Privacy espresso seriesResourcesSeptember 1, 2022Microsoft Azure and data protection in Norway: The health analysis platform case

In this PrivacyEspresso we discuss with Susanne Lie, senior advisor at the Norwegian DPA (the Datatilsynet),  the Norwegian studies held for creating a National Health Analysis Platform.

According to Susanne, in Norway, many health registers contain this type of data, so the Government decided to find new ways to simplify the data processing at the medical research level. Due to the large amount of data involved in the process, a cloud storage system appeared to be the best solution, particularly the one of Microsoft Azure. For this reason, the Norwegian DPA was invited to undergo a deep analysis of the privacy risks related to creating such a platform using the Microsoft service.

In particular, after the Schrems II case, two main issues arose concerning the usage of Azure:

  1. Using this cloud opens the risk of transferring data to the US;
  1. Microsoft Azure has a standard contract with a very vaguely defined “use for their own purposes” that does not permit the user to identify the conditions by which Microsoft will use the personal data in its systems, transferring them to the USA. Additionally, the clause is so broad that it includes the possibility to transfer all the data inserted in the platform, including health data.

An additional problem relates to the Microsoft support service as it is located in the US only and will always require access to data from there to be activated.

Following the above findings, Susanne’s key takeaways from this case are:

  1. That the most significant risk is not data transfer per sé, but the too broad definition of “Microsoft purposes” in the Standard Agreement, as it would allow unlimited data usage.
  1. Many people are impatient in getting a solution on the EU-US data transfer system, but (unfortunately) this still looks pretty far from being reached.

So, is there a solution?

  1. On the one hand, Microsoft is trying to solve the issue by starting to store data in the EU. Currently, this still looks like a solution far from being fully implemented.
  1. On the other hand, the more viable solution seems to come at the Authority level and lies behind creating a new functioning transatlantic framework capable of ensuring the proper protection of EU personal data. However, even this solution doesn’t seem to be expected before the end of 2022.

In conclusion, the solution to this problem is still far from being achieved. In the meantime, companies will have to rely on case-by-case solutions that would remain unreliable due to the constant shifting of laws in the sector. Considering this complex picture, the only good news is that DPAs have generally demonstrated a very understanding behaviour, mostly issuing fines in overt violation of the EU GDPR.