← All articles·Sovereignty

Cloud Act vs SecNumCloud: why it matters for your health

A US law can compel access to your health data hosted in Europe. A French qualification builds the firewall. An educational article.

7 min read

In 2 sentences. The Cloud Act (US law of 2018) allows a US prosecutor to compel access to data held by a US company or its subsidiary — even if that data sits on European soil. SecNumCloud (French qualification issued by ANSSI) guarantees that a cloud service is immune to such compulsion.

The Cloud Act, in plain terms

Adopted in March 2018 by the US Congress, the Clarifying Lawful Overseas Use of Data Act (CLOUD Act) allows US judicial authorities to compel a company subject to US law to disclose the data it holds, regardless of where that data is physically stored.

Concrete example: if your health data sits with AWS Paris (AWS Europe SARL), a US federal prosecutor can compel Amazon Web Services Inc. to hand it over. Even if encrypted at rest, if AWS holds the key, it must deliver it. The French subsidiary AWS Europe is subject to this injunction by ricochet.

Why it's a problem for health

Health data is classified as "sensitive data" under GDPR article 9. It can only be transferred outside the EU under strict conditions. The Cloud Act creates a conflict of laws: the US host is caught between a US obligation (to deliver) and a European prohibition (not to transfer).

The CJEU invalidated Privacy Shield in 2020 (Schrems II ruling), precisely because US surveillance laws (including the Cloud Act) were deemed incompatible with European protection standards.

Practical consequence. Using AWS or Azure to host French health data, even in a European region, remains legally fragile. The platforms that do it know this. Many accept it, betting no US prosecutor will take interest in anonymous French medical records.

SecNumCloud, the French antidote

SecNumCloud is a qualification issued by ANSSI (the French National Cybersecurity Agency) to cloud providers meeting strict criteria:

  • French or European jurisdiction — the company operating the cloud is not subject to the Cloud Act
  • Majority European capital — no control by an entity subject to extra-European law
  • Physical infrastructure in France or EU — no storage or processing outside the EU
  • Authorised personnel — people with technical access to the data are European and security-cleared
  • High security requirements — based on ISO 27001 standards, with SecNumCloud being stricter

In France, only a handful of providers are currently SecNumCloud-qualified: primarily OVHcloud, Outscale (Dassault group) and Scaleway.

SecNumCloud is not "just" a French host

Many French health platforms host with a French provider that resells AWS: technically in France, legally subject to US law through subcontracting. SecNumCloud explicitly forbids this configuration.

The qualification also requires the provider to refuse any foreign injunction, document all judicial requests received, and be audited regularly by ANSSI.

The comparison table

  • AWS / Azure / Google Cloud Europe: subject to the Cloud Act, US prosecutors can compel
  • French provider reselling AWS/Azure: same constraint by ricochet
  • Standard HDS provider: hosting in France, but not necessarily SecNumCloud (may have US dependencies)
  • SecNumCloud provider: Cloud Act immunity guaranteed by ANSSI

Where do French digital health players stand?

The picture is mixed:

  • Mon Espace Santé / DMP: hosted on Atos (today Eviden), sovereign infrastructure
  • Doctolib: hosting in France but partially AWS — a friction point during the 2021 Senate hearing
  • WEDA, Maiia, some LGC software: variable hosting, often with French providers
  • Many health startups: AWS or Azure by default, for time-to-market reasons

How to check where your health data is hosted

You have the right to know. Here's how to exercise that right:

  • Read the legal notices of the app or site — the host's identity is mandatory
  • Email their DPO — a response must come within 1 month (GDPR article 15)
  • Check HDS certification — mandatory for any health data, verifiable on the ANS website
  • Look for SecNumCloud mention — if absent, explicitly ask about Cloud Act compliance

MDMC's commitment

My Data My Care chose hosting with a French provider certified HDS, with SecNumCloud qualification in progress. Our zero-knowledge architecture adds an extra layer: even in the event of an injunction, we do not hold the decryption keys. Your data is unreadable without your cryptographic consent.

It's written in our Terms of Sale, verifiable in our architecture, and is among our commitments in the manifesto.

Key takeaway

The hosting choice is not a technical detail. It determines who, anywhere in the world, can lawfully access your health data. SecNumCloud + zero-knowledge encryption is today the highest level of digital sovereignty in Europe. The other options all involve, to varying degrees, compromises on your medical privacy.

Ready to take control of your data?

Create your free health passport. 5 minutes to get set up, a lifetime to benefit.

Create my free passport

Read next

Healthcare cyberattacks 2025

The sector's darkest year.

MDMC security

Sovereign architecture.

GDPR and health: your 6 rights

The European framework.