Facts of the Case
French COVID-19 vaccination appointments are processed through a platform called Doctolib. Doctolib hosts the relevant data on Amazon Webservices (AWS). The applicable contract is between Doctolib and AWS Sarl, which is a Luxembourg subsidiary of Amazon in the US.
By way of summary proceedings, claimants alleged that Doctolib's hosting setup was incompatible with the GDPR, as interpreted in light of the ECJ's Schrems II ruling, because there was a risk of access to that data by US authorities. Claimants asked the French Conseil d'Etat, which acts as the country's top administrative court, to order the suspension of the processing as a matter of urgency.
The court declined the request on the following grounds (para. 8 of the decision):
- COVID-19 vaccination appointments are not health data for the purposes of the GDPR if they do not include information about the eligibility for vaccination (e.g., medical risk factors).
- On his profile, the user can request the immediate deletion of the personal data concerned. In any event, the personal data is automatically deleted three months from the vaccination appointment.
- In the applicable data protection addendum, AWS Sarl committed to challenge any US authority access request that is general in nature or otherwise infringing the GDPR.
- The data hosted on AWS is encrypted and the key is held by a fiduciary in France.
Against this background, the technical and organizational measures were not "manifestly insufficient", which was the threshold test the court had to apply to determine whether to order to suspend the processing as a matter of urgency.
This decision provides valuable judicial guidance on how to apply the Schrems II principles in practice. Still, uncertainties remain where the processor needs clear text access to the personal data. Indeed, encryption that effectively prevents access to the data by the processor might not always be feasible, e.g., where the processor has a maintenance obligation in relation to the service in question and fulfills that obligation through remote access from the US.
Furthermore, the court is correct when it refuses to qualify COVID-19 vaccination appointments as health data. The fact whether someone is taking the vaccination does not disclose anything about his or her current or future health status, which would be required under the pertinent definition in Article 4(16) GDPR.
The decision is available here in French.