Support Centre

France: CNIL approves of implementation of StopCovid app

The French data protection authority ('CNIL') published, on 26 May 2020, its opinion ('the Opinion') on the draft decree regarding the conditions for the implementation of the StopCovid app ('the Draft Decree'), following its previous opinion on the app itself. In particular, the Opinion outlines that the StopCovid app intends to inform users if they have been in close proximity with individuals who have tested positive with COVID-19 ('Coronavirus'). Furthermore, the Opinion indicates that the StopCovid app will use pseudonymised data, without resorting to geolocalisation, and that it will not create a database of infected individuals. Moreover, the Opinion finds that CNIL's recommendations had been taken into account, and as such the StopCovid app can be lawfully implemented. However, the Opinion offers some further amendments to the Draft Decree to ensure compliance with the General Data Protection Regulation (Regulation (EU) 2016/679) ('GDPR'). Specifically, the Opinion notes, among other things, that the utility of the app will need to be re-evaluated after its launch, that users must be informed of how they can erase their personal data, that children and guardians must be informed specifically, and that the right to object and right to be forgotten should be explicitly clarified.

You can read the press release here and the Opinion here, both only available in French.

UPDATE (28 May 2020)

National Assembly adopts tracing app declaration

The National Assembly announced, on 27 May 2020, that it had adopted with 338 votes in favour and 215 votes against the declaration concerning the implementation of the StopCovid app for the Coronavirus crisis.

You can read the press release, only available in French, here.

UPDATE (4 JUNE 2020)  

CNIL publishes English translation of the Opinion 

CNIL published, on 3 June 2020, an English translation of the Opinion supporting the tracing app and making some recommendations to ensure its compliance with data protection requirements.  

You can read the press release here and the Opinion here