Why this French court decision has far-reaching consequences for many businesses

Published

Mar 16 2021

Written By

I am a tech-friendly lawyer based in Paris, specialising in data protection, communications and satellites, with a commitment to providing business-oriented, sustainable advice.

Ariane Mole

Of Counsel
France

I am Global Chair of Data Protection. Thanks to many years of experience dedicated to data protection, I can provide innovative and practical solutions to clients around the world.

Practices

Privacy and Data Protection

Regions

Western Europe

On March 12, 2021, the Conseil d’Etat — France's highest administrative court — ruled that personal data on a platform used to book COVID-19 vaccinations, managed by Doctolib and hosted by Amazon Web Services, was sufficiently protected under the EU General Data Protection Regulation because sufficient safeguards, both legal and technical, were put in place in case of an access request from U.S. authorities. The judge thus rejected a claim filed by professional associations and unions that asked for the suspension of the service because Doctolib referred to AWS for hosting the platform. The plaintiffs unsuccessfully argued that because the processor was a company bound by U.S. law, the risk of access by U.S. authorities was incompatible with the GDPR under the "Schrems II" decision by the Court of Justice of the European Union.