News
Encrypt data and hold keys allows Cross Border transfer under GDPR
June 2021 by Ulf Mattsson, Chief Security Strategist at Protegrity
On March 12, 2021, the Conseil d’Etat — France’s highest administrative court — ruled that personal data on a platform used to book COVID-19 vaccinations, managed by Doctolib and hosted by Amazon Web Services, was sufficiently protected under the EU General Data Protection Regulation because sufficient safeguards, both legal and technical, were put in place in case of an access request from U.S. authorities.
Background
The hosting of health data by a company bound by U.S. law was incompatible with the GDPR under "Schrems II" and violated the provisions of the GDPR, due on the one hand, to the possibility of a transfer to the U.S. of the data collected by Doctolib through its processor, and on the other hand, even in the absence of data transfer, to the risk of access requests by U.S. authorities to the processor, AWS. AWS Sarl, is a Luxembourg registered company.
The level of protection offered was sufficient due to the many safeguards
The court noted for the purposes of hosting its data, Doctolib uses the services of the Luxemburg company AWS Sarl, the data is hosted in data centers located in France and in Germany, and the contract concluded between Doctolib and AWS Sarl does not provide for the transfer of data to the U.S. However, because it is a subsidiary of a company under U.S. law, the court considered AWS Sarl in Luxemburg may be subject to access requests by U.S. authorities in the framework of U.S. monitoring programs based on Article 702 of the Foreign Intelligence Surveillance Act or Executive Order 12333.
• Legal safeguards: AWS Sarl guarantees in its contract with Doctolib, a French company, that it will challenge any general access request from a public authority.
• Technical safeguards: Technically the data hosted by AWS Sarl is encrypted. The key is held by a trusted third party in France, not by AWS.
• Other guarantees taken: No health data. The data hosted relates only to the identification of individuals for the purpose of making appointments. Data is deleted after three months.
Companies should consider implementing “additional safeguards” for transfer of personal data:
Cloudflare insufficient to protect the data
In April 2021, the Portuguese DPA ordered a public authority to suspend all transfers of personal data to the U.S. and other third countries. Portugal’s National Institute of Statistics (INE) gathers data from Portuguese residents and transfers it to Cloudflare in the U.S. Cloudflare were insufficient to protect the data (which included religious and health data), and the parties did not implement any supplementary measures to provide adequate protection for the data. They need to suspend the transfer of data to the U.S. or any other third country without first establishing adequate protection for the data.
Mailchimp failed supplementary measures
In March 2021, the Bavarian DPA found there was an unlawful transfer of personal data from a German controller to the e-mail marketing service Mailchimp in the U.S. The Bavarian DPA found that the controller failed to assess whether any supplementary measures were needed in relation to the transfer of personal data to Mailchimp.
