Schrems II and Transfers of Personal Information: The Side Effect of the COVID-19 Vaccine

Since the decision of July 16, 2020 by the Court of Justice of the European Union to invalidate the Privacy Shield in the Data Protection Commissioner versus Facebook Ireland Ltd and Maximillian Schrems^[1] case, known as Schrems II, the transfer of personal information from the European Union to the United States or to any other country that does not benefit from an adequacy decision is a delicate matter. After the recommendations of the European Data Protection Board were released^[2], there was still not quite enough material to fully understand everything about the required impact assessments. How should they be conducted and, in practice, on what factors should they be based? How would the jurisdictions evaluate them? These are all questions that legal practitioners and companies engaging in commercial activities involving transfers of personal information have been asking themselves ever since.

We now have some partial clarification. A French jurisdiction applied the Schrems II criteria in the context of the French government’s COVID-19 vaccination campaign. While this is not the only such decision, given that Bavarian^[3] and Portuguese^[4] authorities had provided some leads, the French decision has the merit of going further by providing a detailed analysis grid that clarifies how the impact assessments are to be implemented.

The Vaccination Campaign: The Source of the Conseil d’Etat’s Decision

The French Ministry for Solidarity and Health entrusted the management of COVID-19 vaccination appointments to various providers, including Doctolib, and allowed users to make appointments in the health sector via an online platform.

The applicants^[5] asked the Conseil d’Etat (i.e. Council of State)^[6], the highest French administrative jurisdiction, through a summary request (i.e. an emergency procedure), to suspend the Ministry’s partnership with Doctolib because it was based on the hosting of health data by AWS Sarl (“AWS”), a Luxembourg subsidiary of U.S. company Amazon Web Services, Inc. This partnership would therefore be incompatible with the General Data Protection Regulation (GDPR).

The Conseil d’Etat first pointed out that, according to the Schrems II decision, before implementing a transfer of personal information subject to appropriate safeguards, it is necessary to ensure that “the rights of persons whose personal data is transferred to a third country on the basis of standard data protection clauses enjoy a level of protection substantially equivalent to that guaranteed within the European Union.”^[7]

The highest administrative jurisdiction continued by stating that, in assessing this level of protection, it is particularly necessary to take into account (i) the contractual stipulations agreed to between the exporter of personal information and the recipient of the transfer established in the third country concerned and (ii) the relevant elements of the legal system of the destination country, given that the public authorities of that third country may possibly have access to the transferred personal information.

The Conseil d’Etat then noted that the Schrems II decision invalidated the Privacy Shield that allowed the transfer of personal information from the European Union to U.S. companies adhering to this agreement.

In this instance, Doctolib used the services of AWS for its data hosting requirements.

The hosting service provider chosen by Doctolib made the following guarantees, namely that:

• it was a certified “health data host” within the meaning of the French Public Health Code;
• the processed data would be hosted in data centres located in France and Germany;
• the contract did not include any transfers to the U.S., including transfers for technical reasons.

Despite these safeguards, the applicants submitted that, as a subsidiary of a U.S. company, the host might be subject to requests for access to certain health data by U.S. authorities under surveillance programs based on section 702 of the Foreign Intelligence Surveillance Act Amendment Act (“FISA”) or on Executive Order 12333 – United States Intelligence Activities; as a result, such hosting would not meet the conditions set by Schrems II.

However, this was not the position taken by the Conseil d’Etat, which adopted the view that^[8]:

• The data involved consisted of personal identification data and appointment data. There was no health data on the possible medical grounds for eligibility for vaccination because, at the time of booking appointments, Doctolib users did nothing more than certify on their honour that they fell within the vaccine priority criteria.
• This data was deleted at the latest after a period of three months from the date of the appointment, and it was clearly stated that every user who had created an account on the platform could delete it directly online.
• Doctolib and the host company had signed a supplementary addendum on data processing, establishing a precise procedure for access requests by a public authority to data processed on behalf of Doctolib and containing in particular provisions for challenges concerning any general request or any request that did comply with European regulations. (The standardized version of this addendum is available online.)
• Doctolib had also set up a device for securing hosted data through an encryption procedure based on a trusted third party located in France in order to prevent data from being read by unauthorized persons.

Thus, the partnership between the French state and Doctolib does not constitute a serious and manifestly illegal infringement on the right to privacy and the right to protection of personal data.

A Decision with Major Consequences for Canadian Businesses

This decision is significant for Canadian businesses because it presents practical factors that need to be considered when conducting impact assessments, namely:

• What data is affected by the transfer?
• Is sensitive data involved? The less sensitive and more limited the data, the less risky the transfer.
• How long must the data involved be retained? Risks can be limited when the retention period is very short.
• What are the rights of the individuals in connection with this data? If the platform is accessible to the individuals, they need to have the capability to decide to delete their information.
• What contractual measures have been implemented? In this instance, AWS was contractually bound to follow a precise procedure in the event of an access request by a public authority, specifically requiring that it challenge access requests from public authorities in addition, of course, to informing Doctolib.
• What security measures have been implemented? In this case, the data in question was encrypted and the decrypting key had been entrusted to a third party located in France to prevent a third party from reading the data.

The requirement to implement additional measures is particularly important if the recipient is an electronic communications service provider within the meaning of FISA Section 702. This was pointed out by the Bavarian^[9] and Portuguese^[10] privacy protection authorities, who found that the person in charge of processing had not assessed whether additional measures were necessary when transferring personal data to providers located in the U.S., and the transfers of this personal information to the U.S. were therefore suspended. However, these authorities did not identify specific additional measures that would have been appropriate.

In summary, the French decision gives us an assessment grid for evaluating the risks associated with transfers. Let’s hope that more such decisions will be forthcoming.

In the meantime, we can hope that the final versions of the recommendations of the European Data Protection Board and the new standard contractual clauses of the European Commission (which are expected to be published in the near future) will shed some needed light on the uncertainties that continue to weigh on companies in the wake of Schrems II^[11]. Companies can expect increased oversight by customers and data protection authorities regarding transfers of personal information. Impact assessments will also need to be carried out effectively. Fasken is here to help you.