France under fire for use of Amazon-hosted Doctolib for jab bookings

France’s health ministry will have to defend its decision to integrate the medical portal Doctolib, which uses Amazon’s hosting services, into its online booking system for COVID-19 vaccinations before France’s top court, EURACTIV France reports.

Last week, several collectives and associations of health professionals filed a request for summary proceedings for “serious and manifestly illegal infringement of personal data protection rights,” according to information confirmed to EURACTIV.

At a hearing before the Council of State on 8 March, the French health ministry will have to defend its use of Doctolib's services for its Sante.fr website. The Franco-German company delegates the hosting of its data to US tech giant Amazon and its subsidiary Amazon Web Services (AWS).

The claimants say that using a service hosted by Amazon, which has a parent company located on American soil, may place it beyond the remit of European laws on the protection of private data.

Of particular concern is the 2018 US Cloud Act, which grants US police and intelligence agencies access to information stored on the servers of telecommunications operators and providers of cloud-based services both in the US and abroad.

The French Council of State has previously said the risk of data being accessed “cannot be ruled out altogether” after the French data watchdog CNIL called on the government to find an alternative solution to the hosting of health data on the Health Data Hub (HDH) by US firm Microsoft.

According to a 2020 ruling by the EU Court of Justice, known as the Schrems II ruling, the legislation currently in force in the US does not provide an adequate level of protection for Europeans' data passing through the country.

“The idea is to create jurisprudence following the Schrems II judgement,” the lawyer who will represent the claimants, Juliette Alibert, told EURACTIV.

“The fight against COVID-19 is important, but it cannot be fought at all costs,” Alibert said, adding that the claimants are concerned with the proper protection of highly sensitive health data during the health emergency.

Doctolib is not the only company that the French state has partnered with to set up appointments for COVID-19 vaccinations online. The French companies Maiia and Keldoc are also involved, although Doctolib is taking the largest share.

Contacted by EURACTIV, Doctolib emphasised that “AWS complies with all French and European regulations,” including the General Data Protection Regulation (GDPR), and that additional measures have been taken to protect the data, including having the encryption and decryption keys held by a French host on French soil.

The French Council of State is scheduled to hear the case on 8 March. The claimants are hoping to persuade the judge that the partnership with Doctolib poses a serious and imminent infringement of fundamental freedoms, and are requesting its immediate suspension.

[Edited by Josie Le Blond]
