⚠️📢Very important decision today by the top French Administrative Court @Conseil_Etat on post #SchremsII developments
The Court rejects the request of the petitioners against the hosting of the #healthdatahub by @MicrosoftEU ...
Thread (1)
👇
I will focus here on only one HUGE point in this decision re post #SchremsII developments: the Court didn't follow the French DPA @CNIL in its position that US Cloud Providers (or under 🇺🇸 Jurisdiction) should not be used as a matter of principle for hosting health data... (2)
As already explained, the 🇫🇷 DPA @CNIL invited the Court to say that providers under US jurisdiction should not be used, & this even if all data (encrypted in this case!) are localized in Europe & there are no "transfers" to 🇺🇸, bc US Gov might still make requests
👇 https://twitter.com/TC_IntLaw/status/1314591793657372674?s=20
This seemed to go beyond what CJEU said in #SchremsII: this was a case abt Art. 45 & 46 #GDPR. Even before #SchremsII there was no legal basis for a company under US jurisdiction to transfer/disclose data directly to a foreign government. This could be a violation of Art. 48 GDPR... (4)
...and create a conflict of laws. See for instance the whole discussion re extraterritorial effect of #CloudAct & the clear position of @EU_EDPB on this... (5)
👇
https://edpb.europa.eu/sites/edpb/files/files/file2/edpb_edps_joint_response_us_cloudact_annex.pdf
The French Court correctly reframes the debate by saying that this point has not been discussed by CJEU. #SchremsII was about data transfers for commercial/service purposes. It was NOT about whether US law has an extraterritorial effect & under which conditions a US company... (6)
👇
......should process data solely in Europe or be able to oppose US requests if indeed found trapped in a conflict of laws situation. The Court also notes the importance of a new blocking statute adopted by France prohibiting any transfer of HDH data outside EU. (7)
The French Court thus rules that there is no “urgency” to strike down a system of hosting encrypted & pseudonymized health data strictly localized in Europe on the basis of such a hypothesis. It also notes that the petitioners DO NOT invoke a direct violation of #GDPR but ...(8)
...rather only the “risk of a violation in the event that Microsoft would not be able to oppose” a hypothetical request for access to these encrypted & pseudonymized data by US authorities... (9)
There are other interesting elements in this very important decision – I might return later. It must be noted that this was only a decision under an urgency procedure for interim measures of protection - and the Court heavily insists on this when rejecting the request... (10)
You can follow @TC_IntLaw.