French Administrative Supreme Court rejects the suspension of the platform established in partnership between the French State and Doctolib and hosted by Amazon
In an order dated March 12, 2021, the Conseil d’Etat (French Administrative Supreme Court) refused to suspend the partnership between the French State and Doctolib in the context of the COVID-19 vaccination campaign.
The plaintiffs had requested this suspension in summary proceedings, arguing that the safeguards provided by Amazon Web Services (AWS) for data hosting were insufficient.
As part of the COVID-19 vaccination campaign, the French Government has entrusted the management of online vaccination appointments to various service providers, including the company Doctolib.
Doctolib is a French company that offers online consultation management services for health professionals and an online appointment booking service for patients. For the purposes of hosting its data, it uses the services of a Luxembourg-based company, AWS Sarl, a subsidiary of the American company AWS Inc.
The plaintiffs asked the Summary Judge of the Conseil d’Etat, ruling on the basis of Article L. 521-2 of the French Code of Administrative Justice[1], to suspend the French State’s partnership with Doctolib on the grounds that it relies on the hosting of health data with an American company, thereby making it incompatible with Regulation (EU) 2016/679 of April 27, 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, known as the General Data Protection Regulation (GDPR).
Under the GDPR, data controllers and processors may transfer data outside the European Union (EU) and the European Economic Area (EEA) provided that a sufficient and appropriate level of data protection is ensured.
Specifically, they must manage these transfers using the various legal tools defined in Chapter V of the GDPR:
- transfers outside the EU may be based on an adequacy decision by the European Commission concerning certain countries that ensure an adequate level of protection;
- in the absence of such a decision, transfers may be based on appropriate safeguards, such as the European Commission’s standard contractual clauses (SCCs), binding corporate rule (BCRs) or specific contractual clauses.
Yet, on July 16, 2020, the Court of Justice of the European Union (CJEU) issued a landmark decision[2] concerning transfers of data between the EU and the USA in the so-called “Schrems II” case[3].
In this ruling, the CJEU invalidated the “Privacy Shield” adequacy decision adopted in 2016 by the European Commission following the invalidation of the “Safe Harbor”, which allowed the transfer of data between the EU and U.S. operators that adhered to its data protection principles without the need for any further formality.
It is in this context that the plaintiffs requested the suspension of the partnership with Doctolib, because of the risks that this situation entails with regard to the right to privacy, given the possibility of data transfers to the USA.
The Summary Judge of the Conseil d’Etat decided to rule on the issue even though (i) AWS Sarl is a company organized and operating under Luxembourg law, (ii) AWS Sarl is certified as a “health data host” pursuant to Article L. 1111-8 of the French Public Health Code, (iii) the data are hosted in data centers located in France and Germany, and (iv) the contract between Doctolib and AWS Sarl does not provide for the transfer of data to the USA for technical reasons. In his opinion, because it is a subsidiary of a company incorporated in the USA, AWS Sarl may be subject to requests for access to certain health data by US authorities, in the context of surveillance programs. This justified verifying the level of protection provided during data processing. This is a very extensive application of post-Schrems II European law.
In order to answer this question, he had to determine whether the level of protection provided during the processing of the data – taking into account, in particular, the contractual provisions agreed between Doctolib and AWS Sarl – was actually sufficient. He concluded that the “level of protection of the data when making appointments in the context of the COVID-19 vaccination campaign cannot be regarded as manifestly insufficient in light of the risk of infringement of the general data protection regulation” for the following reasons:
- Data at issue: “The controversial data include personal identification data and data relating to appointments, but no health data on the possible medical reasons for eligibility for vaccination, with data subjects merely certifying solemnly that they are eligible for priority vaccination when making an appointment, which is likely to concern adults of all ages without any particular medical reason”;
- Data retention: “These data are deleted at the latest after a period of three months from the date of the vaccination appointment, and each data subject who has created an account on the platform for the purposes of the vaccination may delete it directly online“;
- management of access requests by US authorities: Doctolib and AWS Sarl have concluded an additional addendum providing inter alia for “the challenge of any general request to access data or any request that does not comply with European regulation”;
- safety measures: Doctolib has “implemented a security system for data hosted by AWS through an encryption procedure where the key is held by a trusted third party located in France in order to prevent the reading of data by third parties”.
For all of these reasons, the Summary Judge of the Conseil d’Etat concluded that there was no “serious and manifestly unlawful interference with the right to privacy and the right to protection of personal data”.
[1] The emergency relief procedure called “référé liberté” makes it possible to ask the judge to take an urgent measure necessary to safeguard a fundamental freedom if the administrative authorities infringe such freedom in a serious and unlawful way
[2] https://curia.europa.eu/jcms/upload/docs/application/pdf/2020-07/cp200091en.pdf
[3] See our article entitled International data transfers to the USA: The Privacy Shield invalidated by the CJEU published on our Blog in August 2020