Take-Aways (AI)
  • Conseil d’État confirmed hosting in the Netherlands and saw sufficient guarantees against routine data transfers to the USA in the wording of the contract.
  • Court emphasized that disclosure obligations only concern EU/Member State law; Microsoft must report incompatibilities with the GDPR.
  • Decision focuses on concrete risks for affected parties instead of abstract risks from the provider's local law, but leaves several questions unanswered.

The supreme administrative court of France (the Conseil d’État) already ruled on October 13, 2020 – in the context of provisional legal protection – on a contract with Microsoft for the hosting of health data on MS Azure for the “Health Data Hub” platform. The Health Data Hub is a public facility for the exchange of health data for research purposes. In April 2020, the platform signed a hosting contract with Microsoft Ireland for this purpose. Associations, trade unions and individuals in France subsequently requested that the “Health Data Hub” platform be prohibited from processing health data because they feared that personal data would be transferred to the USA, where, according to the Schrems II ruling of the ECJ, an adequate level of data protection is lacking.

The Conseil d’État dismissed the action (a machine translation of the decision in German can be found here as a PDF). The following considerations were decisive:

  • The Netherlands had been agreed as the server location.
  • The contract between Microsoft and the platform provided that Microsoft may not process customer data outside the server location (“Geos”) without consent, even for maintenance or support. The Conseil d’État therefore assumed that customer data would not reach the USA in regular operation.
  • In view of the undeniable residual risk that Microsoft could nevertheless be required to release customer data to US authorities, the Conseil d’État pointed out the following: part of the contract apparently obligated Microsoft to comply with the GDPR, in particular Art. 28 GDPR regarding commissioned processing. However, Microsoft reserved the right to release data if there is a legal obligation to do so. The Conseil d’État stated that this could only be a matter of EU law or the law of a member state [Art. 28 (3) a GDPR]. In addition, Microsoft must provide notification if the law applicable to it is incompatible with the GDPR.
  • The Conseil d’État further states that, in the Schrems II ruling, the ECJ only examined the question of data transfer to the USA and not, for example, the conditions under which data can be processed in the territory of the EU. Thus, according to the Conseil d’État, the Schrems II jurisprudence does not seem to apply to processing operations where the data at rest are stored in the territory of the EU.
  • In addition, the Conseil d’État suggests that it is not the storage at Microsoft that may violate the GDPR, but at most a hypothetical, future disclosure by Microsoft.
  • Finally, the platform's data is pseudonymized before encrypted storage in the Microsoft infrastructure.

Against this background – but also in view of the public interest in the platform – the Conseil d’État saw no reason to order the immediate cessation of data processing by the platform. However, it requires that the platform and Microsoft specify that the law on the basis of which Microsoft could release customer data, if any, can only be the law of the EU or the member states.

As a result, the decision of the Conseil d’État is helpful, but leaves many questions unanswered. At least the decision can be read as an indication that, when personal data is transferred abroad, it is not the abstract risks from the local law of the provider that are to be assessed, but rather the concrete risks for the person concerned. This is not consistent with the approach of the EDPB (EDSA) in its draft statement on Schrems II measures, which places the weight of the risk assessment more on the local law of the recipient than on the resulting risks, if any, for the data subjects of the specific transfer.