Indeed, in the context of the Covid-19 crisis, concerns have been raised about the extraterritorial effects of US surveillance laws on such vendors. They focus in particular on article 702 of the US Foreign Intelligence Surveillance Act (FISA), which authorizes US authorities to acquire from electronic communications service providers foreign intelligence information about non-US persons located outside the USA, and on Executive Order 12333, which allows US authorities to collect foreign "signals intelligence" from communications and other data passed by, or accessible by, radio, wire and other electromagnetic means.
EPISODE 1: THE FRENCH HEALTH DATA HUB CASE (Conseil d’Etat, 13 October 2020, n° 444937)
The Health Data Hub is a platform run by a French public interest group which gathers health data of the population in France in order to promote medical research and projects. The Health Data Hub entrusted the hosting of the data to the Irish affiliate of one of the GAFAMs, Microsoft, which hosts the data in the Netherlands and soon in France. Fearing that health data could be transferred to the USA, several associations filed a summary proceeding before the Conseil d’Etat.
After examining the case, the Conseil d’Etat found that:
- the services provided by Microsoft Ireland to the Health Data Hub did not require health data to be transferred to the USA for processing purposes;
- should Microsoft Ireland later request authorization from the Health Data Hub to transfer the data, both the contract and a ministerial order would in any case prevent the Health Data Hub from accepting such a transfer;
- the health data is highly pseudonymized before being incorporated into the Health Data Hub and is encrypted;
- there is an important public interest at stake in managing the Covid-19 crisis and in improving knowledge of the virus, which requires the platform to be operational without further delay.
Accordingly, the Conseil d’Etat ruled that, weighing the (quite theoretical) risk raised by the claimants against the supplementary measures in place to reduce that risk, the immediate suspension of the health data processing within the platform, as requested, was not justified.
EPISODE 2: THE DOCTOLIB CASE (Conseil d’Etat, 12 March 2021, n° 450163)
Doctolib is one of the three private online medical appointment platforms chosen by the French government to organize the scheduling of patients for the Covid-19 vaccine. Doctolib entrusted the hosting services, which are provided in France and in Germany, to the Luxembourg affiliate of another GAFAM, Amazon Web Services Inc.
Several associations (among which some of the applicants in the Health Data Hub case) filed a summary proceeding before the Conseil d’Etat based on the risks linked to the fact that the data is hosted in Europe, but by a subsidiary of a US company, subject to US laws on surveillance which have extraterritorial effects.
On 12 March 2021, the Conseil d’Etat decided again that there was no ground for ordering the suspension of the partnership concluded between the government and Doctolib, even though Doctolib had engaged a European subprocessor which is a subsidiary of a US company.
This decision was also based on a balancing test, considering that:
- No health data was processed within the scheduling service provided by Doctolib. This point is quite interesting, as the Conseil d’Etat ruled that the mere scheduling of a vaccination appointment does not constitute health data, as long as it does not contain information relating to the health of the patient justifying that he or she was eligible for vaccination (at the time of the decision, only certain categories of patients were eligible, based on their age or comorbidity);
- The data would be deleted 3 months after the vaccination;
- The contract between Doctolib and Amazon Luxembourg contained an addendum in which the latter would object to any access request by US authorities;
- The data was encrypted and secured by a trusted third-party located in France.
MORAL OF THE STORY
The Conseil d’Etat refused to mechanically apply the “Schrems II” case law to a situation in which no data transfer to the USA is planned by the European affiliate of a US company. In the Health Data Hub case, the supreme administrative court also recalled that “the Court of Justice only decided, in its judgment of 16 July 2020, on the conditions under which transfers of personal data to the United States may take place and not on the conditions under which such data may be processed, on the territory of the European Union, by companies incorporated under American law or their subsidiaries”.
But, in the same vein as the European Court of Justice, it did apply a balancing test between the risks for privacy and the supplementary measures, which it found to be satisfactory in those two cases.
According to the Conseil d’Etat, the mere fact of using European vendors with close ties to the USA does not therefore constitute per se a ground for manifest illegality, nor a breach of the GDPR.
Nonetheless, the French supervisory authority, the Commission nationale de l’informatique et des libertés (CNIL), disclosed in February 2021 that it had obtained from the government that Microsoft would be replaced by another hosting provider offering guarantees that the health data used by the Health Data Hub could not be exposed to US surveillance. Later, in May 2021, the CNIL publicly recommended avoiding the use of collaborative suites for education provided by US-originating providers.
The use of such providers, GAFAMs among them, by French companies therefore remains subject to considerable legal uncertainty, even where, as is more and more often the case, the personal data is hosted in Europe. What was all the fuss about?
Article provided by: Marie-Hélène Tonnellier and Charlotte Barraco-David (Latournerie Wolfrom Avocats, France)
Dr. Tobias Höllwarth (Managing Director INPLP)