Key developments of the past year
Following the outbreak of covid-19 and its development into a global pandemic, some questions arise about the development of apps to help manage the epidemic. Among these questions is the relevance and legality of the use of technologies for tracking and tracing individuals for the purpose of preventing the spread of the virus, both in employment context, for employers vis-à-vis their employees, and public context as part of the security mission of the public authorities.
In France, the Labour Code requires employers to implement meas- ures necessary to ensure the security of the employee. At this regard, employers may implement third-party apps to do health screening, analyse travel records, etc.
The National Commission for Data Protection and Liberties (CNIL) sets the limits that must not be crossed ‘the privacy-invasive measures of the data subjects, in particular through the collection of data that would go beyond the management of suspicions of exposure to the virus are prohibited’.
When implementing these measures, employers must consider the following key issues.
In the context of this pandemic, decisions have also been rendered, reflecting the Schems decision on the invalidation of the privacy shield. Indeed, due to the fear of possible transfers of personal data to the United States, associations and unions had asked the judge of the French Council of State to suspend the Health Data Hub platform as a matter of urgency. This request was refused because the processing of data by Microsoft on the territory of the European Union was not in itself a serious and manifest illegality. This remains a sensitive issue at a time when platforms processing health data are multiplying in this crisis context (Conseil d'Etat decision of the judge of summary proceed- ings of October 13, 2002).
Employers must have an appropriate legal basis for processing the personal data collected from individuals relating to the covid- 19 outbreak
Employers may be tempted to collect as much information as possible from individuals relating to the covid-19 outbreak. A large proportion of this information will fall within the categories of ‘personal data’ and ‘special categories of personal data’. Employers must rely on a legal basis provided for in article 6 of the General Data Protection Regulation (GDPR) when processing such data. In the context of covid-19, the legal basis could be compliance with a legal obligation. It should be noted that, in France, the processing of health data by an employer must be authorised by a special text and not by a general provision such as that of ensuring the safety of the employee (article L4121-1 of the French Labour Code).
Employers should ensure that the purposes for which the data are collect and process are well defined, explicit and legitimate The GDPR requires that data controller only collect as much personal data as is strictly necessary for the purposes being pursued. Also, the choice to adopt a broad purpose to justify several processing is not possible. For example, nothing would justify an employer processing ‘blood group’ data for the implementation of preventive actions.
Review and update privacy policies as necessary
If an employer is collecting new categories of personal data from employees and processing such data for new purposes, it will likely be necessary to update privacy policies to reflect the new changes in the collection of data from employees. This principle is also provided for in the article L.1222-4 of the French Labour Code which states that:
No information concerning an employee personally may not be collected by a device that has not been worn prior to its knowledge. Moreover, employee representative bodies must be informed and consulted, when employers intend to introduce new technologies processing employees personal data.
Employers should conduct a data protection impact assessment before collecting any personal data relating to the covid-19 outbreak
A data protection impact assessment (DPIA) is intended to help employers understand the risks associated with particular data processing activities and the measures that can be taken to mitigate such risks. Also, a DPIA may help the employers to target the amend- ments may be required in other data protection-related compliance documentation within the organisation (eg, privacy policies or records of processing activities). Additionally, guidance issued by CNIL suggests that a DPIA should be performed where a processing activity involves biometric data, genetic data or tracking data.
Regarding public authorities, the European Union and many member states have been putting forward various digital tracking measures aimed at mapping, monitoring and mitigating the pandemic.
Such apps aim to alert people who have been in proximity to an infected person for a certain time, including those one may not notice or remember, without tracking the user’s location.
On 16 April 2020, the European commission in cooperation with member states, European Data Protection Supervisor and the European Data Protection Board published guidelines aimed at ensuring that any covid-19 related apps fully comply with data protection standard and limiting intrusiveness
In France, the government developed the application called StopCovid that is designed to alert its users that they have been in close proximity to people who have been tested positive for covid-19 and who use the same application. The application is based on a voluntary use, and allows contact tracing, using Bluetooth technology, without geolo- cating individuals. It is therefore alerting people who are using the application and who have been exposed to the risk of contamination.
CNIL was consulted by the Secretary of State for Digital Affairs on the compliance of the StopCovid app with the French data protection regulation. CNIL considered the system to be compliant with the GDPR, if certain conditions are met. It notes that a number of safeguards are provided by the government's plan, including the use of pseudonyms.
CNIL considered that the application can be deployed, in compliance with the GDPR, if its usefulness for crisis management is sufficiently proven and if certain safeguards are provided. In particular, its use must be temporary and the data must be kept for a limited period of time. CNIL therefore recommended that the impact of the system on the health situation be studied and documented on a regular basis, to help the public authorities decide whether or not to maintain it.
In its opinion, CNIL points out that the use of contact tracing applications must be part of a global health strategy and calls, in this respect, for particular vigilance against the temptation of ‘technological solutionism’. It stresses that the app’s effectiveness will depend, in particular, on its availability in application stores, widespread adoption by the public and appropriate configuration.
The StopCovid app was launched on June 2020.