French decision to have Microsoft host Health Data Hub still attracts criticism

The French government’s decision to have Microsoft host the country’s Health Data Hub is causing outrage in the French and European digital ecosystem, and it is also worrying data protection advocates. EURACTIV France reports.

France’s decision to use Microsoft’s infrastructure – via its Azure cloud platform – for its centralised health data platform remains controversial.

So much so that during a National Assembly hearing of Stéphanie Combes – director of the Health Data Hub (HDH) – MP Philippe Latombe wondered whether the decision had not become a “ball and chain” that the platform will have to drag.

The new platform was officially created in November 2019 by government decree, to centralise and facilitate the sharing of health data for research and development purposes.

Very quickly, concerns emerged regarding the risks of using a company subject to US data protection law. On top of that, calls for accountability were made with regard to the decision not to give priority to the French and European technology sector.

‘We’re much better in Europe!’

It is “incomprehensible” why “the French government pushed for Microsoft,” Jean-Paul Smets, the managing director of Nexedi – one of France’s leading open-source software publishers – told EURACTIV France.

Nexedi, together with the SantéNathon collective, asked France’s highest legal entity known as the Council of State in September 2020 to suspend the processing and centralisation of health data due to privacy concerns.

Not to mention that “there was no call for tenders”, as Combes pointed out during her hearing, explaining that she went through a central purchasing body that deals with public contracts, known as UGAP.

Although SantéNathon questions the procedure’s legality, HDH’s director argued that the public procurement code “was not circumvented” because while “the call for competition was made, it was made in a general way, not in relation to a given project like ours” by UGAP.

“Microsoft is worse. We are much better in Europe”, insisted Smets, stressing that “European industry had the technology and contacted HDH in 2018 and never got an answer.” This is something Combes appears to be refuting, as she evoked “bilateral exchanges to study the offers of all the French players”.

Combes nevertheless told lawmakers that they had “chosen a solution that met [their] demand, whereas the French players did not have the functionalities” needed.

According to her “one cannot choose to work with a French actor because one wants to support its industrial development.” And had that choice been made, “one would have had to build [the missing functionalities], so it would have taken a certain amount of time.” Even OVH – a French company specialising in cloud technologies – does “not have it all”, she added.

“If we had made a public contract at the time, Microsoft would have responded to the public contract (…) and would have won it,” Combes added.

Fearing the Cloud Act

Alongside the battle for digital sovereignty backed by France and the EU, some civil society organisations are concerned about US-based Microsoft and how it will protect the health data of Europeans.

“The government has put French health data in the hands of a company that is subject to US law when it comes to communicating data to US authorities,” Quadrature du Net’s Bastien Le Querrec told EURACTIV France.

The US’ so-called Cloud Act – which was adopted on 23 March 2018 – is causing particular concern. According to the law, police and intelligence agencies have access to information stored on the servers of telecommunications operators and providers of services such as the cloud, both in the US and abroad.

Basing its findings on the observations of French data watchdog CNIL, the French Council of State said in one of its decisions that such a “risk […] cannot be ruled out altogether”.

Combes reminded MPs that data hosted by Microsoft will be pseudonymised and encrypted. However, Le Querrec warned that because Microsoft is a “host but also an application provider”, it will have access to encryption keys.

“I can’t help but imagine that somewhere there is an exchange on access to data,” said Smets, specifying that “this kind of thing is not done explicitly within the contract’s terms”.

A ‘new technical solution’ within two years

In a letter obtained by Mediapart in response to CNIL’s request that the platform be hosted by a company subject to European law, Health Minister Olivier Véran explained in November that he “fully shares [the] concerns regarding the risk of data hosted by the platform being disclosed to the US authorities with Microsoft’s choice.”

The minister then spoke of a “new technical solution” to protect HDH against “possible illegal disclosures to the US authorities (…) within a period that is as far as possible between 12 and 18 months and, in any event, does not exceed two years”.

However, according to Combes’ letter, the health minister “does not talk about migration [of the platform] but about cancelling extra-territorial risk.”

This maximum two-year period is envisaged to give French and/or European players time to be ready: “It is so that the target is ready, and the target is not ready. (…) We have put a figure on migration. It would take us a few months.”

In the meantime, the Health Data Hub, contacted by EURACTIV France, explained that it will continue “to strengthen their contractual framework and implement additional security measures. Three successive amendments have been signed between the Health Data Hub and Microsoft in order to provide a better framework for subcontracting arrangements.”

Moreover, the latest amendment, dated 30 October 2020, specifies that “EU and French law will apply to the contract between parties and that all services processing health data do so within the European Union.”

“A global benchmark of sovereign solutions as well as workshops with DINUM [ed. France’s interministerial digital department] to update the reversibility study are planned for the first quarter of 2021,” the Health Data Hub added.

Moreover, the HDH should soon submit a request for authorisation to the CNIL, which will focus in particular on the choice of the Microsoft Azure hosting solution, according to information from TICpharma – an information service dedicated to digital developments within the healthcare sector.

Edited by Samuel Stolton
