- Conseil d’État confirmed hosting in the Netherlands and saw sufficient guarantees against routine data transfers to the USA in the wording of the contract.
- The court emphasized that disclosure obligations may only arise under EU or Member State law; Microsoft must report any incompatibilities with the GDPR.
- Decision focuses on concrete risks for affected parties instead of abstract local provider rights, but leaves several questions unanswered.
The supreme administrative court of France (the Conseil d’État) already ruled on October 13, 2020, in the context of provisional legal protection, on a contract with Microsoft for the hosting of health data on MS Azure for the “Health Data Hub” platform. The Health Data Hub is a public facility for the exchange of health data for research purposes. In April 2020, the platform had signed a hosting contract with Microsoft Ireland for this purpose. Associations, trade unions and individuals in France subsequently requested that the “Health Data Hub” platform be prohibited from processing health data, because they feared that personal data would be transferred to the USA, where, according to the Schrems II ruling of the ECJ, an adequate level of data protection is lacking.
The Conseil d’État dismissed the action (a machine translation of the decision into German is available here as a PDF). The following considerations were decisive:
- The Netherlands was agreed as the server location.
- The contract between Microsoft and the platform provided that Microsoft may not process customer data outside the agreed server location (“Geos”) without consent, not even for maintenance or support. The Conseil d’État therefore assumed that, in regular operation, customer data would not reach the USA.
- In view of the undeniable residual risk that Microsoft could nevertheless be compelled to release customer data to US authorities, the Conseil d’État pointed out the following: part of the contract apparently obligated Microsoft to comply with the GDPR, in particular Art. 28 GDPR on commissioned processing. However, Microsoft reserved the right to release data where it is legally obliged to do so. The Conseil d’État stated that such an obligation could only arise under EU law or the law of a Member State [Art. 28(3)(a) GDPR]. In addition, Microsoft must inform the platform if the law applicable to Microsoft is incompatible with the GDPR.
- The Conseil d’État further states that in the Schrems II ruling the ECJ only examined the question of data transfers to the USA and not, for example, the conditions under which data may be processed in the territory of the EU. Thus, according to the Conseil d’État, the Schrems II jurisprudence does not seem to apply to processing operations where the data at rest are stored in the territory of the EU.
- In addition, the Conseil d’État suggests that it is not the storage at Microsoft that may violate the GDPR, but at most a hypothetical, future disclosure by Microsoft.
- Finally, the platform’s data are pseudonymized before their encrypted storage in Microsoft’s infrastructure.
Against this background – but also in view of the public interest in the platform – the Conseil d’État saw no reason to order the immediate cessation of data processing by the platform. However, it requires that the platform and Microsoft specify that the law on the basis of which Microsoft could release customer data, if any, can only be the law of the EU or of the Member States.
As a result, the decision of the Conseil d’État is helpful, but leaves many questions unanswered. At least the decision can be read as an indication that, when personal data are transferred abroad, it is not the abstract risks arising from the provider’s local law that are to be assessed, but rather the concrete risks for the data subject. This is not consistent with the EDSA’s approach in its draft statement on Schrems II measures, which places the weight of the risk assessment more on the recipient’s local law than on the resulting risks, if any, for the data subjects of the specific transfer.