On March 12, 2021, the French Council of State (Conseil d’Etat), the highest French administrative court, handed down a ruling (ordonnance des référés) allowing Doctolib, a company in charge of booking COVID-19 vaccination appointments, to rely on a U.S.-based health data host.
In the present case, the servers of Doctolib – whose platform had been entrusted by the French government with booking COVID-19 vaccinations – were hosted by the Luxembourg subsidiary of AWS, a U.S. company. The data was stored in AWS data centers located in the European Union (specifically, in France and Germany).
The French government’s decision to use a platform hosted by the subsidiary of a U.S.-based company raised significant concerns among French associations and trade unions because of the Schrems II decision rendered by the Court of Justice of the European Union (CJEU July 16, 2020, Case C-311/18, Data Protection Commissioner v. Facebook Ireland Ltd. and Maximilian Schrems), which shed light on the risks that U.S. surveillance laws might pose to data subjects in the event of access requests by U.S. agencies.
Even the French Data Protection Authority (the CNIL) reacted radically to this decision, finding that the French health data hub, which was hosted by a U.S.-based company, would need to be entrusted to a data host not subject to U.S. law in order to avoid any interference by U.S. surveillance laws.
This shaky regulatory context has led various French associations and trade unions of the health care sector to challenge the collaboration with Doctolib, alleging that this hosting scheme would undermine the security of French patients’ health information. They filed urgent applications before the French Council of State seeking to suspend the partnership between the Ministry of Health and Doctolib.
This decision deserves careful attention, as the French Council of State provides significant clarification on what guarantees and criteria may be used to determine whether a U.S.-based company can host personal data under French regulations.
A wavering legal framework
The present decision should be read in light of precedents rendered by the courts of both France and other Member States in the wake of the Schrems II decision, which invalidated the Privacy Shield. The CJEU ruled in this decision that the mere hosting of data by a company subject to U.S. law poses risks with regard to access requests by U.S. authorities on the grounds of U.S. surveillance laws.
In France, this decision has triggered several decisions and recommendations that emphasize the risks highlighted by the CJEU.
The invalidation of the Privacy Shield, as set forth in Schrems II, has led various associations to challenge before the French Council of State the hosting scheme of the French data hub – which is hosted by a U.S.-based company – because of the risk of interference by U.S. authorities.
On this occasion, the CNIL, which had been asked by the French Council of State to provide an advisory opinion, took a firm position: recourse to a U.S.-based hosting company does not appear to be compatible with the CJEU’s decision. On the basis of the risks involved in such a hosting scheme, the CNIL therefore recommended either using a hosting company subject to EU law (the CNIL’s strongly preferred option) or providing specific guarantees.
The French Council of State moderated the CNIL’s position by refusing to suspend the operation of the French data hub. It acknowledged in its October 13, 2020, decision that interception of the data by U.S. authorities was a potential risk, which implied that it formally sought the implementation of supplemental safeguards in order to minimize that risk.
The unresolved concern was to determine what appropriate supplemental guarantees should be implemented. The Doctolib decision of March 12, 2021, provides interesting insight in that regard.
A clarification on the opportunity to use a U.S.-based cloud services provider subject to a case-by-case analysis
In its Doctolib decision, the French Council of State conducted a detailed analysis based on three aspects and safeguards enabling it to conclude that the security measures implemented by Doctolib and its U.S.-based cloud services provider were sufficient.
(i) The level of sensitivity of the hosted data and a tight data retention period
First, the French Council of State based its decision on the level of sensitivity of the data at stake, declining to classify the hosted data as health data.
The French Council of State justified its position as follows. Only data relating to the identification of individuals and the making of appointments were processed and hosted. It considered that information related to eligibility for vaccination (that is, health data) is not required to make an appointment on the platform, since data subjects were only required to certify that they are priority cases based on a list of various preexisting conditions.
In addition to the above analysis of the type of data hosted, the French Council of State considered that the applicable data retention measures strengthened the level of protection of the platform. In practice, the platform allows the automated deletion of the data three months after the date of the appointment (at the latest) and the possibility for users to delete their online account at any time.
This analysis has been criticized, as it has been seen as a way to avoid directly confronting a situation in which health data would be at stake. In that respect, whether information provided by an individual regarding preexisting conditions falls outside the definition of health data under applicable EU law is currently debatable, to say the least.
To clarify, the French Council of State has determined what additional safeguards would be appropriate.
(ii) Contractual safeguards versus surveillance laws
As a second step, the French Council of State has emphasized contractual safeguards. In concrete terms, a supplemental addendum had been concluded between Doctolib and AWS by which the parties formally committed themselves to challenge any access requests by a foreign authority.
Drafted this way, the clause was considered sufficient by the court from a contractual standpoint. In fact, the provisions are more demanding than a mere commitment by the data host not to transfer the data, to the extent that the supplemental addendum requires implementing both legal and financial means in order to oppose any access request to the data host by a foreign authority.
(iii) Technical safeguard – encryption
Finally, the technical safeguard relates to the data security mechanism chosen in the context of this data hosting. The implemented encryption mechanism, which was secured by a company located in France, was likely to prevent third parties and the data host itself from accessing the data in a readable format. Encryption has therefore been considered to be a sufficient safeguard by the French Council of State, especially regarding the “triangular scheme” implemented: the encryption key is held exclusively by a trusted third party subject to EU law.
Implications so far
The present decision confirms that using a U.S. cloud services provider can still ensure a satisfactory level of security with respect to EU requirements, and admittedly constitutes a step forward that will impact future cases despite the reluctance of the CNIL.
The first takeaway should be outlined here. There is no absolute prohibition on using a U.S. cloud services provider.
However, the reach of the present decision needs to be looked at with caution, for at least two reasons:
- First, the pressing stakes surrounding the vaccination campaign, underpinned by the crucial role that the platform plays, constitute a factor that may weigh in favour of the solution reached by the French Council of State.
- Second, the French Council of State watered down the sensitivity of the data hosted on the platform by not applying the strict definition of health data in the meaning of EU law. In that respect, specific additional safeguards may be considered in the case of health data hosting – in particular by the CNIL – in a context in which its proposal to exclude per se U.S.-based cloud providers has now been rejected twice by the French Council of State.
The present decision still provides important direction on the nature of such supplemental safeguards. French judges are particularly mindful of contractual mechanisms. Therefore, the precision and compelling force of the contractual commitments agreed upon by the data host are important factors to take into consideration when assessing the level of protection of the hosting activity.
When it comes to the practical technical safeguards deemed necessary for ensuring the confidentiality and integrity of the data hosted, so far, no precise guidelines have been issued other than those generally applicable to any kind of data. Therefore, state-of-the-art technology needs to be part of the solution.
Finally, this decision also shows a structural trend in data protection compliance in France: courts continue to review these issues in order to have their own say on applicable regulations.