GDPR compliance according to Schrems II ruling

I am concerned that doxy.me may no longer comply with GDPR due to the Schrems II July 2020 ruling determining that The Privacy Shield will no longer be sufficient for servers located in the US.

When inquiring with doxy.me staff on how this is going to be navigated, we were advised that the Privacy Shield is in place and no client information is saved on doxy.me servers (which are managed by Amazon based in the US).

  1. The privacy shield is no longer valid
  2. This is a detailed list, published by doxy.me, of all the client information collected by doxy.me: Privacy Policy - Doxy
  3. As calls are peer-to-peer, IP addresses must be saved somewhere. If they are not, we need to know how client information is handled-deleted-encrypted

I am writing here because doxy.me US staff does not seem to be aware of the European legislation and our clinic staff has been going back and forth with doxy.me staff since July.
In order for our clinic to maintain a working contract with doxy.me the Schrems II ruling needs to be attended to with transparency. Please advise

EDIT: Also, doxy.me has been determined as non-GDPR compliant by European institutions.

This is cause for concern. Please advise, Doxy staff. Thank you. This will be very difficult for Doxy to navigate imo because of the “no patient data are stored” policy.


Please be aware that we are currently assessing the ruling and will get back to you shortly. While the privacy policy lists all possibilities of data collection, the Doxy.me Services only requires a name and email address. And patient data are not stored in the Services. Thank you for your patience.

As patient data such as IP address, device, browser and time in the call, would pass through servers based in the US, unfortunately, stating that “no client data is stored in the services” (I think you meant to say “servers”) is an incorrect and nontransparent response. This concerns me. Doxy.me staff and websites stating that the platform is GDPR compliant when this is no longer true is also concerning.
As health, research and educational institutions in Europe are able to determine that doxy.me is no longer GDPR compliant at this point, you are able to do the same. I realize that 4 months is a fast turn around for your organization to attend to the new legislation, but it is not too fast to be honest regarding patient data safety and security.
I am disappointed, as pre-COVID19 your staff was informed and transparent. I realize that the growth of the organization was rapid and may have pains, however, I expect maintenance of the highest standards of safety and security as this was doxy.me’s best feature.

I implore you to act now so that the historically brilliantly safe platform that you built to increase access to care, remains safe for international use.

While I appreciate your concerns, please allow me to restate that we only store name/email of the provider–nothing else. And we do not store connection elements (such as IP address) in the Service (I was not referring to servers). Those connection elements, which are collected by every web site one visits, are only for log files and debugging purposes–they are incidental to providing the Doxy.me Service and cannot be traced back to a particular user. And if one desires to use filters and VPNs to block or obfuscate those elements, one can do so.

To state that we are not GDPR compliant due to invalidation of Privacy Shield is false. Our processes and security have only gotten better over time and would not, in any way, change for the worse due to an EU court ruling. We are presently working on a new information page that describes in detail how doxy.me continues to be GDPR compliant. When completed, I’ll post the link on this thread.

Rather than have a legal debate in this forum, please have your attorney contact me if more details are required. Alan Mark (legal@doxy.me)

As promised, an updated EU privacy statement is now available at:

Thank you for your patience.

So, it sounds like doxy.me is not making adjustments to attend to the Schrems II ruling and, instead, according to the document you just posted, you build an argument which contradicts the ruling that Privacy Shields are not sufficient.
“Doxy.me believes that transfers to the U.S. should not automatically be seen as constituting high risk processing under the GDPR. Instead, it should be determined whether such transfers could result in a high likelihood of harm”

This is a fair enough legal argument. Unfortunately, if the large European institutions disagree with your legal advisor, it doesn’t really matter what practitioners believe, and large European institutions have, already, determined that doxy.me is not GDPR compliant.

I am sad to hear that you do not plan to attend to this ruling or mount your platform on European servers.

I appreciate your prompt attention to updating your policy document with transparency.

Thank you for acknowledging that you do have connection elements stored for debugging purposes. I would encourage doxy.me to train support staff in this information so that more accurate information than “no client information is saved” may be provided.
I am on your team, and I want to continue to use doxy.me if possible. But you need to help me help you.

If you do not store connection elements such as IP address in the service, can you clarify how you ensure this information is not captured?
How do you ensure that incidental data cannot be tracked back to a particular user?

Using a VPN INCREASES risk in a peer-to-peer call and I am surprised and disappointed you would recommend this.

Also, I find statements such as the one in the image attached to be very misleading. You do store patient information, as discussed above. The fact that every website saves this information is irrelevant. It is exactly because of this information passing through US servers that makes doxy.me no longer GDPR compliant.

What doxy.me actually does is store much less patient information than any other platform out there that I can find to date. You don’t need to be dishonest to be loved. Just be you, own you and let’s work together.

We appreciate that you’re on our team, drlauren.

A VPN hides the sender’s IP address and routing information thus resulting in better privacy (assuming one is trying to hide that info).

As previously stated, connection information is stored in temporary log files for debugging purposes in end-point systems unrelated (and separate) to the servers that provide the Doxy.me Service.

And as the GDPR compliance (and other documents) state, no patient health information is stored. Not even a patient’s name is stored.

Thank you for being a customer. I believe this discussion has served its purpose with the conclusions above. Your attorney or privacy official is more than welcome to contact me.

Using a VPN may hide a sender’s IP address, but it invites a third party to a peer-to-peer connection/video call, which would decrease security. I sincerely hope you are not encouraging your users to do this.

You are an important player in increasing access to care, internationally. Trust can have the most impact on therapeutic outcome as it is the basis of the therapeutic relationship. It is essential, as you are who connects providers to individuals in need of care, that you maintain a trusting relationship with your providers so that they can ensure a trusting relationship with their service users. Transparency is essential to facilitate your service effectively.

You can, literally, resolve all of these issues if you just provide your service for European providers using a European server. Otherwise, large organizations may continue to determine that doxy.me is not GDPR compliant.
As a practitioner, choosing to use the doxy.me service could be a more risky decision to make than just using a European based organization (even if the European based organizations are designed to save more client-sensitive material) because European law is more protective of that data being captured than US law.

I agree with you, it is more ideal that only incidental information be captured, but a platform with this design and easy use across devices does not yet exist in Europe that I know of.

If you don’t mount yourselves in Europe, someone else will.

We appreciate the feedback. Indeed we are exploring options for servers worldwide (including, of course, Europe). Still, as I’ve stated previously, our present policies and procedures are effective and compliant for the GDPR–as well as for other countries’ privacy laws.

As “incidental” information such as IP address, device, browser, etc. pass through US servers, it is easy for large European institutions to determine/argue you are not, and it would be risky for practitioners to continue to use doxy.me until you mount servers in Europe. Do you have a timeline?

I would like to be clear that the structure of doxy.me, I still feel, is the safest (no download, peer-to-peer, no log-in, etc). I would choose to continue to use this platform due to the natural high confidentiality built into the structure of the platform. It is difficult for practitioners to choose between the safest model and the most “legal”. You should be supporting your practitioners in navigating this, not negating the reality and shadowing the full truth through lawyers.

Based upon professional legal advice and our experience, we are confident that our software and services are compliant with EU regulations. If you feel otherwise, you’re welcome to have your attorney contact me to discuss. Thank you.

Are you trying to make sure you are the last post with this obscure and non-transparent statement? Do you realize, with each statement you make like this you are losing trust and clients?
:rofl: