France’s data regulator CNIL has issued some recommendations for French services that handle health data, as Mediapart first reported. Those services should avoid using American cloud hosting companies altogether, such as Microsoft Azure, Amazon Web Services and Google Cloud.
Those recommendations follow a landmark ruling by Europe’s top court in July. The ruling, dubbed Schrems II, struck down the EU-US Data Privacy Shield. Under the Privacy Shield, companies could outsource data processing from the EU to the US in bulk. Due to concerns over US surveillance laws, that mechanism is no longer allowed.
The CNIL is going one step further by saying that services and companies that handle health data should also avoid doing business with American companies — it’s not just about processing European data in Europe. Once again, this is all about avoiding falling under U.S. regulation and rulings.
The regulator sent those recommendations to one of France’s
PARIS (Reuters) – France’s data privacy watchdog CNIL recommended on Thursday that websites operating in the country should keep a register of internet users’ refusal to accept online trackers known as cookies for at least six months.
In specifying a registration timeframe, the guideline goes beyond European Union-wide data privacy rules adopted two years ago, adding an extra hurdle that a data protection lawyer said would put some of the companies exploiting such tools to target advertising out of business.
Under the CNIL guideline, which the watchdog said must be adopted by March, internet users have the right to withdraw their consent on cookies – small pieces of data stored while navigating on the Web – at any time and they can refuse trackers when they go on a website.
“The internet user’s silence actually implies a refusal (to accept cookies),” said Etienne Drouard of American-British law firm Hogan Lovells.