Last week in Privacy (Week 41)

CNIL tells French court that Microsoft should stop hosting the French health data


On October 5th 2020, an application for an interim relief was filed with the French Council of State (“Conceil d’Etat”) against the Microsoft hosted French Health Data Hub. In a memo dated on 8th of October 2020, CNIL provides the Conceil d’Etat with interesting observations:


US law, due to Section 702 of the Foreign Intelligence Surveillance Act (“FISA”) and the Executive Order 12333, does not provide an adequate level of data protection. Any recipient, such as Microsoft, will find implementing safeguards against the requests from US Intelligence authorities under these laws, difficult. Even if the recipient would not directly be subject to these laws, the data can still be subject to surveillance laws during transit to the recipient.


While the Health Data Hub has signed contractual amendments with Microsoft to limit transfers of personal data to the US, CNIL still finds it difficult to conclude with certainty that personal data will not be transferred. CNIL argues that Microsoft may still be legally obliged to provide the US intelligence authorities with data under the FISA and EO 12333 as they apply to data stored outside the territory of the United States. The agreement between the Health Data Hub and Microsoft also states that “Microsoft will not disclose or give access to any data processed to authorities, except if required by law”.


CNIL concludes that this situation should lead to a change of hosting provider of the Health Data Hub and other health data warehouses that are hosted by companies subject to US laws.


See CNIL’s memo here.


Amazon sued in Germany for unlawful data transfers to the US


In its press release, the Europäische Gesellschaft für Datenschutz (“EuGD”) tells its suing Amazon for unlawfully transferring personal data to the US under the recently invalidated transfer mechanism Privacy Shield and disregarding data subject’s request under the Article 15 of the GDPR.


This is yet another lawsuit where the data protection supervisory authority have been bypassed due to ‘slow processing time of complaints’. Thomas Bindl, the founder of EuGD had told the Politico that they had decided to go directly to court rather than file a complaint with the data protection supervisory authority as it takes too long with the regulators to handle complaints.


See Politico’s original article here.

See the EuGD’s press release here.


CJEU finds that even the EU ‘mass surveillance regimes’ must respect privacy


The Court of Justice of the European Union (“CJEU”) issued its judgement in case C-623/17 (Privacy International) and in joined cases C-511/18 (La Quadrature du Net and Others), C-512/18 (French Data Network and others) and C-520/18 (Ordre des barreaux francophones et germanophone and Others).


The CJEU confirms that the directive on privacy and electronic communications (“ePrivacy Directive”) does not authorise Member States to adopt, for the purposes of national security, legislative measures intended to restrict the scope of rights and obligations provided for in that directive, in particular the obligation to ensure the confidentiality of communications and traffic data, unless such measures comply with the general principles of EU law, including the principle of proportionality and the fundamental rights granted in the EU Charter of Fundamental Rights (“Charter”).


In the Privacy International case, the CJEU held that ePrivacy Directive read in the light of the Charter, percales national legislation requiring providers of electronic communications services to carry out the general and indiscriminate transmission of traffic and location data to the security and intelligence agencies for the purpose of safeguarding national security.


In the joined cases La Quadrature du Net and Others and Ordre des barreaux francophones et germanophone and Others the CJEU held that the ePrivacy Directive precludes national measures requiring providers of electronic communications services to carry out general and indiscriminate retention of traffic and location data as a preventative measure as it would constitute particularly serious interferences with the fundamental rights granted in the Charter.


See the CJEU's press release here.