Beyond Schrems II: A recent French decision considers data transfer rules where personal data is hosted by a subsidiary of a US company in the EU
Request for order suspending transfer of vaccine appointment data to AWS subsidiary in EU
Several applicants (including doctors’ organisations and a human rights group) recently challenged the storage of vaccine appointment data on a platform hosted in France and Germany by AWS Sarl (based in Luxembourg), which is a subsidiary of Amazon Web Services Inc. (based in the US). They sought an urgent order to suspend the transfer of data from Doctolib (a French company contracted by the French government to provide a platform for vaccine appointments) to AWS Sarl.
The applicants argued:
- there was a possibility that data (which they argued was health data) would be transferred to the US without sufficient safeguards;
- even if there was no possibility of the data being transferred to the US that there was still a risk of the data being accessed by the US authorities, who have the power to request data from US companies; and
- in either case, this possibility or risk made the hosting agreement between Doctolib and AWS Sarl incompatible with the GDPR.
For context, this challenge follows the Schrems II decision of the Court of Justice of the European Union which invalidated the EU-US Data Privacy Shield and emphasised the requirement for data exporters to verify on a case-by-case basis that personal data being transferred subject to standard contractual clauses will be subject to an “essentially equivalent” level of protection in the destination third country in line with the requirements of the GDPR. This decision is discussed in a previous briefing here.
French court does not uphold challenge and finds sufficient safeguards are in place
The decision by the highest administrative court in France did not uphold the challenge. It found:
- no transfer to the US – that under the contractual arrangement there was no possibility that vaccine appointment data (which it found was not health data) would be transferred by AWS Sarl to the US;
- risk of access by US authorities – nevertheless, there still was a risk that data could be subject to access from the US through requests made under the much discussed US surveillance laws, Article 702 of the Foreign Intelligence Surveillance Act or Executive Order 12333;
- appropriate safeguards in place – but appropriate technical and organisational measures were in place to ensure that the personal data was provided with GDPR equivalent protection.
The court found that the following safeguards and mitigating factors ensured that the transfers were GDPR compatible:
- contractual commitment to challenge legal requests – the contract between Doctolib and AWS Sarl contained a precise procedure requiring AWS Sarl to challenge any general access request from a US public authority;
- encryption – the data hosted by AWS Sarl was not accessible by AWS Sarl or any third party since it was encrypted and the key was held by a trusted third party in France at the direction of the data controller, Doctolib;
- short retention period – the data was deleted three months after the vaccination appointment and data subjects had the ability to delete their personal data directly at an earlier date if they wished.
- Consider widening the scope of transfer risk assessments to include transfers to EU or adequate countries – This decision suggests EU data controllers must not only undertake a transfer risk assessment for data flows from the EU to outside the EU but also transfers within the EU where there is a risk that, higher up the corporate chain of an organisation, there may be governmental access through a non-EU parent company.
- Contractual provisions and encryption are strong safeguards – This decision provides a helpful use case for what measures are considered sufficient safeguards to ensure essentially equivalent protection under the GDPR. Organisations may wish to consider including specific procedures for challenging legal requests in all data processing agreements as opposed to only data transfer agreements (similar provisions are contained in the most recent draft of the standard contractual clauses available here). We discuss the European Data Protection Board’s draft recommendations on supplementary measures to ensure an “essentially equivalent” level of protection to that afforded to personal data by the GDPR here.
- Transfer of non-encrypted data must be examined closely – This case may have been decided differently if the data was not encrypted (the European Data Protection Board refers to non-encrypted data as ‘data in the clear’). For example, a recent decision of the Bavarian Data Protection Authority declared the use of US-based marketing platform Mailchimp by a fashion magazine to send newsletters to customers to be incompatible with the GDPR in light of the ruling in Schrems II. The fashion magazine relied on the European Commission’s standard contractual clauses to transfer email addresses to Mailchimp in the US but had failed to assess whether any supplementary measures were required to protect the data from being accessed by US authorities.