Associations and trade unions asked the Conseil d'État’s urgent applications judge to suspend the partnership between the Ministry of Health and Doctolib, arguing that the hosting of vaccination appointment data by the subsidiary of an American company posed risks with regard to access requests by the American authorities. The Conseil d'État’s urgent applications judge rejected this request on the grounds that the data collected during vaccination appointments did not include health data about the medical reasons for vaccination eligibility and that safeguards had been put in place to deal with a possible request for access by the American authorities.
As part of the COVID-19 vaccination campaign, the French Ministry of Solidarity and Health has entrusted the management of vaccination appointments over the Internet to various service providers, including the company Doctolib. For the purposes of hosting its data, Doctolib uses the company AWS Sarl, which is a subsidiary of the American company Amazon Web Services Inc.
Associations and trade unions in the health sector asked the Conseil d'État’s urgent applications judge to suspend the partnership between the Ministry of Health and Doctolib. They considered that the hosting of Doctolib's data by the subsidiary of an American company posed risks with regard to access requests by the American authorities.
This challenge follows the "Schrems II" judgment of the Court of Justice of the European Union (CJEU)¹, which ruled that the protection of data transferred to the United States by the "Privacy Shield" was insufficient under European law.
In order to meet the requirements of this ruling, the Conseil d'État’s urgent applications judge therefore verified the level of protection provided during data processing, taking into account the nature of the data in question, the provisions of the contract concluded between Doctolib and AWS Sarl, and the law applicable to this company.
The data collected within the framework of vaccination appointments do not include information on the medical reasons for vaccination eligibility
The Conseil d'État’s urgent applications judge first observed that the data transmitted to Doctolib as part of the vaccination campaign did not include health data on the medical grounds for vaccination eligibility, but only concerned the identification of individuals and the making of appointments. This data is deleted at the latest three months after the date of the appointment, and the data subjects can also delete it directly online.
The urgent applications judge then observed that the contract concluded between Doctolib and AWS Sarl lays down a specific procedure for access requests by a foreign authority, under which any request that does not comply with European regulations is to be contested. Doctolib has also set up a security measure for the data hosted by AWS Sarl, based on a trusted third party located in France, in order to prevent third parties from reading the data.
Under these conditions, the Conseil d'État’s urgent applications judge found that the level of protection of the data concerned was not manifestly insufficient in light of the risk invoked by the applicant associations and trade unions, and given the nature of the data in question. The judge therefore rejected the request of the applicant associations and trade unions.
¹ CJEU, 16 July 2020, Data Protection Commissioner v Facebook Ireland Ltd, Maximillian Schrems, case C-311/18 (press release no. 91/20).