The Conseil d’État, France’s highest administrative court, recently ruled that personal data collected via a platform managed by Doctolib, and hosted by an EU subsidiary of a US-based company (subject to US surveillance laws), was in line with the GDPR. The ruling is an important follow-up to Schrems II.
The servers of Doctolib, whose platform had been entrusted by the French government for booking Covid-19 vaccinations, were hosted by the Luxembourg subsidiary of Amazon Web Services (AWS), a U.S. company. In this case, AWS EMEA Sarl in the EU, stored the data in data centres located in France and Germany. The French government’s decision to use a platform hosted by the subsidiary of a U.S.-based company raised significant concerns among several French health professional associations and unions. They claimed that the hosting of health data relating to French citizens, by a company bound by U.S. surveillance laws, was incompatible with the GDPR, and the decision of the European Court of Justice of the European Union (CJEU) in Schrems II, due to the possibility of a transfer of the data to the U.S. Furthermore, even in the absence of data transfer, they argued there was a risk of access requests by U.S. law enforcement authorities to the processor, AWS EMEA Sarl.
The Conseil d’État refused to order the suspension of the partnership between the France’s Ministry of Social Affairs and Health and Doctolib. The judge found that the contract concluded between Doctolib and AWS EMEA Sarl in Luxembourg did not provide for the transfer of data to the U.S. However, there was a risk of access by U.S. law enforcement authorities to the data, because the EU-based processor is a subsidiary of a U.S. company, and subject to US surveillance laws that have extraterritorial effect.
In light of the CJEU’s decision in Schrems II, the Conseil d’État considered whether the level of protection provided for the processing of personal data, taking into account the provisions of the contract signed between Doctolib and AWS Sarl in Luxemburg and the technical safeguards. The judge found that the level of protection offered was sufficient due to the safeguards in place (including both legal and technical measures), to deal with a possible access request by U.S Law Enforcement Authorities.
Legal & Technical Safeguards
In regard to legal safeguards, the judge noted that the contract concluded between Doctolib and AWS EMEA Sarl provided for a specific procedure in the event of an access request by a foreign authority; notably AWS EMEA Sarl guaranteed in the contract that it would challenge any general access request from a public authority. As for technical safeguards, the judge noted that the data hosted by AWS EMEA Sarl is encrypted and the key is held by a trusted third party in France, not by AWS, to prevent the data from being read by third parties.
In addition, the Conseil d’État found that the data transmitted to Doctolib, and hosted by AWS EMEA Sarl, for the purposes of booking Covid-19 vaccinations did not contain health data. The personal data related only to the identification of individuals for the purpose of making appointments, and was deleted within three months of the vaccination appointment.
Although this case did not concern the transfer of personal data to the US, nor reliance on the Standard Contractual Clauses to do so, it shows that, in the view of the highest French Court, Schrems II does not preclude EU companies using a US cloud services provider. The ruling also illustrates that it would be prudent, even in situations where there is no transfer of personal data outside of the EEA, for data controllers to include supplementary measures (such as legal and/or technical measures) in contracts where the data is entrusted to a EU-based processor that is subject to the extra-territorial reach of non-EEA law enforcement authorities.