Data transfer: the necessary assessment of foreign legislation?

Update November 2, 2022


The European Data Protection Board (EDPB) has published its framework for complying with the GDPR when personal data are transferred outside the European Union:

Recommendations 01/2020 on measures that
supplement transfer tools to ensure compliance with
the EU level of protection of personal data
Version 2.0
Adopted on 18 June 2021.

https://edpb.europa.eu/our-work-tools/our-documents/recommendations/recommendations-012020-measures-supplement-transfer_fr

It had been hoped that this framework would ease the contractual formalities (Binding Corporate Rules or Standard Contractual Clauses) that companies must complete for data transfers outside the European Union.

But it follows from this framework that a careful examination of foreign legislation remains necessary, as required by the Schrems II judgment (https://eur-lex.europa.eu/legal-content/FR/TXT/?uri=CELEX%3A62018CJ0311), as soon as a territory is identified as uncertain by the European authorities (https://www.cnil.fr/fr/la-protection-des-donnees-dans-le-monde),

unless the transfer falls within one of the derogations provided for in Article 49 of the GDPR.

Indeed, a sovereign state may in any case access data upon a specific, targeted request: only a general, indiscriminate request for access to data can be challenged on principle.

As regards data transfers to the United States, there is still no adequacy decision by the European Commission, following the so-called Schrems I judgment of 6 October 2015 (C-362/14), which invalidated Safe Harbour, and the Schrems II judgment of 16 July 2020 (C-311/18), which invalidated the Privacy Shield. US legislation reflects a conception of privacy centred on the protection of American citizens, which does not extend to foreigners and is not the universalist conception of the European Union.

The Fourth Amendment to the United States Constitution provides: "The right of the people to be secure in their persons, houses, papers, and effects, against unreasonable searches and seizures, shall not be violated, and no Warrants shall issue, but upon probable cause, supported by Oath or affirmation, and particularly describing the place to be searched, and the persons or things to be seized."

Despite efforts at approximation (see President Biden's Executive Order 14086 of 7 October 2022, which creates a Civil Liberties Protection Officer within the executive branch and a Data Protection Review Court, though whether that body offers a genuinely independent and effective remedy remains disputed), US law still provides for mass surveillance and offers data subjects no effective remedy to enforce their rights.

It is therefore primarily up to the data exporter, in a perilous assessment exercise, to check the foreign legislation. The EDPB provides a list of sources of information in Annex 3 of its recommendations.

The new Standard Contractual Clauses ("SCC"), adopted by the European Commission on 4 June 2021, published on 7 June 2021 and in force since 27 June 2021 (https://eur-lex.europa.eu/eli/dec_impl/2021/914/oj?uri=CELEX:32021D0914&locale=fr), do not exempt the exporter from this exercise.

The Doctolib interim order gives some clues as to how to secure a data transfer: hosting and encryption in France, an obligation on the European subsidiary to contest any "general" foreign request, low-sensitivity data, and a short retention period: https://roquefeuil.avocat.fr/2021/04/transfert-de-donnees-sur-un-cloud.html


Data transfer to a foreign cloud: the Doctolib decision

CE, ord. ref., 12 March 2021, Doctolib, req. No. 450163 (interim order of the urgent-applications judge)

In its Doctolib order, the Council of State acknowledges the incompatibility of US law with the protection of personal data in the European Union, while still allowing the hosting contract to stand.

Concerning the United States, the Schrems II judgment (CJEU, 16 July 2020, case C-311/18) invalidated the adequacy decision on the Privacy Shield, which allowed companies that self-certified under it to export personal data to the United States. US law (in particular Section 702 of FISA and Executive Order 12333) authorizes public authorities to access personal data without providing the persons concerned with effective remedies.

Doctolib, which offers an online medical appointment service, hosts its data on the servers of a subsidiary of Amazon Web Services (AWS), a company incorporated under US law. As part of the vaccination campaign against Covid-19, Doctolib was appointed by the Ministry of Solidarity and Health to manage the related appointments.

The urgent-applications judge of the Council of State was seized of a request to suspend this partnership on the ground that it would disregard the General Data Protection Regulation (EU) 2016/679 of 27 April 2016 (GDPR).

The judge rejected the request, on the following grounds:

AWS Sarl, the Luxembourg subsidiary of AWS Inc., is certified as a health data host (Public Health Code, art. L. 1111-8). The data are hosted in data centres located in France and in Germany, and the contract does not provide for any transfer of data to the United States for technical reasons. The applicants argued that, since AWS Sarl is a subsidiary of a US company, it may nonetheless be subject to an access request from US public authorities.

Data in question. – The Council of State notes that "the disputed data include personal identification data and appointment data but no health data on the medical grounds for eligibility for vaccination", people simply having to justify their eligibility by a sworn statement.

Retention period. – The data "are deleted at the latest at the end of a period of three months from the date of the appointment, and each person concerned who has created an account on the platform for the purposes of vaccination can delete it directly online".

Access requests by US public authorities. – To secure their relationship, the contract stipulates that AWS must contest "any request that is general in nature or does not comply with European regulations". This measure is accompanied by a "mechanism for securing the data hosted by AWS through an encryption procedure based on a trusted third party located in France, in order to prevent the data from being read by third parties".

> The level of protection thus put in place by the parties "cannot be regarded as manifestly insufficient with regard to the risk of a breach of the GDPR".


The scope of the decision is limited, in that it is a provisional interim order which only sanctions a "manifestly unlawful" interference; a ruling on the merits could therefore reach a different conclusion. To be continued.

See also:
CNIL, delib. n° 2020-044 of Apr. 20, 2020 and press release of Oct. 14, 2020
CE, ord. ref., 13 Oct. 2020, n° 444937