France, forever married to the Redmond firm? “It now appears difficult to detach [from it] in the short term despite the gradual emergence of sovereign suppliers”, concludes the CNIL.

This is not surprising, as the cloud is currently dominated by three firms: Microsoft, of course, but also Amazon and Google, which together hold two-thirds of the market. The observation goes beyond health data. Recently, emerging players in AI have entered into agreements with these companies, which offer higher levels of service and have the valuable chips essential for high-performance computing. French companies such as Scaleway or OVH have since presented investment plans in order to catch up. But the efforts will have to be substantial.

“The longer we wait, the more difficult it will be to migrate,” judges Thomas Fauré. “We do not know precisely the requirements given that there was no call for tenders at the origin of the Health Data Hub.” At the end of December, the president of OVH Cloud, Octave Klaba, publicly voiced his concern about the complexity of the task. On X (ex-Twitter), he attacked the increasing number of injunctions issued within a short period of time (a few weeks), with immediate response obligations. Rather firm demands which, moreover, would not all be made of Azure. One example is the “SecNumCloud” label from ANSSI, which de facto excludes cloud service providers subject to non-European laws such as the “Cloud Act”.

A change from 2025?

The other problem comes from the notion of sovereignty itself. How far should it go? Is it urgent? The CNIL assesses the risk posed by the Cloud Act and the “Fisa” as “most often acceptable”. The United States remains an ally of France. To L’Express, Microsoft France points out several things: the company contractually commits to its customers not to transmit any data, contests all requests whatever happens, publishes half-yearly transparency reports disclosing any requisition request, and now makes it possible to localize the storage and processing of data in the European Union. All of these are reassuring guarantees for the Health Data Hub. “Personally, I think it is more necessary than ever to provide a precise definition of sovereignty and the objectives pursued,” emphasizes Stéphanie Combes, in order “not to hamper the future in an extremely dynamic context in digital technology and in particular artificial intelligence. That French players can use the most efficient products, whatever their origin, has obvious advantages.”

Most observers nevertheless agree on a timeframe of 18 to 36 months before a shift can perhaps be made. The CNIL has granted its approval to Microsoft for only three years. An interministerial report on the subject of health data, dated last December, considers the cessation of hosting on Azure within 24 months “credible”. Stéphanie Combes, for her part, talks about migration “by 2025”. “Cloud providers have announced that they will be able to enrich their offering with a certain number of features starting this year,” she acknowledges. OVH Cloud, NumSpot and Cloud Temple were, for example, very serious candidates to supplant the American company on the EMC2 project and the Health Data Hub.

The most zealous hope to shorten this timeframe further. Senator Catherine Morin-Desailly and Vendée MP Philippe Latombe, both very sensitive to the issue, intend to strengthen articles 10 bis A and 10 bis B, proposed in the SREN law (Securing and regulating the digital space). Parliamentarians would demand the “SecNumCloud” label for hosting health data. The text, voted on in the Assembly in the fall, is currently blocked due to criticism from the European Union on the aspects of moderation or age control operated by the large platforms. “The implementation of the SREN law could allow the CNIL to reconsider its opinion before the three years are up,” presumes Catherine Morin-Desailly. Let us remember, however, that the American giant is also preparing for this. Microsoft has formed an alliance with Orange and Capgemini, called Blue. It should be able to obtain the SecNumCloud label from 2025 and be a credible candidate for hosting health data. A new headache in sight for the defenders of French “sovereignty”.