For the first time in Europe, a case relating to the "Schrems II" ruling was brought before a higher court, namely the Conseil d’État (French Supreme Administrative Court). Remarkably, the French data protection authority originally had a different view on the case compared to that of the court itself. This creates legal uncertainty across Europe about the scope of the Schrems II ruling.
In September 2020, various associations, trade unions and individual plaintiffs have requested to the summary proceedings judge of the French Conseil d’État to suspend the processing of health data through the centralised French health data platform called Health Data Hub (HDH). The platform is a public body established in November 2019 by the French Government to facilitate the exchange of all health data of people receiving medical care in France for research purposes.
The concerns related to a contract signed in April 2020 between HDH and Microsoft’s Irish subsidiary for the hosting of health data in data centres in the European Union. However, despite Microsoft and HDH agreed that health data would not be transferred to countries outside the EU, the plaintiffs feared that hosting data by a company which is subject to US laws would threaten data protection risks due to the possible monitoring by US national surveillance laws (as was outlined and highlighted in the Schrems II ruling).
Legal discussions and decision
As part of the court proceedings, the French data protection authority (CNIL) commented on the case too. It argued that, notwithstanding all technical and organisational measures, Microsoft could still be able to access all the data it processes on behalf of HDH. Hence it could, in theory, still be subject to requests by US intelligence services – which would justify an application of Schrems II and a suspension of the procession of health data.
In contrast to the statement of the CNIL, the Conseil d’État considered that the contract between HDH and Microsoft for the exclusive processing of health data was sufficient. Even though, it acknowledged that there was a residual risk of transfer to the US authorities indeed, it argued, however, that the Schrems II ruling related only to personal data effectively transferred to the US. Thus, contrary to the CNIL’s argumentation, the Conseil d’État denied the application of the Schrems II ruling on the case.
Consequences for European and Swiss companies
The different opinions of the court and the data protection authority exemplarily show that authorities – so far – hardly agree on a common position on the scope of the Schrems II ruling. It remains unclear whether courts in other EU member states might interpret it differently and thus follow CNIL's view. Unfortunately, the French court decision creates more questions than it answers. For example, it is now even unclear whether the sole theoretical possibility of data access by US intelligence services could contradict Schrems II – and would therefore be forbidden.
Swiss and European companies are advised to monitor the developments: Firstly, measures should be taken if courts in other states should decide in a different way. Secondly, safeguards should be implemented to prevent access by US intelligence services as far as possible. Thirdly, as a last resort, it is advisable to consider switching to European providers for the hosting and other processing activities of personal data.
The developments show that the jurisdiction on Schrems II may change in completely opposite directions within various EU member states. Both, Swiss and international companies are therefore well advised to monitor the situation and inherent risks closely and to take mitigation measures.