The project of a mobile application to tackle the spread of coronavirus once lockdown is lifted is underway, but it will have to meet the principles laid out by data protection law as highlighted by the European Data Protection Board on 14 April 2020.
Act I – no state of emergency for personal data – being over, this act II will necessarily be followed by a third one, upon implementation of this complex technological innovation. Just as a number of other countries, France is focusing on a massive deployment of a mobile app, named StopCovid, to fight the pandemic and mitigate the risks of a “second wave” after 11 May 2020, the envisaged date of the end of the strict lockdown.
According to the EPDB letter published on 14 April 2020, the risky gamble of trust, materialized by a voluntary adherence to these mobile apps, shall overtake the use of authoritarian force within the European Union, and the need for transparency prevail over opacity and the mistrust it generates. Both allow us to believe in a European Union which gathers its peoples around common values protective of fundamentals rights and liberties, drivers of growth and creation, while the pandemic increases geopolitical tensions between the US and China and paves the way for an opportunistic collaboration between the two tech giants Apple and Google to process the location data of smartphone users.
At this stage, the technical and operational modalities remain unclear, but one setting is deemed essential to ensure the success of this tool, as Marie-Laure Denis, the president of the CNIL, stated in her audition before some Members of Parliament (commission des lois) on 8 April 2020: “We need to gain citizens’ confidence so they adopt this mechanism in sufficient number to guarantee its sanitary effect”.
The recent intervention of the EDPB, in line with the CNIL, points out the necessity to protect freedoms through the mechanisms provided for by the General Data Protection Regulation (GDPR), such as transparency, and advocates for a voluntary use of the apps, token of individual trust and collective responsibility, thus echoing the concept of social contract (“contrat social”) developed by Rousseau and based on the citizen adherence to the constraints of living together.
In this context, President Emmanuel Macron, in his presidential address dated 13 April 2020, announced that regarding the development of StopCovid in France, a debate would be organized before the Parliament on 28 and 29 April…but would not lead to a vote by the MPs, thus fueling a certain mistrust towards this mobile app which only a short majority of French people would be willing to download (51%) at the moment, according to a recent poll by the Elabe institute on 15 April 2020.
I. A MOST WELCOME COMMON EUROPEAN APPROACH
In March, when the issue of processing of health and/or location data was brought up in order to fight the Covid-19 pandemic, the EPDB confirmed that the European Union legal framework, including the ePrivacy directive of 2002 and the GDPR, provided for enough flexibility to carry out such processing, under certain conditions.
The European Commission followed through on 8 April 2020, defending a common European project regarding the use of technologies to tackle the spread of coronavirus (A), before the EDPB issued a new statement on 14 April 2020, in relation specifically to smartphone applications (B).
A. An ambitious European project led by the Commission
As the role of technologies and personal data in the right against coronavirus was progressively affirmed, the European Commission unveiled a two-goal plan in its recommendation dated 8 April 2020.
- The first priority consists in a pan-European approach (PEPP-PT) for mobile applications, which would allow for contact tracing (i.e. identifying the mobiles devices in the vicinity of one mobile, to send them an alert if the owner of the mobile has been tested positive) to prevent an uncontrolled spread of coronavirus when lockdown measures are lifted; the StopCovid app developed by France is placed under the auspices of this common European initiative. If the operating mode of such apps remain uncertain, the Commission already insists upon the need to ensure full compliance with data protection law (processing for specified purposes, retention of data only while the pandemic is not under control, transparency of the source code, etc.).
The Commission also advocates for a constant dialogue among involved parties – the effectiveness of such mechanisms should be assessed from a medical and technical point of view – and enhanced scrutiny to tackle a counter-productive proliferation of such apps.
- The second priority relies on the use of anonymized and aggregated location data, to model the spread of the virus and thus anticipate the medical response. The Commission pleads for an exchange of information and best practices among Member States, on the basis of location data made accessible by the telecom operators, who very early on helped governments model population movements.
This initiative is a step towards the emergence of a European data market, based on the free flow of non-personal data in accordance with the provisions of European regulation 2018/1807 of 14 November 2018, an initiative that should be praised for in this global context of fierce competition over data.
B. The EDPB approach regarding contact tracing apps
In response to the Commission statement, the EDPB proceeded to a more thorough evaluation of the PEPP-PT project, and pointed out once again that “the implementation of data protection principles and the respect of fundamental rights and freedoms is not only a legal obligation, but also a requirement to reinforce the effectiveness of any data-based initiatives for combating the spread of the Covid-19 virus”.
The EDPB thus placess data protection law and particularly GDPR at the heart of the deployment of mobile apps for contact tracing, in order to lay out a base of transparency which is vital to fuel collective trust therein.
The EDPB however acknowledges that a unique, one-size-fits-all solution is not relevant and that the methods used by Member States will be assessed on a case-by-case basis. Regarding StopCovid, its technical feasibility is currently being evaluated, notably regarding the use of Bluetooth, and it would be very difficult to measure the effectiveness of such a tool at this stage, which depends very largely on the extent to which it is adopted by the population.
Not without knowing that it “can only focus on the overall goal of the envisaged apps”, the EPDB yet managed to establish relevant bases in terms of data protection as so many key points to which public authorities will have to pay attention to.
To start with, the EDPB strongly supports the Commission’s proposal for a voluntary adoption of these apps, which induces the possibility for any individual to download and delete the app at their will without having to fear any negative consequence if they don’t use it.
Resorting to the individual’s consent to process their personal data (which is different from the voluntary adoption of the app) is subtly discarded, as it is uncertain whether it could be freely given considering the alarming context of global pandemic. Fully aware that obtaining a consent which complies with the requirements of article 4.11 of the GPDR would hardly be possible, the EDPB rather states that the most relevant basis for the processing of personal data is “the necessity for the performance of a task carried out in the public interest” (article 6.1.e of the GDPR) or even “compliance with a legal obligation to which the controller is subject” (article 6.1.c of the GDPR).
The EDPB takes a tough stance regarding the use of location data which are covered by the 2002 ePrivacy directive, as their collection and processing would violate the principle of data minimisation as provided for in Article 5 of the GDPR; the goal of the mobile apps is not to follow the movement of individuals or to enforce respect of lockdown measures (consequently, the EDPB limits the functionalities solely to contract tracing and the provision of medical advice).
Finally, in accordance with the provisions of the GDPR, the EDPB recalls the necessity that:
- the processing of personal data be based ideally on the performance of a task carried out in the public interest in the field of public health;
- a data protection impact assessment (DPIA) be conducted and accounted for;
- the data protection by design and by default principles be respected while developing the app, by not storing any identifying data in users’ device if possible;
- the processing of data be strictly limited to the pandemic period and shall cease as soon as the situation is under control;
- all collected data be deleted or anonymized as soon as possible; and
- the source code of the app be made publicly accessible to promote full transparency.
II. THE OUTLINES OF THE FRENCH STOPCOVID APP
After a time of political resistance likely to be linked with the historical mistrust of French citizens towards any mechanism which could possibly hinder individual freedoms, the government eventually chose to resort to a contact tracing mobile app, as Emmanuel Macron himself confirmed in his presidential address of 13 April 2020.
The deployment of this app, scheduled for 11 May 2020, when lockdown measures are lifted, will be preceded by a parliamentary debate on 28 and 29 April, however not followed by any vote of the MPs. This announcement therefore led certain political figures, either representatives of the presidential majority or in the ranks of the opposition, to question the need to convene the two chambers (Assemblée Nationale and Sénat) in this context, and is contrary to the wishes of the president of the CNIL, Marie-Laure Denis, who called for the enactment of a law with sufficient guarantees if the consent of the person concerned was not required.
One could therefore wonder what framework would be suitable for this specific data processing, including that of health data which need to be based on Member State law that provides for suitable and specific measures to safeguard the rights and freedoms of the data subject, under Article 9.2.i of the GDPR.
Further clarification is expected in the coming days, an occasion for public authorities to reassure citizens regarding the use of the StopCovid app, in order to guarantee a maximum number of downloads when it is launched.
In any event, the recent statements of the European Commission and the EDPB may be regarded as an injunction to governments not only to fully comply to data protection rules while designing technologies against the Covid-19 pandemic, but also to use such rules as a means to promote transparency towards the population and consequently to increase their trust in these mechanisms.
- The European data protection board clarifies its position in a new set of guidelines - May 18, 2020
- Contact tracing application: “an individual choice pledge of collective responsibility” - April 25, 2020
- #COVID-19 : No state of emergency for data protection ! - March 26, 2020
- Brief n°2 – The controls of the French supervisory authority in 2019: enforcing the rights of the data subject - June 3, 2019
- CNIL investigations in 2019 : the sharing of responsibilities between controller and processor - May 3, 2019