France’s health ministry will have to defend its decision to integrate the medical portal Doctolib, which uses Amazon’s hosting services, into its online booking system for COVID-19 vaccinations before France’s top court, EURACTIV France reports.
Last week, several collectives and associations of health professionals filed a request for summary proceedings for “serious and manifestly illegal infringement of personal data protection rights,” according to information confirmed to EURACTIV.
At a hearing before the Council of State on 8 March, the French health ministry will have to defend its use of Doctolib‘s services for its Sante.fr website. The Franco-German company delegates the hosting of its data to US tech giant Amazon and its subsidiary Amazon Web Services (AWS).
The claimants say using a service hosted by Amazon, which has a parent company located on American soil, may place it beyond the remit of European laws on the protection of private data.
Of particular concern is the 2018 US Cloud Act, which grants US police and intelligence agencies access to information stored on the servers of telecommunications operators and providers of cloud-based services both in the US and abroad.
The French Council of State has previously said the risk of data being accessed “cannot be ruled out altogether” after the French data watchdog CNIL called on the government to find an alternative solution to the hosting of health data on the Health Data Hub (HDH) by US firm Microsoft.
According to a 2020 ruling by the EU Court of Justice, known as the Schrems II ruling, the legislation currently in force in the US does not provide an adequate level of protection for Europeans data passing through the country.
“The idea is to create jurisprudence following the Schrems II judgement,” the lawyer who will represent the claimants, Juliette Alibert, told EURACTIV.
“The fight against COVID-19 is important, but it cannot be fought at all costs,” Alibert said, adding that the claimants are concerned with the proper protection of highly sensitive health data during the health emergency.
Doctolib is not the only company that the French state has partnered with to set up appointments for COVID-19 vaccinations online. The French companies Maiia and Keldoc are also involved, although Doctolib is taking the largest share.
Contacted by EURACTIV, Doctolib emphasised that “AWS complies with all French and European regulations,” including the General Data Protection Regulation (GDPR) and that additional measures have been taken to protect the data, including a French host of encryption and decryption keys on French soil.
The French Council of State is scheduled to hear the case on 8 March. The claimants are hoping to persuade the judge the partnership with Doctolib poses a serious and imminent infringement of fundamental freedoms and request its immediate suspension.
[Edited by Josie Le Blond]