In his address to the nation on Monday 13 April, the President of the French Republic confirmed the government’s plan to roll out an app, capable of detecting if people have been in contact with someone infected with Covid-19, to support the deconfinement phase.
This “digital tracking” method has already been adopted by multiple countries such as China and South Korea, but also Germany, Belgium, Spain and Italy.
While receiving that initial text message from the government on the first day of confinement certainly raised a number of questions (1), the implementation of a digital tracking app raises even more.
Health and personal data
Under the terms of Article 67 of the French Data Protection Act (2), government authorities may process personal medical data where the sole purpose is to respond to a health crisis and manage the consequences, in the event of emergency. Unlike the general set of obligations imposed by the General Data Protection Regulation (“GDPR”), this type of data processing falls under the scope of a simplified exceptional scheme insofar as, for GDPR compliance purposes the data controller is only required to conduct an impact analysis (3).
In principle, there is no legal basis against individual digital tracking in the interest of protecting public health. That being said, the more intrusive the technology, the greater the need for safeguards.
According to the information provided thus far, the CovidStop app will not have access to the phone’s geolocation data, as opposed to the technology used in South Korea and China.
The French app is said to use bluetooth technology to warn people if they have been in close proximity to someone who has tested positive for Covid-19 (and who has installed the app on their phone). That way, those people can get themselves tested and self-isolate if necessary.
The objective of Project CovidStop is to study how the virus is transmitted in order to track it more effectively as it spreads.
As stated by the European Data Protection Board (4), use of a data tracking application is perfectly lawful if, as announced, the following conditions are met:
The President of the French Republic stipulated that the application will be used “on a voluntary basis.”
With respect to GPDR provisions, such data processing is lawful when founded on one of the legal bases listed. The consent of the data subject constitutes one such basis where it meets the following conditions: it is freely given, informed and incurs no negative consequences if the data subject does not give consent.
2. Anonymous data
Data is said to be anonymous under the GDPR where it cannot be used to identify the data subject.
If the measures are based on strictly anonymous data, then the data processing operation falls outside the scope of the GDPR. In such case, not all the provisions relating to personal data protection will apply.
The matter is set to be discussed by the French National Assembly and the final draft submitted to the CNIL (French Data Protection Agency). Any forthcoming clarifications will provide an opportunity to assess the proposed tracking mechanism.
(1) Pursuant to the provisions of Article L.33-1 of the French Postal and Electronic Communications Code, telecom operators are required to convey to their subscribers any government messages aimed at warning the population of an imminent danger or major disaster. The government is not provided with any telephone numbers to that end. Rather, telecom operators simply forward the message issued by the government to the subscribers in their database.
(2) Act No. 78-17 of 16 January 1978 (Loi relative à l’informatique, aux fichiers et aux libertés).
(3) Regulation (EU) 2016/679 of 27 April 2016 on the protection of natural persons with regard to the processing of personal data.
(4) Statement on the processing of personal data in the context of the COVID-19 outbreak adopted on 19 March 2020 – European Data Protection Board.