Virus tech draws scrutiny from European privacy advocates

Some complaints focus on large technology providers that have contracted with health authorities. In France, members of a nonprofit association plan to meet next Monday with officials at an administrative court after petitioning the court to weigh in on a vaccine-scheduling website run by the French company Doctolib SAS. Medical unions, open-source software organizations and human rights groups support the petition.

Doctolib uses Amazon.com Inc.’s Amazon Web Services to host data, and supporters of the petition argue that using a U.S.-based cloud service provider violates Europe’s 2018 General Data Protection Regulation because Europeans’ data can be exposed to U.S. government surveillance.

“It’s difficult to put Europeans’ data on U.S. clouds,” said Adrien Parrot, president of Interhop, the association that started the petition, which promotes using open-source software in healthcare. “It’s like a no man’s land of justice for European citizens.”

The EU’s highest court ruled last July that companies can send personal data to the U.S. only if those firms provide special safeguards for exporting data. Doctolib stores data from its vaccine-scheduling service in Germany and France, Chief Executive Officer Stanislas Niox-Chateau said in a blog post published Tuesday.

Mr. Parrot said Europeans’ privacy is still at risk even if U.S. cloud companies store data in Europe. Privacy advocacy groups have filed complaints since the court ruling last summer, arguing that the ruling means that some U.S.-based companies such as cloud providers could be required to share information with American authorities under U.S. laws.

Two other websites that provide vaccine-scheduling services in France, Docavenue’s Maiia and SAS Nehs Digital’s KelDoc, use French cloud providers, according to privacy statements on their websites.

A spokeswoman for Doctolib didn’t respond to a request for further information. An Amazon spokeswoman didn’t respond to a request for comment.

Regulators or courts could order technology companies to change their data practices, or they could issue fines or suspend the services.

In the U.K., the nonprofit media outlet openDemocracy and Foxglove, a technology rights advocacy group, sued the National Health Service after it extended a contract with technology firm Palantir Technologies Inc., the two organizations said in a statement published by openDemocracy on Feb. 24.

The NHS contracted Palantir last year to provide a data analytics platform for health information during the pandemic, and extended the contract in December. The groups behind the lawsuit argue the contract extension wasn’t transparent and say it isn’t clear what data Palantir will process.

“It’s very important this doesn’t become the new normal, that we don’t move into the post-Covid world where the government feels it’s acceptable not to be transparent about how they use public money,” said Mary Fitzgerald, openDemocracy’s editor in chief.

The NHS and Palantir didn’t respond to requests for comment.

Scrutiny of relatively new technology built in the effort to contain the coronavirus shows the effect of European legal restrictions on companies’ handling of data, said Nathalie Moreno, a partner in the London office of law firm Addleshaw Goddard LLP.

In the U.S., the Department of Health and Human Services said in January it won’t sanction companies providing online coronavirus vaccine-scheduling services if they violate privacy rules in the Health Insurance Portability and Accountability Act. The agency made a similar statement last year that it won’t penalize telehealth services for privacy breaches during the pandemic.

American pharmacy chains CVS Health Corp. and Walgreens-Boots Alliance, Inc. are collecting data from customers who receive vaccines and creating profiles with their data.

European privacy regulators last year issued warnings and ordered some companies to stop building coronavirus contact-tracing mobile apps after determining their data-collection methods would violate the GDPR. Lithuania’s privacy regulator on Feb. 26 fined the country’s National Public Health Center €12,000, or around $14,000, over its contact-tracing app, and also fined a company that helped build the app €3,000. The app processed data in Europe as well as in the U.S., India and other countries, the regulator said in a statement.

Ms. Moreno said there was some uncertainty after the coronavirus hit about how strictly GDPR rules would be enforced during the pandemic, but regulators have continued enforcing the rules and issuing fines.

“There’s no more leniency. It’s about full compliance,” Ms. Moreno said.

European authorities are also assessing complaints about how websites for scheduling vaccinations and coronavirus tests collect data through cookies, which many advertisers and analytics services use to track people’s browsing activity.

The Czech privacy regulator said in a statement in January that it is investigating a vaccine-scheduling website because it used cookies that collected individuals’ insurance numbers and shared it with Alphabet Inc.’s Google. A spokesman for the regulator declined to comment and said the investigation is ongoing.

Noyb, a Vienna-based nonprofit law firm focused on privacy, submitted a case in January on behalf of lawmakers over a virus test-scheduling website for the European Parliament. The complaint alleged that cookies on the website shared personal data from individuals with Google and fintech firm Stripe Inc.

A spokeswoman for the European Parliament said officials contacted the website provider after hearing about the data collection. The website didn’t transfer any data outside of Europe, she said. A spokesman for the European Data Protection Supervisor, who oversees EU institutions, said the authority is still investigating.

This story has been published from a wire agency feed without modifications to the text.