Doctolib, COVID vaccination appointment and GDRP

In order to facilitate and accelerate the Covid-19 vaccination campaign, the Ministry for Solidarity and Health has entrusted the management of vaccination appointments to three different companies, among which Doctolib. Said company’s data is hosted by AWS Sarl, a subsidiary of the American company Amazon Web Services Inc. incorporated in Luxembourg. AWS is a certified “health data host” in accordance with Article L. 1111-8 of the French Public Health Code.

The data it processes is hosted in data centres located in France and Germany. The contract concluded between Doctolib and AWS does not provide for the transfer of data to the United States for technical reasons. Furthermore, Doctolib and AWS have signed an addendum to said contract on data processing, which introduces a very specific procedure to follow if any request is made by a public authority to access the data processed on behalf of Doctolib. Said procedure provides, among other things, for the rejection of any request that does not comply with European regulations. Finally, to prevent third parties from accessing data, Doctolib has also secured the data hosted by AWS through an encryption procedure carried out by a trusted third party located in France.

Despite these precautions, several associations have brought the case before the interim judge of the Conseil d’État to ask for the suspension of the partnership with Doctolib, whose health data is hosted by an American company, on the grounds that it would be incompatible with the General Data Protection Regulation (Articles 44 to 48 of the GDPR). To support their claim, they invoked both on Regulation itself and the case law of the CJEU (Grand Chamber judgment C-311/18 of 16 July 2020, Data Protection Commissioner v Facebook Ireland Ltd and Maximillian Schrems).

With regard to the GDPR, the data processed by the Doctolib platform is, according to the claimants, likely to give a precise indication of the user’s health and can therefore be considered as directly identifying information. They add that potential requests by the US government to access personal data cannot be opposed in practical way by American companies, that such access is unrestricted, indiscriminate, and not limited, and that it cannot be subject to any control or to the right to object by independent authorities. According to the claimants, said processing is therefore incompatible with Regulation (EU) No. 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data. The claimants point out that, because of its status as a subsidiary of a company incorporated in the United States, AWS could be subject to requests for access to certain health data by the American authorities, within the framework of surveillance programmes based on Section 702 of the American FISA law or on Executive Order (E.O.) 12333. To nullify the Privacy Shield, the CJEU had commented that the NSA’s activities based on E.O. 12333 are not subject to judicial oversight and are not justiciable.

The Foreign Intelligence Surveillance Act (FISA) of 25 October 1978 controlled by the United States Foreign Intelligence Surveillance Court (FISC) authorises the monitoring programmes such as PRISM or UPSTREAM, which are certified annually by the U.S. Attorney General and the Director of National Intelligence (DNI). Under the PRISM programme, Internet service providers are required to supply the NSA with all communications to and from a “selector”, some of which are also transmitted to the FBI and the Central Intelligence Agency (CIA). As regards the UPSTREAM programme, telecommunication undertakings operating the ‘backbone’ of the Internet (network of underwater cables, switches, and routers) are required to allow the NSA to copy and filter Internet traffic flows in order to acquire communications from, to or about a non-US national associated with a “selector”. These flows include both metadata and the content.

The Executive Order 12333 allows the NSA to access data ‘in transit’ to the United States, by accessing underwater cables (specially those connecting Europe to the U.S.), and to collect and retain such data before they arrive in the United States, thus bypassing the FISA control measures. Activities conducted pursuant to E.O. 12333 are not governed by statute. While under the FISA, EU citizens have avenues of redress when they have been the subject of unlawful electronic surveillance for national security purposes, this is not the case with E.O. 12333. The NSA’s activities based on E.O. 12333 are not subject to judicial oversight and are not justiciable.

The Conseil d’État finds against the claimants: “The data at stake includes personal identification data and data relating to appointments, but no health data regarding the possible medical grounds for vaccination eligibility, since the persons concerned merely certify on their honour, when making an appointment, that they fall within the scope of the vaccination priority, which is likely to concern adults of all ages with no particular medical condition. […] the level of protection of appointment data in the context of the Covid-19 vaccination campaign cannot be regarded as manifestly inadequate in the light of the risk of infringement of the General Data Protection Regulation invoked by the claimants.”