Publication of the CNIL's opinion on the "StopCovid" mobile application project

30 April 2020

In the context of the state of health emergency linked to the COVID-19 pandemic, and more particularly the overall "lockdown-lifting" strategy, the CNIL was consulted by the Secretary of State for Digital Affairs on the possible implementation of "StopCovid": a voluntary contact tracing application. The members of the CNIL adopted their opinion on 24 April 2020.

In the exceptional context of crisis management, the CNIL considers the system to be compliant with the General Data Protection Regulation (GDPR) if certain conditions are met. It notes that a number of safeguards are provided by the government's plan, including the use of pseudonyms.

However, the CNIL calls for vigilance and underlines that the application can only be deployed if its usefulness is sufficiently proven and if it is integrated into an overall health strategy. It calls for certain additional safeguards. It highlights certain aspects related to security, and makes technical recommendations.

The CNIL asked to be consulted again after the debate in the French Parliament, should the project be implemented, in order to examine the proposed implementation of the application.

A voluntary warning system

Developed in exceptional circumstances, the StopCovid application is designed to alert its users that they have been in close proximity to people who have tested positive for COVID-19 and who use the same application. The application is based on voluntary use, and allows "contact tracing", using Bluetooth technology, without geolocating individuals. It therefore alerts people who use the application and who have been exposed to the risk of contamination.

The opinion of the CNIL

The use of the application considered by the Government is voluntary. The CNIL specifies that this implies that there will be no negative consequences for those who do not use the application, in particular for access to tests and healthcare, but also for access to certain services when the lockdown is lifted, such as public transport. In addition, the CNIL acknowledges that the application respects the concept of data protection by design, since it uses pseudonyms and will not allow lists of contaminated persons to be retrieved.

However, the CNIL's analysis of the technical protocol confirms that the application will indeed process personal data and will be subject to the GDPR. It draws attention to the specific risks, in particular of trivialisation, linked to the development of a tracking application that records the contacts of an individual, among other users of the application, for a certain period of time.

The CNIL considers that the application can be deployed, in compliance with the GDPR, if its usefulness for crisis management is sufficiently proven and if certain safeguards are provided. In particular, its use must be temporary and the data must be kept for a limited period of time. The CNIL therefore recommends that the impact of the system on the health situation be studied and documented on a regular basis, to help the public authorities decide whether or not to maintain it.

In its opinion, the CNIL points out that the use of contact tracing applications must be part of a global health strategy and calls, in this respect, for particular vigilance against the temptation of "technological solutionism". It stresses that the application's effectiveness will depend, in particular, on its availability in application stores (App Store, Play Store, etc.), widespread adoption by the public and appropriate configuration.

Should the use of this system be adopted following the parliamentary debate, the CNIL will issue recommendations on the architecture and security of the application. It stresses that all these precautions and guarantees are likely to foster public trust in the system, which is essential to ensure that it is successful and to maximise its usefulness.

Finally, the CNIL considers that the use of a voluntary contact monitoring scheme to manage the current health crisis should have an explicit legal basis in national law. It calls on the Government to consult the CNIL on the draft legislation.

The CNIL will continue to pay particular attention to this project and to the conditions for the effective implementation of the system.