On 25 May, the CNIL issued a ruling on a draft decree relating to the ‘StopCovid’ mobile app. The purpose of this app is to inform users that they have been in close proximity to someone who has been diagnosed as Covid-19 positive who is also using the app, as this proximity may lead to a risk of infection.
This referral follows the opinion issued by the CNIL on 24 April 2020 on the principle of introducing such an app. At that time, the CNIL considered the implementation of ‘StopCovid’ to be possible, provided that it is useful in the context of the ‘deconfinement’ strategy and that it is designed to protect users’ privacy.
The CNIL notes that its main recommendations (use of pseudonymised data, no geolocation or creation of a record of infected individuals) have been taken into account by the government and thus believes that this temporary, voluntary arrangement can be legally implemented.
In order to ensure full compliance of the application with the GDPR, the CNIL has nevertheless made several observations on the draft decree and on the conditions for deploying the app.
These observations relate in particular to the responsibility for processing entrusted to the ministry in charge of health policy, the absence of negative legal consequences resulting from individuals choosing not to use the application and the implementation of certain technical security measures.
The CNIL considers that the application can be legally deployed as long as it is a complementary tool to assist in-person health investigation measures and provides faster alerts in the event of contact with an infected person, including for contacts they do not know.
Nevertheless, the CNIL considers that the real usefulness of the application will have to be more precisely assessed after its launch. The duration of its operation will have to be conditional upon the results of this regular appraisal.