France gets green light to use Amazon-hosted Doctolib for jab bookings

The lawyer representing the claimants, Juliette Alibert, regretted that an "extremely dangerous opening" had been created. [Shutterstock/Postmodern Studio]

France’s health ministry did not infringe privacy rights by integrating Amazon-hosted medical portal Doctolib into its online COVID-19 vaccination booking system, the country’s top court has ruled. EURACTIV France reports.

The Council of State ruling from Friday (12 March) follows complaints by a number of non-profit groups about the integration of Doctolib into the vaccine platform Santé.fr, given the hosting of data by US tech giant Amazon and subsidiary Amazon Web Services (AWS).

Beyond GDPR 

The court ruled the platform’s collection of health data does not fall under the remit of the  European Union’s General Data Protection Regulation (GDPR) because it did not include “health data on the possible medical grounds for eligibility for vaccination.”

Instead, “the people booking appointments via the platform certify on their honour that they fall within the vaccination priority,” meaning the details collected by the site were not considered sensitive.

France under fire for use of Amazon-hosted Doctolib for jab bookings

France’s health ministry will have to defend its decision to integrate the medical portal Doctolib, which uses Amazon’s hosting services, into its online booking system for COVID-19 vaccinations before France’s top court, EURACTIV France reports.

However, claimants say the information recorded when people make an appointment can give indications, even indirectly, on their state of health.

“We are beginning to erode the protection of health data,” said Juliette Alibert, the lawyer representing the claimants, adding that a “extremely dangerous opening” had been created.

The claimants argue that privacy risks have become even greater since the European Court of Justice invalidated the Privacy Shield agreement governing data exchanges between the EU and US last July.

The 2018 Cloud Act, which grants US police and intelligence agencies access to information stored by any company based in the US, was a further source of worry.

In an earlier ruling, the Council of State previously found that the risk of data being accessed by US authorities “cannot be totally ruled out.”

French decision to have Microsoft host Health Data Hub still attracts criticism

The French government’s decision to have Microsoft host the country’s Health Data Hub is causing outrage in the French and European digital ecosystem, it is also worrying data protection advocates. EURACTIV France reports.

An ongoing saga

Doctolib has given additional contractual guarantees and pledged complete end-to-end encryption of all health data.

However, broadcaster FranceInter reported last week that it had found a number of weaknesses in the system just last week. France’s data protection authority CNIL has also not been asked to rule on these issues despite repeated requests from the applicants.

Alibert told EURACTIV that the claimants intend to pursue the claims, without elaborating on what form this might take.

[Edited by Josie Le Blond]

Subscribe to our newsletters

Subscribe