The emergency law of 23 March 2020, enacted in the context of the fight against the Covid-19 pandemic, notably enables the French Prime Minister to adopt, by decree, measures restricting individual freedoms (free movement, gatherings, etc.).

Violations of fundamental rights and liberties are thus allowed under this specific regime, on condition of being proportionate to the intended purpose – a delicate balancing act with which public authorities will be confronted. What about the key issue of the processing of personal data? Failing any reference thereto in this emergency law, the usual legal framework remains applicable.

The European Data Protection Board (EDPB), in a press release dated 16 March 2020, clearly identified the conflicting interests at stake and the need to reconcile them in these uncertain times:

Data protection rules (such as GDPR) do not hinder measures taken in the fight against the coronavirus pandemic. However, I would like to underline that, even in these exceptional times, the data controller must ensure the protection of the personal data of the data subjects.

 The GDPR is a broad legislation and also provides for the rules to apply to the processing of personal data in a context such as the one relating to COVID-19[1]

Thus, the EDPB, which ensures the effectiveness of data protection within the European Union, regards the GDPR as sufficiently flexible to provide undertakings and public authorities with the necessary legal grounds, even in the unprecedented context of a global pandemic, to process personal data without the individuals’ consent.

In particular, two categories of personal data shall be handled with special care when weighing public health requirements against the protection of personal data.

1. Health data

This health crisis underlines the importance of processing health data; for instance, many undertakings wondered, in the first stage of this pandemic, whether they could carry out temperature checks on their employees or on visitors entering their premises (so as to forbid access to anyone with fever symptoms).

Normally, the processing of health data, which are regarded as special categories of data within the meaning of Article 9 of the GDPR, shall be prohibited unless the data subject has given explicit consent thereto (although with a limited number of exceptions). The CNIL, the French regulatory authority, on a webpage published online on 6 March 2020, applied these provisions strictly, notwithstanding the relative margin allowed for by the GDPR in such a context, by reminding employers that they were forbidden to perform medical checks or collect health questionnaires within the company, despite their legal obligation to guarantee the safety, security and well-being of their employees.

This prohibition could prove to be excessively rigorous in some cases and also raises the issue of the legal force of the CNIL’s doctrine (online publications, guidelines, recommendations, etc.), soft law that is theoretically devoid of any binding power (which the Conseil d’État and the CNIL itself acknowledge). For instance, could a key operator (“opérateur d’importance vitale”) demonstrate to the CNIL that performing temperature checks on its employees is a prerequisite for allowing them to intervene on a strategic site? The question that therefore arises is whether the CNIL should systematically warn controllers of personal data of their right, in accordance with Article 58.4 of the GDPR, to assert special circumstances likely to render its doctrine inapplicable.

This situation sheds light on the necessity to establish a clear legal framework allowing for the possibility, in very specific circumstances, to depart from a strict application of the authority’s recommendations by promoting other legitimate interests. In the present case, should the necessity to guarantee employees’ health justify a derogatory processing of health data, under Article 9.2.i) of the GDPR, which enables processors to bypass the collection of the consent of data subjects if such processing is “necessary for reasons of public interest in the area of public health”? The question remains open.

2. Location data

These data, which could prove very useful in times of strict lockdown, do not seem to be exploited in France to control the population, unless they have been previously anonymized or if the consent of data subjects has been obtained. Yet, a mass processing of users’ data could allow public authorities to assess the global respect of lockdown measures and adapt their policies accordingly; a modeling of the spread of coronavirus on this basis is currently being conducted by the European Commission, under the guidance of French commissioner Thierry Breton. However, at the same time, a rumor that police forces had used running apps to track people and fine them has brought to the surface the underlying fear of generalized individual monitoring.

Besides, a number of countries have used location data to sharpen their knowledge of the virus and thus save lives: in South Korea and Taiwan, locating the smartphones of people who tested positive for Covid-19 has enabled the identification of those they had been in contact with.

The EDPB made its position known on 16 and 19 March 2020: public authorities should first aim to process location data anonymously, aggregated in such a way that it cannot be reversed into personal data, in order to map the level of concentration of smartphones. However, Member States are reminded that, in accordance with the provisions of Article 15 of the ePrivacy directive, they may adopt legislative measures to restrict individuals’ rights (such as the consent required to process location data under Article 9 of the directive) if necessary to safeguard national security, for instance. Article L. 851-1 of the “Code de la sécurité intérieure” (Homeland Security Code), introduced by the law dated 24 July 2015 on intelligence and which enables intelligence services to access users’ data related to electronic communications, illustrates this possibility.

The French Minister of Health, Olivier Véran, has stated he was personally not in favor of mass tracking, and the Minister of Higher Education, Research and Innovation has dispelled any plan to use digital information to check, for instance, whether lockdown measures are respected. Cédric O, the Secretary of State for Digital, pointed out the absence, for the time being, of a government project for an app based on the use of personal data to fight the pandemic. However, discussions have been engaged with Germany and the UK among others, and the “Comité analyse recherche expertise” (analysis, research and expertise committee), working alongside the Presidency, has been assigned the task of evaluating the opportunity of implementing a digital strategy of identification of those who have been in contact with confirmed cases of Covid-19 (telephone operating companies, such as Orange and SFR, have declared to French authorities they agreed to share a massive amount of location data).

Following the establishment of this committee, the CNIL has laid down a certain number of recommendations on 25 March 2020, including that a number of scenarios (regarding the processing of location data) can be envisaged, and their consequences on the rights and freedoms of individuals will depend on what type of processing is carried out.

In line with the EDPB, the CNIL points out that the current legal framework (ePrivacy directive and GDPR) allows for the processing of location data if previously anonymized or with the consent of the data subjects; France would therefore have to adopt a law if it intends to carry out a more thorough processing of non-anonymized data. Resorting to Articles L. 851-1 et seq. of the “Code de la sécurité intérieure” would not be relevant.

The hypothesis of collecting individuals’ consent to the processing of their location data shall not be put aside. For instance, the CoronApp app, which is being developed, shall make it possible to retrace the itinerary of infected people in order to warn those they have crossed paths with. This raises the issue of how to obtain proper consent, how to provide data subjects with the correct information (under Article 13 of the GDPR) and the retention of such data.

Therefore, the European Union legal framework regarding the protection of personal data, often regarded as being too constraining for and by controllers, clearly demonstrates that it has the capacity to confront a serious health crisis. This flexibility, highlighted by the EDPB, contrasts with the rigorous position adopted by French authorities. Can this strict approach be explained by the singular relationship that France maintains with the protection of fundamental individual rights? In that case, what about the serious amendments to the Labor Code that have been permitted to absorb the economic crisis resulting from the pandemic?

Anyhow, this flexibility of data protection law requires much maturity from controllers, notably when implementing the principles of accountability and privacy by design. Once acquired, such maturity can pave the way for a new era in which technology applied to the processing of personal data will be used to serve the health of citizens while preserving the individual rights and freedoms, to which each and every one of us is deeply attached. Once again, ethics are at the forefront of promoting technological and scientific innovations.

 

[1] https://edpb.europa.eu/news/news/2020/statement-edpb-chair-processing-personal-data-context-covid-19-outbreak_fr

 

Isabelle GAVANON

Partner - IT contracts
Isabelle Gavanon assists and helps her clients to manage the legal risks associated with digital transition projects thanks to contractual techniques (IT implementations and projects, electronic communications, internet …) and the optimization of data, information and data status creations (GDPR compliance, open data, electronic evidence, digital identity, databases / copyright and counterfeiting, etc.). Strong litigation activity completes this consulting practice.


Valentin LE MAREC

Associate - Information Technologies & Intellectual Property
Valentin Le Marec is a lawyer at the Paris Bar and has been working at Delcade alongside Isabelle Gavanon since April 2019; his main areas of expertise are Information Technologies and Intellectual Property.
He assists clients in all projects related to their digital transformation, whether in terms of data protection (GDPR compliance, Internet cookies, pre-litigation and litigation with the supervisory authority), industrial property (trademarks, software) or innovative technologies (blockchain, AI, electronic signatures).
