Data transfer: the necessary assessment of foreign legislation?

Update November 2, 2022


The European Data Protection Board (EDPB) provides its framework for compliance with the GDPR in the event of data transfer outside the European Union.

Recommendations 01/2020 on measures that
supplement transfer tools to ensure compliance with
the EU level of protection of personal data
Version 2.0
Adopted on 18 June 2021.

It was to be expected that this framework would lighten the contractual formalities for companies (Binding Corporate Rules or standard contractual clauses) in terms of transferring data outside the European Union.

Mais il ressort de ce cadre que l’examen minutieux des législations étrangères reste nécessaire, comme le préconise l’arrêt Schrems II (, dès qu’une zone territoriale est identifiée comme incertaine par les autorités européennes :,

Except to fall within the derogations provided for by article 49 of the GDPR.

Indeed, a sovereign State can in all cases access the data, on specific request: only a general request for access to the data could be contested in terms of principles.

With regard to data transfers to the United States, there is still no adequacy decision by the European Commission, after the so-called Schrems I CJEU judgments of October 6, 2015 (C-362/14) (invalidation of the Safe Harbour) and Schrems II of July 16, 2020 (C-311/18) (invalidation of the Privacy Shield). US legislation indeed reflects a conception of privacy centered on the protection of American citizens, not including foreigners, which is not the universalist one of the European Union.

The 4th Amendment to the United States Constitution provides: "The right of citizens to be secure in their person, domicile, papers and effects against search and seizure without reason shall not be violated nor shall it be issued no warrant except on serious presumption, corroborated by oath or solemn declaration and describing with precision the place to be searched and the persons or things to be seized. »

Despite efforts at reconciliation (cf. Joe Biden's recent executive order of October 7, 2022 clearly providing for recourse to a delegate of the executive power and even to an independent court but whose opinions are not enforceable), the legislation US still provides for mass surveillance and the lack of effective remedies with regard to the rights of data subjects.

It is therefore first and foremost up to the data exporter, in a perilous exercise of evaluation, to check foreign legislation. The Committee provides a list of data sources in Annex III of its recommendations.

The new Standard Contractual Clauses (“SCC”) (adopted by the European Commission on June 4, 2021 and published on June 7, 2021, which will enter into force on June 27, 2021, dec_impl/2021/914/oj?uri=CELEX:32021D0914&locale=fr) do not exempt from this exercise.

The provisional Doctolib decision can give clues on how to secure a data transfer: location and encryption in France, obligation for the European subsidiary to contest the foreign “general” request, insensitive data, short data retention period: 

Consult a lawyer specializing in computer law

Data transfer to a foreign cloud: the Doctolib decision

CE, ord. ref., March 12, 2021, Doctolib, req. No. 450163 – Interim interim decision

In its Doctolib decision, the Council of State recognizes the incompatibility of American law with the protection of personal data in the European Union

Concerning the United States, the Schrems II judgment (CJEU July 16, 2020, case C-311/18) invalidated the Privacy Shield, equivalent to an adequacy decision, which allowed companies submitting to it to export personal data to the United States. American law authorizes public authorities to access personal data without providing the persons concerned with effective remedies.

The Doctolib company, which offers an online medical appointment service, hosts its data on the servers of a subsidiary of Amazon Web Services (AWS), a company incorporated under US law. As part of the vaccination campaign against covid-19, Doctolib has been appointed by the Ministry of Solidarity and Health to manage the related appointments.

The judge in chambers of the Council of State was seized of a request for suspension of this partnership insofar as it would disregard the general regulation on data protection (EU) 2016/679 of April 27, 2016 (RGPD).

The judge rejects that:

AWS Sarl, a Luxembourg subsidiary of AWS Inc., is certified “health data host” (CSP, art. L. 1111-8). The data is hosted in centers located in France and in Germany and there is no provision in the contract for any transfer of data to the United States for technical reasons. Since AWS Sarl is a subsidiary of a US company, it may be subject to an access request by US public authorities, according to the applicants.

Data in question. – The Council of State notes that “the disputed data includes personal identification data and appointment data but no health data on any medical grounds for eligibility for vaccination”, people simply having to justify their eligibility with a sworn statement.

The duration of the conversation. – The data “ are deleted at the end of a period of three months at the latest from the date of making an appointment, each person concerned having created an account on the platform for the purposes of vaccination can delete it directly online”.

Request for access by US public authorities. – In order to secure their relations, it is stipulated in the contract thatAWS will have to contest “any request that is general or does not comply with European regulations ". This measure is accompanied by a "device for securing data hosted by the company AWS through a encryption procedure based on a trusted third party located in France in order to prevent the reading of the data by third parties”.

> the level of protection thus put in place by the parties “cannot be regarded as manifestly insufficient with regard to the risk of violation of the GDPR”.


The scope of the decision is relative in that it is a provisional interim decision which penalizes the “manifestly unlawful” and which could therefore be corrected. To be continued.

CNIL, delib. n° 2020-044 of Apr. 20, 2020 and press release of Oct. 14, 2020
CE, ord. ref., 13 Oct. 2020, n° 444937