
STOPCOVID: Journey of a controversial application

Not a day goes by without the question of "deconfinement" of the population being addressed, in France as elsewhere, in connection with the tracing of the virus and of the individuals who transmit it.

Recent developments mention the creation of a file to track infected people, the details of which are submitted to the CNIL for review.

The media also reported a standoff between GAFAM and the government to implement the most virtuous "stopCovid" application.

While parliamentary debates on this application are currently suspended, can we have a clear vision of the issues and impacts of such digital monitoring?

Is it a question of national sovereignty, a question of data control or, more prosaically, “simple” technical choices?

The question is important because it concerns not only France, but most European countries and other states trying to manage the pandemic.

Protocols and their impact on data processing

The PEPP-PT (Privacy Preserving Proximity Tracing) project was originally intended to enable the development of applications in Europe on a harmonized basis, in compliance with the law.

The aim is to inform a person that they have been in contact with an infected person, based on the Bluetooth technology of their smartphone, without geolocating them.

While PEPP-PT initially seemed to gain support, several hundred scientists distanced themselves from it and, in an open letter, took a position in favor of a protocol based on a decentralized approach such as DP-3T (Decentralized Privacy-Preserving Proximity Tracing), in which the data remains stored locally on the device. This offers better guarantees in terms of data security and against the risks of data being misappropriated by third parties or used for other purposes.

Let us remember that the conservation of data locally is a principle of proportionality and Privacy by Design put forward in other contexts such as the processing of biometric data.


The CNIL has a clear position on this subject, which can be found in particular in its communication concerning the use of biometric data by smartphones or in the workplace. 

The tools implemented by Google and Apple were developed (in particular) around this local-storage model recommended in the DP-3T protocol, in order to prevent overly intrusive use of data from users' mobile phones.

The problem arises because France (and initially Germany, which has since changed its mind) is developing an application based on the ROBERT protocol (ROBust and privacy-presERving proximity Tracing), which cannot work on top of the functionalities proposed by Apple and Google, since it has specific requirements in terms of Bluetooth access and data centralization (the details are clearly explained here).

This does not in itself mean that the French application violates data protection principles: guarantees (particularly in terms of pseudonymization) have been provided, and the CNIL, while issuing some observations, has given a favorable opinion.
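To make the decentralized/centralized distinction concrete, here is an added illustration (not code from the article, DP-3T or ROBERT) that models the DP-3T idea in simplified form: each phone derives rotating Bluetooth identifiers from a daily key chain, keeps the identifiers it has heard only on the device, and an infected user publishes just one day key; exposure matching then runs locally. The epoch count, label strings and identifier length are assumptions for illustration, and the encounters are constructed.

```python
import hashlib
import hmac
import secrets

EPOCHS_PER_DAY = 4  # assumption: how often the broadcast identifier rotates

def next_day_key(sk: bytes) -> bytes:
    """Day t+1 key is a one-way function of the day t key (hash chain)."""
    return hashlib.sha256(sk).digest()

def ephids_for_day(sk: bytes) -> list:
    """Derive the day's ephemeral identifiers (EphIDs) from the day key via a keyed PRF."""
    seed = hmac.new(sk, b"broadcast key", hashlib.sha256).digest()
    return [hmac.new(seed, i.to_bytes(4, "big"), hashlib.sha256).digest()[:16]
            for i in range(EPOCHS_PER_DAY)]

class Phone:
    def __init__(self):
        self.sk0 = secrets.token_bytes(32)
        self.observed = set()  # EphIDs heard over Bluetooth; never leaves the phone

    def day_key(self, day: int) -> bytes:
        sk = self.sk0
        for _ in range(day):
            sk = next_day_key(sk)
        return sk

    def broadcast(self, day: int, epoch: int) -> bytes:
        return ephids_for_day(self.day_key(day))[epoch]

    def hear(self, ephid: bytes) -> None:
        self.observed.add(ephid)

    def report_infection(self, first_contagious_day: int):
        """Only the key of the first contagious day is uploaded: later day keys
        follow from the chain, earlier keys and the contact list do not."""
        return (self.day_key(first_contagious_day), first_contagious_day)

    def check_exposure(self, published, today: int) -> bool:
        """Matching runs on the device against the published keys (no upload of contacts)."""
        for sk, start in published:
            for _day in range(start, today + 1):
                if any(e in self.observed for e in ephids_for_day(sk)):
                    return True
                sk = next_day_key(sk)
        return False

def simulate():
    alice, bob, carol = Phone(), Phone(), Phone()
    bob.hear(alice.broadcast(day=2, epoch=1))    # constructed encounter on day 2
    carol.hear(bob.broadcast(day=3, epoch=0))    # Carol only ever met Bob
    published = [alice.report_infection(first_contagious_day=1)]  # all the server holds
    return bob.check_exposure(published, today=4), carol.check_exposure(published, today=4)
```

Note that the published list contains nothing about whom Alice met, which is the property the scientists' open letter argues for; in a centralized design such as ROBERT, the server instead holds the pseudonyms and performs the matching itself.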

But where France is taking precautions, how many other more or less democratic countries would take advantage of the "à la carte" features offered by Apple and Google to carry out much more intrusive surveillance of their populations?

This explains – in part – the reluctance of the web giants and the current deadlock in the situation.

The Presidency of the European Council has put this item on the agenda of its meeting on 5 May, during which EU telecommunications ministers will try to adopt a common approach.

The legal framework

Beyond these technical aspects, managing contact data via this type of application raises the usual legal issues. Let us specify from the outset that the data is not anonymous but pseudonymised, which means that the GDPR and the principles protecting telecommunications data apply.

In addition to the voluntary nature of using the application, the government can only process this type of sensitive data if it is authorized to do so by a specific legal basis.

Furthermore, transparency of processing must be ensured, data must be secured and their deletion must be planned within strict time limits.

Whether it is the CNIL, the EDPB (the group of European "CNILs"), the European Data Protection Supervisor (EDPS) at its hearing before the Senate on April 27, or the Council of Europe, the supervisory authorities point out that no system, centralized or decentralized, can completely avoid vulnerabilities and risks of re-identification.

They agree on the precautions to be taken in the design and use of applications, but they also emphasize first and foremost the non-trivial nature of this type of tool, citing the risk of prolonging emergency situations and of the population becoming accustomed to latent surveillance. 


In the same vein, we can cite students who today have to get used to regular screenshots of their terminal by their teacher when they take a remote exam, and who could eventually find this type of intrusion normal in other contexts.

It is therefore above all a question of not dodging the fundamental question of the necessity of the measure, its impact and its proportionality in the face of the consequences on the fundamental rights of individuals.

And also:

  • In France:

In addition to a significant number of practical sheets relating to pandemic management in the context of scientific research, labor relations and the tracking of individuals, the CNIL has just launched a public consultation on the rights of minors in the digital environment. This is open until June 1, 2020.

  • Europe and International:

The European Data Protection Board (EDPB) adopted several documents aimed at guiding public authorities and companies in managing data during the pandemic: it focused in particular on the conditions for processing data for medical research purposes, on international transfers of such data, and on tracking and localization via mobile terminals.

At the international level, documents from all authorities are available on the Global Privacy Assembly website.

BEUC (European Consumer Organisation) communicated on April 21 on a joint action with more than 40 consumer rights and freedoms organizations regarding widespread surveillance by the adtech industry and digital tracking.

Belgium: The data protection authority has imposed a €50,000 penalty for violation of the principle of independence of the DPO: the disputes chamber considered that combining this function with those of director of the risk, audit and compliance departments constituted a conflict of interest.

The Netherlands: The Dutch supervisory authority imposed its highest fine to date at the end of April, amounting to €725,000, against a company that processed its employees' fingerprints without any real security justification.

Anne Christine Lacoste

A lawyer specializing in data law, she was Head of International Relations at the European Data Protection Supervisor and worked on the implementation of the GDPR in the European Union.

As part of the expansion of remote working, the authority has also conducted a very detailed comparison of the main videoconferencing systems with regard to data protection. Only the Dutch version is available online, which is why we are attaching the unofficial English translation in full (thanks to Christopher Schmidt). We should also add to this list the Tixeo solution, mentioned by the CNIL in its recommendations on videoconferencing, and certified by ANSSI.
