Briefing on the legal and policy issues attendant to the identification and tracing of Covid-19 cases
These past months, numerous international, European and national initiatives to develop digital tools to contain the spread of the Covid-19 epidemic have sprung forth. These projects raise important legal, ethical and political issues, pertaining to both their architecture and their governance. To the extent they raise the issue of the protection of privacy in the digital age it would seem reasonable and appropriate to revisit the existing legal framework to ward against too much intrusion, or even the generalized surveillance of the population.
- Main initiatives in France
The French public authorities have developed several projects in the context of the health emergency:
o Following a traditional approach to epidemiological monitoring, the French Government has set up two databases of people infected or at risk of infection (by decree dated May 12th, 2020). The first, SI-DEP, is a national information system for population-based screening which compiles the results of Covid-19 testing and the identity of positive patients to improve the care management of individuals who have been confirmed positive. The second, Contact Covid, is a tool to support the work of “health brigades” responsible for proposing screening and isolation measures to the family and known contacts of a person who has tested positive. Their action is based on the active and voluntary participation of persons who have tested positive: in other words, they voluntarily provide the name and contact details of the persons they have been in contact with during the past 15 days, in order for the “health brigades” to get in touch with them.
o The crisis has also resulted in the development of entirely new tools for the management of the health crisis. Several types of mobile apps, which differ by their purpose or their mode of operation, have been rolled out in Europe and elsewhere. For its part, the French Government decided to develop a contact tracing app for positive cases.
Christened StopCovid, its objective is to alert users if they have been in close proximity to someone who has tested positive for Covid-19. This app uses Bluetooth technology to measure the proximity between two users without geolocating them. This proximity data is recorded in order to subsequently alert/warn citizens that they have been in close contact with a person who later turns out to have been infected with Covid-19. Having been approved by Parliament, this app will be rolled out on a voluntary basis nationwide in the coming weeks.
- The challenge of protecting our fundamental rights and freedoms
This large-scale use of technology to tackle a pandemic is historically unprecedented.
In a context of voluntary adoption, the confidence of citizens in such a system is crucial. Widespread adoption is in fact an essential prerequisite for its effectiveness. Only if at least half the population, accounting for roughly 80% of smartphone users, adopt the app, will it be useful in breaking the chain of infection.
In France, public opinion is understandably hesitant in the face of tools that are not well understood, even if identifying both the potential and the risks embodied by such tools. The main risk identified is that of the repurposing of a “tracing” system, aimed at controlling the spread of a pandemic on an exceptional basis, into a “tracking” system to monitor and measure social activity for mercantile reasons or to consolidate government power, without any limitation in time or of permissible purposes. The concern thus centers on the setting up of a system, which while useful as a time-bound, exceptional measure, that risks being maintained.
Cognizant of the stakes involved and the sensitivity of the issue, the French authorities have taken a series of measures to strengthen the legal framework and limit possible uses and misuses of the system.
o The French Data Protection Authority (CNIL), which is responsible for ensuring compliance with rules on privacy, and in particular with the General Data Protection Regulation (GDPR), was consulted for its opinion on both the StopCovid app, and the implementation of the two databases referred to above.
Where the app is concerned, the CNIL opined that the government had introduced a certain number of safeguards, such as the use of pseudonymous data and minimization of the risk of tracing back specific lists of infected persons to re-identify the data subjects. The CNIL also insisted on the need to obtain the freely given consent of users. Accordingly, no negative consequences should be attached to not downloading or using the application (in terms of access to tests and healthcare, public transport, or employers making certain rights conditional on the use of the app, etc.).
In both cases, the CNIL closely looked into compliance with the principle of proportionality, stressing that the system should only remain in place for the duration of the health crisis. Similarly, data retention should be strictly limited in time. For both databases, the Government has restricted the data retention period to three months and indicated that the system would be dismantled no later than six months after the end of the state of emergency.
o The Government has also followed the recommendations of the National Cybersecurity Agency (ANSSI) regarding cybersecurity aspects.
o Lastly, the Government organized a debate in Parliament, followed by a vote on the rollout of the app. Following this debate, held on May 27th, both the National Assembly and the Senate voted in favor.
The process behind the discussion and design of this system point to a strong concern with setting an example in terms of the protection of fundamental rights and freedoms and maintaining democratic debate in crisis times. Other countries, such as Hungary, have not hesitated to suspend entire sections of the GDPR, including its provisions on the rights of data subjects concerned by the processing of their personal data.
Elsewhere in Europe, some countries have relied on technical protocols supplied by Internet giants to develop their apps. The debate concerning the technology “bricks” used is also lively, especially as it pertains to the data collected by these tools.
For France, the main challenge in the short and medium-term will be to keep a watchful eye to ensure that the Government holds to its commitments. Looking further afield, it will be necessary to ensure that the implementation of this type of system does not pave the way for other initiatives with a less compelling rationale than the protection of public health or for the progressive erosion of privacy rights. Democratic control through checks and balances exercised by public authorities such as the CNIL, elected officials or organizations defending privacy rights, will play a decisive role and the current debates on the pros and cons of contract-tracing apps are likely to re-emerge in the future.
Co-authored by Benjamin DE VANSSAY and Giulia OLIVEAU under the supervision of Thaima SAMMAN.