The French Council of State Upholds the Hosting of Health Data Hub by Microsoft
![Image [WHITE PAPER] Mastering our digital dependencies](https://incyber.org//wp-content/uploads/2026/05/incyber-eu26-cesin-2026-885x690.jpg)
On November 13, 2024, the French Council of State rejected the appeal filed by the InterHop association, supported by several organizations, against the hosting of the Health Data Hub’s health data by Microsoft. The plaintiffs argued that this decision potentially violated the General Data Protection Regulation (GDPR) due to risks associated with access to data by U.S. authorities under the Cloud Act.
In its ruling, the Council of State determined that while the European Commission’s adequacy decision on the EU-U.S. Data Protection Framework could be subject to criticism, it provides sufficient legal grounds. Consequently, the Council found it unnecessary to refer a preliminary question to the European Court of Justice (ECJ) regarding the compatibility of this framework with GDPR requirements. The ruling also noted that any changes to the hosting contract fall under the responsibility of the managing Public Interest Group (GIP) and not the Ministry of Health.
On the same day, a similar appeal regarding the EMC2 treatment, also hosted by Microsoft, was dismissed on procedural grounds, as the plaintiffs failed to demonstrate their legal standing to act.
These decisions raise critical questions about digital sovereignty and reliance on American tech giants, particularly as the sensitivity of health data remains a key public concern. They also highlight the challenges faced by associations and citizens in contesting decisions rooted in complex international agreements.