The CNIL and the protection of personal data in the face of the health crisis of Covid-19
Deliberation n°2020-056 of 25 May 2020 giving its opinion on a draft decree relating to the mobile application called "StopCovid"
In response to the impact of the health crisis, the CNIL has published a number of fact sheets and recommendations to guide professionals and the people concerned on issues relating to the protection of personal data.
In order to clarify the issues relating to the protection of personal data both in the context of the implementation of new containment measures and in the context of the government's strategy of progressive deconfinement, the CNIL, the French data protection authority, has published numerous guidance documents and recommendations.
As a public and independent control authority, the CNIL is responsible for overseeing the application of the General Data Protection Regulation (hereafter "GDPR") in order to protect the fundamental rights and freedoms of individuals with regard to the processing of their personal data.
In accordance with recital 46 of the GDPR, it should be recalled that "certain types of processing may be justified both on important public interest grounds and by the vital interests of the data subject, for example where processing is necessary for humanitarian purposes, including the monitoring of epidemics and their spread".
In this unprecedented context, the CNIL is a major player in the implementation of health policy and research on Covid-19 and the possible deployment of processing based on these exceptional purposes. The control authority thus assists government players in their testing and health investigation policy, health players wishing to initiate research projects on Covid-19, as well as professionals and individuals in the pursuit of their activities.
Firstly, the CNIL pointed out that the health authorities were responsible for collecting information on the symptoms of Covid-19 and geolocation information as part of the fight against the epidemic.
The CNIL was asked for advice by the Secretary of State in charge of digital technology on the possible implementation of a voluntary contact monitoring application called "StopCovid". On 24 April 2020, the CNIL called for vigilance in the deployment of such a system. In a deliberation dated 25 May 2020, the CNIL gave its opinion on the concrete conditions for the implementation of this application and considered that it could be legally deployed. The authority noted that the application, which is temporary and designed on a voluntary basis, will not lead to the creation of a file of contaminated persons but to a list of contacts for whom all data will be pseudonymized. Nevertheless, the supervisory authority makes additional recommendations such as improving the information provided to users and providing specific information relating to minors and their parents, or free access to the entire source code of the mobile application and server.
It should be noted that on 8 May 2020, the CNIL gave its opinion on the draft decree relating to two other projects, the SI-DEP and Contact Covid systems. While the SI-DEP file allows, among other things, the centralisation of Covid-19 test results, the Contact Covid file collects information on the chains of contamination. The purpose of these systems is to ensure the health care and support of people infected with the virus or likely to be infected. The personal data processed by these systems include, in particular, health data and travel data, which are accessible to many actors, notably health investigators.
Although the CNIL considers these files necessary for the implementation of the government's health policy, it requests that this necessity be regularly monitored. In line with its position on the StopCovid application, the CNIL calls for vigilance and asks for additional guarantees. In particular, the supervisory authority requires that the security of the systems and the accountability of persons having access to the files be guaranteed.
Secondly, the CNIL gave its opinion on the research projects and indicated that for internal research, no formalities were required beyond the entry of the processing operation in the register of processing activities. In addition, it is specified that a declaration of compliance with the corresponding reference methodology is required. In the event of non-compliance with the said methodology, it is specified that a request for "research" authorisation is required. To this end, the CNIL publishes a dedicated procedure to facilitate the urgent processing of this request.
Although the CNIL has opted to prioritize the files related to the Covid-19 epidemic, the investigation of other requests is likely to be carried out under the usual conditions despite an extension of the deadlines in certain cases.
Indeed, in accordance with the order of 25 March 2020 on the extension of time limits during the health emergency period, certain procedures initiated by the CNIL have been subject to an extension of time limits. This is the case for formal notices for which the deadline did not expire before 12 March 2020 or for those sent after 12 March 2020. In the first case, the deadlines for compliance are suspended until 24 June 2020; in the second case, the starting point for compliance is postponed to the same date. In addition, the said order allows organizations implicated by complaints to respond to the CNIL's requests by August 24, 2020 at the latest.
It should be noted that the CNIL has published general recommendations in the context of work organization for employers and employees, but also for teachers in order to support business continuity. The purpose of this approach is to help management, in this unprecedented context, with the security of information systems and personal data processed.
In addition to these recommendations dedicated to business continuity, the CNIL has published observations concerning the measures designed to ensure the gradual resumption of activity. Indeed, while the employer is responsible for the health and safety of its employees/agents, the CNIL points out that each employee/agent must also take care to preserve the health and safety of persons with whom he or she may come into contact in the course of his or her professional activity.
In this context, the employer may question the appropriateness and lawfulness of processing reports of possible contamination with the virus, it being understood that the processing of health data is prohibited in principle because of its sensitivity. Employers are reminded that they may only process data that is strictly necessary to meet their obligations in terms of employment law, social security or social protection. In this context, the CNIL advises employers who wish to carry out processing operations aimed at checking the state of health of their employees to contact the occupational health services. This applies in particular to serological tests, which only competent health personnel can collect and implement.
It should be noted that all of these recommendations are regularly updated in the light of the unprecedented current context and are accompanied by links redirecting to exhaustive content from the CNIL and the authorities concerned for each of the topics addressed.