The Conseil d’État, France’s highest administrative court, recently ruled that the hosting of personal data collected via a platform managed by Doctolib, on servers run by an EU subsidiary of a U.S.-based company (and therefore subject to U.S. surveillance laws), was compatible with the GDPR. The ruling is an important follow-up to Schrems II.
The servers of Doctolib, whose platform the French government had entrusted with booking Covid-19 vaccinations, were hosted by the Luxembourg subsidiary of Amazon Web Services (AWS), a U.S. company. In this case, AWS EMEA Sarl, established in the EU, stored the data in data centres located in France and Germany. The French government’s decision to use a platform hosted by the subsidiary of a U.S.-based company raised significant concerns among several French health professional associations and unions. They claimed that the hosting of health data relating to French citizens by a company bound by U.S. surveillance laws was incompatible with the GDPR and with the decision of the Court of Justice of the European Union (CJEU) in Schrems II, because of the possibility that the data would be transferred to the U.S. Furthermore, even in the absence of a data transfer, they argued that there was a risk of access requests to AWS by U.S. law enforcement authorities.
The Conseil d’État refused to order the suspension of the partnership between France’s Ministry of Social Affairs and Health and Doctolib. The judge found that the contract concluded between Doctolib and AWS EMEA Sarl in Luxembourg did not provide for the transfer of data to the U.S. However, there was a risk of access to the data by U.S. law enforcement authorities, because AWS EMEA Sarl is a subsidiary of a U.S. company subject to U.S. surveillance laws that have extraterritorial effect.
In light of the CJEU’s decision in Schrems II, the Conseil d’État considered whether the level of protection provided for the processing of personal data was in line with the GDPR, taking into account the provisions of the contract signed between Doctolib and AWS EMEA Sarl. The judge found that the level of protection offered was sufficient, given the safeguards in place (both legal and technical measures) to deal with a possible access request by U.S. law enforcement authorities.
Legal & Technical Safeguards
In regard to legal safeguards, the judge noted that the contract concluded between Doctolib and AWS EMEA Sarl provided for a specific procedure in the event of an access request by a foreign authority; notably, AWS EMEA Sarl guaranteed in the contract that it would challenge any general access request from a public authority. As for technical safeguards, the judge noted that the data hosted by AWS EMEA Sarl is encrypted and that the key is held by a trusted third party in France, not by AWS EMEA Sarl, so that the data cannot be read by third parties.
In addition, the Conseil d’État found that the data transmitted to Doctolib, and hosted by AWS EMEA Sarl, for the purpose of booking Covid-19 vaccinations did not contain health data. The personal data related only to the identification of individuals for the purpose of making appointments, and it was deleted within three months of the vaccination appointment.
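The two technical safeguards the court relied on, encryption with the key held by a separate custodian in France and deletion of booking records within three months, can be illustrated as a small model. The following Python is an added example written for this page; it is not Doctolib's or AWS's code, and the class names, the 90-day figure standing in for "three months", and the HMAC-SHA256 counter-mode cipher (a stand-in for a real authenticated cipher such as AES-GCM, used here only to keep the example dependency-free) are all assumptions. The point it demonstrates is that an access request served on the hosting party can only yield ciphertext, because the hosting component never holds the key.

```python
"""Constructed model of split key custody plus a retention purge.

KeyCustodian plays the trusted third party in France that alone holds the key.
HostingProvider plays the EU hosting subsidiary: it stores ciphertext and an
appointment date, and has no means of decrypting anything it stores.
"""
import hashlib
import hmac
import os
from datetime import date, timedelta

NONCE_LEN = 16
TAG_LEN = 32


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    # PRF in counter mode: HMAC-SHA256(key, nonce || counter). Stand-in for AES-CTR.
    out = b""
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def encrypt(key: bytes, plaintext: bytes) -> bytes:
    """Encrypt-then-MAC: returns nonce || ciphertext || tag."""
    nonce = os.urandom(NONCE_LEN)
    ct = bytes(a ^ b for a, b in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    tag = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def decrypt(key: bytes, blob: bytes) -> bytes:
    """Verify the tag in constant time before touching the ciphertext."""
    nonce, ct, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    expected = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("integrity check failed")
    return bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct))))


class KeyCustodian:
    """Trusted third party in France: the only component that holds the key."""

    def __init__(self) -> None:
        self._key = os.urandom(32)  # never leaves this object

    def seal(self, record: bytes) -> bytes:
        return encrypt(self._key, record)

    def unseal(self, blob: bytes) -> bytes:
        return decrypt(self._key, blob)


class HostingProvider:
    """Hosting subsidiary: stores ciphertext only, keyed by booking id."""

    RETENTION = timedelta(days=90)  # assumption standing in for "three months"

    def __init__(self) -> None:
        self._store: dict[str, tuple[bytes, date]] = {}

    def store(self, booking_id: str, blob: bytes, appointment: date) -> None:
        self._store[booking_id] = (blob, appointment)

    def fetch(self, booking_id: str) -> bytes:
        return self._store[booking_id][0]

    def disclose_all(self) -> list[bytes]:
        """Everything an access request served on the host could obtain."""
        return [blob for blob, _ in self._store.values()]

    def purge_expired(self, today: date) -> list[str]:
        """Delete records whose appointment is at least RETENTION in the past."""
        expired = [b for b, (_, d) in self._store.items() if today - d >= self.RETENTION]
        for booking_id in expired:
            del self._store[booking_id]
        return expired

    def count(self) -> int:
        return len(self._store)


def demo() -> dict:
    """Run the full flow on constructed sample data and report the outcomes."""
    custodian = KeyCustodian()
    host = HostingProvider()
    record = b"Jane Doe;1980-01-01;+33 6 00 00 00 00"  # constructed identification data
    host.store("bk-1", custodian.seal(record), date(2021, 4, 1))
    host.store("bk-2", custodian.seal(b"John Roe;1975-06-30"), date(2021, 6, 15))
    disclosed = host.disclose_all()
    return {
        "roundtrip_ok": custodian.unseal(host.fetch("bk-1")) == record,
        "plaintext_in_disclosure": any(b"Jane Doe" in blob for blob in disclosed),
        "purged": host.purge_expired(date(2021, 7, 1)),
        "remaining": host.count(),
    }


if __name__ == "__main__":
    print(demo())
```

The hosting side can answer a request only with what it holds, and the integrity tag means any alteration of a stored blob is detected when the custodian decrypts it; the purge shows the retention limit enforced on the host rather than left to the data subject.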
This ruling shows how important it is for EU subsidiaries of non-EEA parent companies that are subject to the extraterritorial reach of non-EEA law enforcement authorities to implement appropriate safeguards (such as contractual and technical measures), even where the personal data is stored locally in Europe and not transferred to the non-EEA parent company.