Norton Rose Fulbright - Data Protection Report blog

Following the example of many European countries, the French government plans to introduce a contact tracing app, known as “StopCovid”.  The app is designed to be used by people once they leave the confinement of their homes with the aim of preventing the spread of COVID-19. StopCovid is being developed within the INRIA, the French national research institute for digital sciences and technologies.

This blog post summarises the status of the project and the discussions from legal, political, scientific and technological perspectives.

How will StopCovid work?

For each smartphone on which the app is downloaded, temporary crypto-identifiers will be generated (approximately every 15 minutes).  These identifiers are associated with the smartphone – and not with the person who owns the smartphone.

When a user tells the app that he or she is infected, the app sends the history of the crypto-identifiers that the device has encountered (the “contact identifiers”) to a central server.  The device’s own crypto-identifiers, however, are not disclosed to the central server. Each smartphone that has downloaded the app makes regular checks against the central server to see if its crypto-identifiers are part of the “contact identifiers”. When this is the case, an alert is generated by the app to warn the user that he/she has been exposed to the virus.

No personal data is transferred between any two smartphones, and no directly identifying personal data is transferred to the central server. Importantly, no personal data relating to persons who have tested positive for COVID-19 is stored on the central server.
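The data flow described above, as an added illustration that is not part of the original post or of the StopCovid project's code. It assumes random 16-byte values as stand-ins for the crypto-identifiers (the post does not describe how they are derived), a 15-minute rotation slot, and a constructed three-phone scenario; it shows that the uploading phone's own identifiers never reach the server and that only a phone that was actually encountered gets an alert.

```python
import os
from dataclasses import dataclass, field

ROTATION_SECONDS = 15 * 60  # identifiers rotate roughly every 15 minutes (per the post)

class CentralServer:
    # Stores only the "contact identifiers" uploaded by users who reported an infection
    def __init__(self) -> None:
        self.contact_ids: set = set()

    def store_contacts(self, ids: set) -> None:
        self.contact_ids |= set(ids)

    def is_contact(self, identifier: bytes) -> bool:
        return identifier in self.contact_ids

@dataclass
class Device:
    own_ids: dict = field(default_factory=dict)  # rotation slot -> identifier broadcast in it
    heard_ids: set = field(default_factory=set)  # identifiers received over Bluetooth

    def current_id(self, now: int) -> bytes:
        # Stand-in derivation: random bytes per 15-minute slot (the real scheme is not on the page);
        # setdefault keeps the first identifier generated for a slot
        slot = now // ROTATION_SECONDS
        return self.own_ids.setdefault(slot, os.urandom(16))

    def report_infection(self, server: CentralServer) -> set:
        # Only the identifiers this device encountered leave the phone, never its own
        server.store_contacts(self.heard_ids)
        return set(self.heard_ids)

    def check_exposure(self, server: CentralServer) -> bool:
        # Regular check: was any identifier this device broadcast uploaded as a contact?
        return any(server.is_contact(i) for i in self.own_ids.values())

def encounter(a: Device, b: Device, now: int) -> None:
    # Two phones in Bluetooth range exchange their current identifiers
    a.heard_ids.add(b.current_id(now))
    b.heard_ids.add(a.current_id(now))

def simulate() -> dict:
    # Constructed scenario: alice meets bob twice, carol meets nobody, alice reports positive
    server, alice, bob, carol = CentralServer(), Device(), Device(), Device()
    encounter(alice, bob, now=0)
    encounter(alice, bob, now=2 * ROTATION_SECONDS)  # a later slot, so fresh identifiers
    uploaded = alice.report_infection(server)
    return {"bob_alerted": bob.check_exposure(server),
            "carol_alerted": carol.check_exposure(server),
            "uploader_own_ids_on_server": bool(uploaded & set(alice.own_ids.values()))}
```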

What are the possible downsides of the StopCovid app?


Technological limitations

The initiative faces certain technological limitations, notably due to the use of Bluetooth technology. Bluetooth is not a particularly precise technology for estimating the distance between two smartphones. This could result in false positives or false negatives if the distance measurement is wrong: the app may alert someone who was not actually close enough to an infected person to be at risk, or, conversely, fail to alert someone who was.

In addition, for the app to be installed on the largest number of smartphones and be compatible with both iOS and Android, it must meet the security requirements of Apple and Google. The two companies are working on a joint initiative to release software that developers can use to build compatible apps, but for the time being their API is not compatible with projects such as StopCovid, which requires Bluetooth to be permanently activated in the background.

Scientific limitations

The app is based on the risks defined by epidemiologists on the basis of their current knowledge. However, some areas, notably the model of virus transmission, are very uncertain. There is therefore a real risk of false positives and/or false negatives which may be increased by the lack of precision of Bluetooth technology.

Legal limitations

Many questions remain to be answered: which public authority will control the central server? How can the risk of cyber-attacks be minimised? The app is also strongly criticised by some associations, which denounce the excessive risks it would pose to users’ privacy. The opinion of the CNIL (the French data protection authority) is very interesting in this regard.

The CNIL’s opinion

In a decision published on 24 April 2020, the CNIL assessed the project as presented by INRIA in mid-April (the project is likely to evolve) from a data protection law perspective.

The CNIL confirmed that the data processing carried out within the framework of such a system is a processing of personal data concerning health, as defined in the GDPR.

While recalling that the system can only be a complementary measure within the framework of a global health response, the CNIL notes that the StopCovid application provides a high degree of guarantee to minimise the risk of re-identification of individuals associated with the data stored in the central server. Moreover, the CNIL validates the purpose of this processing (i.e. alerting the persons exposed to the risk of contamination), which it considers to be fair and proportionate, as well as its legal basis (public interest), which is reinforced by the voluntary nature of the application.

The CNIL therefore considers the project to be generally compliant with the GDPR, if the following conditions are met:

  • Data controller. The ministry in charge of health or any other health authority involved in the management of the health crisis must be designated as the data controller(s).
  • DPIA. The processing is likely to present high risks as the processing involves health data, is intended for large-scale use, requires systematic monitoring and is using a new technological solution. Therefore, it requires a data protection impact assessment to be conducted prior to any implementation of the scheme.
  • Purposes. Should the app be used for other purposes in the future (e.g. monitoring of compliance with containment measures, monitoring of the number of infected persons, contacting an infected person, etc.), a new assessment will have to be carried out.
  • Consent. The voluntary nature of the application must be set out in future legislation. Furthermore, the use of freely given consent implies that no negative consequences may result from a person’s refusal to use the app. Thus, the use of StopCovid may not be made conditional on screening tests, access to healthcare, the right to mobility or access to certain services (e.g. public transport).
  • Minimisation and storage. Data collection and storage are limited to the data strictly necessary for the use of the app, and the data should only be stored for a limited period of time. The data will have to be deleted once the usefulness of the app is no longer proven. However, the CNIL recognises that it is not possible to estimate such a duration, even as an indication, for the time being.
  • Security. Organisational and technical security measures of the highest level must be put in place:
    • at the level of the central server, in order to avoid any abuse that could result due to the centralisation of crypto-identifiers (e.g. the encryption keys allowing access to the identifiers of the persons concerned could be protected via hardware security modules, as well as by independent trusted third parties); and
    • at the app and central server level to avoid recreating a link between temporary crypto-identifiers and specific information on the terminal linked to Bluetooth technology (e.g. name of the mobile equipment, MAC address) which might allow the identification of users.
  • The CNIL also states that:
    • only state-of-the-art cryptographic algorithms should be used to ensure the integrity and confidentiality of exchanges; and
    • the absence of an enrolment mechanism (login, password, user account) increases the risk of cyber-attacks and appropriate measures must be put in place to minimise this risk.

Generally speaking, the CNIL stresses the difficulties the government may have in using this system in a homogeneous manner throughout France, and therefore in an effective manner. On the one hand, the app will have to be compatible with all smartphones (including Android and Apple). On the other hand, even if this were the case, La Quadrature du Net estimates that only 77% of the French population has a smartphone and this proportion drops to 44% for those over 70 years of age, who are considered to be amongst the most vulnerable.

The French Prime Minister announced that parliamentary debates and voting will be held once the final version of the app is released. One part of the opposition has already declared that they will vote against StopCovid.