While the privacy world is waiting with bated breath for the European Commission's new standard contractual clauses (SCC) to release EU businesses from the headlock that the Court of Justice of the European Union put them in with its "Schrems II" decision, the French Conseil d'Etat (France's highest administrative court) has fired a shot across the bow that may have major repercussions on how those businesses deal with their international data transfers to the US.
And as always seems to be the case these days, the cause is Covid19.
On March 12, 2021, the Conseil d'Etat ruled that personal data on a platform used to book Covid19 vaccinations, managed by Doctolib and hosted by Amazon Web Services (on servers located in France and Germany), was adequately protected under the EU General Data Protection Regulation (GDPR), because safeguards, both legal and technical, had been put in place to deal with any access request from U.S. authorities. The court thus rejected a claim filed by professional associations and unions asking for the suspension of the service on the ground that Doctolib relied on AWS to host the platform. The plaintiffs unsuccessfully argued that, because the processor was a company bound by U.S. law, the risk of access by U.S. authorities was incompatible with the GDPR as interpreted in Schrems II.
The importance of this French ruling is twofold.
On the one hand, it bursts the bubble of anyone convinced that locating data servers on EEA soil is by itself enough to rule out any trouble under Article 44 GDPR. France raises the bar considerably for data controllers and their US-affiliated (though EU-based) providers by expecting them to show that they can resist undue data requests from across the pond, even when the data in principle are, and remain, located on EEA-based servers.
On the other hand, the Conseil d'Etat shows that enterprises can demonstrate, through proper data processing agreements (including "resistance clauses" under which the processor commits to challenging access requests) together with appropriate technical and organisational measures, that their GDPR compliance is sound, even when they rely on US-based (or US-affiliated) data processors.
Either way, the much anticipated new SCC are expected to bring more guidance to privacy professionals and businesses grappling with the fallout of Schrems II. But France sets the tone on what to expect and gives a solid indication of how supervisory authorities will deal with transatlantic data transfers going forward... even when no actual transfer is anticipated.