French GDPR ruling addresses US surveillance powers

The court confirmed that personal data processing operations subject to the US surveillance framework can comply with the General Data Protection Regulation (GDPR) in a case in which it was asked to consider a legal challenge concerning the data hosting arrangements relating to the French vaccination programme for Covid-19.

The ruling is an important follow-up to the judgment provided by the Court of Justice of the European Union (CJEU) in the 'Schrems II' case in 2020, said data protection law experts Annabelle Richard and Andre Walter of Pinsent Masons, the law firm behind Out-Law.

To facilitate the organisation of its country’s vaccination scheme, and ease citizens’ access to vaccination appointments, the French government partnered with online platform Doctolib in January this year. Doctolib is an appointment-scheduling platform which links up patients with health professionals for a range of consultations and operations. The company hosts user data pertaining to Covid-19 vaccination appointments on the French and German servers of AWS Sarl, a Luxemburg-based subsidiary of US cloud computing provider Amazon Web Services.

A group of 13 health syndicates and associations claimed that the use of AWS’s services was problematic for the data security of French patients. They pointed to the fact that Amazon Web Services is subject to US surveillance regulations that have extraterritorial effect, and said that this could compel AWS to hand over the patient data belonging to Doctolib to US authorities upon their request.

The group contested the partnership between Doctolib and the French state before the Conseil d’Etat, which is France’s highest administrative court, querying whether the arrangements were in line with the GDPR. The court has now ruled that they were.

"The recent Conseil d’Etat decision seems to provide reassurance to data controllers that make use of EU-based data processors, subject to the extraterritorial reach of US surveillance agencies," said Paris-based Richard of Pinsent Masons.

"The court ruled that, in the case at hand, certain additional technical and legal safeguards taken by these data controllers may be sufficient to comply with the GDPR – in particular through an agreement to contest US authorities’ access requests and the use of a trusted third party to secure data encryption," she said.

Amsterdam-based Walter, also of Pinsent Masons, said: "It is possible that other courts around Europe will follow the Conseil d’Etat's decision in other cases, and further expand on the case law established by the CJEU in the Schrems II case. This would establish a cohesive understanding of supplementary measures requirements and enforcement for internal data transfer. In the meantime, data controllers contracting EU data processors subject to extraterritorial reach of non-EEA public agencies are strongly advised to review what types of data they process."

"As part of that process, they should assess which supplementary technical safeguards should be implemented and what legal controls should be added to their contractual data transfer agreements. This assessment should be documented in order to comply with the GDPR accountability principle," he said.

In the Schrems II case, the CJEU was asked to assess the validity of the EU-US Privacy Shield, a framework established by the EU and US to facilitate the trans-Atlantic transfer of personal data between the jurisdictions. The Privacy Shield was endorsed by the European Commission in an 'adequacy decision', which acknowledged that the US legal framework provided data protection essentially equivalent to EU standards.

In considering the case, the CJEU had to evaluate the impact of the US surveillance framework, and notably Article 702 of the Foreign Intelligence Surveillance Act (FISA) according to which the United States Foreign Intelligence Surveillance Court (FISC) may authorise warrantless electronic surveillance targeting groups of foreign citizens, on the grounds of an executive order that bolsters the powers of US intelligence agencies and permits "collection, retention and dissemination" of a range of information, including "information obtained in the course of lawful foreign intelligence". The CJEU determined that the decision endorsing the Privacy Shield was invalid because of the extent of encroachment of those US surveillance powers on EU data protection standards.

The CJEU also ruled on the validity of two other legal mechanisms used to facilitate the transfer of personal data outside of the EU – standard contractual clauses (SCCs) and binding corporate rules – in its Schrems II judgment.

On SCCs, which are the most popular mechanism for providing data protection law-compliant safeguarding around data transfers from the EU, the court deemed that the use of the clauses on their own may not be sufficient to guarantee equivalence in data protection. For EU-US data transfers and for transfers to other jurisdictions with known invasive surveillance regimes, further countervailing safeguards need to be put in place to ensure a necessary level of protection.

The European Data Protection Board has subsequently issued recommendations in relation to the supplementary measures organisations can apply to ensure compliance in relation to data transfers. In addition, the European Commission opened a consultation on draft new SCCs.

In the case before the Conseil d’Etat, Doctolib, supported by the French health minister, successfully demonstrated that the partnership provided guarantees in respect of the rights of data subjects and data protection.

The court observed that the data concerned is limited to identification and appointment data, which Doctolib retains for three months before erasure. It also took account of the fact that AWS has contractually agreed to contest access requests from a country’s authorities when these requests do not comply with EU data protection law, and further acknowledged that Doctolib secures its data using a trusted third-party based in France which prevents other third parties from accessing their data, by means of encryption.

Given those factors, the Conseil d’Etat ruled that the data protection level provided for in the arrangements between the French state and Doctolib were not obviously inadequate in respect of the risks at stake.