By order of 12 March 2021, the Conseil d’Etat (the French supreme administrative court) dismissed an application by several associations, including the Syndicat de la Médecine Générale (SMG) and the Ligue des Droits de l’Homme (Human Rights League), asking its interim relief judge to order the suspension of the partnership between the Ministry of Health and the company Doctolib in the plan to accelerate vaccination against COVID-19, on the ground that Doctolib’s online appointment booking system involved hosting health data with an American company (AWS).
According to the applicants, using this provider was contrary to the General Data Protection Regulation (GDPR) following the CJEU’s Schrems II decision, which invalidated the Privacy Shield and, in effect, made transfers of personal data to the US unlawful unless supplementary measures were taken.
The Conseil d’Etat dismissed the application, holding (i) that booking an appointment online did not involve processing health data on the possible medical grounds for eligibility for vaccination, and (ii) that Doctolib had taken sufficient measures to ensure GDPR compliance in the context of this transfer.
This decision is notable insofar as the Conseil d’Etat takes a position both on the risk attached to online appointment data and on the supplementary measures to adopt when an organisation transfers data to the United States, or to any third country whose laws undermine the guarantees offered by the data transfer tools (BCRs, standard contractual clauses, etc.).
However, it is important to remember that, in these interim relief proceedings, the Conseil d’Etat could only grant the application if the applicants showed a serious and manifestly unlawful infringement. If the same case were judged on the merits, the outcome might well be different.
1. Is the data relating to the booking of an appointment for vaccination health data?
According to the decision, an appointment involves only the processing of the following data:
- personal identification data;
- data relating to the appointment; and
- a sworn statement (attestation sur l’honneur) that the person falls within a vaccination priority group, which may cover adults of all ages without any particular medical reason.
According to the Conseil d’Etat, making an appointment did not involve processing health data on the possible medical grounds for eligibility for vaccination. It did not, however, say whether the appointment data constitute health data in themselves.
Under the GDPR (Article 4(15)), “data concerning health” means personal data related to the physical or mental health of a natural person, including the provision of health care services, which reveal information about his or her health status.
Thus, the French court appears not to have wanted to take a position on the nature of appointment data, focusing instead on the level of risk involved in processing each type of data.
It probably considered, in the context of these summary proceedings, that the risks were lower because the detailed health reasons were not revealed.
In any case, concluding from this decision that appointment-scheduling data fall outside the category of health data would be a dangerous shortcut in the context of the vaccination campaign.
Indeed, the fact that an individual was vaccinated against COVID-19 on a specific date reveals information about his or her state of health: it discloses the person’s vaccination status and the date from which that protection can be expected. The position of the Conseil d’Etat will therefore certainly need to be clarified in the future.
2. The measures taken by Doctolib are not manifestly insufficient with regard to the risk of violation of the GDPR concerning transfers to the United States
Perhaps the most interesting point of this decision is the position of the Conseil d’Etat on the measures taken by Doctolib to ensure the lawfulness of data transfers to the United States.
In Schrems II, the CJEU invalidated the Privacy Shield but did not specify the supplementary measures needed to comply with the GDPR when an organisation wishes to transfer data to the United States on the basis of the Standard Contractual Clauses. It left this delicate task to the data protection authorities, which, through the European Data Protection Board, published recommendations a few months ago.
The high administrative court noted that:
- ‘The data relating to the appointment is deleted by default at the end of a period of three months from the date of the appointment, and each person concerned can delete it directly online;
- Doctolib and AWS have concluded an additional data processing addendum setting out a precise procedure in the event of a request by a public authority for access to data processed on behalf of Doctolib, providing in particular for the contestation of any request that is general or does not comply with European regulations;
- Doctolib has also put in place a security system for the data hosted by AWS, through an encryption procedure based on a trusted third party located in France, in order to prevent the data from being read by third parties.’
Thus, according to the Conseil d’Etat, the level of protection of the data for making appointments in the context of the vaccination campaign against Covid-19:
- cannot be regarded as manifestly inadequate in the light of the risk of infringement of the GDPR raised by the applicants;
- does not constitute a serious and manifestly unlawful interference with the right to respect for private life and the right to protection of personal data.
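The decision describes the three measures only at the level of the extract quoted above; it does not disclose how Doctolib or AWS actually implemented them. The following Python is an added illustration, not code from either company, of one common reading of “an encryption procedure based on a trusted third party”: the application encrypts each record before it reaches the host, the per-record key is wrapped by a key custodian that the host is not allowed to call, every unwrap attempt is logged, and records are purged after a default retention period. The class names, the hypothetical `booking-app` and `hosting-provider` identities, the 90-day retention constant, the constructed sample appointment and the stdlib-only HMAC-based toy cipher are all assumptions of this example.

```python
import hashlib
import hmac
import json
import secrets
from datetime import date, timedelta

def _subkey(key: bytes, label: bytes) -> bytes:
    return hmac.new(key, label, hashlib.sha256).digest()

def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    # HMAC-SHA256 in counter mode: a stdlib-only stand-in for a real stream cipher.
    out, counter = b"", 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(8, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]

def seal(key: bytes, plaintext: bytes, aad: bytes = b"") -> bytes:
    # Encrypt-then-MAC with distinct enc/mac subkeys. Toy construction for illustration;
    # production code should use AES-GCM or ChaCha20-Poly1305 from a vetted library.
    nonce = secrets.token_bytes(16)
    stream = _keystream(_subkey(key, b"enc"), nonce, len(plaintext))
    ct = bytes(p ^ k for p, k in zip(plaintext, stream))
    tag = hmac.new(_subkey(key, b"mac"), nonce + aad + ct, hashlib.sha256).digest()
    return nonce + ct + tag

def unseal(key: bytes, blob: bytes, aad: bytes = b"") -> bytes:
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(_subkey(key, b"mac"), nonce + aad + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("authentication failed: ciphertext or wrapped key was altered")
    return bytes(c ^ k for c, k in zip(ct, _keystream(_subkey(key, b"enc"), nonce, len(ct))))

class KeyCustodian:
    # Hypothetical key-holding third party: keeps the key-encryption key, wraps/unwraps
    # per-record keys only for registered callers, logs every attempt. The host is never registered.
    def __init__(self, authorised: set):
        self._kek = secrets.token_bytes(32)
        self._authorised = authorised
        self.audit = []  # (caller, record_id, allowed)

    def wrap(self, dek: bytes, record_id: str) -> bytes:
        return seal(self._kek, dek, aad=record_id.encode())

    def unwrap(self, wrapped: bytes, record_id: str, caller: str) -> bytes:
        allowed = caller in self._authorised
        self.audit.append((caller, record_id, allowed))
        if not allowed:
            raise PermissionError(f"{caller} may not unwrap keys")
        return unseal(self._kek, wrapped, aad=record_id.encode())

class BookingService:
    # Hypothetical application. `host` models the cloud store: it only ever holds ciphertext,
    # the wrapped per-record key and the appointment date needed for retention.
    NAME = "booking-app"
    RETENTION = timedelta(days=90)  # assumed stand-in for the three-month default deletion

    def __init__(self, host: dict, custodian: KeyCustodian):
        self.host, self.custodian = host, custodian

    def create(self, record_id: str, appointment: dict) -> None:
        dek = secrets.token_bytes(32)  # fresh data-encryption key per record
        payload = json.dumps(appointment, sort_keys=True).encode()
        self.host[record_id] = {
            "blob": seal(dek, payload, aad=record_id.encode()),
            "wrapped_dek": self.custodian.wrap(dek, record_id),
            "date": date.fromisoformat(appointment["date"]),
        }

    def read(self, record_id: str, caller: str = NAME) -> dict:
        rec = self.host[record_id]
        dek = self.custodian.unwrap(rec["wrapped_dek"], record_id, caller)
        return json.loads(unseal(dek, rec["blob"], aad=record_id.encode()))

    def purge_expired(self, today: date) -> list:
        expired = [rid for rid, r in self.host.items() if today - r["date"] >= self.RETENTION]
        for rid in expired:
            del self.host[rid]
        return expired

def demo() -> dict:
    # Constructed sample appointment; the name is fictitious.
    rec = {"name": "A. Example", "date": "2021-03-15", "slot": "09:40", "priority_attestation": True}
    host, custodian = {}, KeyCustodian(authorised={BookingService.NAME})
    app = BookingService(host, custodian)
    app.create("rdv-1", rec)
    try:  # the host itself asking the custodian for a key is refused and logged
        app.read("rdv-1", caller="hosting-provider")
        provider_can_unwrap = True
    except PermissionError:
        provider_can_unwrap = False
    return {
        "roundtrip_ok": app.read("rdv-1") == rec,
        "plaintext_visible_to_host": json.dumps(rec, sort_keys=True).encode() in host["rdv-1"]["blob"],
        "provider_can_unwrap": provider_can_unwrap,
        "audit": list(custodian.audit),
        "purged_on_2021_06_15": app.purge_expired(date(2021, 6, 15)),
    }
```

Calling `demo()` exercises the three measures in the extract as this model reads them: the host’s store never contains the plaintext, a request by the host to unwrap a key is refused and leaves a trace in the custodian’s audit log (the technical counterpart of a contractual procedure for contesting access requests), and the record disappears once the retention period has run. In a real deployment the custodian would hold its key in an HSM or KMS under its own control and the application would use a vetted AEAD rather than this HMAC-based stand-in.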
In conclusion, although this is not a definitive validation of these measures, since the French court only answered the question of whether the infringement was serious and manifestly unlawful, the decision nonetheless provides some legal certainty to organisations transferring personal data to the United States.