At the end of March, the French Anticor association seized the National Financial Prosecutor’s Office (PNF), specializing in the fight against serious economic and financial delinquency, believing that the hosting market for the Health Data Hub had been illegally attributed to the cloud platform. Microsoft Azure computing.
Indeed, “this contract was awarded without a call for competition (..) for the sole reason that only Microsoft would have the technological capabilities to provide such an infrastructure”, explains the association in its press release. She adds that the board of the National Health Insurance Fund (Cnam) and the Senate have also criticized this choice.
Anticor notes that this public contract is “particularly important both in terms of its object and in terms of its amount”. Indeed, the Health Data Hub will bring together all the health data of French people, from hospital invoices to medical causes of death. This information can be reused for artificial intelligence projects. Currently, 42 projects are supported.
The association concludes that “such an operation required a high level of transparency and an irreproachable competition procedure, relayed through regulatory information channels”.
A call for tenders launched … unanswered
The opacity in the award of this contract is regularly criticized. At a conference last June, the government announced the launch of a call for tenders “in order to have a wider choice with the specifications that will allow someone to position themselves“, explained Cédric O, the secretary of state for digital. Since this announcement, the procedure has not been regularly monitored by the government.
Guillaume Poupard, the director general of the National Agency for the Security of Information Systems (Anssi), also present during this event, had tried to justify the choice of Microsoft. “In a prototyping phase, the choice of an easy-to-use solution was favored. The portability of the system was mentioned from the start and is an important point“, he explained.
Washington could consult the data
What worries opponents of Microsoft’s choice is the risk that French health data ends up in the hands of the American authorities. Indeed, thanks to an arsenal of laws, the American intelligence services can force the service providers established in the United States to provide data stored on servers, whether they are located inside the territory or in the United States. outside.
This is what prompted the Court of Justice of the European Union (CJEU) to invalidate the Privacy Shield last July, considering that the American surveillance programs were not compatible with the General Regulation on the protection of data (GDPR).
Now, under a new decree, Microsoft must store data from the Health Data Hub in data centers located in the European Union. The Paris region was chosen. In any case, according to Stéphanie Combes, director of the Health Data Hub, “the decree does not prohibit recourse to Microsoft, but this must be properly supervised, this is what we do with contractual amendments while working on a sovereign trajectory“.
The government decided to find an alternative
But this text does not solve everything since even hosted in France, this data can be recovered by Washington. A problem that the government is trying to seize. “I fully share your concerns regarding the risk of disclosure of data hosted by the platform to US authorities with the choice of the Microsoft company “, wrote the Minister of Health and Solidarity Olivier Véran in this letter in November 2020.
Thus, he explained that he fully subscribed to the need to adopt “a new technical solution” in one “as much as possible between 12 and 18 monthsThe Gaia-X European cloud project was one of the preferred solutions, according to the minister.