On March 12, 2021, the Conseil d’Etat — France's highest administrative court — ruled that personal data on a platform used to book COVID-19 vaccinations, managed by Doctolib and hosted by Amazon Web Services, was sufficiently protected under the EU General Data Protection Regulation because sufficient safeguards, both legal and technical, were put in place in case of an access request from U.S. authorities. The judge thus rejected a claim filed by professional associations and unions that asked for the suspension of the service because Doctolib referred to AWS for hosting the platform. The plaintiffs unsuccessfully argued that because the processor was a company bound by U.S. law, the risk of access by U.S. authorities was incompatible with the GDPR under the "Schrems II" decision by the Court of Justice of the European Union.

The facts of the case

Users who search online where to get vaccinated in France against COVID-19 can find a list of vaccination centers and make appointments directly online through the Doctolib platform. This stems from a partnership signed Jan. 11, 2021, between the France's Ministry of Social Affairs and Health and different providers, including Doctolib, a leading e-health service company in Europe. Doctolib was, therefore, entrusted within the framework of the vaccination campaign with the management of online vaccination appointments. For the purposes of hosting the data, Doctolib referred to AWS Sarl, based in Luxemburg, which is a subsidiary of Amazon Web Services in the U.S.

By summary proceedings, several health professional associations and unions, including the Federation of Doctors of France, National Union of Healthcare Workers, and League for Human Rights, asked the Conseil d’Etat to order the suspension of the partnership concluded between the Ministry of Social Affairs and Health and Doctolib, as well as order the Ministry of Social Affairs and Health to use another solution for the management of its vaccination campaign.

The plaintiffs claimed:

  • This was a matter of urgency, in view of the particularly sensitive nature of the data involved and the breach of the fundamental right to data protection, because data was hosted by a subsidiary of a U.S. company, i.e., Amazon Web Services, submitted to U.S. law and its extraterritorial effects, which therefore allowed for access by U.S. authorities.
  • The hosting of health data by a company bound by U.S. law was incompatible with the GDPR under "Schrems II" and violated the provisions of the GDPR, due on the one hand, to the possibility of a transfer to the U.S. of the data collected by Doctolib through its processor, and on the other hand, even in the absence of data transfer, to the risk of access requests by U.S. authorities to the processor, AWS. 

What the court said:

  • No transfer of data but nevertheless a risk of access by U.S. authorities because the EU-based processor is a subsidiary of a U.S. company.

The court noted for the purposes of hosting its data, Doctolib uses the services of the Luxemburg company AWS Sarl, the data is hosted in data centers located in France and in Germany, and the contract concluded between Doctolib and AWS Sarl does not provide for the transfer of data to the U.S. However, because it is a subsidiary of a company under U.S. law, the court considered AWS Sarl in Luxemburg may be subject to access requests by U.S. authorities in the framework of U.S. monitoring programs based on Article 702 of the Foreign Intelligence Surveillance Act or Executive Order 12333. 

The Conseil d’Etat, therefore, considered that in application of the "Schrems II" decision, it was necessary to check the level of protection provided for the processing of personal data, taking into account both the legal guarantees, i.e., the provisions of the contract signed between Doctolib and AWS Sarl in Luxemburg, and the technical safeguards, in consideration of the nature of the data involved. 

In this case, the Conseil d’Etat considered that the level of protection offered was not insufficient due to the many safeguards in place, which are the following.

  • Legal safeguards: The judge noted the contract concluded between Doctolib and AWS Sarl provides for a specific procedure in the event of an access request by a foreign authority; notably, AWS Sarl guarantees in its contract with Doctolib that it will challenge any general access request from a public authority.   
  • Technical safeguards: The judge also noted technically the data hosted by AWS Sarl is encrypted and the key is held by a trusted third party in France, not by AWS, to prevent data from being read by third parties.
  • Other guarantees taken:
    • No health data: The court also took into account that contrary to what was alleged by the plaintiffs, data transmitted to Doctolib within the framework of the vaccination campaign does not concern information on the reason why the person is eligible in priority for vaccination because of a specific pathology. The data hosted relates only to the identification of individuals for the purpose of making appointments.
    • Data is deleted after three months: Moreover, the court noted data is deleted at the latest after a period of three months from the date of the vaccination appointment meeting and individuals are also offered the possibility to delete their data directly online if they wish.

Under these conditions, the court ruled the level of protection of the data at stake is not manifestly insufficient with regard to the risk referred to by the plaintiffs and, therefore, rejected their request, thus refusing to stop the use of the platform. 

What does it bring to the debate on 'Schrems II'?

The case brings interesting developments to the "Schrems II" debate: 

It goes beyond "Schrems II" and, therefore, has huge implications for many companies: Unlike in the Facebook case that led to the CJEU decision on "Schrems II," what was at stake here was not the transfer of data to the U.S., but the fact that the processor in the EU is a subsidiary of a U.S. company. The ruling is based on "Schrems II" even though the data is held in France and Germany by a company established in Luxemburg. The Conseil d’Etat's decision was based on the fact that because AWS Sarl in Luxemburg is affiliated to AWS in the U.S., it is, therefore, submitted to U.S. law, and thus there is a risk of access to personal data in case there is a request by U.S. authorities. The court checked that sufficient safeguards, both legal and technical, were in place to prevent such access by authorities in the U.S., a country without sufficient protection under the "Schrems II" ruling. 

The ruling underlines the need to provide for supplementary legal safeguards: The court took into account the contract between Doctolib and AWS provides AWS will challenge requests for access by a public authority. It must be noted the new draft standard contractual clauses published by the European Commission contain similar provisions, but in view of the risks, it is recommended companies should anticipate the new SCCs by concluding a specific addendum providing for this type of legal guarantee. It is also recommended to do so even in case there is no transfer of personal data outside of the EU, but where data is entrusted to a processor that is a subsidiary of a non-EU company. 

There was a strict assessment of the technical guarantees offered: As already underlined, the difficulty of complying with "Schrems II" as interpreted by the European Data Protection Board’s guidelines results from the effectiveness of technical measures, such as encryption and pseudonymization, depends on the processor not having access to the re-identification key where the key is also susceptible to public authority access. This leaves a big gap for the many cases when the processor needs the data in clear. In this case, there are important technical measures in place since data is encrypted and, furthermore, the encryption key is entrusted to a third party in France.

Photo by Steven Cornfield on Unsplash