Marie CITRINI in her capacity as user representative on the AP-HP Supervisory Board – Court Ruling (France, 2021)

In the emergency context of COVID-19 vaccination, the Ministry of Solidarity and Health entrusted the management of vaccine appointments on the Internet to various service providers, including the company Doctolib. Several associations including Interhop asked the interim relief judge to suspend the partnership with the Doctolib company insofar as the data collected was stored on an American company (Amazon Web Services or AWS), transfering data outside the EU non compliant with the GDPR. *Does Doctolib provide an adequate level of data protection when using Amazon Web Services? *Has the state sufficiently fulfilled its duty of care for the health data of the data subjects? It was held that no health data was provided other than certifying being eligible for priority vaccination. Additionally, it was considered by the Court the fact that Doctolib using the hosting services of AWS Luxembourg, whose data centres are based in France and in Germany. Considering the existence of legal safeguards, an addendum to AWS Ireland contract that no data would be transferred to the US and requests of access would be denied, and a technical safeguards entailing encryption of the data with a key held by a trusted third party in France, so that AWS does not have access to the data and the data being deleted after three months or at any time at the request of individuals, the Court considered that the level of protection in this context could not be regarded as manifestly inadequate. The Court therefore considered that in this specific context, data are not being transferred to the US. The application is therefore rejected by the Conseil d'État.