France edges towards coronavirus tracing app

Out-Law Analysis | 04 May 2020 | 4:33 pm | 5 min. read

Contact tracing technology is being seen as a way to make more targeted interventions to control the spread of coronavirus and enable restrictions that have been placed on businesses and the population more broadly to be eased.

Co-authored by Annabelle Richard and Pauline Binelli, who are both experts in data privacy at Pinsent Masons, the law firm behind Out-Law.

In France, issues of data privacy are heavily shaping the debate over how a coronavirus tracking app should be designed.

France is following a number of countries around the world in either implementing or exploring how to implement new apps based on the processing of both individual and collective location data with the purpose of better controlling the propagation of the virus.

Data protection guidance

In reaction to the deployment of such applications, the European Commission has published guidelines which are intended to ensure that the apps developed to combat the pandemic fully comply with data protection law. Before publishing these guidelines, the European Data Protection Board (EDPB) was consulted. The EDPB has set out its view on the Commission guidance and published guidelines of its own.

Richard Annabelle_Dec 2019

Annabelle Richard


Both the CNIL and the EDPB are active in publishing guidelines to help countries develop coronavirus tracking tools that comply with data protection rules and observe the principles of individual liberties 

The principal preconditions for the development of applications connected with the coronavirus set by the Commission are:

  • National health authorities must be appointed as the data controllers for the processing carried out using the data of citizens;
  • Users of the app must retain full control over their personal data. The use of the application must be on a consenting and voluntary basis. The users must be able to exercise their rights under the GDPR.
  • Fundamental principles of data protection must be observed by the apps – these include around data minimisation, explicit and fixed purposes of processing, and retention of data limited to the necessary administrative measures. The Commission considers that location data are not necessary for tracing contacts and has recommended that location data are not used in this context.
  • Data must be stored and encrypted on users' devices.
  • Accuracy of the data processed has to be guaranteed by means of technologies such as Bluetooth.
  • National data protection authorities, such as the CNIL in France, should be full and willing participants, be consulted on the development of the app, and should be responsible for controlling the deployment.

On 8 April 2020, the National Assembly heard the president of the CNIL, Marie-Laure Denis, who had been asked to give her opinion on the implementation of a Covid-19 contact tracing app.

Rules on processing location data

The coronavirus tracking apps already launched by other countries can be classed in one of two categories: those that use individual location data and those which use aggregates of location data.

In the latter case, an individual's data and personal data are collected but the way the data are processed renders them anonymised and aggregated. As a result, this information is no longer considered to be personal data when it is transmitted to the recipient.

In both cases and when the data are collected by means of mobile terminals, it is the EU's so-called ePrivacy Directive which applies.

Article 6 of the ePrivacy Directive concerns the processing of 'traffic data', which is information that is processed when electronic communications are transmitted. This includes data referring to the routing, duration, time or volume of a communication, to the protocol used, to the location of the terminal equipment of the sender or recipient, to the network on which the communication originates or terminates, to the beginning, end or duration of a connection, as well as the format in which the communication is conveyed by the network, according to the Directive.

Article 6 requires anonymisation or the erasure of the data except for the purposes of invoicing or interconnection payment and only until the end of the period during which the invoice may be legally challenged or actions initiated to obtain payment of the invoice. Traffic data can be retained for longer for the purposes of the marketing of electronic communication services or the provision of value added services, but only if the user is informed of this, given their consent and able to withdraw their consent at any time.

The ePrivacy Directive sets out further rules on the processing of geolocation data under Article 9. It provides that the processing of location data can only take place if the data have been anonymised or with the consent of the users and to the extent and for the duration necessary to provide the value added service.

Like with the processing of traffic data, users must be informed of the types of location data other than data relating to the traffic that will be processed, the objectives and the duration of this processing, and whether the data will be transmitted to a third party with a view to providing the value added service. The operator must thereafter obtain the consent of the users, who must be able to withdraw their consent to the processing of the location data at any time.

A new app in France

At her hearing before the National Assembly, Marie-Laure Denis stressed that both European and French law strictly regulates the use of the location data of French citizens, and that any app must provide users with maximum control over their data. She said that a series of basic and guaranteed principles must be observed by the state, even when they have legitimate reasons to limit certain rights and/or certain obligations.

Cédric O, secretary of state for digital, also expressed his views on a potential new app in a hearing before a committee of the National Assembly, on 17 April. He pointed out the fact that the use of a mobile app could only be one element of a broader process intended to prevent a new wave of coronavirus and that France cannot rely only on such an app.

The design of the app has yet to be finalised, and it is unclear whether one will be ready before 11 May, the date on which some lockdown measures in France are set to be eased.

Cédric O said, though, that maintaining the sovereignty of France, and the EU more generally, over the personal data of its residents is important. This view was echoed recently by the AP-HP, the French public health establishment which acts as a regional hospital centre for Paris, when it refused a partnership proposed by Palantir, an American company specialising in data and Big Data analysis, to develop a tool to "fight against the virus", for reasons of security and sovereignty of French patients data.

Both the CNIL and the EDPB are active in publishing guidelines to help countries develop coronavirus tracking tools that comply with data protection rules and observe the principles of individual liberties.

The launch of a public consultation by the CNIL on 21 April, which will address the adoption of specific recommendations for the processing of data relating to minors, is an example of guidelines that – though larger scope – resonate in a context where minors may have to use the government's future app.

Co-authored by Annabelle Richard and Pauline Binelli, who are both experts in data privacy at Pinsent Masons, the law firm behind Out-Law.