CNIL (France) - MED-2020-015

From GDPRhub
Revision as of 08:22, 5 August 2020 by AN (changed word "sanitary" (sanitaire) to "health")
CNIL - MED-2020-015
Authority: CNIL (France)
Jurisdiction: France
Relevant Law: Article 5(1)(a) GDPR
Article 13 GDPR
Article 28 GDPR
Article 35 GDPR
Art. 2(5) of the national decree relating to the data processing carried out through "StopCovid"
Art. 82 of the national data protection law ("loi informatique et libertés")
Type: Investigation
Outcome: Violation Found
Started:
Decided: 15.07.2020
Published: 21.07.2020
Fine: None
Parties: French Ministry of Health
National Case Number/Name: MED-2020-015
European Case Law Identifier: n/a
Appeal: Unknown
Original Language(s): French
Original Source: Légifrance (in FR)
Initial Contributor: Maïlys Lemaître

Upon examining the national application "StopCovid", the French data protection authority (CNIL) found that the data processing was not fully compliant with the provisions of the GDPR and the national data protection law.

English Summary

Facts

In the context of the worldwide health crisis caused by Covid-19, the French Ministry of Health decided to make an application available to citizens, aiming to improve the detection of infections. The application "StopCovid" enables its users to inform the contacts recorded by their phone, whom they have recently met or been in contact with even briefly, that they have been infected with the virus. Users can also be informed by the application if they have encountered, or found themselves in proximity to, another user of the application who has declared having been infected. Given the nature of the data processing and the large number of users, the CNIL decided to investigate in order to make sure that the processing is carried out in accordance with the applicable provisions.

Dispute

Is the application "StopCovid" compliant with the applicable provisions of the GDPR and the national data protection law?

Holding

The CNIL held that, in the main, the application "StopCovid" complied with the applicable data protection laws. However, the authority identified failures to comply with some provisions of the GDPR and the "loi informatique et libertés". Regarding, on the one hand, the violations of the GDPR, the CNIL reminded the Ministry of Health that data has to be processed lawfully, fairly and in a transparent manner in relation to the data subject (Art. 5(1)(a) GDPR). The fact that the information given by a user, indicating they had been infected with Covid-19, was transferred to all their contacts and not only to the contacts they had recently been in close proximity to, was a direct violation of the principle of lawfulness and of Art. 2(5) of the national decree relating to the data processing carried out through "StopCovid". Moreover, the privacy policy intended to inform users about the data processing lacked precision regarding the categories of data processed and the recipients of the data. As a data processor was involved in the processing, the authority also found that the contract required by Art. 28 GDPR was missing provisions on the rights and obligations of the Ministry, assistance with data subject requests, security of processing, documentation of the processing and audits. Furthermore, the data protection impact assessment was considered incomplete, since the data processing caused by the use of the "Captcha" verification solution had not been part of the assessment. Regarding, on the other hand, the violation of the national data protection law, the CNIL pointed out that Art. 82 of the "loi informatique et libertés" requires that, for any data processing resulting from the use of electronic services such as the Google Captcha solution, the user be informed and asked to give their consent prior to the processing. Yet the users were neither informed of the data processing by Google nor asked to give their consent.
The CNIL therefore gave the Ministry of Health formal notice to address those violations within one month and to report back confirming the implementation of all corrective measures.


English Machine Translation of the Decision

The decision below is a machine translation of the French original. Please refer to the French original for more details.


Decision n°MED-2020-015 of July 15, 2020
Decision n° MED-2020-015 of 15 July 2020 putting the Ministry of Solidarity and Health on notice
Status: EFFECTIVE

The President of the National Commission for Information Technology and Liberties,

Having regard to Council of Europe Convention No. 108 for the Protection of Individuals with regard to Automatic Processing of Personal Data;

Having regard to Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of personal data and on the free movement of such data;

Having regard to Law No. 78-17 of 6 January 1978, as amended, relating to data processing, data files and liberties, in particular Article 20 thereof;

Having regard to decree n° 2019-536 of 29 May 2019 taken for the application of law n° 78-17 of 6 January 1978 relating to data processing, files and liberties;

Having regard to decree n° 2020-650 of 29 May 2020 relating to the data processing called StopCovid;

Having regard to the decree of 30 May 2020 defining the criteria of distance and duration of contact with regard to the risk of contamination by the covid-19 virus for the operation of the data processing called StopCovid;

Having regard to Deliberation No. 2013-175 of 4 July 2013 adopting the internal regulations of the National Commission for Information Technology and Civil Liberties;

Having regard to deliberation n° 2020-046 of 24 April 2020 giving its opinion on a project for a mobile application called StopCovid;

Having regard to deliberation n° 2020-056 of 25 May 2020 giving its opinion on a draft decree relating to the mobile application called StopCovid;

Having regard to Decision No. 2020-097C of 28 May 2020 of the President of the National Commission for Information Technology and Civil Liberties to instruct the Secretary General to carry out or to have carried out a mission to verify the compliance of any processing accessible from the StopCovid France application, implemented by the Directorate General of Health of the Ministry of Solidarity and Health, or relating to personal data collected from this application, with the provisions of Regulation (EU) 2016/679 referred to above and Law No. 78-17 of 6 January 1978 as amended;

Considering the inspection reports n° 2020-097/1 of 9 June 2020, n° 2020-097/2 of 25 June 2020 and n° 2020-097/3 of 26 June 2020;

Considering the other documents of the file;

I. The context

In the context of the state of health emergency linked to the covid-19 epidemic, and more specifically the government's deconfinement strategy, the Ministry of Solidarity and Health has been offering an application called StopCovid France in application stores since 2 June 2020, available on smartphones. The processing of personal data known as StopCovid, for which the Minister of Health (Directorate General of Health) is responsible for processing, was created by Decree No. 2020-650 of 29 May 2020 on the processing of data known as StopCovid, supplemented by the Order of the Minister of Solidarity and Health of 30 May 2020, defining the criteria of distance and duration of contact with regard to the risk of contamination by the covid-19 virus for the operation of the data processing known as StopCovid.

Prior to the launch of the application, two requests for opinions on the terms and conditions of implementation of the application were submitted to the Commission nationale de l'informatique et des libertés (hereinafter the CNIL or the Commission).

In a first opinion dated 24 April 2020, the Commission ruled on the general compliance with personal data protection rules of the mobile contact tracking application project called StopCovid as envisaged by the government at the time. In a second opinion of 25 May 2020, the Commission gave its opinion on the draft decree on the same mobile application.

The StopCovid France application is a contact tracing application which allows each user to record a history of contacts with other users, i.e. information relating to the proximity between two mobile terminals. It allows the user to declare himself diagnosed or screened for the SARS-CoV-2 virus. It also allows users to be informed that they have been in the vicinity of at least one other user diagnosed or screened positive for the SARS-CoV-2 virus and, if necessary, to be invited to contact a health professional for treatment as quickly as possible and thus be integrated into the more general SARS-CoV-2 virus management system (SI-DEP and Contact Covid information systems).

The application, whose download and use is based on a voluntary approach by the user, works by preserving a proximity history consisting of the pseudonyms emitted by the devices via Bluetooth Low Energy technology.

In practice, once installed and its features activated, the application sends and receives specific Bluetooth messages from other devices on which the StopCovid France application has been installed and activated.

If a user of the application is diagnosed or tested positive for the SARS-CoV-2 virus, they can declare it in the application using a code provided by the healthcare professional (via a 6-character code or QR Code). The use of this code by the user allows him/her to send his/her contact history to the central server, which then processes each of the contacts in the history, in order to estimate the risk of contamination with the SARS-CoV-2 virus. The server maintains a database where each record corresponds to a user and contains the risk score associated with that user.

The application contacts the server once a day to check the user's exposure status. Users who have been in contact (within 1 meter for at least 15 minutes) with the person diagnosed or tested positive are notified that they have been exposed to a risk of contamination with the SARS-CoV-2 virus. They are then invited to follow specific instructions related to the protection of their health and the fight against the spread of the virus (monitoring of symptoms, containment, contact with a health professional).

A new version of the StopCovid France application (version v1.1.*) was deployed at the end of June 2020, and constitutes an updated version of the StopCovid France version at its launch date (version v1.0.*). This new version of the application brings two major changes. Firstly, the captcha authentication method - which makes it possible to check, during the initial activation of the application, that it is being used by a human being - which was based on the reCaptcha technology of the company GOOGLE, is now replaced by captcha technology developed by the company ORANGE. Secondly, a pre-filter function for the contact history of a user who tests positive for the SARS-CoV-2 virus, based on criteria of contact duration and distance from the contact, is now activated on the user's phone.

To date, both versions of the application co-exist. Users who downloaded the application on or after 25 June 2020, or who have updated the application since that date, have version v1.1.* on their devices. Users who downloaded the application before 25 June 2020 and have not updated it still have the previous version v1.0.* on their devices.

On the day of the CNIL checks on 25 and 26 June 2020, the StopCovid France application in version v1.0.* had been downloaded approximately 1.9 million times and had been activated approximately 1.5 million times.

As version v1.1.* of the application had been deployed at the time of the checks carried out by the CNIL, the delegation was unable to ascertain during these missions the number of installations and activations of the latest version of the application. A request for information in this regard was therefore subsequently sent to the Ministry of Solidarity and Health. The Ministry replied on 10 July 2020 that the number of StopCovid France applications installed and activated after the release of v1.1.* was approximately 147,000.

II. The procedure

Pursuant to Decision No 2020-097C of 28 May 2020 of the President of the Commission, a CNIL delegation carried out an online inspection mission on 9 June 2020 and carried out two on-the-spot inspections on 25 and 26 June 2020, for the purpose of verifying the compliance of any processing of personal data carried out from the StopCovid France application or relating to personal data collected from this application, with the provisions of Regulation (EU) 2016/679 (hereinafter the Regulation or the RGPD) and Law No. 78-17 of 6 January 1978 as amended (hereinafter the Data Protection Act).

Subsequently, the Ministry of Solidarity and Health provided the delegation, by emails dated 19 June, 4, 7, 8 and 10 July 2020, with the additional documents requested during the inspections concerning, in particular, the impact analysis relating to the processing of personal data from the application, the contracts concluded between the Ministry of Solidarity and Health and INRIA for the development and operation of the application, the personal data processing register and the technical documentation relating to the operation of the application.

III. Examination of the conformity of the processing

In the context of these checks, the delegation noted that the operation of the StopCovid France application, in particular version v1.1.*, essentially complies with the applicable provisions on the protection of personal data.

Most of the recommendations made by the Commission in its opinions of 24 April and 25 May 2020 have been taken into account by the Ministry of Solidarity and Health.

However, the delegation noted certain breaches of the provisions of the RGPD and the Data Protection Act, which are the subject of this formal notice.

1. Failures to comply with the provisions of the RGPD

Failure to comply with the obligation to process personal data in accordance with the terms of the decree of 29 May 2020, pursuant to Article 5-1-a) of the RGPD.

Article 5(1)(a) of the Regulation stipulates that: "personal data must be processed in a lawful, fair and transparent manner with regard to the data subject (lawfulness, fairness, transparency)".

The delegation was informed that, in the version of the StopCovid France application available on the day of the check (version v1.0.* of the application), when a user declares that he has been diagnosed or tested positive for the SARS-CoV-2 virus, his entire contact history is uploaded to the central server managed on behalf of the Ministry of Solidarity and Health, without any prior pre-filtering of the data based on criteria of distance and duration of contact with another user.

However, 5° of I of Article 2 of Decree No. 2020-650 of 29 May 2020 relating to the data processing known as StopCovid provides that the proximity history of a user is "limited to the user's contact data with other users who are, for a given period of time, at such a distance from his mobile phone that there is a sufficiently significant risk that a user who is positive for the covid-19 virus will contaminate the other user".

Moreover, 6° of I of article 2 of the aforementioned decree specifies that "the data of the proximity history of contacts at risk of contamination by the covid-19 virus (...) are transmitted by users diagnosed or tested positive for the covid-19 virus who wish to do so to the central server".

While the terms of the decree and the elements that had been transmitted to the Commission do not rule out the possibility of additional filtering at the central server level, it nevertheless follows from these provisions that the processing authorised by the decree of 29 May 2020, in accordance with what had been presented to the Commission, must carry out an initial filtering at the telephone level.

Consequently, the version of the StopCovid France application available on the day of the inspection (version v1.0.* of the application) is contrary to the provisions of the Decree of 29 May 2020.

The aforementioned facts constitute a breach of the obligations set out in Article 5-1-a) of the RGPD.

Moreover, it is noted that the design of the application described in the decree, which makes it possible to avoid having the user's entire contact history sent back to the central server by pre-filtering the proximity history data directly on the device, was a particularly relevant choice with regard to the objective of protecting personal data.

It is also observed that the latest available version of the application (version v1.1.*) - in which the pre-filtering of contact history data is active at the user's phone - is compliant with the decree in this respect and more protective of personal data.

The President of the CNIL therefore considers it necessary, in order to ensure that the processing fully complies with the provisions of the decree of 29 May 2020, that the data controller cease sending the entirety of the user's contact history to the central server, for example by taking all appropriate measures to allow widespread use of the new version of the application.
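As an added illustration of the difference between v1.0.* and v1.1.* described in this section and in section I (this is not code from the CNIL, INRIA or the StopCovid project), the following models the on-device pre-filter the decree requires, using the "within 1 meter for at least 15 minutes" criteria quoted in the decision. The event format, the pseudonyms and the sample history are constructed for the example; real proximity records and the risk-scoring done on the server are out of scope.

```python
"""On-device pre-filtering of a proximity history before upload.

Added example, not part of the CNIL decision or of the StopCovid code base.
The 1 metre / 15 minute thresholds are the contact criteria the decision
quotes; the ProximityEvent format and the sample history are constructed.
"""
from collections import defaultdict
from dataclasses import dataclass

CLOSE_DISTANCE_M = 1.0   # decision: contacts "within 1 meter"
MIN_EXPOSURE_MIN = 15.0  # decision: "for at least 15 minutes"


@dataclass(frozen=True)
class ProximityEvent:
    pseudonym: str     # rotating Bluetooth pseudonym received from another phone
    start_min: float   # minute offset at which this contact window began
    end_min: float     # minute offset at which it ended
    distance_m: float  # estimated distance during the window (constructed value)

    def minutes(self) -> float:
        if self.end_min < self.start_min:
            raise ValueError("contact window ends before it starts")
        return self.end_min - self.start_min


def upload_v1_0(history):
    """v1.0.* behaviour found contrary to the decree: the whole history is sent."""
    return list(history)


def close_exposure_by_pseudonym(history):
    """Per pseudonym, sum only the minutes spent within CLOSE_DISTANCE_M.

    Windows further away contribute nothing, so a long-but-distant contact
    never reaches the duration threshold.
    """
    totals = defaultdict(float)
    for ev in history:
        if ev.distance_m <= CLOSE_DISTANCE_M:
            totals[ev.pseudonym] += ev.minutes()
    return dict(totals)


def prefilter_v1_1(history):
    """v1.1.* behaviour: keep, on the phone, only contacts meeting both criteria.

    Returns the close-range windows of pseudonyms whose cumulative close-range
    exposure reaches MIN_EXPOSURE_MIN; everything else stays on the device.
    """
    totals = close_exposure_by_pseudonym(history)
    at_risk = {p for p, mins in totals.items() if mins >= MIN_EXPOSURE_MIN}
    return [
        ev for ev in history
        if ev.pseudonym in at_risk and ev.distance_m <= CLOSE_DISTANCE_M
    ]


# Constructed sample history (eight windows with five pseudonyms):
#   P1: three short close windows, 18 min in total  -> at risk
#   P2: one hour at 5 m                             -> too far
#   P3: 10 min at 0.5 m                             -> too short
#   P4: 10 min close plus 30 min at 3 m             -> far minutes do not count
#   P5: exactly 15 min at exactly 1 m               -> boundary case, at risk
SAMPLE_HISTORY = [
    ProximityEvent("P1", 0, 6, 0.8),
    ProximityEvent("P1", 10, 16, 0.7),
    ProximityEvent("P1", 20, 26, 0.9),
    ProximityEvent("P2", 0, 60, 5.0),
    ProximityEvent("P3", 0, 10, 0.5),
    ProximityEvent("P4", 0, 10, 0.9),
    ProximityEvent("P4", 10, 40, 3.0),
    ProximityEvent("P5", 100, 115, 1.0),
]


if __name__ == "__main__":
    print("v1.0.* would upload", len(upload_v1_0(SAMPLE_HISTORY)), "windows")
    kept = prefilter_v1_1(SAMPLE_HISTORY)
    print("v1.1.* uploads", len(kept), "windows for",
          sorted({ev.pseudonym for ev in kept}))
```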

Failure to inform the data subjects

Article 13 of the Regulation requires the controller to provide, at the time the data are collected, information relating to his or her identity and contact details, those of the Data Protection Officer, the purposes of the processing operation and its legal basis, the recipients or categories of recipients of the personal data, where applicable transfers of personal data outside the European Union, the period for which the personal data will be kept, the rights of individuals with regard to the processing of their data and the right to lodge a complaint with a supervisory authority.

The delegation noted that the personal data processing policy is provided to users of the StopCovid France application from a privacy section - accessible during the application's activation process - and from the web page https://bonjour.stopcovid.gouv.fr/privacy.html entitled Personal data - also accessible from several links in the application's activation process. The confidentiality section and the Personal Data page inform users of the application of the identity and contact details of the data controller and the data protection officer, the purposes of the processing and its legal basis, the duration of data retention, the rights of the persons concerned, in particular their right to lodge a complaint with the CNIL.

The President considers that the information provided is essentially in line with the RGPD. However, she considers that, on one point, the information provided on the categories of recipients of the data is incomplete.

Indeed, the confidentiality section only informs the user that the data are shared by "[the] application with the server managed by the Ministry of Solidarity and Health, only if you are tested positive and with your agreement". Furthermore, the data recipient section of the Personal Data page contains only one paragraph regarding recipients, which reads as follows: "Users identified by the application as contacts at risk of having contracted the COVID-19 virus are recipients of the information that they have been close to at least one other user diagnosed or tested positive for the COVID-19 virus".

The delegation was informed that INRIA, acting as assistant to the project manager of the Ministry of Solidarity and Health, processes personal data from the StopCovid France application on behalf of the Ministry of Solidarity and Health.

Therefore, the information provided to users of the StopCovid France application regarding the recipients or categories of recipients of personal data should mention the existence of a processor and is incomplete on this point.

These facts constitute a breach of Article 13 of the RGPD.

A failure to comply with the obligation to frame by a formalised legal act the processing operations carried out by processors on behalf of the controller.

Article 28 of the Regulation provides that where a processing operation is carried out by a processor, it shall be governed by a contract or other legal instrument which stipulates the subject-matter and duration of the processing, the nature and purpose of the processing, the type of personal data, the categories of data subjects and the obligations and rights of the controller. The contract shall also lay down the conditions under which the processor undertakes to carry out the processing operations on behalf of the controller.

The delegation noted that INRIA holds a project management assistance contract on behalf of the Ministry of Solidarity and Health, covering in particular the deployment, facilities management, operation, hosting and evolutionary maintenance of the StopCovid application. In this context, INRIA acts as a processor of personal data on behalf of the Ministry of Solidarity and Health.

The delegation noted that the contract between INRIA and the Ministry of Solidarity and Health contains most of the information required by Article 28 of the RGPD. In particular, it specifies the subject-matter and duration of the processing, the nature and purpose of the processing, the type of personal data processed and the categories of persons concerned.

However, the delegation noted that the clauses of the contractual documents of the project management assistance contract, which were sent to it at the end of its inspection missions in response to the request made in that context, are incomplete as regards the obligations and rights of the controller and the conditions under which the processor undertakes to carry out the processing operations on behalf of the controller. In particular, they do not specify that the processor shall assist the controller in fulfilling its obligation to respond to requests made by data subjects to exercise their rights, that the processor shall assist the controller in ensuring compliance with the obligations provided for in Articles 32 to 36 of the RGPD, and that the processor shall make available to the controller all information necessary to demonstrate compliance with the obligations provided for in Article 28 and to allow audits to be carried out.

These facts constitute a breach of Article 28 of the RGPD.

A failure to carry out a full impact assessment

Article 35(7)(a) of the Regulation requires the data protection impact assessment to contain at least a systematic description of the proposed processing operations and the purposes of the processing, including, where appropriate, the legitimate interest pursued by the controller.

The delegation noted that since the launch of the StopCovid France application, the Ministry of Solidarity and Health has updated its impact assessment on the protection of personal data resulting from the application. The Ministry of Solidarity and Health has thus provided the delegation with an updated version of the impact assessment as of 3 July 2020. The impact studies carried out are generally in line with the provisions of Article 35-7-a) and essentially follow the Commission's recommendations.

However, the delegation noted that the latest version of the impact assessment (AIPD) does not specify that the anti-DDoS solution (a solution to prevent denial of service attacks) provided by the company ORANGE and implemented in the application for the purpose of securing the system involves the collection of the IP (Internet Protocol) addresses of the application's users.

The delegation indeed noted that when a user connects to the StopCovid France application, the IP address of the device is collected as part of the anti-DDoS solution of the company ORANGE.

It was also found that the collection of this personal data has no other purpose, in this case, than to ensure the security of the device.

The President stated that, since the anti-DDoS solution was a security solution, it did not need to be included in the decree of 29 May 2020. Consequently, the data processed by this solution did not have to be included in the decree either. The collection of IP addresses in this context is therefore not irregular.

On the other hand, since this security solution involves the collection of personal data, the description of this processing operation must appear in the impact assessment carried out by the data controller.

Similarly, the delegation noted that the collection of data present on the user's connected equipment in the context of the reCaptcha technology of the company GOOGLE deployed in the initial version of the application (v1.0.* of the application), is not specified in the impact assessment.

By not describing all the personal data processing operations in connection with the StopCovid France application and the measures to limit the risks, the impact assessment prepared by the Ministry of Solidarity and Health does not fully meet the requirements of Article 35 of the RGPD.

These facts constitute a failure to comply with Article 35 of the RGPD.

2. Failure to comply with the provisions of the French Data Protection Act (Loi Informatique et Libertés).

Failure to inform the user and obtain the user's consent before entering and reading information on his or her electronic communication terminal equipment

Article 82 of the law of 6 January 1978 as amended provides that:

"Any subscriber or user of an electronic communications service must be informed in a clear and complete manner, unless he has been previously informed by the data controller or his representative:

1° Of the purpose of any action tending to access, by electronic transmission, information already stored in his electronic communications terminal equipment, or to enter information in this equipment;

2° Of the means at his disposal to oppose it.

Such access or entry may only take place on condition that the subscriber or user has expressed, after receiving this information, his consent, which may result from the appropriate settings of his connection device or any other device under his control.

(…)

The delegation was informed that both versions of the StopCovid France application contain a captcha solution designed to assess whether or not the behaviour of a user of the application corresponds to that of a human.

The delegation was informed that the latest version of the StopCovid France application (version v1.1.*) is based on captcha technology developed by the company ORANGE, which does not require any reading or writing operation on the user's device.

On the other hand, the initial version of the StopCovid France application (version v1.0.*) contains the reCaptcha technology, in its invisible version, developed by the company GOOGLE.

The delegation noted that GOOGLE informs the developers using the reCaptcha technology that "the reCAPTCHA API works by collecting hardware and software information (such as device and application data) and that this data is sent to Google for analysis. (...) It is your responsibility to inform users and to seek their permission to collect and share this data with Google. For users in the European Union, you and the API customer(s) must comply with the EU User Consent Policy".

It follows from the information GOOGLE provides to developers that the collection of information about the user's device is not only for the purpose of securing the application, but also for analysis by GOOGLE. The company itself informs developers that the use of this solution is subject to the requirements set by Article 82 of the Data Protection Act, namely the information and consent of the persons concerned for these operations.

However, the delegation noted that users of the StopCovid France application in its version v1.0.* are at no time informed, in particular through a consent window at the time of activation of the application, of the collection of information stored on their mobile equipment nor of the means to refuse this collection.

The user's consent to access information stored on their mobile equipment or to register information on their mobile equipment is not collected at any time during the activation of the StopCovid France application.

These facts constitute a breach of Article 82 of the French Data Protection Act.

In addition, given the state of the information available to her, the President of the CNIL cannot rule out the possibility that the Google reCaptcha may still be used by people who have downloaded version 1.0.* of the application but have not yet activated it.

IV. Additional comment

The fight against the covid-19 epidemic, which comes under the constitutionally valid objective of health protection, is a major imperative which may justify, under certain conditions, infringements of the right to protection of privacy and personal data.

It is nevertheless recalled that the infringement of privacy is admissible in the present case only if the government can rely on sufficient evidence to have reasonable assurance that the StopCovid France application is useful in managing the crisis. The Commission had therefore requested, in its opinion of 25 May 2020, that the actual impact of the device on the overall health strategy be studied and documented by the government on a regular basis throughout its period of use.

It was noted on the day of the inspections that the formal assessment of the effectiveness of the application had not yet started and that the timetable for the assessment work had not yet been established by the Ministry.

The President of the CNIL therefore invites the Ministry of Solidarity and Health to begin this evaluation process as soon as possible and to report to her on the results.

In view of the aforementioned shortcomings, and in view of the information she received from the Ministry of Solidarity and Health concerning the number of applications still installed in version v1.0.* after the release of version v1.1.* of the application, the President of the CNIL gives formal notice to the Ministry of Solidarity and Health, located at 14 avenue Duquesne 75007, within one (1) month of notification of this decision and subject to any measures it may have already adopted, to:

- cease to upload all data from the user's contact history to the central server in breach of the legal framework defined by the provisions of Decree No. 2020-650 of 29 May 2020, for example by forcing the update of the StopCovid France application to the new version v1.1.* by blocking the application in its version v1.0.* ;

- supplement the information provided to users of the StopCovid France application under the conditions set out in Article 13 of the Regulation, by providing users with full information on the recipients or categories of recipients of personal data from the application ;

- ensure that the processor contracts concluded in connection with the operation of the StopCovid France application contain the information provided for in Article 28 of the Regulation;

- complete the impact assessment relating to the protection of personal data from the StopCovid France application in accordance with Article 35 of the Regulation,

o by mentioning the collection of the IP address of the application user's mobile equipment as part of the security measures of the system based on the anti-DDoS solution from the company ORANGE,

o by mentioning the collection of information present on the user's mobile equipment as part of the reCaptcha technology of the company GOOGLE deployed as part of version v1.0.* of the application, in the event that this data is still collected;

- ensure, where necessary, that the persons concerned are informed of, and give their consent to, the reading and writing of information present on their electronic communication terminals by the company GOOGLE within the framework of the reCaptcha technology (version v1.0.* of the application), in accordance with the provisions of Article 82 of the Data Protection Act.

This injunction applies to users who have downloaded the version v1.0.* of the application and have not yet activated it for the first time.

- justify to the CNIL that all the above-mentioned requests have been respected, within the time limit.

At the end of this deadline, if the Ministry of Solidarity and Health has complied with this formal notice, it will be considered that this procedure is closed and a letter will be sent to it to this effect.

Conversely, if the Ministry of Solidarity and Health has not complied with this formal notice, a rapporteur will be appointed who may ask the restricted formation to take one of the measures provided for in Article 20 of the Act of 6 January 1978 as amended.

The President

Marie-Laure DENIS

Date of publication on legifrance: 21 July 2020