Major impact for everyone in EU/non-EU partnerships.
After the Schrems II judgement, privacy pros around the world were at a loss as to what to do. Now, a judgement by the Conseil d’Etat — France's highest administrative court — seems to have shed some light on the situation.
What was the situation?
With the ECJ invalidating the EU-US Privacy Shield, and the extensive hurdles for using its most obvious alternative, Standard Contractual Clauses (SCC), a lot of EU-US data transfers were deemed non-compliant overnight. Solutions emerged, but a lot of work still had to be done in a short amount of time by privacy teams across the world.
The subsequent clarifications by the EDPB on how to ensure compliance with the EU level of protection of personal data during international transfers remained somewhat vague and restrictive. Working with non-EU organisations could imply a lot of work, an inherent risk, or both.
Now, the Conseil d’Etat has put forward a ruling that, if left standing, will have major effects on everyone working with such non-EU parties, because it is the first time an authority has given an indication of what compliance with Schrems II could look like in practice.
What is the judgement?
In France, citizens can use a platform run by Doctolib to search online for where to get vaccinated and to make an appointment. AWS Sarl (based in Luxembourg, a subsidiary of Amazon Web Services U.S.) hosts the platform and acts as the data processor.
Sparking discussions in France, the Court ruled on March 12, 2021 that personal data on the platform used to book COVID-19 vaccinations was sufficiently protected under the EU General Data Protection Regulation, because sufficient safeguards were in place in case of an access request from U.S. authorities. With this judgment, companies finally have some inkling as to how to safeguard business cooperation with non-EU parties in practice.
What’s the impact?
As always, it remains to be seen whether a general rule can be distilled from the ruling. However, organisations that use AWS, or whose assets rely on the service, can be more certain than others that the facts of the case are similar to their own. AWS Sarl is a subsidiary of an American company, meaning that if your organisation is a subsidiary of a U.S. company, or uses assets provided by such subsidiaries (e.g. Microsoft, Google), the case might have a significant impact on you.
What were the safeguards?
The court ruled that there was no transfer of data but nevertheless a risk of access by U.S. authorities (via Article 702 of the Foreign Intelligence Surveillance Act or Executive Order 12333) because the EU-based processor is a subsidiary of a U.S. company.
This was mitigated by the following safeguards:
- Legal safeguards: the contract provides for a specific procedure in the event of an access request by a foreign authority. AWS Sarl guarantees in its contract with Doctolib that it will challenge any general access request from a public authority.
- Technical safeguards: the data hosted by AWS Sarl is encrypted, and the key is held by a trusted third party in France, not by AWS, to prevent the data from being read by third parties. This might be hard to do when the processor itself needs to work with the personal data.
- No health data: the data transmitted to Doctolib for the vaccination campaign does not include the reason why a person is eligible for priority vaccination because of a specific pathology. It only concerned identification data.
- Short data retention period: data is deleted at the latest three months after the date of the vaccination appointment.
- Right of deletion: individuals can delete their data directly online.
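The technical safeguard above (data encrypted at the host, key held by a separate party) is usually built as envelope encryption: each record is encrypted under its own data-encryption key (DEK), and the DEK is wrapped by a key-encryption key (KEK) that only the trusted third party holds. The processor stores only ciphertext plus the wrapped DEK, so neither its own staff nor a party compelling it can read the data without the key holder's cooperation. The example below is an added illustration written for this post; it is not Doctolib's or AWS's code, and the `KeyHolder`, `Record`, `Encrypt` and `Decrypt` names, the AES-256-GCM choice and the sample appointment string are all assumptions made here to show the separation of roles.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// KeyHolder models the trusted third party (hypothetical name) that keeps
// the key-encryption key. The hosting provider never receives this key.
type KeyHolder struct {
	kek []byte
}

// NewKeyHolder generates a fresh 256-bit KEK held only by the key holder.
func NewKeyHolder() (*KeyHolder, error) {
	kek := make([]byte, 32)
	if _, err := rand.Read(kek); err != nil {
		return nil, err
	}
	return &KeyHolder{kek: kek}, nil
}

// Wrap encrypts a data-encryption key under the KEK.
func (k *KeyHolder) Wrap(dek []byte) ([]byte, error) { return seal(k.kek, dek) }

// Unwrap recovers a data-encryption key from its wrapped form.
func (k *KeyHolder) Unwrap(wrapped []byte) ([]byte, error) { return open(k.kek, wrapped) }

// Record is everything the hosting provider stores: the ciphertext and the
// wrapped DEK. Nothing in it decrypts without the key holder.
type Record struct {
	Ciphertext []byte
	WrappedDEK []byte
}

// Encrypt generates a per-record DEK, seals the plaintext with it, has the
// key holder wrap the DEK, and returns the record the host may store.
func Encrypt(kh *KeyHolder, plaintext []byte) (Record, error) {
	dek := make([]byte, 32)
	if _, err := rand.Read(dek); err != nil {
		return Record{}, err
	}
	ct, err := seal(dek, plaintext)
	if err != nil {
		return Record{}, err
	}
	wrapped, err := kh.Wrap(dek)
	if err != nil {
		return Record{}, err
	}
	return Record{Ciphertext: ct, WrappedDEK: wrapped}, nil
}

// Decrypt needs the key holder to unwrap the DEK first; the host alone
// cannot perform this step.
func Decrypt(kh *KeyHolder, r Record) ([]byte, error) {
	dek, err := kh.Unwrap(r.WrappedDEK)
	if err != nil {
		return nil, err
	}
	return open(dek, r.Ciphertext)
}

// seal encrypts with AES-256-GCM and prepends the random nonce to the output.
func seal(key, plaintext []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, nil), nil
}

// open reverses seal; authentication failure (wrong key, tampering) is an error.
func open(key, data []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	if len(data) < gcm.NonceSize() {
		return nil, errors.New("ciphertext too short")
	}
	return gcm.Open(nil, data[:gcm.NonceSize()], data[gcm.NonceSize():], nil)
}

func main() {
	kh, _ := NewKeyHolder()
	rec, _ := Encrypt(kh, []byte("constructed sample: appointment 2021-03-12")) // constructed input
	pt, _ := Decrypt(kh, rec)
	_, hostErr := open(rec.WrappedDEK, rec.Ciphertext) // host has no usable key
	fmt.Printf("recovered via key holder: %q\nhost-only attempt failed: %v\n", pt, hostErr != nil)
}
```

The point for an assessment is the second check in `main`: everything the processor holds is the `Record`, and the wrapped DEK is not a usable key, so a disclosure order served on the processor yields only ciphertext. The safeguard only holds if the unwrap step really runs outside the processor's control, which is the operational constraint the post flags for processors that must handle the data themselves.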
What can we learn from the judgement?
If we take the judgement as is, the safeguards mentioned give us a strong indication of what compliant collaboration with our non-European partners could look like.
Leaving aside situations where processing concerns health or other sensitive data, there is still a broad range of processing activities that could use the safeguards Doctolib adopted. Clauses that restrict the disclosure of personal data to authorities can be put in place within a relatively short timeframe. Encryption combined with key custody by a local third party might not be possible, or acceptable, for everyone, however.