Why Microsoft's storage of French health data is raising eyebrows


The Microsoft logo, in front of offices in Brussels (Belgium), February 1, 2024. (NICOLAS ECONOMOU / AFP)

Companies and associations are contesting before the Council of State the choice of an American giant as host. According to them, this decision poses risks to economic sovereignty and of espionage.

Can an American tech giant keep French people’s health data secure? Part of the answer will be provided on Tuesday March 19. French companies in the information storage sector and associations for the protection of personal data have filed an appeal before the Council of State to annul the choice of Microsoft to host the health data of hundreds of thousands of French people as part of the Health Data Hub. Why is this choice criticized? Explanations.

What is the Health Data Hub?

Behind this anglicism lies a national database project meant to bring together the health data of the French. Under consideration since the 2018 publication of a report on artificial intelligence by mathematician Cédric Villani, this project aims to make French health data more easily usable by medical research for in-depth analyses.

The Health Data Hub was officially launched in December 2019 as part of the Health System Transformation Act. And Microsoft has been involved from its creation: it is the American giant which was chosen to operate the technological platform of the project. A decision justified by the need for rapid implementation, and by capacities at the time considered insufficient in France and Europe, but which had already provoked numerous criticisms.

Why was Microsoft chosen?

In February, the National Commission for Information Technology and Liberties (CNIL) also accepted Microsoft’s application to host EMC2, a new data platform resulting from a European call for projects, part of which was awarded to the Health Data Hub. EMC2 must “accommodate the [pseudonymized] data of 300,000 to 500,000 patients from different hospitals per year and compare them with their data from the national health data system, managed by Medicare (and ultimately by the Health Data Hub), to enable the ‘achievement of research, studies and evaluations in the field of health’”, explains the specialized media Acteurspublics.fr.

To justify keeping Microsoft as EMC2 host, the CNIL notably considered in its decision that the solutions offered by other online storage providers did not sufficiently meet the requirements. According to the French digital authority, creating a new platform to host EMC2 would also take much longer, cost more, and risk damaging relations with the European Medicines Authority, which commissioned this project.

What’s the problem then?

Microsoft’s application may well be considered more technically suitable, but it raises questions of a different order. As a US company, Microsoft is subject to US law. However, several laws allow the United States and its intelligence services to access data hosted by national companies in certain situations, notably within the framework of the Foreign Intelligence Surveillance Act, a law recently extended by Joe Biden until April 2024.

In the eyes of critics, storing all the health data of French people in the United States therefore amounts to serving them on a platter to American intelligence. In a press release, the Internet Society association explains that “the disparities between the laws and legislation relating to data protection in force in the two countries could compromise the confidentiality of the health data of the French”. This situation “threatens some of the most sensitive data of our fellow citizens”, the deputy Philippe Latombe also said during questions to the government at the Assembly.

French companies in the sector have also stepped up to the plate. The host OVH deplored that “the alternative and transitional solutions proposed to comply with the requirements [have] not been considered”, according to Context.com. The company Cloud Temple raises another flaw in this choice: “a new step in the multiplication of partial copies of the SNDS [national health data system], which in fact increases the risk of this data leaking”.

Choosing Microsoft rather than a French or European solution would also be a missed opportunity to develop the sector on the continent through public procurement. The CNIL, which validated the choice of Microsoft, moreover “regrets” in its decision “that the strategy put in place to promote researchers’ access to health data has not provided the opportunity to stimulate a European offer capable of meeting this need”.

“The CNIL itself deplores not having found a data host which is both compatible with the technical requirements and not subject to non-European legislation”

Nicolas Chagny, president of the Internet Society France association, in a press release

But the CNIL did not sign a blank check: it authorized the Microsoft platform to host EMC2 for a period of three years. That is the estimated time needed to develop a “‘trusted cloud’ demonstrator” that would comply with data confidentiality requirements.

