A recent decision of the Belgian Council of State shines a first light on the enforcement of the Schrems II ruling of the European Court of Justice (“ECJ”) in Belgium.
The Schrems II ruling of July 2020 severely increased the burden for data exporters transferring personal data to countries outside the European Economic Area, as we already discussed here. The decision leaves open the door for transfers to the U.S. and follows the line of reasoning already established by the French Council of State in March 2021.
The facts - transfer of personal data to the U.S.
The Council of State decision of 19 August 2021 constitutes a first indication of how the Schrems II ruling will be enforced. The decision relates to the award of a public contract to ViaVan Technologies BV (“ViaVan”) by the Flemish government. ViaVan is a Dutch company specialized in public mobility services. Particularly relevant is that ViaVan is fully owned by a U.S. company. Through its U.S. parent, ViaVan relies on Amazon Warehousing Services (“AWS”) to process its personal data. As a result of the public contract, ViaVan would run a digital mobility centre for the Flemish government, thereby processing personal data of individuals using the centre.
Two competitors of ViaVan sought the suspension of the award of the public contract to ViaVan. The applicants’ grounds for the appeal were primarily based on the applicable rules on international data transfers following Schrems II. The applicants argued that the Flemish government, as data controller, would transfer personal data to the U.S. via ViaVan’s parent company, which would ultimately be processed by AWS in the U.S. In doing so, the transferred personal data could be subject to the U.S. FISA-legislation allowing public authorities to access data from U.S. companies. The applicants concluded that as a consequence of Schrems II, data exporters could no longer rely on standard contractual clauses as a mechanism to transfer personal data to the U.S. In addition, the applicants referred to the advice of the Flemish Supervisory Commission (Vlaamse Toezichtscommissie – VTC) of 8 September 2020, which adopted a stringent position towards the remaining possibility of relying on U.S. cloud service providers such as AWS.
The Council of State leaves door open for transfers to U.S.
In its considerations, the Council of State refused the applicants’ arguments by stating that the Schrems II ruling does not exclude standard contractual clauses from being a mechanism providing sufficient safeguards for transfers to the U.S. In doing so, the Council of State refuses to accept the automatic illegality of personal data transfers to the U.S. The Council does note that, as a result of the Schrems II decision, supplementary measures are required to mitigate the lack of protection of personal data under U.S. surveillance laws. In the case of ViaVan, the Council argued that sufficient measures were implemented without considering what precise measures the Flemish government and Viavan undertook.
Interestingly, the Council of State specifies that the scope of the Flemish Supervisory Commission advice on cloud service providers should be interpreted restrictively, as it only applies to the specific use cases described in the advice. Such use cases only relate to the processing of personal data related to education and schools.
Similar enforcement abroad: the French Doctolib case
The French Council of State was confronted with similar factual circumstances in the Doctolib case, already in March 2021. The French government awarded a public contract to Doctolib for the provision of a medical portal for processing vaccination appointment data. Similar to ViaVan, Doctolib relied on sub-processor AWS by virtue of a sub-processing agreement with Amazon Luxembourg. The plaintiffs argued that the hosting of health data by a company potentially subject to U.S. surveillance laws violated the provisions of the GDPR pursuant the Schrems II case law.
While the Council of State acknowledged that a transfer to Luxembourg did not constitute a transfer to a third country, it did confirm there was a risk of U.S. public authorities accessing the personal data through the Luxembourg AWS subsidiary. Yet, it dismissed the complaint, arguing sufficient measures were taken to ensure a sufficient level of protection. As opposed to the Belgian Council of State, the French Council did provide details on which measures it deems adequate to mitigate the risks. These among others included:
- The contractual commitment from AWS Luxembourg to challenge any access requests it would receive;
- The encryption of the personal data, whereby the key to de-encrypt is held by trusted third party Atos;
- The short data retention period of three months;
- The fact that the personal data did not qualify as a special category of personal data (i.e. health data), since it merely related to the identification of individuals for the purpose of vaccination appointments.
What do we learn from these first cases?
First and foremost, both cases confirm the remaining options for organizations to transfer personal data to organizations located in the U.S. The Schrems II ruling cannot be interpreted as a per se prohibition on transfers to the U.S., or to European subsidiaries of U.S. companies for that matter.
Yet, the consideration of supplementary measures is key. In particular, as a result of the Doctolib case, it appears that organizations should implement such measures even when personal data is stored within the EU by an EU subsidiary of an U.S. company. Encryption through a trusted third party can be a solution to be examined for many organizations, yet will not be feasible if the data importer requires the personal data “in the clear”.
We happily assist in examining your options to comply with the governing rules on international data transfers.
Written by Jan Joos and Erik Valgaeren