Doctolib Ruling: Does Schrems II Now Apply to Inter-EU Transfers?
French court ruling says vaccine-booking platform’s contract with Amazon is lawful. But this case isn’t as clear-cut as it seems.
I’m drawing my analysis here from the IAPP’s summary of the case.
Here’s the background
The French Conseil d’Etat looked at a data processing agreement between Doctolib, whose platform is used for booking vaccinations, and AWS Sarl, a Luxembourg-based subsidiary of Amazon Web Services.
Doctolib used AWS to process health data. The claimants asked the court to suspend transfers of personal data between Doctolib and AWS.
The case was significant, in part, because so many EU data controllers use AWS — or another U.S. subsidiary — as a data processor. The case could have invalidated a lot of data processing agreements and caused a lot of companies serious issues.
Why would the agreement with AWS have been a problem?
It all comes back to Schrems II. Because AWS Sarl is a subsidiary of Amazon, the claimants argued that the personal data in its care was at risk of interception under U.S. laws.
Even though AWS Sarl is storing the data in the EU?
Yes — U.S. surveillance laws like FISA 702 and EO 12333 affect certain U.S. companies even when operating overseas. This means that AWS Sarl might be obliged to submit personal data to U.S. intelligence services.
So Schrems II applies despite there being no third-country transfer of personal data?
In a sense, yes. Controllers always need to take appropriate safeguards when disclosing personal data to a processor — and the risk of access by intelligence services is a relevant consideration.
The Conseil d’Etat examined the data processing agreement between Doctolib and AWS Sarl to determine whether there were sufficient safeguards to protect the personal data — just as the CJEU examined the safeguards provided by Privacy Shield in Schrems II.
What did the court decide?
The Conseil d’Etat said that the data processing agreement was valid and that it would not suspend transfers between Doctolib and AWS Sarl.
Phew! So all processing agreements with AWS Sarl are safe?
No. This case has been reported in these terms, but in my view, this isn’t the right takeaway.
The court found that the transfers to AWS Sarl were valid because of the safeguards Doctolib and AWS Sarl had put in place. These included:
- AWS was contractually bound to challenge access requests by foreign authorities (NB: I’m not sure such challenges would make much difference).
- The data was encrypted and the key was held by a “trusted third-party” in France.
- There was a relatively short retention period of three months.
There are a couple of points here that might be open to challenge. The court also found that the data about vaccinations was not “health data” under the GDPR. I was surprised by this part.
Controllers should consider whether their processors and subprocessors are subject to interception under surveillance law — regardless of where their servers are actually based.
The point of the international transfer provisions is to safeguard personal data, and it’s worth thinking about any transfer or processing agreements — third-country or otherwise — in these fundamental terms.
(This, of course, is not legal advice.)