Why this French court decision has far-reaching consequences for many businesses

Written By

willy mikalef module
Willy Mikalef

Partner
France

I am a tech-friendly lawyer based in Paris, specialising in data protection, communications and satellites, with a commitment to providing business-oriented, sustainable advice.

ariane mole module
Ariane Mole

Of Counsel
France

I am Global Chair of Data Protection. Thanks to many years of experience dedicated to data protection, I can provide innovative and practical solutions to clients around the world.

On March 12, 2021, the Conseil d’Etat — France's highest administrative court — ruled that personal data on a platform used to book COVID-19 vaccinations, managed by Doctolib and hosted by Amazon Web Services, was sufficiently protected under the EU General Data Protection Regulation because sufficient safeguards, both legal and technical, were put in place in case of an access request from U.S. authorities. The judge thus rejected a claim filed by professional associations and unions that asked for the suspension of the service because Doctolib referred to AWS for hosting the platform. The plaintiffs unsuccessfully argued that because the processor was a company bound by U.S. law, the risk of access by U.S. authorities was incompatible with the GDPR under the "Schrems II" decision by the Court of Justice of the European Union.

Read more here >

*This article has been previously published on the IAPP website and shared with its members.

Latest insights

More Insights
Curiosity line pink background

An In-depth Analysis of China’s Network Data Security Regime Part III: Cross-Border Data Transfer and Platform Data Protection

Aug 14 2025

Read More
Curiosity line green background

ASIC Takes Action Against Fortnum Private Wealth Over Cybersecurity Failures

Aug 11 2025

Read More
Curiosity line teal background

China Cybersecurity and Data Protection: Monthly Update - July 2025 Issue

Aug 07 2025

Read More