Aftermath Of Schrems II Decision In France: The French Council Of State Provides Significant Clarification On The U.S. Based Data Host To Provide Services In The French Health Care Sector

Published date: 31 March 2021
Subject Matter: Food, Drugs, Healthcare, Life Sciences, Privacy, Data Protection
Law Firm: Reed Smith (Worldwide)
Author: Mr Daniel Kadar, Stéphanie Abdesselam and Laetitia Gaillard

On March 12, 2021, the French Council of State (Conseil d'Etat), the highest French administrative court, handed down a ruling (ordonnance des référés) allowing Doctolib, a company in charge of booking COVID-19 vaccination appointments, to rely on a U.S.-based health data host.

In the present case, the servers of Doctolib, whose platform had been entrusted by the French government with booking COVID-19 vaccinations, were hosted by the Luxembourg subsidiary of AWS, a U.S. company. The AWS data was stored in data centers located in the European Union (specifically, in France and Germany).

The French government's decision to use a platform hosted by the subsidiary of a U.S.-based company raised significant concerns among French associations and trade unions because of the Schrems II decision rendered by the Court of Justice of the European Union (CJEU July 16, 2020, Case C-311/18, Data Protection Commissioner v. Facebook Ireland Ltd. and Maximilian Schrems), which shed light on the risks that U.S. surveillance laws might pose to data subjects in the event of access requests by U.S. agencies.

Even the French Data Protection Authority (the CNIL) reacted radically to this decision, finding that the French health data hub, which was hosted by a U.S.-based company, would need to be entrusted to a data host not subject to U.S. law in order to avoid any interference by U.S. surveillance laws.

This shaky regulatory context has led various French associations and trade unions of the health care sector to challenge the collaboration with Doctolib, alleging that this hosting scheme would undermine the security of French patients' health information. They filed urgent applications before the French Council of State seeking to suspend the partnership between the Ministry of Health and Doctolib.

This decision deserves careful attention, as the French Council of State provides significant clarification on what guarantees and criteria may be used to determine whether a U.S.-based company can host personal data under French regulations.

A wavering legal framework

The present decision should be read in light of precedents rendered by the courts of both France and other Member States in the wake of the Schrems II decision, which invalidated the Privacy Shield. The CJEU ruled in this decision that the mere hosting of data by a company subject to U.S. law poses risks with regard to access requests by U.S. authorities on the grounds of U.S...
