This paper is part of the e-conference on « Data protection Issues and Covid-19: Comparative Perspectives » which consist in a daily publication at 12 p.m. (GMT+1) except on Sundays until the Summer break. A new session will start again at the beginning of the academic year 2020-21. Please subscribe to blogdroiteuropeen, so you don’t miss a publication. This e-conference was organised by Dr. Yseult Marique, Senior Lecturer at the University of Essex and FÖV Speyer and Dr. Olivia Tambou, Associate Professor at the University of Paris-Dauphine, External Scientific Fellow at the Max Planck Institute of Luxembourg, and Founder- Editor of Blogdroiteuropeen. If you are interested to contribute for our September session feel free to contact us at firstname.lastname@example.org.
The Covid-19 pandemic shows the importance of relying on data including on personal data in order to fight the spread of the virus and to save lives. Despite the circulation of these data and a real attempt at transparency, including data visualisation based on the collected data, there are still a lot of uncertainty and unknown about this unprecedented pandemic. According to the French Health Ministry, the first case of Covid-19 recorded in France dated back to 24 January. At this date two patients who had been travelling in China, were hospitalised, one in Paris and the other one in Bordeaux. However, experts are still looking for the French patient zero. The first French cases might have been circulating much earlier than initially reported, most likely in November or December 2019. The official total number of confirmed death in France related to Covid-19 is 30,120, mostly in the French Metropole. The regions of Paris and the East of France have been and still are the most affected by the pandemic. France was in lockdown from 17 March 2020 to 11 May 2020. The government considers that the pandemic is now under control in clusters while expressing concerns for a re-spreading of the Covid-19 pandemic. Therefore, emphasis has been put to recall the necessity of respecting precautionary measures, such as wearing a mask in the public space, which will become obligatory as of 1 August.
There are several issues related to data protection raised in the context of the pandemic in France. This post will be focused on health data processing related to Covid-19 such as the creation of specific files of the infected persons and the French contact tracing app called Stop Covid. This first post will demonstrate how the pandemic led to a unique exercise of data protection by design. This part will also reveal the political challenges of the involvement of Microsoft in the processing of French health data. A second post (tomorrow) will analyse the control of surveillance measures introduced by public authorities for enforcing the lockdown or the way out of the lockdown. This requires to start with briefly clarifying the French legal framework of the health emergency (« état d’urgence sanitaire »), which is the legal ground of these specific processings.
1. French Legal Framework of the Health Emergency
The Covid-19 health crisis led to the adoption of a new legal concept, that of health emergency (see here the traditional constitutional and legal framework of emergency situations used before in France for the Algerian conflicts, or more recently the civil riots in the suburbs and, the terrorist attacks in Paris). The law 2020-290 adopted on 23 March 2020 introduced the concept of health emergency. Art. L3131-12 to L3131-20 of the Public Health Code provides the specific regime of the health emergency which was applicable
until 21 April 2021. According to Article L3131-12 of the Public Health Code, the health emergency fits with a “health catastrophe endangering, by its nature and its gravity, the health of the population”. The health emergency is declared by a Council of Minister’s decree based on a report by the Health Minister, and the scientific data on which the decision is grounded has to be made public. After one month the parliament extended by a law the public health committee. Article L3131-15 of the Public Health Code lists ten categories of measures that can be adopted by decree such as the possibility of restricting or prohibiting the movement of people and vehicles; of introducing quarantine and/or isolation for individuals affected by the virus. Due to the gravity of the pandemic, the first heath emergency was declared by the above-mentioned law 2020-290 for two months by derogation to the provisions of Public Health Code. The Law 2020-546 adopted on 11 May 2020 extended the health emergency until 10 July. The Law 2020-856 adopted on 9 July 2020 organised the exit of the health emergency. In this dense legal framework of the French health emergency, it is worth mentioning that article 11 of the Law 2020-546 is the legal ground for the implementation of the information system for the specific purpose of fighting the Covid-19 pandemic.
2. Health data processing issues
Before the implementation of a French contact tracing app, France set up two new health data files based on the collection of health data by Health professionals and National Health Insurance Fund (Caisse Nationale d’Assurance Maladie, hereinafter CNAM). Beyond these three tools, the involvement of Microsoft in the French Health Data Hub was criticised due to the strategic importance of these health data.
The creation of “SIDEP” and “Contact Covid”
The decree 2020-551 on 12 May created these two databases to control the spread of the Covid-19 in particular in the context of exiting out of the lockdown. SIDEP centralises the results of the Covid-19 positive tests. Contact Covid is an adaptation of an information system called Amelio Pro of the CNAM, which gives the possibility to trace the person who has been infected and the person who has been in contact with an infected person. Both systems are manually filled by professional persons. It can be sanitary brigades, health professional, and laboratories. The data protection by design of both information systems has been improved by the interaction of the French Constitutional Court, the Parliament during the elaboration of article 11 of the Law 2020-546, and the French Data Protection Authority, the CNIL, during the adoption of the decree 2020-551 (for more detailed see our article in French here). The main modalities of these data processings have been detailed. Therefore the decree 2020-551 provides explicitly that these databases rely on a mission of public interest according to art. 6§1e) GDPR. This allows for the collection of sensitive data as provided by art. 9§2i) GDPR. The controllers are explicitly identified; the purposes, and the categories of collected data are strictly listed. The categories of individuals who can have access to these databases are also detailed. The French Constitutional Court imposed to delete the access to these databases by bodies in charge of social support of the data subject because social support is not directly in connexion with the purpose of fighting against the pandemic
(see point 70 of the Decision 2020-800). The CNIL insisted in having guarantees regarding the temporary character of these processings and the clearly limited duration for the retention of the collected data. Initially limited to a three month period after their collection, data retention for epidemiological surveillance and research can now be extended on the basis of article 3 of Law 2020-856 on 9 July 2020 provided that the data are anonymised. The data protection by design of these databases should also be connected with setting up a Committee (Comité de contrôle et de liaison Covid-19) by the above-mentioned article 11 VIII of the Law 2020-546. This Committee is an oversight body, which includes the participation of the civil society and the French parliament in the implementation of these databases (see here the composition of the committee). On its website, the CNIL officially declared that it would also control the implementation of these databases. Despite the detailed system, some additional regulation could be needed.
The lively debated implementation of Stop Covid French mobile app
The French application Stop Covid is based on the decree 2020-650 on 29 May after two opinions adopted by the CNIL, which contributed to improve its data protection by design. The first opinion adopted on 24 April is a general consultation of the CNIL by the government at an early stage of the conception of the app. It allows the CNIL to draw some red lines for the future implementation of the app (see our comment in French here). The second opinion adopted on 25 May is based on the detailed project of Stop Covid. The CNIL approved the necessity and the proportionality of Stop Covid based on the guarantees introduced by the government. This includes in particular, the provisional character of the application, which is implemented for specific purposes. Stop Covid is available from 2 June. This is a voluntary mobile application for which the data controller is the French Minister of Heath. Stop Covid notifies the users of the application of a potential risk of infection by another user who had been positively tested to Covid-19. The app uses the Bluetooth technology for identifying the proximity between the infected user and others. The creation of the French mobile Apps Stop Covid raised several data protection issues, which can be summarised in three main categories. Firstly, the effectiveness of such an app to contribute to fighting against the spread of the Covid-19 has been questioned from the beginning. In its first opinion on 24 April, the CNIL underlined that the government had to demonstrate the necessity of implementing such an app for the management of the pandemic in balance with the respect of private life (more information on the opinion see our comment in French here). Currently, the low level of downloading of the French apps (only 3% of the population) is considered to be a weakness of the system. On 23 June, the French government reported that only 68 persons were declared positive and 14 notifications have been sent through the StopCovid app. The costs of the apps (between 100,000 EUR and 300,000 EUR per month) for such disappointing results were criticised. More information has been required both by the parliament and by the civil society on the exact costs incurred for implementing the app. Secondly, the risk of disproportionate interference with the fundamental rights and freedoms has been invoked (see for instance the opinion of the National Consultative Commission of Human Rights). The future uses of intrusive technologies for more general public order purposes were feared. Thirdly, the technical aspects of the app have been discussed. The code of Stop Covid has been partially made public. This transparency allowed researchers to alert the public that Stop Covid collected more data that it was supposed to (see here). After the control of the French Agency in charge of cybersecurity (Agence Nationale de la Sécurité des Systèmes Informatiques also called ANSSI), the security of the app was challenged by a group of ethical hackers. The debate about centralised versus decentralised approaches of contract tracing apps was a misleading one (see here). The deliberate political choice of France for a centralised model, as opposed to the decentralised model promoted by Apple and Google, was also at the core of these discussions. This leads to a call in favour of a political digital sovereignty. The pandemic and the strategical importance of the health data gave more echo on the French technological dependence. In this context, the involvement of Microsoft in the French Health Data Hub was put in question before the French Court.
The opposition of the involvement of Microsoft in the French Health Data Hub
The French Health Data Hub is an ambitious initiative created by the Law 2019-774 on the reorganisation of the transformation of the National Health System also called Law « Ma Santé 2022 ». Created in December 2019, this infrastructure aims to facilitate health data sharing between private structures, individual and public authorities for research purposes. During the lockdown, a ministerial decision adopted on 21 April 2020 by the Health Minister authorised an anticipated and partial implementation of the Health Data Hub, for the sharing of different categories of health data only for the management of the health emergency and the improvement of the scientific knowledge on Covid-19. This anticipated implementation has been done despite the concerns expressed by the CNIL regarding the security and the risk of access by third parties (see its opinion here). The civil society association La Quadrature du Net decided to challenge the legality of the ministerial decision of 21 April 2020 before the French Administrative Court. This led to the need for a new assessment of the pseudonymisation efforts of the Health Data Hub by the CNIL and an improvement of the right of information of the data subjects.
The French Supreme Administrative Court rejected most of the other arguments of the association, in particular, the hotly debated issue of the contract between Microsoft and the Health Data hub, which confers the legal status of a processor of the French Health Data for data hosting. The French Supreme Administrative Court considered that the involvement of this American company created no risk of invalid data transfer to a third country on the only ground of the existence of the registration of Microsoft in the Privacy Shield. The French Supreme Administrative Court did not refer to the current legal uncertainty of the conformity of the adequation decision which was eventually declared invalid a couple of days later by the CJEU in its new Schrems decision. Besides data protection issue, the case raised other issues, such that the contract was awarded to Microsoft without a proper call for tenders. After the interim order of the French Supreme Administrative Court, there is still a public debate on the gap between the political call for digital sovereignty and the choice of Microsoft as the processor of the French Health Data Hub.
Olivia Tambou is Senior Lecturer at the University Paris-Dauphine, Founder and Editor of blogdroiteuropéen
For more information on the context of this e-conference
and the other papers see here
Don’t miss the second part of the paper tomorrow on Control of some intrusive surveillance by public authorities