Launched on June 2, the French mobile tracing app for COVID-19, “StopCovid,” has been voluntarily downloaded by 1.9 million users within three weeks.
On June 3, the French Data Protection Authority (the CNIL) published its second opinion on StopCovid, relating to the implementation of the app and the related Executive Decree No. 2020-650 and to the Government’s data protection impact assessment.
Following its first opinion of April 24, on the principle of the use of a mobile contact tracing application, the CNIL examined the concrete conditions for its implementation and issued further recommendations. Since then, the implementation of StopCovid continues to raise issues and debates.
What does the CNIL’s opinion say about StopCovid’s implementation?
The Opinion recalls the inherent sensitivity of deploying a mobile contact tracing application such as StopCovid, and notes the plans to comply with the principle of data protection by design. The CNIL also reaffirms the adequacy of StopCovid must be demonstrated, in the context of France’s larger health policy. To this end, the CNIL notes that individuals who are exposed to the virus can also be taken care of by health professionals and be registered in the other data processing implemented by the French government (Contact Covid and SI-DEP).
The CNIL has also made several additional recommendations in this new opinion, including on:
- improvements of information disclosed to users, in particular with regard to the use of the application and the deletion of personal data;
- the need to provide specific information for minors and their parents;
- confirmation in the Decree of a right to object and a right to erasure of pseudonymised data stored;
- access to the entire source code of the mobile application and server.
Purposes of StopCovid
StopCovid will be implemented under the controllership of the Health Minister, with the primary purpose of informing StopCovid users that there is a risk they have been contaminated by the COVID-19 due to their being in proximity of another user who tested positive.
In its Opinion, the CNIL notes that the Government has excluded several purposes for StopCovid, such as the census of infected individuals, the identification of movements and geographic areas, the contact of alerted users or the control of the compliance with lockdown measures or health recommendations.
Security of the application and system
The Opinion reveals that the CNIL has carried out an extensive security review of StopCovid, noting in particular the following of its initial recommendation to switch to more secure cryptographic algorithms. StopCovid will also be subject to security audits by the French cybersecurity agency (“ANSSI”) and by third parties.
Interestingly, in its Opinion, the CNIL disputed the Government’s plan to restrict the publication of the source code only to certain portions of the system for reasons relating to security. While the CNIL accepted that details of the configuration or details of the security measures do not have to be published, the Commission insisted that the whole of the source code of the application or central server be published. Following this recommendation, Article 1(IV) of the Decree provides that the source code implemented in the context of StopCovid will be made public and accessible online from www.stopcovid.gouv.fr.
Rights of data subjects
The Opinion concurs with the Government’s plan to exclude the application of the rights of access, of rectification and to restriction of processing (Article 4 of the Decree).
For the CNIL, the right of access to the user’s keys and pseudo-identifiers associated with the application would be of limited value, and could also create security issues. The CNIL also notes that pseudonymisation is an essential part of the system to preserve the privacy of users, and therefore agrees that the Decree may exempt StopCovid from the right of access, pursuant to Articles 11, 15(4) and 23 of the GDPR.
Issues around data collection
As StopCovid continues to receive scrutiny from the IT security community and from the media, new issues have been raised in relation to the effective data collection performed by the application.
As the CNIL notes in its Opinion, the StopCovid processing must not enable tracking of social interactions of individuals, and the use of pseudo-identifiers in the centralised protocole “ROBERT” designed by the French computer science research institute (INRIA) aims to ensure that no connections are retained between contaminated users and the list of other users exposed.
In particular, Article 2(5°) of the Decree notes that the data processed include the “proximity history” of a user which consists of the list of pseudonyms from other users exposed for a limited amount of time at a certain distance. The Executive Order of 30 May 2020 provides that only data relating to users exposed within 1 meter and for at least 15 minutes will be collected as part of the “proximity history”.
However, news articles report that analysis of StopCovid show, according to a research at INRIA, that the data collection of StopCovid appears to be broader than the scope of data collection defined in the Decree.
The StopCovid processing will be limited in time, with a term set at six months from the end of the “health emergency state”.
Several developments are expected by the CNIL, in particular with regard to interoperability with other mobile tracing apps in the European Union.
Furthermore, the CNIL requests that the effectiveness of StopCovid be reviewed in the context of the global health strategy, independently of the Government’s evaluation report, which is expected no later than January 2021.