Why this French court decision has far-reaching consequences for many businesses
Written By
Partner
France
I am a tech-friendly lawyer based in Paris, specialising in data protection, communications and satellites, with a commitment to providing business-oriented, sustainable advice.
Of Counsel
France
I am Global Chair of Data Protection. Thanks to many years of experience dedicated to data protection, I can provide innovative and practical solutions to clients around the world.
On March 12, 2021, the Conseil d’Etat — France's highest administrative court — ruled that personal data on a platform used to book COVID-19 vaccinations, managed by Doctolib and hosted by Amazon Web Services, was sufficiently protected under the EU General Data Protection Regulation because sufficient safeguards, both legal and technical, were put in place in case of an access request from U.S. authorities. The judge thus rejected a claim filed by professional associations and unions that asked for the suspension of the service because Doctolib referred to AWS for hosting the platform. The plaintiffs unsuccessfully argued that because the processor was a company bound by U.S. law, the risk of access by U.S. authorities was incompatible with the GDPR under the "Schrems II" decision by the Court of Justice of the European Union.
*This article has been previously published on the IAPP website and shared with its members.
