Have the French solved the cloud problems?
By Eva Jarbekk
Maybe or maybe not. In any case, the recent ruling from the highest administrative court in France has attracted much attention. The case clearly shows a risk-based approach to the legality of potential access requests from third-country governments.
This kind of approach is wanted by very many, because it could make more cloud set-ups legal to use. However, it is not obviously in line with the present draft EDPB Guidelines on the transfer of personal data to third countries.
The court rejected a request for the suspension of the partnership between the Ministry of Health and a provider of online medical consultations called Doctolib. Interestingly, it was a competitor of Doctolib that filed the complaint.
They claimed that the service was not compliant with the GDPR because it used AWS Sarl, a Luxembourg affiliate of AWS Inc., as data processor.
The argument was that hosting the data in this set-up could open the door to access requests from US public authorities under US surveillance programmes. This, of course, refers to the Schrems II case, which put much weight on FISA Section 702 and Executive Order 12333.
Legal reasoning by the court
The court acknowledged a risk that the data could be accessed by US public authorities. However, it found that the actual level of protection for the personal data was sufficient. In this assessment, the court gave weight to three elements: 1) the type of data in question, 2) the implemented contractual safeguards and 3) the technological safeguards.
Importantly, the court pointed out that the agreement between Doctolib and AWS did not allow data transfers to the US for technical purposes.
The case therefore rests on the assumption that there would be no transfer of personal data, in which case the situation set out in Schrems II would not apply. This means that the reasoning of the case can hardly be applied to cloud set-ups that do transfer personal data to third countries for technical (or other) purposes.
It would have been interesting to see the actual agreement, but it has not been made public. From experience, many cloud agreements do allow transfers of data for technical or analytical purposes, so it would have been relevant to see the phrasing in the agreement.
The court, for other legal reasons, nevertheless stated that it had to examine the lawfulness of the situation where a service provider processing personal data in the EU may be met with an administrative or judicial order from US public authorities simply because it is an EU affiliate of a US company. This is a clear reference to the US CLOUD Act. In this assessment, the court gave weight both to the contractual safeguards and to the relevant US legislation.
As regards contractual safeguards, it gave weight to the fact that the agreement provided for a specific procedure for handling access requests from a foreign authority. AWS guaranteed that it would challenge such requests. But challenging a request does not necessarily mean that the request will not be carried through. The judgement does not elaborate on whether AWS was able to guarantee that it could avoid such access.
As regards technical safeguards, it gave weight to the fact that the data was encrypted and that the key was held by a trusted third party in France (not AWS). It would have been useful if the court had clarified what sort of encryption this was.
Interestingly, the court also gave weight to the type of personal data that was processed. It concluded that the data was not health data (it was identification data and information on Covid-19 vaccination appointments, but no information on the reason why an individual was prioritised for vaccination). It is not stated clearly, but the judgement gives the impression that the pressing situation of Covid-19 vaccination may have played a role in the assessment as well.
It also gave weight to the fact that the data was deleted after three months and that individuals could delete the data directly if they wanted to.
What is the impact of the judgement?
The result of the judgement may be surprising to many, as it is not clearly in line with how the data protection authorities have expressed themselves on third-country transfers after Schrems II.
It would also have been clarifying if the decision had been more detailed on the wording of the agreement and on what kind of encryption was put in place.
The revised guidelines on third-country transfers from the EDPB are said to be published before summer 2021. If they choose a more risk-based approach, the elements in this judgement will most likely be relevant. One will then have to assess the sensitivity of the data involved, as well as the contractual obligations to contest access requests and the encryption options. Not many boring moments in privacy, these days.