France’s health ministry did not infringe privacy rights by integrating Amazon-hosted medical portal Doctolib into its online COVID-19 vaccination booking system, the country’s top court has ruled. EURACTIV France reports.
The Council of State ruling from Friday (12 March) follows complaints by a number of non-profit groups about the integration of Doctolib into the vaccine platform Santé.fr, given the hosting of data by US tech giant Amazon and subsidiary Amazon Web Services (AWS).
The court ruled the platform’s collection of health data does not fall under the remit of the European Union’s General Data Protection Regulation (GDPR) because it did not include “health data on the possible medical grounds for eligibility for vaccination.”
Instead, “the people booking appointments via the platform certify on their honour that they fall within the vaccination priority,” meaning the details collected by the site were not considered sensitive.
However, claimants say the information recorded when people make an appointment can give indications, even indirectly, on their state of health.
“We are beginning to erode the protection of health data,” said Juliette Alibert, the lawyer representing the claimants, adding that a “extremely dangerous opening” had been created.
The claimants argue that privacy risks have become even greater since the European Court of Justice invalidated the Privacy Shield agreement governing data exchanges between the EU and US last July.
The 2018 Cloud Act, which grants US police and intelligence agencies access to information stored by any company based in the US, was a further source of worry.
In an earlier ruling, the Council of State previously found that the risk of data being accessed by US authorities “cannot be totally ruled out.”
An ongoing saga
Doctolib has given additional contractual guarantees and pledged complete end-to-end encryption of all health data.
However, broadcaster FranceInter reported last week that it had found a number of weaknesses in the system just last week. France’s data protection authority CNIL has also not been asked to rule on these issues despite repeated requests from the applicants.
Alibert told EURACTIV that the claimants intend to pursue the claims, without elaborating on what form this might take.
[Edited by Josie Le Blond]