Council of State confirms possibility of transferring data to the United States

After the French Council of State in the Doctolib case, now also the Belgian Council of State confirms the possibility to transfer personal data to the United States. This can be regarded as an important confirmation since the Schrems II judgment of the Court of Justice of the European Union ("CJEU"). We will briefly explain below.

It started with the Schrems II case

On 17 July 2020, in the Schrems II judgment, the CJEU declared the Privacy Shield invalid as a mechanism for the transfer of personal data from the EU to the United States. This had led to a lot of uncertainty and therefore the European Data Protection Board (EDPB) and the European Commission issued some initial practical recommendations and tools on 11 and 12 November 2020 respectively.

In summary, although the Privacy Shield was declared invalid, the European Commission's standard contractual clauses (SCCs) remained a valid transfer mechanism to transfer personal data to the United States, provided that sufficient additional technical and organizational measures were taken to ensure an adequate level of protection of personal data.

French Council of State: Doctolib case

In the aftermath of the Schrems II judgment, some interest groups brought a case against the French government because Doctolib, a medical portal for making a vaccination appointment (against Covid-19), used the cloud services of Amazon (in this case the Luxembourg entity) for the hosting of its appointment system. The French Council of State had to decide in this case whether the measures taken by the French authorities were sufficient to guarantee the level of protection of personal data.

On 12 March 2021, the French Council of State ruled that there was no transfer of personal data, but that there would be a risk that the U.S. authorities would gain access to the data as it was hosted by a European subsidiary of a U.S. entity. Since the Schrems II judgment, the need for additional measures in such a case must be assessed. The French Council of State ruled that the technical, organisational and legal measures taken below were sufficient to guarantee an adequate level of protection:

• It was only about appointment information and not medical records.
• The data was only kept for three months.
• Data subjects could delete the data themselves.
• Amazon had an addendum on access requests by government agencies that stated it would challenge any request by governments.
• Encryption of the data by Atos, a French service provider, with the keys not getting into Amazon's hands.

Belgian Council of State: Mobility Centre case

On 19 August 2021, the Belgian Council of State rendered a similar judgment. On 16 July 2021, the Flemish Region awarded a public contract to ViaVan Technologies ("ViaVan") for the establishment and operation of the mobility centre provided for in the basic accessibility decree. Competitors of ViaVan ("Applicants") lodged a suspension appeal against this award decision.

As ViaVan is a subsidiary of a United States entity, the applicants argued that there is a transfer of personal data to the United States and claimed that no additional measure was conceivable which could remedy the inadequate level of protection in the United States.

However, on 19 August 2021, the Council of State rejected the applicants' plea that there was no valid data transfer mechanism. The Council of State referred to the Schrems II judgment to state that the standard contractual clauses are still valid, subject to additional measures if required to ensure an adequate level of protection. The Council of State concluded that the case file showed that ViaVan provided a comprehensive set of safeguards. It can be deduced from the judgment that it involved at least full encryption before the data were placed with the service provider, and that the encryption keys were kept in-house. Since confidential documents were submitted, the Council of State did not explain which extensive set of safeguards was involved.

Concluding remarks

The question is whether the debate on the transfer of personal data has been settled by the rulings of the French and Belgian Councils of State. Probably not.

• What we do know is (1) that if the government chooses to award the contract to a (subsidiary of a) U.S. entity, this does not necessarily mean that the award decision should be suspended and (2) that full encryption before the data is placed with the service provider and the encryption keys are kept in-house may be one of the possible safeguards.
• What we do not know is whether the Belgian Data Protection Authority (BDPA) and the Market Court would rule in the same way as the Council of State on the guarantees taken. Indeed, it is not excluded that at a later stage a complaint will be filed against this processing and that the BDPA will have to rule on the concrete guarantees in question.

Useful resources:

• The EDPB adopted on 21 June 2021 the final version of the recommendation01/2020 on additional technical and organizational measures.
• On 10 November 2020, the EDPB published Recommendation 02/2020 on European Essential Safeguards for Surveillance Measures.
• The judgment of the French Council of State in the Doctolib case.
• The judgment of the Belgian Council of State in the Mobility Centre case.

Do you have a specific question or would you like support in this matter? We are happy to help. In that case, please contact a Timelex attorney.