French data protection authority says it can’t trust top US Internet companies with EU personal data – even if they keep it in the EU

Posted on Oct 15, 2020 by Glyn Moody

Last month, this blog looked at the continuing repercussions of the decision by the EU’s top court, the Court of Justice of the European Union (CJEU), to strike down the Privacy Shield framework that legalizes most flows of personal information from the EU to the US. The privacy activist who brought the original case against Facebook some seven years ago, Max Schrems, is still fighting to get the Irish Data Protection Commission (DPC) to investigate whether Facebook complies with the EU’s General Data Protection Regulation (GDPR). As Privacy News Online wrote, instead of responding to Schrems’s original complaint, the DPC has opened up a second investigation – one, moreover, that is largely irrelevant, for reasons explained last month. Schrems’ organization has now taken further legal action against the DPC, and has been granted a judicial review into the DPC’s actions by the Irish High Court. Schrems hopes the hearing will take place by the end of the year, and says: “The DPC has already pledged to the Court in 2015 that it will swiftly decide. It seems like we need a clear judgment to force the DPC to do its job.”

A “clear judgment” could make it much harder for not just Facebook, but many other major US Internet companies to transfer personal data from the EU to the US. But even without that judgment, the CJEU’s decision to strike down the Privacy Shield framework has already led to a major development in France. Back in December 2019, the French government announced the creation of a Health Data Hub, which would consolidate many separate holdings of French citizens’ personal health data in a single, massive database. The hope is that such a hub will allow research into diseases, their cures and treatments, to proceed more efficiently.

Creating a massive database of this sensitive data raises important privacy issues. Things were not helped when the French government announced that it was giving the contract to run the database to Microsoft, rather than to a local company. When the CJEU invalidated the Privacy Shield framework, 18 French organizations, including a group representing the French open source community, CNLL, called for the transfer to the US of French health data held by Microsoft to be halted. Initially, the French authorities refused to consider the idea. But the 18 organizations made another attempt, this time with more success. Because of the seriousness of the matter, France’s national data protection authority, CNIL, produced a report exploring the legal and technical issues of using US companies to store French personal data (original document in French).

It pointed out that initially, Microsoft’s transfers from France to the US were authorized by the Privacy Shield agreement. However, after the most recent CJEU decision, that is no longer the case. As a previous blog post explained, even though there is an alternative to Privacy Shield transfers, in the form of standard contractual clauses (SCCs), there is still a requirement that it must be clear the personal data of EU citizens will be protected in the US. For major companies like Facebook and Microsoft, that’s not the case. They are both subject to Section 703 of the FISA Amendments Act, which allows the collection of foreign intelligence from non-Americans located outside the US. In the view of the CNIL, this means that there is no legal way for Microsoft to transfer French health data to the US.

That in itself is not a surprising conclusion: most privacy experts agree. But the CNIL document goes even further. It believes that the reach of FISA is so great that even if Microsoft kept all French health data within the EU, it could still be required by the US government to send it across the Atlantic. As a result, the CNIL came to a ground-breaking conclusion: that the Health Data Hub should not be run by Microsoft – or by any other US company. It has recommended that the French government find another solution from an EU company. It recognizes that shifting from Microsoft to a new EU outfit is not a trivial operation, and therefore suggests that the data should remain with Microsoft for a little while longer, despite the privacy risks. It justifies this on the basis that a rushed migration could cause more harm to French citizens than the risk of US government surveillance. The French government’s legal advisor, the Conseil d’État, has a similar view.

CNIL points out that its conclusions apply not only to Microsoft hosting the Health Data Hub, but also to all the other kinds of French health data held on systems run by US companies. By implication, then, it suggests that all of these should be transferred to EU hosting companies. By further extension, the conclusions would apply to any kind of EU personal data. For companies like Facebook, it is clearly going to be harder to transfer their data to local EU companies than it will be for the Health Data Hub. But CNIL has come up with an interesting solution that may well prove to be the way forward. It suggests creating a kind of partnership with an EU business that has a license to access all of a US company’s EU data – for example, Facebook’s – and is able to use it to provide a similar service in the EU. It’s a complicated approach, and one that companies like Facebook will doubtless hate. But if other EU countries follow France’s lead here, US Internet giants may not have much choice.

Featured image by Coldcreation.