French court ruling provides further guidance as to the application of “Schrems II”, as data hosted by a subsidiary of a US company is found to be protected.
France’s highest administrative court ruled earlier this month that hosting a booking platform for COVID-19 vaccinations on Amazon Web Services (AWS) was indeed sufficiently protected under the EU GDPR. Initially there was some question as to whether using AWS as a hosting platform was compatible with the GDPR under the “Schrems II” ruling, because the processor was a company bound by US law. The final ruling rests on the court’s finding that sufficient legal and technical safeguards are in place should US authorities ever request access to the data. This provides welcome context and has significant implications for many companies, underscoring the need for supplementary legal safeguards when data is entrusted to a subsidiary of a non-EU company.
Health data hosted by a company bound by US law, while a cause of concern for many, was found to be sufficiently protected under the GDPR.
The plaintiffs in this case worried that the hosting of health data by a company bound by US law presented various risks, including not only the transfer of data to the US, but also US authorities being granted access to that data on request to the processor. Given the level of perceived risk, the plaintiffs treated this as a sensitive and urgent matter. However, what had been thought to be a violation of the GDPR under “Schrems II” turned out, on closer examination, to be sufficiently protected under the GDPR, thanks to the several legal and technical safeguards put in place by the defendant, Doctolib. The judge in this case rejected the claim seeking suspension of the service.
This French court ruling was the result of careful assessment of the technical and legal safeguards provided for in this agreement.
The French court ruling came after careful consideration and assessment of the legal and technical safeguards and other guarantees agreed between Doctolib and Amazon Web Services. The assessment found that the contract between the two contains distinct provisions setting out a specific procedure in the event of access requests by a foreign authority. The legal guarantee in this case is that access requests from public authorities to the processor will be challenged. The judge also noted that the data would be encrypted, with the key held by a trusted third party rather than by Amazon Web Services. Furthermore, it was found that the data transmitted to Doctolib through the vaccination campaign contained no sensitive health data specifying, for example, that a user is a priority candidate for vaccination because of a particular pre-existing condition. As an additional measure, any data entered by users to identify themselves when scheduling a vaccination appointment is deleted within three months of the appointment at the latest.
“The ruling signals that there is room for the rule of reason in the application of Schrems II, and should generally be seen as good news for the online industry,” comments Dr Bostjan Makarovic, Aphaia’s Managing Partner.
“It is paramount that companies carry out an assessment covering their data flows, the countries involved and the safeguards that should be applied based on the risk identified, what is known as ‘Data Transfer Impact Assessment’”, states Cristina Contero Almagro, Aphaia’s Partner.
This ruling highlights the need for legal and technical safeguards, which are recommended even when data is not being transferred outside the EU.
A key part of complying with “Schrems II” rests on technical measures such as pseudonymisation and encryption, and on ensuring that the processor has no way of accessing the re-identification key, particularly where that key could otherwise be accessed by a public authority. Legal safeguards, like those adopted by Doctolib, are also essential. While the new draft standard contractual clauses recently published by the European Commission do make similar provisions, it is recommended that, in anticipation of these new SCCs, companies provide for this type of guarantee in a specific addendum, even in cases where no data is transferred outside the EU.
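As an added illustration of the separation of roles described above (constructed example, not code from the ruling, Doctolib or AWS), the Python below keeps the pseudonymisation key with a trusted third party, lets the hosting processor store only pseudonyms and appointment dates, and purges records after an assumed 90-day reading of “three months”; the class names, identifiers and dates are all assumptions.

```python
import hashlib
import hmac
import secrets
from datetime import date, timedelta


class KeyHolder:
    """Trusted third party: the only role that ever holds the re-identification key."""

    def __init__(self):
        self._key = secrets.token_bytes(32)  # constructed key, never shared

    def pseudonymise(self, identifier):
        # Keyed HMAC rather than a bare hash: without the key, hashing guessed
        # identifiers does not reproduce the pseudonym.
        return hmac.new(self._key, identifier.encode(), hashlib.sha256).hexdigest()

    def re_identify(self, pseudonym, known_identifiers):
        # Re-identification needs both the key and the controller's identity list.
        for ident in known_identifiers:
            if hmac.compare_digest(self.pseudonymise(ident), pseudonym):
                return ident
        return None


class HostingProcessor:
    """Hosting role (the processor's position): stores pseudonyms and dates only."""

    RETENTION = timedelta(days=90)  # assumed reading of "within three months"

    def __init__(self):
        self.records = {}  # pseudonym -> appointment date

    def store(self, pseudonym, appointment_iso):
        self.records[pseudonym] = date.fromisoformat(appointment_iso)

    def guess_identity(self, pseudonym, guess):
        # What a key-less processor could try: an unkeyed hash of a guessed
        # identifier. It never matches a keyed pseudonym.
        return hashlib.sha256(guess.encode()).hexdigest() == pseudonym

    def purge_expired(self, today_iso):
        # Delete every record older than the retention period; return the count.
        today = date.fromisoformat(today_iso)
        expired = [p for p, d in self.records.items() if today - d > self.RETENTION]
        for p in expired:
            del self.records[p]
        return len(expired)
```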
Do you make international data transfers to third countries? We can help you. Aphaia provides both GDPR and Data Protection Act 2018 consultancy services, including data protection impact assessments, transfer impact assessments and Data Protection Officer outsourcing. Contact us today.