Opinion of the French Data Protection Authority on the contemplated extension of the Contact COVID digital information system
In a deliberation No. 2021-006 issued on January 19, 2021, the Commission Nationale de l’Informatique et des Libertés (French Data Protection Authority, hereinafter the “CNIL”) gave its opinion on a draft decree aimed at strengthening the system for tracing the chains of COVID-19 transmission, known as the “Contact Covid” information system, as part of the French Government’s strategy to fight against the spread of the virus.
This article outlines the CNIL’s main observations and recommendations which aim at maintaining the protection of often sensitive personal data while the draft Decree foresees a considerable and substantial extension of the information collected.
The CNIL was asked by the Minister for Solidarity and Health to issue an opinion on a draft Decree amending Decree No. 2020-551 of May 12, 2020 on information systems mentioned in Article 11 of Law No. 2020-546 of May 11 extending the state of health emergency.
This actually refers to the information system called “Contact COVID”, set up by the French Government when the first lockdown was lifted in spring 2020 and aiming at controlling the evolution of the epidemic by identifying and isolating persons tested positive for COVID-19 and their contacts. This digital tool is used exclusively by healthcare professionals (physicians, pharmacists, biologists from COVID screening laboratories and professionals authorized by the French National Health Insurance Fund, the National Public Health Agency and Regional Health Agencies).
The objectives of this draft Decree were as follows:
“– strengthen the system for tracing the chains of transmission of the virus, particularly in the case of asymptomatic individuals;
– identify places and events where there is a high risk of virus spreading, in order to guide public policies in the management of the crisis, by providing useful data for policies on the opening and closure of places open to the public. […]
– reinforce social and health support in case of isolation of people.”
The CNIL underlined that the draft Decree plans to extend “considerably and substantially the information collected in the information system”, thereby calling for vigilance. Nevertheless, it then qualified this statement by recalling that the system is conditional on the fact that people questioned provide information on a voluntary basis only.
The main changes contemplated by the draft Decree were thus examined by the CNIL:
Regarding the new category of “co-exposed” persons
The draft Decree envisages the processing of data related to a new category of persons, i.e., the “co-exposed” persons.
The concept of co-exposed person is supposed to refer to any person “having been in the same place or event, where the [so-called] “barrier gestures” [i.e. preventative measures that each individual should take to protect himself/herself and others against COVID-19] could not be fully respected, identified by patient zero as the possible source of his/her infection”.
However, the CNIL invited the Ministry to clarify the concept and to specify the criteria (difference with the concept of contact case, conditions relating to a “co-presence”, conditions relating to the failure to respect “barrier gestures”).
Regarding the collection of data concerning vaccinated or previously infected persons
The draft Decree also envisages the collection of data related to the existence of a previous infection with the virus in a previous two-month period, or the existence of vaccination.
However, further details are to be provided as to the nature of the data processed and the purposes of this processing.
In this respect, the CNIL recalled that in accordance with Article 5-1(c) of the GDPR, only data that are adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed may be collected.
Regarding the collection of data related to gatherings of people
The draft Decree envisages the collection of information related to visits to places open to the public or related to the attendance to a gathering, event or activity when contamination may have occurred there.
The CNIL invited the Ministry to specify the criteria for establishing that contamination may have occurred.
It recalled that the processing of the data collected may not be used for purposes other than those defined in the draft Decree (i.e., tracing contamination) and may not therefore be diverted for the purpose of monitoring compliance with measures to combat the COVID-19 epidemic.
Generally speaking, the CNIL also recalled the risk that this type of processing may generate with regard to the protection of the privacy of the data subject, in particular if the gathering, event or activity in question involves sensitive data, as defined in Article 9 of the GDPR.
Regarding the collection and transmission of data to transport operators
The contemplated development of the information system would also make it possible to identify the railway or bus stations, marine terminals or airports through which the persons concerned have transited during the last fourteen days following a stay away from home. The transport operators would also be identified.
The Ministry specified that the information relating to patient zero could be transmitted to the relevant operator in order to identify the contact cases co-exposed persons.
The CNIL indicated that the draft Decree must explicitly identify the transport operators among the possible recipients of these data. It also wondered about the exemption from medical secrecy that such a treatment would imply.
In general, the CNIL drew the Ministry’s attention to the need to respect the confidentiality of the data, and to the need for training and awareness raising for people who process health data which are in essence particularly sensitive.
This opinion highlights that it is sometimes difficult to balance the pursued objectives of controlling the COVID-19 epidemic on the one hand and the preservation of individual freedoms, in particular the protection of privacy and personal data, on the other hand.
 https://www.legifrance.gouv.fr/jorf/id/JORFTEXT000043023857 (in French only)
 https://www.legifrance.gouv.fr/loda/id/JORFTEXT000041869923/ (in French only)