05 Jun ECA: Data protection and sovereignty | Cybersecurity series part 2
In this series, thanks to our experts, we will report and evaluate the latest developments in Cybersecurity from a European point of view. Access the Introduction (ECA), Part One (Eperi) and Part Three (Systancia).
Data protection and sovereignty
A few days ago, it has been quite a surprise to hear that the French Health Data Hub, a platform launched end of 2019 under the umbrella of the Health Ministry, would finally have a contract with Microsoft to host the data.
This announcement has immediately started hot reactions: ATENA, a forum on digital usages, “the actors of Digital”, another forum, and others have exposed a decision both difficult to understand and dangerous.
What is at stake?
- The decision has been apparently taken without a call for competitive proposals, with the argument that only Microsoft could offer the service. Strange if you consider that, regardless of the specifications which we have not read, France and Europe do not lack serious hosting and Cloud providers. Among which: Orange, OVHCloud, Scaleway (a subsidiary of Iliad group), 3D Outscale.
- These Cloud providers have had the occasion, all along these last weeks, to demonstrate their ability to face a ramp-up in the demand. At least two of them rely on technologies which do not depend much on US or Asia suppliers. Among these two, OVHCloud has developed its own line of servers.
- Health data are not “just data”. Under French law, they are specifically protected. It is so true, that so far hosting such data has only been attributed to a limited number of suppliers, including a subsidiary of La Poste group and OVHCloud. All over the EU, data protection is organized thanks to the GDPR, the General Data Protection Regulation. Unfortunately, US suppliers have to abide by another regulation, the Cloud Act, under which they can be forced to give the data to US authorities when formally requested, wherever they are physically stored.
- The European Champions Alliance share the criticism which has been stated. It sounds strange that, at the very moment when prominent members of the French government pledge for more European digital sovereignty when the EU commissioner in charge of industrial matters says the same, an official body follows the opposite way. We would prefer acts and promises to be in line.
Head of the ECA focus group Cybersecurity