Publication of CNIL's opinion on the French “contact tracing” application known as "StopCovid"
On 25 May 2020, the CNIL issued an emergency opinion on a draft decree relating to "StopCovid", which is a mobile application of the Government aiming at alerting its users about a likely risk of contamination by the COVID-19. Following its opinion of 24 April on the principle of the use of such an application, the CNIL examined the concrete conditions for its implementation.
The essentials
- The CNIL issued an opinion on 25 May 2020 on a draft decree relating to the "StopCovid" mobile application. This application aims to inform users that they have been in close proximity to people who have been diagnosed or tested positive for COVID-19 and using the same application, this proximity inducing a risk of contamination.
- This submission follows the opinion issued by the CNIL on 24 April 2020 on the very principle of deploying such an application. Given the exceptional context of the health crisis, the CNIL had considered the implementation of "StopCovid" to be possible, provided that it is useful to the progressive lockdown exit strategy and that it is designed to protect the privacy of users.
- The application will use pseudonymized data, without the use of geolocation, and will not lead to the creation of a database of contaminated persons. The CNIL notes that its main recommendations have been taken into account and thus believes that this temporary and voluntary system can be legally implemented.
- However, in order to ensure full compliance with the general data protection regulation (GDPR), the CNIL made several observations on the draft decree and on the operational conditions for the deployment of the application.
The context
As part of the overall progressive lockdown exit strategy, the Government has planned the implementation of several digital devices. In particular, on 8 May, the CNIL delivered an opinion on two national information systems, "Contact Covid" and "SI-DEP", authorized by the law extending the state of health emergency and a decree dated 12 May 2020. The purpose of these information systems is to allow screening, the conduct of health investigations and the provision of health care for people contaminated with the virus or likely to be contaminated.
In addition, the Government wished to roll out a mobile application known as "StopCovid". Its objective is to inform users of a risk of contamination when they have been in close proximity to another user who has been diagnosed or tested positive for COVID-19. It is a "contact tracing" application, which is voluntary and based on Bluetooth technology.
On 24 April 2020, the CNIL delivered an opinion on the principle of implementing such an application and made a number of recommendations.
The CNIL's opinion on the conditions of implementation of "StopCovid"
A system which automatically records the contacts of its users constitutes an invasion of privacy which is only admissible under certain conditions. In addition, personal data concerning health will be processed.
The CNIL notes that the "StopCovid" application will not lead to the creation of a database of contaminated persons but simply a list of contacts, for which all data is pseudonymized. It thus respects the concept of data protection by design.
The main recommendations of the CNIL, made in its opinion of 24 April to supplement the guarantees initially provided by the Government, have been followed. In particular, they concern controllership which is entrusted to the ministry in charge of health policy, the absence of adverse legal consequences attached to the decision not to use the application, and the implementation of certain technical security measures.
The CNIL considers that the application can be legally deployed since it appears to be a complementary instrument to the manual health investigation system and that it allows for faster alerts in the event of contact with the contaminated person, including unknown contacts.
Nevertheless, the CNIL considers that the real usefulness of the system will have to be more precisely documented after its launch. The duration of implementation of the system should be subject to the results of this regular assessment.
The other observations of the CNIL
Given the sensitivity of the application, the CNIL has made several additional recommendations in this new opinion, including the following:
- The improvement of the information provided to users, in particular with regard to the use of the application and the deletion of personal data.
- The need to provide specific information for minors and their parents.
- Confirmation in the forthcoming decree of a right to object and a right to erasure of pseudonymised data stored.
- Access to the entire source code of the mobile application and server.