Following the French Council of State in the Doctolib case, the Belgian Council of State has now also confirmed that it is possible to transfer personal data to the United States. This is an important confirmation in the wake of the Schrems II judgment of the Court of Justice of the European Union ("CJEU"). We briefly explain below.
On 17 July 2020, in the Schrems II judgment, the CJEU declared the Privacy Shield invalid as a mechanism for the transfer of personal data from the EU to the United States. This led to a lot of uncertainty, and the European Data Protection Board (EDPB) and the European Commission therefore issued some initial practical recommendations and tools on 11 and 12 November 2020 respectively.
In summary, although the Privacy Shield was declared invalid, the European Commission's standard contractual clauses (SCCs) remained a valid mechanism for transferring personal data to the United States, provided that sufficient additional technical and organizational measures were taken to ensure an adequate level of protection of personal data.
In the aftermath of the Schrems II judgment, some interest groups brought a case against the French government because Doctolib, a medical portal for booking Covid-19 vaccination appointments, used the cloud services of Amazon (in this case the Luxembourg entity) to host its appointment system. The French Council of State had to decide in this case whether the measures taken by the French authorities were sufficient to guarantee the level of protection of personal data.
On 12 March 2021, the French Council of State ruled that there was no transfer of personal data, but that there would be a risk that the U.S. authorities would gain access to the data as it was hosted by a European subsidiary of a U.S. entity. Since the Schrems II judgment, the need for additional measures in such a case must be assessed. The French Council of State ruled that the technical, organisational and legal measures taken below were sufficient to guarantee an adequate level of protection:
On 19 August 2021, the Belgian Council of State rendered a similar judgment. On 16 July 2021, the Flemish Region awarded a public contract to ViaVan Technologies ("ViaVan") for the establishment and operation of the mobility centre provided for in the basic accessibility decree. Competitors of ViaVan ("Applicants") lodged a suspension appeal against this award decision.
As ViaVan is a subsidiary of a United States entity, the applicants argued that there is a transfer of personal data to the United States and claimed that no additional measure was conceivable which could remedy the inadequate level of protection in the United States.
However, on 19 August 2021, the Council of State rejected the applicants' plea that there was no valid data transfer mechanism. The Council of State referred to the Schrems II judgment to state that the standard contractual clauses are still valid, subject to additional measures if required to ensure an adequate level of protection. The Council of State concluded that the case file showed that ViaVan provided a comprehensive set of safeguards. It can be deduced from the judgment that these included at least full encryption of the data before they were placed with the service provider, with the encryption keys kept in-house. Since confidential documents were submitted, the Council of State did not explain what this extensive set of safeguards consisted of.
The question is whether the debate on the transfer of personal data has been settled by the rulings of the French and Belgian Councils of State. Probably not.
Do you have a specific question or would you like support in this matter? We are happy to help. Please contact a Timelex attorney.