Judgement of the French Conseil d’Etat of 12 March 2021: continued impact of Schrems II
On 12 March 2021, France’s highest administrative court, the Conseil d’Etat, ruled on a complaint filed by professional associations and unions with regard to the partnership concluded between the French Ministry of Health and Doctolib, an e-health services company whose platform was used, among other things, to manage bookings for COVID-19 vaccinations. The plaintiffs argued for the suspension of the partnership because Doctolib used the data hosting services of Amazon Web Services Sarl (“AWS Sarl”, the Luxembourg-based subsidiary of the US company). In their view, this entailed a risk of access requests by US authorities.
The plaintiffs stressed the following aspects:
- The urgency of the request, given the sensitive nature of the data collected and the alleged breach of the GDPR: the data was hosted by AWS, a subsidiary of a US company subject to US law, which implied the possibility of access by US authorities.
- The reasoning of the EU Court of Justice in its Schrems II judgment: the plaintiffs argued that hosting health data with a company bound by US law was incompatible with that ruling and violated the GDPR.
Ruling of the Conseil d’Etat
Ultimately, the Conseil d’Etat rejected the complaint on the grounds that the personal data hosted by AWS Sarl was sufficiently protected under the GDPR.
Nonetheless, the Conseil d’Etat held, among other things, the following:
- No transfer of data to the US occurred. The contract signed between the two companies did not provide for transfers of data outside the EU, and the data centers used were located in France and Germany. Nevertheless, a risk remained because AWS Sarl is a subsidiary of a US company and may therefore be subject to access requests under US surveillance programs.
The Conseil d’Etat consequently carried out a Schrems II analysis of the legal and technical guarantees applied to the processing operation. It found that (i) the contract provides for a specific procedure in case of governmental data access requests, and AWS Sarl committed to challenging any request of a general nature; and (ii) the data hosted by AWS Sarl is encrypted and the re-identification key is held by a trusted third party in France, not by AWS, so that the data is beyond the reach of the authorities.
Based on the above and other elements, including the fact that the data transmitted to Doctolib did not constitute health data but rather identification data used to book vaccination appointments, the Conseil d’Etat found that the technical and legal safeguards in place were sufficient.
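The safeguard the court relied on in point (ii), with the hosting provider holding only protected data and the re-identification key kept by a separate party, can be illustrated in code. The following is an added example and not code from Doctolib, AWS or the judgment; the page does not describe the actual mechanism, so this example assumes keyed-hash pseudonymisation (HMAC-SHA256) with a token-to-identity index held by a hypothetical `TrustedThirdParty`, and a hypothetical `HostingProvider` that stores only tokens and appointment slots. The `patient` record is constructed sample data.

```python
import hashlib
import hmac
import json
import secrets
from typing import Dict, List, Optional


class TrustedThirdParty:
    """Hypothetical EU-based key holder, distinct from the hosting provider.

    Holds the pseudonymisation key and the token-to-identity index; neither
    is ever handed to the hosting provider.
    """

    def __init__(self) -> None:
        self._key = secrets.token_bytes(32)      # re-identification key stays here
        self._index: Dict[str, dict] = {}        # token -> identity, only here

    def pseudonymize(self, identity: dict) -> str:
        # Keyed hash: without _key nobody can recompute or enumerate tokens.
        canonical = json.dumps(identity, sort_keys=True).encode()
        token = hmac.new(self._key, canonical, hashlib.sha256).hexdigest()
        self._index[token] = identity
        return token

    def reidentify(self, token: str) -> Optional[dict]:
        return self._index.get(token)


class HostingProvider:
    """Hypothetical host: stores tokens and appointment details only."""

    def __init__(self) -> None:
        self._records: Dict[str, dict] = {}

    def store(self, token: str, payload: dict) -> None:
        self._records[token] = dict(payload)

    def data_disclosable_on_request(self) -> List[dict]:
        # Everything the host could hand over if compelled: no identities here.
        return [{"token": t, **p} for t, p in self._records.items()]


IDENTITY_FIELDS = {"name", "email", "date_of_birth"}


def book_appointment(ttp: TrustedThirdParty, host: HostingProvider,
                     identity: dict, slot: str) -> str:
    """Pseudonymise with the third party, then store only the token at the host."""
    token = ttp.pseudonymize(identity)
    host.store(token, {"slot": slot})
    return token


def host_holds_identities(host: HostingProvider) -> bool:
    """True if any record on the host carries a direct identifier."""
    return any(IDENTITY_FIELDS & set(r) for r in host.data_disclosable_on_request())


def demo() -> dict:
    ttp = TrustedThirdParty()
    host = HostingProvider()
    # Constructed sample booking, not real data.
    patient = {"name": "Example Person", "email": "person@example.org",
               "date_of_birth": "1960-01-01"}
    token = book_appointment(ttp, host, patient, "2021-03-15T09:00")
    return {
        "host_view": host.data_disclosable_on_request(),
        "host_holds_identities": host_holds_identities(host),
        "reidentified": ttp.reidentify(token),
        "token": token,
    }


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

The point of the split is that an access request served on the host yields only tokens and slots; re-identification requires the index and key held by the third party, which is what the court treated as placing the data beyond the authorities’ reach.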
Although the Conseil d’Etat ultimately rejected the claim and found the level of protection in this case sufficient, the continuing and far-reaching impact of Schrems II is noteworthy. What was at stake was not a data transfer to the United States through a US-based processor, but merely the fact that the processor engaged is a subsidiary of a US company, even though the data never left EU territory. Moreover, the analysis of the legal and technical safeguards applied to the processing operation proved essential and remains the best approach for data controllers and processors.
In light of this judgment, it is recommended to minimize risk by putting supplementary measures in place, both legal and technical, whenever processors that are subsidiaries of non-EU companies are engaged, regardless of whether data transfers outside the EU/EEA take place.