Conseil d’État on the transfer of personal data to Microsoft in the Netherlands

The supreme administrative court of France (the Conseil d’État) already ruled on October 13, 2020, in the context of provisional legal protection, on a contract with Microsoft for the hosting of health data on MS Azure for the “Health Data Hub” platform. The Health Data Hub is a public facility for the exchange of health data for research purposes. In April 2020, the platform had signed a hosting contract with Microsoft Ireland for this purpose. Associations, trade unions and individuals in France subsequently requested that the “Health Data Hub” platform be prohibited from processing health data because of a fear that personal data would be transferred to the USA, where, according to the Schrems II ruling of the ECJ, an adequate level of data protection is lacking.

The Conseil d’État dismissed the action (a machine translation of the decision in German can be found here as PDF). The following considerations were decisive:

  • The Netherlands had been agreed as the server location.
  • The contract between Microsoft and the platform provided that Microsoft may not process customer data outside the server location (“Geos”) without consent, even for maintenance or support. The Conseil d’État therefore assumed that customer data would not reach the USA in regular operation.
  • In view of the undeniable residual risk that Microsoft could nevertheless be required to release customer data to US authorities, the Conseil d’État pointed out the following: Part of the contract apparently obligated Microsoft to comply with the GDPR, in particular Art. 28 GDPR regarding commissioned processing. However, Microsoft reserved the right to release data if there is a legal obligation to do so. The Conseil d’État stated that this could only be a matter of EU law or the law of a member state [Art. 28 (3) a GDPR]. In addition, Microsoft must give notice if the law applicable to Microsoft is incompatible with the GDPR.
  • The Conseil d’État further states that, in the Schrems II ruling, the ECJ only examined the question of data transfer to the USA and not, for example, the conditions under which data can be processed in the territory of the EU. Thus, according to the Conseil d’État, the Schrems II jurisprudence does not seem to apply to processing operations where the data at rest are stored in the territory of the EU.
  • In addition, the Conseil d’État suggests that it is not the storage at Microsoft that may violate the GDPR, but at most a hypothetical, future disclosure by Microsoft.
  • Finally, the platform’s data are pseudonymized before encrypted storage in the Microsoft infrastructure.

Against this background, but also in view of the public interest in the platform, the Conseil d’État saw no reason to order the immediate cessation of data processing by the platform. However, it requires that the platform and Microsoft specify that the law on the basis of which Microsoft could release customer data, if any, can only be the law of the EU or the member states.

As a result, the decision of the Conseil d’État is helpful, but leaves many questions unanswered. At least the decision can be read as an indication that, when personal data is transferred abroad, it is not abstract risks from the local law of the provider that are to be assessed, but rather the concrete risks for the person concerned. This is not consistent with EDSA’s approach in its draft statement on Schrems II measures, which places the weight of the risk assessment more on the local law of the recipient than on the resulting risks, if any, for the data subjects of the specific transfer.