Editing CNIL - Délibération 2020-056

From GDPRhub

The edit can be undone. Please check the comparison below to verify that this is what you want to do, and then save the changes below to finish undoing the edit.

Latest revision Your text
Line 18: Line 18:
 
|Outcome=
 
|Outcome=
 
|Date_Decided=25.05.2020
 
|Date_Decided=25.05.2020
|Date_Published=03.06.2020
+
|Date_Published=25.05.2020
 
|Year=2020
 
|Year=2020
 
|Fine=None
 
|Fine=None
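Review bot: The only substantive change in this hunk is Date_Published, which the undo sets to 25.05.2020 (the same value as Date_Decided) in place of 03.06.2020 in the latest revision. Confirm the publication date against the CNIL source before saving; if the deliberation was published after it was decided, the latest revision's value should stay and this undo should not be applied to that field.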
Line 72: Line 72:
 
The Commission Nationale de l'Informatique et des Libertés (CNIL) delivered its opinion on the Draft Decree relating to the "StopCovid" app and provided some specific comments on the conditions of its implementation in the light of the General Data Protection Regulation (GDPR). It welcomed the temporary and voluntary character of the app and provided some recommendations in order for the app to be more privacy friendly. The final version of the Decree having regard on this deliberation is [https://www.legifrance.gouv.fr/affichTexte.do?cidTexte=JORFTEXT000041936881&categorieLien=id décret n° 2020-650 du 29 mai 2020].
 
The Commission Nationale de l'Informatique et des Libertés (CNIL) delivered its opinion on the Draft Decree relating to the "StopCovid" app and provided some specific comments on the conditions of its implementation in the light of the General Data Protection Regulation (GDPR). It welcomed the temporary and voluntary character of the app and provided some recommendations in order for the app to be more privacy friendly. The final version of the Decree having regard on this deliberation is [https://www.legifrance.gouv.fr/affichTexte.do?cidTexte=JORFTEXT000041936881&categorieLien=id décret n° 2020-650 du 29 mai 2020].
  
==English Summary==
+
== English Summary ==
  
===Facts===
+
=== Facts ===
 
The French government was considering to implement an application called "StopCovid" in the context of the fight against COVID-19, and more particularly, the progressive "lockdown exit strategy". The "StopCovid" app is a contact tracing app whose objective is to alert the users that they have been in close proximity with other people that have been diagnosed or tested positive to COVID-19 and use the same app. It aims to achieve faster information and alert of contacts who have been exposed to COVID-19 even if they are not aware of it. The use of the app is voluntary and the contact tracing is achieved through the use of bluetooth instead of geolocation technology. The data is pseudonymised and no database of infected people is created. Following CNIL's opinion on the general compliance of the app with GDPR and the national law on 24 April 2020, the Ministry of Solidarity and Health urgently requested the Commission to deliver an opinion on the Draft Decree relating to "StopCovid" app and examine the specific conditions for its implementation.  
 
The French government was considering to implement an application called "StopCovid" in the context of the fight against COVID-19, and more particularly, the progressive "lockdown exit strategy". The "StopCovid" app is a contact tracing app whose objective is to alert the users that they have been in close proximity with other people that have been diagnosed or tested positive to COVID-19 and use the same app. It aims to achieve faster information and alert of contacts who have been exposed to COVID-19 even if they are not aware of it. The use of the app is voluntary and the contact tracing is achieved through the use of bluetooth instead of geolocation technology. The data is pseudonymised and no database of infected people is created. Following CNIL's opinion on the general compliance of the app with GDPR and the national law on 24 April 2020, the Ministry of Solidarity and Health urgently requested the Commission to deliver an opinion on the Draft Decree relating to "StopCovid" app and examine the specific conditions for its implementation.  
  
  
===Dispute===
+
=== Dispute ===
  
  
===Holding===
+
=== Holding ===
 
CNIL acknowledged the necessity, the usefulness and the proportionality of the “StopCovid” app. Although it recognised that the proposed app contributes to faster information and alert of contact cases, it stressed that its impact should be assessed regularly during its operation in order to ensure its usefulness. Furthermore, it held that “StopCovid” is proportionate as the rights to privacy and protection of personal data will be affected only for the strictly necessary time and substantial safeguards have been guaranteed. In that context, CNIL welcomed among others the precise determination of the purposes of the processing and the fact that the Ministry of Solidarity and Health will undertake the data controllership. The Commission also embraced the decision of the government not to attach any adverse legal consequences to the individuals that choose not to use the app. It stressed though that the six-month duration since the end of the health emergency should be set as a maximum.  
 
CNIL acknowledged the necessity, the usefulness and the proportionality of the “StopCovid” app. Although it recognised that the proposed app contributes to faster information and alert of contact cases, it stressed that its impact should be assessed regularly during its operation in order to ensure its usefulness. Furthermore, it held that “StopCovid” is proportionate as the rights to privacy and protection of personal data will be affected only for the strictly necessary time and substantial safeguards have been guaranteed. In that context, CNIL welcomed among others the precise determination of the purposes of the processing and the fact that the Ministry of Solidarity and Health will undertake the data controllership. The Commission also embraced the decision of the government not to attach any adverse legal consequences to the individuals that choose not to use the app. It stressed though that the six-month duration since the end of the health emergency should be set as a maximum.  
 
CNIL made several more specific observations. It mentioned that the referral of the contacts at risk to competent health actors should be discretionary, and not direct. In the context of data accuracy (art. 5§1d GDPR), CNIL recommended that the app should allow the user to define certain time periods where the contact is not risky, such as in cases where the user is a health professional, in order to minimise the generation of false positives. It also welcomed the choice to limit the storage period of local histories of the users who have been diagnosed or tested positive to fifteen days since their emission. CNIL further drew the attention of the government on transparency (art. 5§1a, 12-14 GDPR), and more particularly the obligation to provide accessible and easily understandable information. In particular, it recommended the provision of specific information, which will be customised to the needs of the minor users and their parents. Furthermore, CNIL called the Ministry to amend the Decree, by prescribing that the right of erasure and the right of opposition are applicable. Moreover, it welcomed the adoption of a series of security measures, such as the use of encryption, the establishment of a committee of several entities which will be entrusted with fragments of encryption keys, the limited access to the data of the central server and the planning of security audits. Last, it called the Ministry to make the entire source code public and change the Decree accordingly.  
 
CNIL made several more specific observations. It mentioned that the referral of the contacts at risk to competent health actors should be discretionary, and not direct. In the context of data accuracy (art. 5§1d GDPR), CNIL recommended that the app should allow the user to define certain time periods where the contact is not risky, such as in cases where the user is a health professional, in order to minimise the generation of false positives. It also welcomed the choice to limit the storage period of local histories of the users who have been diagnosed or tested positive to fifteen days since their emission. CNIL further drew the attention of the government on transparency (art. 5§1a, 12-14 GDPR), and more particularly the obligation to provide accessible and easily understandable information. In particular, it recommended the provision of specific information, which will be customised to the needs of the minor users and their parents. Furthermore, CNIL called the Ministry to amend the Decree, by prescribing that the right of erasure and the right of opposition are applicable. Moreover, it welcomed the adoption of a series of security measures, such as the use of encryption, the establishment of a committee of several entities which will be entrusted with fragments of encryption keys, the limited access to the data of the central server and the planning of security audits. Last, it called the Ministry to make the entire source code public and change the Decree accordingly.  
  
==Comment==
+
== Comment ==
  
  
==Further Resources==
+
== Further Resources ==
 
''Share blogs or news articles here!''
 
''Share blogs or news articles here!''
  
==English Machine Translation of the Decision==
+
== English Machine Translation of the Decision ==
 
The decision below is a machine translation of the French original. Please refer to the French original for more details.
 
The decision below is a machine translation of the French original. Please refer to the French original for more details.
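Review bot: Every changed line in this hunk is a heading whose only difference is the added spaces inside the markers (for example ==English Summary== becoming == English Summary ==); the paragraph text is identical on both sides. These whitespace-only changes are bundled with the Date_Published change in the same undo, which makes the one substantive edit easy to miss. Consider leaving the headings as they are in the latest revision and correcting the date field, if needed, in a separate edit.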
  
