CE, ord. ref., March 12, 2021, Doctolib, req. No. 450163 – Interim decision
In its Doctolib decision, the Council of State recognizes the incompatibility of American law with the protection of personal data in the European Union
Concerning the United States, the Schrems II judgment (CJEU July 16, 2020, case C-311/18) invalidated the Privacy Shield, the equivalent of an adequacy decision, which allowed companies that subscribed to it to export personal data to the United States. US law authorizes public authorities to access personal data without providing the persons concerned with effective remedies.
The Doctolib company, which offers an online medical appointment service, hosts its data on the servers of a subsidiary of Amazon Web Services (AWS), a company incorporated under US law. As part of the vaccination campaign against covid-19, Doctolib has been appointed by the Ministry of Solidarity and Health to manage the related appointments.
The judge in chambers of the Council of State was seized of a request to suspend this partnership on the ground that it would disregard the General Data Protection Regulation (EU) 2016/679 of April 27, 2016 (GDPR).
The judge rejects the request:
AWS Sarl, a Luxembourg subsidiary of AWS Inc., is a certified “health data host” (CSP, art. L. 1111-8). The data is hosted in data centers located in France and Germany, and the contract provides for no transfer of data to the United States for technical reasons. According to the applicants, since AWS Sarl is a subsidiary of a US company, it may nevertheless be subject to an access request from US public authorities.
Data in question. – The Council of State notes that “the disputed data includes personal identification data and appointment data but no health data on any medical grounds for eligibility for vaccination”, since people only have to justify their eligibility with a sworn statement.
Retention period. – The data “are deleted at the latest three months after the appointment was made, and each person concerned who created an account on the platform for vaccination purposes can delete it directly online”.
Access requests by US public authorities. – To secure their relationship, the contract stipulates that AWS must contest “any request that is general or does not comply with European regulations”. This measure is accompanied by a “mechanism for securing the data hosted by AWS through an encryption procedure based on a trusted third party located in France, in order to prevent the data from being read by third parties”.
> the level of protection thus put in place by the parties “cannot be regarded as manifestly insufficient with regard to the risk of violation of the GDPR”.
The scope of the decision is limited in that it is a provisional interim ruling, which sanctions only what is “manifestly unlawful” and could therefore be revisited on the merits. To be continued.
CE, ord. ref., Oct. 13, 2020, No. 444937
The condemnation of Meta to 1.2 billion euros
The Irish Data Protection Authority condemned, on May 12, 2023, the American Meta (Facebook network) for an illegal transfer of European user data to the United States.
Meta was ordered to pay 1.2 billion euros, an exceptional fine, for having continued to transfer the data of European Facebook users to servers located in the United States, and was ordered to “suspend any transfer of personal data to the United States within five months” of the notification of the decision and to comply with the GDPR within six months. Meta will appeal.
It is in a way the culmination of the famous Max Schrems litigation, the Austrian Facebook user who complained that his data was at the mercy of US government authorities, since US law allows them access to personal data.
European justice had invalidated a first agreement governing the transfer of data between Europe and the United States, the "Safe Harbor" in 2015, then a second agreement, the "Privacy Shield" in 2020. The European Commission hopes to finalize a data transfer pact with the United States this year.
Meta's violations of the GDPR “are very serious since they are systematic, repetitive and continuous transfers” (Andrea Jelinek, president of the EDPB, the body that brings together the EU's data protection authorities, the counterparts of the CNIL). It is “a strong signal to organizations that serious breaches have serious consequences,” she added.
The initial reluctance of the Irish authority
Ireland's data protection authority, the Irish Data Protection Commission (DPC), has come under fire. In a report published on May 15, 2023, the Irish Council for Civil Liberties (ICCL) accuses the DPC of being an obstacle to the application of the General Data Protection Regulation (GDPR). The organization calls for the intervention of the European Commission to reform the DPC, but the Irish government refuses an independent audit.
The DPC is in high demand because of its key role in the application of the GDPR within the European Union. Several large technology companies, such as Google, Meta (formerly Facebook), Apple, Microsoft, TikTok, Airbnb and Twitter, have established their European headquarters in Ireland to benefit from tax advantages. The DPC is therefore the competent authority to supervise these companies with regard to data protection.
Additionally, the GDPR introduced a “one-stop-shop” mechanism that allows businesses operating in multiple EU countries to deal with only one supervisory authority. As the one-stop shop, the DPC is responsible for coordinating investigations and compliance actions concerning these companies based in Ireland, even when they operate in other EU countries.
However, this increased demand has also prompted criticism of the effectiveness and independence of the DPC in enforcing the GDPR. The ICCL report accuses the Irish Data Protection Authority of being an obstacle to the application of the GDPR. According to the report, Europe is still unable to control the use of data by big technology companies.
European authorities examined nearly 400 GDPR-related cases between May 2018 and December 2022, but only 28 fines were imposed and 49 formal notices were issued. The ICCL regrets that most cases end in simple reprimands. The emblematic case concerns the practices of Meta (formerly Facebook) concerning the consent of users for the use of their data for advertising purposes.
Initially, the DPC considered a fine of 28 to 36 million euros, but the European Data Protection Board (EDPB) ultimately imposed a fine of 390 million euros on Meta. The DPC defended its record by pointing out that two-thirds of the fines issued in Europe followed its own thorough investigations. In 2022, the DPC concluded 17 major investigations, resulting in five fines totaling €1.1 billion, mainly against Meta.
In sum, the DPC is under pressure to improve its efficiency and independence in the application of the GDPR. Big tech companies need to follow data protection rules and face penalties for non-compliance. The European Commission will need to take action to ensure that data protection authorities across Europe are able to enforce data protection rules.