CE - 450163

From GDPRhub
CE - 450163
Courts logo1.png
Court: CE (France)
Jurisdiction: France
Relevant Law: Article 28 GDPR
Article 44 GDPR
Article 45(3) GDPR
Article 46(1) GDPR
Article 46(1) GDPR
Article 46(2)(c) GDPR
Article 52 CFR
Article L1111-8 Code de la santé publique
Decided: 12.03.2021
Published:
Parties: Marie CITRINI in her capacity as user representative on the AP-HP Supervisory Board, Actions Traitements, Actup santé sud ouest, Association Constances, Fédération SUD Santé Sociaux
National Case Number/Name: 450163
European Case Law Identifier: ECLI:FR:CEORD:2021:450163.20210312
Appeal from:
Appeal to:
Original Language(s): French
Original Source: Legifrance (in French)
Initial Contributor: n/a

The applicants asked the French Conseil d'État for an interim measure to stop the processing of COVID-19 vaccination appointment management data through the online platform Doctolib, using Amazon Web Services. The Conseil d'État rejected the application.

English Summary[edit | edit source]

Facts[edit | edit source]

In the emergency context of COVID-19 vaccination, the Ministry of Solidarity and Health entrusted the management of vaccine appointments on the Internet to various service providers, including the company Doctolib. Several associations including Interhop asked the interim relief judge to suspend the partnership with the Doctolib company insofar as the data collected was stored on an American company (Amazon Web Services or AWS), transfering data outside the EU non compliant with the GDPR.

Dispute[edit | edit source]

  • Does Doctolib provide an adequate level of data protection when using Amazon Web Services ?
  • Has the state sufficiently fulfilled its duty of care for the health data of the data subjects?

Holding[edit | edit source]

It was held that no health data was provided other than certifying being eligible for priority vaccination. Additionally, it was considered by the Court the fact that Doctolib using the hosting services of AWS Luxembourg, whose data centres are based in France and in Germany.

Considering the existence of legal safeguards, an addendum to AWS Ireland contract that no data would be transferred to the US and requests of access would be denied, and a technical safeguards entailing encryption of the data with a key held by a trusted third party in France, so that AWS does not have access to the data and the data being deleted after three months or at any time at the request of individuals, the Court considered that the level of protection in this context could not be regarded as manifestly inadequate.

The Court therefore considered that in this specific context, data are not being transferred to the US.

The application is therefore rejected by the Conseil d'État.

Comment[edit | edit source]

In principle, data is considered transferred outside the EU as long as the foreign organisation is subject to request to access by a foreign government, regardless of the localisation of the data servers. Since Schrems-II ECJ decision and in view of Snowden revelations on FISA Section 702, EO 12333 and long arm of the US government, transfer of data to the US is prohibited unless supplementary measures have been taken to ensure a level of protection equivalent to the GDPR. The use of US electronic communication organisations is therefore subject to careful consideration. Encryption of data with key in secure hands and agreement assuring data would not be disclosed are required to enforce the rights of data subjects.

Further Resources[edit | edit source]

English Machine Translation of the Decision[edit | edit source]

The decision below is a machine translation of the French original. Please refer to the French original for more details.

COUNCIL OF STATE
adjudicating on the dispute
N° 450163
__________
ASSOCIATION INTERHOP and others
__________
Order of 12 March 2021
FRENCH REPUBLIC
IN THE NAME OF THE FRENCH PEOPLE
THE INTERIM RELIEF JUDGE


Having regard to the following procedure:

By a petition, two supplementary briefs, a reply brief and a new brief, registered on 26 and 27 February, and on 1, 5 and 7 March 2021 at the Secretariat of the Litigation Division of the Council of State, the InterHop association, the Constances association, the Actions Traitement, the Actupiennes association, the Actup santé sud ouest association, the syndicat de la Médecine générale (SMG), the Union française pour une médecine libre (UFML), the Sndicat national des jeunes médecins généralistes (SNJMG), the Fédération des médecins de France (FMF), Mrs A. .. D..., in her capacity as user representative on the AP-HP Supervisory Board, Mr B... C..., the Fédération SUD santé sociaux and the Ligue des droits de l'Homme asked the judge of the Conseil d'Etat for interim measures, ruling on the basis of Article L. 521-2 of the Code of Administrative Justice:

1°) order the suspension of the partnership with the company Doctolib insofar as it is based on the hosting of health data with an American company, making it incompatible with the General Data Protection Regulation (GDPR);

2°) to order the Minister of Health and Solidarity to use other solutions for managing the appointment booking for the Covid-19 vaccination campaign that comply with the requirements of data protection law

3°) in the alternative, to request an opinion from the Commission nationale de l'informatique et des libertés (CNIL) in order to rule on the implications of the use of the partnership with the company Doctolib for the management of appointments for the Covid-19 vaccination campaign, in that it is based on the hosting of health data with an American company, making it incompatible with the RGPD ; 

4°) to order all necessary measures to ensure that there is no serious and manifestly unlawful infringement of the right to privacy and the protection of personal data in connection with the choice of partnership for the management of appointments in the context of the Covid-19 vaccination campaign;

5°) to charge the State the sum of 5,000 euros under Article L. 761-1 of the Administrative Justice Code.

They argue that :
- they have an interest in acting;
- the condition of urgency is satisfied in view of the state of health emergency recently extended by the law of 15 February 2021, the fact that the health data of millions of people may not benefit from an adequate protection regime given the dominant nature of the Doctolib solution in the offer of online appointment booking the particularly sensitive nature of the data in question, the impossibility for the State to guarantee the protection of health data within the framework of the contract concluded between Doctolib and Amazon Web Services and the infringements of the right to data protection made possible by American law and its extraterritorial effects;
- the contested measure seriously and manifestly infringes several fundamental freedoms;
- it seriously infringes the right to respect for private life and the right to protection of personal data since, on the one hand, the data processed by the Doctolib platform as part of the management of the Covid-19 vaccination policy are likely to give a precise indication of the person's state of health and constitute directly identifying information and, secondly, that potential requests for access to personal data by the US authorities cannot be opposed in practice by the US companies, that such access is massive, indiscriminate and not minimised, and that it cannot be subject to checks or to a right of opposition by independent authorities;
- it infringes the right to data protection in a manifestly unlawful manner, since the hosting of personal data collected by the Doctolib platform on servers belonging to an American company subject to American law is incompatible with the GDPR in that the state of American legislation does not allow for an appropriate level of protection of personal data with regard to this regulation;
- it disregards the provisions of the GDPR in view of, on the one hand, the possibility of a transfer to the United States of the data collected by Doctolib through the subcontractor hosting this data, Amazon Web Services, and, on the other hand, even in the absence of a data transfer, the risk of access requests by the American authorities to the company Amazon Web Services;
- it is neither necessary, proportionate nor appropriate given that other alternative digital solutions exist, based on data hosting by companies under French law.

By a statement of defence, registered on 5 March 2021, the Minister for Solidarity and Health concluded that the application should be rejected. It argued that there was no serious and manifestly unlawful infringement of the fundamental freedoms invoked and that there was a public interest in allowing the continued use of Doctolib's vaccination appointment management services for the purposes of managing the health emergency and combating the SARS-CoV-2 pandemic.

By a statement of defence and a new statement of case, registered on 5 and 7 March 2021, the company Doctolib concluded that the application should be rejected. It argued that there was no serious and manifestly illegal infringement of the right to protection of personal data.

 Having regard to the other documents in the file;

Having regard to :
- the Charter of Fundamental Rights of the European Union;
- Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016;
- the public health code;
- law n°78-17 of 6 January 1978;
- the code of administrative justice;

 Having summoned to a public hearing, on the one hand, the association Interhop and the other applicants and, on the other hand, the Minister of Solidarity and Health and the company Doctolib;

The following were heard at the public hearing on 8 March 2021, at 10.30 a.m:

- the representatives of the applicants;

- Mr Piwnica, lawyer at the Council of State and the Court of Cassation, lawyer for the company Doctolib;

- the representatives of the company Doctolib;

- the representatives of the Minister for Solidarity and Health;

at the end of which the interim relief judge closed the investigation.

Having regard to the note for deliberation, registered on 11 March 2021, presented by the association InterHop et al;

Considering the following:

1. Under the terms of Article L. 521-2 of the Code of Justice: "Upon receipt of a request in this regard justified by the urgency of the matter, the interim relief judge may order all measures necessary to safeguard a fundamental freedom which a legal person governed by public law or a body governed by private law entrusted with the management of a public service would have infringed, in the exercise of one of its powers, in a serious and manifestly illegal manner. The interim relief judge shall give a ruling within forty-eight hours.

2. In the context of the vaccination campaign against covid-19, the Ministry of Solidarity and Health entrusted the management of vaccination appointments on the Internet to various service providers, including the company Doctolib. The InterHop association and the other applicants asked the interim relief judge, ruling on the basis of Article L. 521-2 of the Administrative Justice Code, to suspend the partnership with the Doctolib company insofar as it was based on hosting health data with an American company, making it incompatible with Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of individuals with regard to the processing of personal data.

On the legal framework :

3. On the one hand, according to Article 44 of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of individuals with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC, or General Data Protection Regulation: "A transfer to a third country (. ..., of personal data which are being or are intended to be processed after that transfer may take place only if, subject to the other provisions of this Regulation, the conditions laid down in this Chapter are complied with by the controller and the processor (...). All the provisions of this Chapter shall be applied in such a way as to ensure that the level of protection of natural persons guaranteed by this Regulation is not compromised. Article 45 of this Regulation provides that: "1. a transfer of personal data to a third country (...) may take place where the Commission has determined by decision that the third country, a territory or one or more specified sectors within that third country (...) ensures an adequate level of protection. Such a transfer does not require a specific authorisation. / 2. When assessing the adequacy of the level of protection, the Commission shall take into account, in particular, the following elements: / (a) the rule of law, respect for human rights and fundamental freedoms, (...) access to personal data by public authorities, as well as the implementation of such legislation, data protection rules, (... The Commission, after having assessed the adequacy of the level of protection, may decide, by means of implementing acts, that a third country, a territory or one or more specified sectors within a third country (...) ensures an adequate level of protection (...)". According to Article 46 of the Regulation: "1. In the absence of a decision pursuant to Article 45(3), the controller or processor may transfer personal data to a third country or to an international organisation only if he has provided appropriate safeguards and on condition that the data subjects have enforceable rights and effective legal remedies. / 2. The appropriate safeguards referred to in paragraph 1 may be provided, without the need for specific authorisation by a supervisory authority, by : / (...) / (c) standard data protection clauses adopted by the Commission in accordance with the review procedure referred to in Article 93(2) (...)".

4. On the other hand, according to Article 48 of the same Regulation: "Any decision by a court or administrative authority of a third country requiring a controller or processor to transfer or disclose personal data may be recognised or given effect in any way only if it is based on an international agreement, such as a mutual legal assistance treaty, in force between the requesting third country and the Union or a Member State, without prejudice to other grounds for transfer under this Chapter". Article 28 of that Regulation provides that: "1. Where processing is to be carried out on behalf of a controller, the controller shall only use processors providing sufficient guarantees as to the implementation of appropriate technical and organisational measures to ensure that the processing operation complies with the requirements of this Regulation and guarantees the protection of the rights of the data subject / (...) / 3. ) provides, inter alia, that the processor shall: / a) process personal data only on the basis of documented instructions from the controller, including transfers of personal data to a third country or to an international organisation, unless the processor is required to do so by Union law or the law of the Member State to which the processor is subject; in that case, the processor shall inform the controller of this legal obligation prior to the processing, except where such information is prohibited by the law concerned on important public interest grounds (...) ".

5. By a Grand Chamber judgment of 16 July 2020, Data Protection Commissioner v Facebook Ireland Ltd and Maximillian Schrems, C-311/18, the Court of Justice of the European Union ruled that Article 46(1) and Article 46(2)(c) of Regulation 2016/679 must be interpreted as meaning that the appropriate safeguards, the enforceable rights and effective remedies required by those provisions must ensure that the rights of persons whose personal data are transferred to a third country on the basis of standard data protection clauses enjoy a level of protection substantially equivalent to that guaranteed within the European Union by that regulation, read in the light of the Charter of Fundamental Rights of the European Union. To this end, the assessment of the level of protection provided must, in particular, take into account both the contractual stipulations agreed between the controller or its processor established in the European Union and the recipient of the transfer established in the third country concerned and, as regards possible access by the public authorities of that third country to the personal data thus transferred, the relevant elements of the legal system of that country, in particular those set out in Article 45(2) of the Regulation.

6. By this judgment, the Court of Justice also ruled that the Commission's Implementing Decision (EU) 2016/1250 of 12 July 2016 on the adequacy of the protection provided by the EU-US Data Protection Shield, taken on the basis of Directive 95/46 and constituting an adequacy decision within the meaning of Article 45, of the General Data Protection Regulation, was invalid on the grounds that, even in that framework, the United States did not ensure an adequate level of protection for personal data transferred from the Union to organisations established in that country. It found that the fundamental rights of the individuals whose personal data are transferred in this way were interfered with by the possibility of access to and use of such data by the US public authorities in the context of surveillance programmes based on Section 702 of the Foreign Intelligence Surveillance Act (FISA) and Executive Order (EO) 12333, which are not limited to what is strictly necessary. Section 702 of FISA does not limit the authority it contains and the US Foreign Intelligence Surveillance Court only reviews whether these programmes are consistent with the purpose of obtaining foreign intelligence information, but not whether individuals are properly targeted for that purpose. As for EO 12333, it must be implemented in compliance with Presidential Policy Directive 28 (PPD-28), which nevertheless allows for the "bulk" collection of a relatively large volume of information or data where intelligence agencies cannot use an identifier associated with a specific target to direct the collection, making it possible to access data in transit to the United States without sufficient judicial oversight or guidance. Finally, for these various surveillance programmes, there is no text conferring rights on the persons concerned that can be enforced against the US authorities before the courts, allowing them to benefit from an effective right of appeal. Under these conditions, the limitations on the protection of personal data resulting from the internal regulations of the United States are not framed in such a way as to meet requirements that are substantially equivalent to those required by the Charter of Fundamental Rights of the European Union, Article 52 of which allows limitations on the exercise of the rights and freedoms it recognises only if they are necessary and effectively meet objectives of general interest recognised by the Union or the need to protect the rights and freedoms of others.

On the application for interim relief :

7. For the purposes of hosting its data, Doctolib uses the services of the Luxembourg company AWS Sarl, a subsidiary of the American company Amazon Web Services Inc. InterHop and the other applicants point out the risks that this situation entails with regard to the right to privacy, given the possibility of data being transferred to the United States. If AWS is certified as a "health data host" pursuant to Article L. 1111-8 of the Public Health Code, that the data processed by AWS is hosted in data centres located in France and Germany and that the contract concluded between Doctolib and AWS does not provide for the transfer of data to the United States for technical reasons, InterHop and the other applicants argue that, because it is a subsidiary of a company incorporated in the United States, AWS may be subject to requests for access to certain health data by the American authorities, in the context of surveillance programmes based on section 702 of FISA or EO 12333. In applying the criteria applied by the Court of Justice in its judgment of 16 July 2020 to the relationship between controller and processor, the level of protection provided during the processing of data should be verified by taking into account not only the contractual stipulations agreed between the controller and his processor, but also, in the event of the processor being subject to the law of a third country, the relevant elements of the legal system of that country.

8. It is clear from the investigation that, in order to speed up the Covid-19 vaccination campaign, three different companies, including Doctolib, are responsible for managing the scheduling of vaccination appointments. The data at issue include personal identification data and data relating to appointments, but no health data on the possible medical reasons for eligibility for vaccination, since the persons concerned simply certify on their honour, when making the appointment, that they fall within the vaccination priority, which is likely to concern adults of all ages without any particular medical reason. This data is deleted at the latest at the end of a period of three months from the date of the appointment, and each person concerned who has created an account on the platform for the purposes of the vaccination may delete it directly online. Doctolib and AWS have concluded a complementary addendum on data processing establishing a specific procedure in the event of requests for access by a public authority to data processed on behalf of Doctolib, providing in particular for the contestation of any general request or one that does not comply with European regulations. Doctolib has also set up a security system for data hosted by AWS through an encryption procedure based on a trusted third party located in France in order to prevent the reading of data by third parties. Having regard to those safeguards and to the data concerned, the level of protection of the data relating to appointments made in the context of the Covid-19 vaccination campaign cannot be regarded as manifestly inadequate in the light of the risk of infringement of the General Data Protection Regulation invoked by the applicants. Although the applicant association also invoked the risks associated with the use of service providers other than AWS, it does not appear from the investigation that those service providers were involved in hosting the data at issue. Thus, and without the need to submit a request for an opinion to the Commission nationale de l'informatique et des libertés, it does not appear from the investigation that the decision of the Minister of Solidarity and Health to entrust the company Doctolib, among other possible ways of booking appointments, with the management of Covid-19 vaccination appointments seriously and manifestly illegally infringes the right to respect for private life and the right to protection of personal data.

9. It follows from the above that the application of InterHop et al. must be rejected.

10. The provisions of Article L. 761-1 of the Code of Administrative Justice prevent the State, which is not the losing party in the present proceedings, from being charged with a sum.

ORDERS :
------------------

Article 1: The application of the InterHop association and others is rejected.
Article 2: The present order shall be notified to the InterHop association, first named, for all the applicants, as well as to the Minister of Solidarity and Health and the company Doctolib.