Schrems II and the Decision of the French Court on SaaS

Written by Stephen Ragan, Principal Privacy Consultant at Wrangu

On 12 March 2021, France’s highest administrative court ruled that personal data on a platform managed by Doctolib and hosted by Amazon Web Services had sufficient safeguards in place to manage access requests from US authorities. This is a key decision following the Court of Justice of the European Union’s Schrems II decision on the suitable safeguards for data hosted on services provided by Amazon, an American company.

The plaintiffs argued that the processor (Amazon) was a company bound by US law and the risk of access by US authorities was incompatible with the requirements of the GDPR and Schrems II decision.

Doctolib is a leading e-health service company in Europe. When online users in France searched where to get a vaccine against COVID-19, they could make an appointment on the Doctolib platform. The arrangement between the French Ministry of Social Affairs and Health and Doctolib stems from an agreement signed on 11 January 2021. To host its data, Doctolib used AWS Sarl, based in Luxembourg and a subsidiary of Amazon Web Services in the United States.

A number of associations and unions asked the Conseil d’Etat to order a suspension of the partnership and an order to the Ministry to use another solution to manage its vaccine campaign. The plaintiffs argued the matter was urgent as it concerned sensitive health data and was hosted by a subsidiary of an American company, subject to US National Security law which meant potential access by US authorities in violation of the Schrems II decision. The plaintiffs also argued that the possibility that sensitive data would be transferred to the US violated Schrems II. Even in absence of a data transfer, AWS was subject to data access requests from the US intelligence community.

What the Court Said

The court found that there had been no data transfers from the EU to US, but nevertheless concluded that there was a risk of access by US authorities as the EU based processor was a subsidiary of an American company. Thus, the court found it necessary to check the level of protection provided for the processing of personal data and whether it satisfied the requirements of suitable safeguards in the provisions of the contract and the technical safeguards. In concluding in favour of Doctolib, the court found the safeguards sufficient:

  1. Legal Safeguards: The court reasoned that the contract included specific procedures in the event of an access request and that AWS Sarl guaranteed to Doctolib it would challenge any general access request by public authorities.
  2. Technical Safeguards: The court also noted that the data hosted by AWS Sarl was encrypted and that the key was held by a third party in France, not by AWS.

The court was also satisfied that no health data was transferred to Doctolib. Instead, Doctolib only hosted data related to the identification of an individual, not the reason the person was eligible for a vaccine. The court additionally noted the principles of data minimisation and retention limitation, as the data was deleted three months from the date of the vaccination appointment and individuals could also delete their data directly online.

This case provides an interesting development following the CJEU decision in the Schrems II case. The role of precedent is not formally recognised by the civil law tradition of the EU’s founding states, nor by international law. This means decisions of the CJEU are formally binding only in the case addressed. However, in order to know how to apply the laws of the EU, the decisions of the CJEU must be consulted. What has developed is a system in which the CJEU has based much of its reasoning on the principle that its decisions have binding force on all national courts as well as other authorities, justifying its jurisdiction under Article 267 of the Treaty on the Functioning of the European Union and the need to ensure the uniform application of EU law.

In Schrems II, the CJEU was concerned about data transfers from the EU to the US. This case is a little different in that services provided were rendered by a subsidiary of an American company. Again, the court found that the subsidiary was subject to US law, and this made the data potentially subject to access requests by US authorities. But the court found that there were sufficient legal and technical safeguards in place to prevent access requests.

Even when there is no data transfer, the ruling underlines the importance of contractual supplementary safeguards, modelled on the draft standard contractual clauses published by the European Commission. Another point of emphasis is the technical measures taken: in particular, encryption where the processor (AWS) did not have access to the re-identification key, and therefore neither did US intelligence authorities.
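The technical safeguard the court relied on (encrypted data at rest, with the key held by a party other than the hosting provider) is easier to reason about in code. The following is an added illustration, not Doctolib's or AWS Sarl's implementation, and the record content is a constructed sample. It separates the two roles the ruling distinguishes: a key custodian that alone can encrypt and decrypt, and a hosting provider that stores only ciphertext, so that anything the provider could hand over in response to an access request is unreadable without the custodian's cooperation. To stay dependency-free it uses an HMAC-SHA256 keystream with encrypt-then-MAC rather than a library AEAD such as AES-GCM; the role separation, not the cipher, is the point.

```python
"""Added example: key custody separated from data hosting.

Roles (assumed names, not from the ruling):
  KeyCustodian   - holds the master key (the French third party in the ruling)
  HostingProvider - stores opaque blobs only (the processor, AWS Sarl in the ruling)
"""
import hashlib
import hmac
import os

NONCE_LEN = 16
TAG_LEN = 32  # HMAC-SHA256 digest size


def _derive(master: bytes, label: bytes) -> bytes:
    """Derive an independent sub-key from the master key for a given purpose."""
    return hmac.new(master, label, hashlib.sha256).digest()


def _keystream(enc_key: bytes, nonce: bytes, length: int) -> bytes:
    """PRF-based keystream: HMAC(enc_key, nonce || counter) blocks, truncated to length."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hmac.new(enc_key, nonce + counter.to_bytes(8, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


class KeyCustodian:
    """Only this party holds key material; the hosting provider never sees it."""

    def __init__(self, master_key=None):
        self._master = master_key or os.urandom(32)
        self._enc_key = _derive(self._master, b"enc")
        self._mac_key = _derive(self._master, b"mac")

    def encrypt(self, plaintext: bytes) -> bytes:
        nonce = os.urandom(NONCE_LEN)
        ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(self._enc_key, nonce, len(plaintext))))
        tag = hmac.new(self._mac_key, nonce + ct, hashlib.sha256).digest()  # encrypt-then-MAC
        return nonce + ct + tag

    def decrypt(self, blob: bytes) -> bytes:
        nonce, ct, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
        expected = hmac.new(self._mac_key, nonce + ct, hashlib.sha256).digest()
        if not hmac.compare_digest(tag, expected):
            raise ValueError("ciphertext failed integrity check")
        return bytes(c ^ k for c, k in zip(ct, _keystream(self._enc_key, nonce, len(ct))))


class HostingProvider:
    """Stores blobs by record id. It can disclose or delete what it holds, nothing more."""

    def __init__(self):
        self._store = {}

    def put(self, record_id: str, blob: bytes) -> None:
        self._store[record_id] = blob

    def get(self, record_id: str) -> bytes:
        return self._store[record_id]

    def delete(self, record_id: str) -> bool:
        """Retention limit / user-initiated deletion: remove the record entirely."""
        return self._store.pop(record_id, None) is not None

    def disclosable(self, record_id: str) -> bytes:
        """Everything the provider itself could produce for a record: the stored blob."""
        return self._store.get(record_id, b"")


def demo() -> dict:
    """Walk through the safeguard and report what each party can see."""
    custodian = KeyCustodian()
    provider = HostingProvider()
    record = b'{"name": "A. Example", "appointment": "2021-03-15T10:00"}'  # constructed sample
    provider.put("appt-1", custodian.encrypt(record))

    disclosed = provider.disclosable("appt-1")
    provider_sees_plaintext = record in disclosed or b"Example" in disclosed
    roundtrip_ok = custodian.decrypt(provider.get("appt-1")) == record
    deleted = provider.delete("appt-1")
    return {
        "provider_sees_plaintext": provider_sees_plaintext,
        "roundtrip_ok": roundtrip_ok,
        "deleted": deleted,
        "still_stored": provider.disclosable("appt-1") != b"",
    }


if __name__ == "__main__":
    print(demo())
```

The design choice worth noting is that `HostingProvider` has no method that takes a key: the trust boundary is enforced by the interface, not by policy. A provider can comply fully with a production order and still only surrender ciphertext, which is exactly the position the court credited. Deletion is likewise a provider operation that needs no key, which is why retention limits remain effective even though the provider cannot read the data.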

This case leaves a big gap on the question of supplementary measures for instances where the processor does more than just store the data locally. As we await negotiations between the US and the EU on an update to the Privacy Shield, invalidated as a transfer mechanism in Schrems II, SCCs, BCRs and Article 49 derogations are being used to solve business and legal challenges. In this new regulatory environment, a little creativity is necessary.

Wrangu will continue to monitor the situation and help you and your organisation stay on top of new privacy regulations.
