Schrems II: French Conseil d’Etat provides insight into sufficient safeguards for EU personal data accessed from the US
Browse this blog post
Related news and insights
Blog Post: 26 October 2022
Blog Post: 17 May 2022
Blog Post: 09 May 2022
Blog Post: 19 April 2022
On 12 March 2021, the Conseil d’Etat, the highest administrative court of France, issued a decision that might have significant impact on personal data transfers to third countries in the aftermath of the Schrems II decision of the Court of Justice of the EU (CJEU).
The Counseil d’Etat dismissed an interim relief claim filed by healthcare professional associations and unions seeking to suspend the partnership between the French Ministry of Social Affairs and Health and Doctolib, on the grounds that Doctolib hosted the platform for making Covid-19 vaccination appointments on servers of AWS Sarl, an EU-based subsidiary of the US company Amazon Web Services.
In the opinion of the plaintiffs, hosting sensitive health data by a company located in the EU but subject to US law poses high risks of data access requests by US authorities, which is incompatible with the GDPR under Schrems II decision of the CJEU.
The Conseil d’Etat assessed the contract between Doctolib and AWS Sarl and noted that the contract does not stipulate data transfer to the US and provides that the data must be hosted on EU servers. Nevertheless, the court considered that AWS, as a subsidiary of US company, might be subject to access requests by US authorities under Executive Order 12333 or Article 702 FISA, and therefore examined the level of protection to personal data under the contract.
The Conseil d’Etat concluded that the parties had put contractual, technical and organisational measures in place that provided sufficient safeguards for the protection of personal data. It noted:
- the contract provides for a specific procedure in the case of access requests by a foreign authority, and includes an obligation on AWS to challenge any general request to access data or any request that might not respect the GDPR;
- the data are hosted on EU servers, are encrypted and the key is held by a trusted third party located in France;
- the appointment data is deleted automatically three months after the date of the appointment and can be deleted manually by the data subjects themselves at any time;
- the data collected during vaccination appointments does not constitute health data, as it does not state the medical grounds for eligibility for vaccination as a priority due to specific health issue. Only contact information necessary for the identification of individuals for making appointments is processed, and the data subjects simply confirm that they have priority for vaccination.
In this decision, the Conseil d’Etat seems to apply a more narrow definition of health data, compared to a broader concept adopted by the CNIL. According to the CNIL, health data should be assessed on a case-by-case basis, in view of the nature of the data collected. The practical guide on the protection of personal data, developed by the CNIL together with the French Medical Board (Ordre National des Médecins), states that grounds for medical consultation can give information about health conditions of the patients, as well as the mere knowledge of an individual having a consultation with a specialist could indicate existence of health conditions. We would expect that the mere information regarding an appointment for vaccination could be considered as health data for the CNIL. However, the CNIL has not commented on this decision yet.
It further appears that the characteristics of the data in question not being health data formed a significant basis for the decision of the Conseil d’Etat. The question remains whether the Conseil d’Etat would have adopted a different approach if health data were at stake and whether the safeguards that are put in place by the parties would be sufficient to mitigate the risks of access to special categories of data by foreign authorities.
A clear and practical guidance by the EDPB is needed to clarify the transfer situations as discussed in this case and in other typical processing situations. The final EDPB Recommendations on supplementary measures for international transfers are expected in the coming weeks. However, it remains to be seen how national courts will be applying the outcomes of the CJEU decision in Schrems II to cases at hand.