New setback before the Council of State for Celestial Unicorns.
This association, led by one of the founders of La Quadrature du Net, sought to overturn a permit that the CNIL had granted to the Health Data Hub in February 2025. The objective: to extract data from the SNDS (Système national des données de santé, National Health Data System) and to process it within the framework of two studies. One focused on diseases, the other on the use of medicines and vaccines. Against this backdrop stood the DARWIN EU project (Data Analysis and Real-World Interrogation Network), coordinated by the European Medicines Agency, with the backing of a network of public and private institutions.
More precisely, there were two separate requests for annulment. The request from Celestial Unicorns was supported by Clever Cloud, Nexedi, Rapid Space International, Cleyrop, the CNLL (Conseil national du logiciel libre), and the Open Internet Project. The other came from the associations Interhop and Constances, the Syndicate of General Practice, the Sud Santé Federation, and the Human Rights League.
The CNIL did not authorize health-data transfers abroad
The Conseil d’État notes that the CNIL only authorized the processing of health data hosted in data centers located in France. It did not approve any transfer to the United States. In particular, on the basis of the Data Privacy Framework, Celestial Unicorns et al. cannot therefore invoke illegality. Likewise, in the absence of transfers to the USA, invoking Article R. 1461-1 of the Public Health Code—which last paragraph prohibits transfers of health data outside the EU—does not hold.
Given the value of the data in question and their hosting on Microsoft infrastructure, the Conseil d’État acknowledges that it is difficult to rule out access requests by US authorities. It nevertheless finds that the processing that is authorized is framed by sufficient security measures, including:
- Pseudonymization
- Limitation of the retention period for raw data extracted from the SNDS
- Risk analysis of reidentification at each export
- Analysis of usage traces by the Health Data Hub
The transfer of technical usage data from the platform to the United States is not entirely excluded. But these do not involve health data, the Conseil d’État explains. They are also based on standard contractual clauses that “constitute appropriate safeguards.”
Another annulment request rejected in 2024
Clever Cloud, Nexedi, Rapid Space Internatoinal, Cleyrop, Open Internet Project, Celestial Unicorns, and the CNLL had already brought the matter before the Conseil d’État in 2024 regarding another authorization granted to the Health Data Hub. The Internet Society France association had likewise raised the issue beforehand.
That case also involved a contract with the European Medicines Agency. But this time for pharmacoepidemiology studies.
The Conseil d’État reached a broadly similar conclusion. It noted that the CNIL had not authorized transfers of health data to the USA. It affirmed that the technical and legal safeguards were sufficient: multiple pseudonymizations, HDS certification, authorization limited to three years, and so on.
