France: CNIL's response to Coronavirus
The public health crisis caused by the current COVID-19 ('Coronavirus') pandemic raises many data protection issues. Claire François, Counsel at Hunton Andrews Kurth LLP, discusses the data protection issues arising from the Coronavirus crisis and the action taken by the French data protection authority ('CNIL') in response to the same.
The impact of Coronavirus
The Coronavirus crisis has had a significant impact on data protection for two different reasons. The first reason is that business continuity depends partly on data-intensive digital tools that are used extensively, such as telemedicine, teleworking, or distance education for students. The second reason is that personal data is considered a resource to directly respond to health challenges (e.g. for health research, protecting vulnerable individuals, and accompanying containment/de-containment strategies with tools locating individuals or retracing their exposure to the virus).
CNIL has taken action on all these aspects to assist public authorities and private and public organisations. In particular, CNIL recently published new practical guidance, or reiterated its previous position, to help employers and employees secure their information systems and continue their business activities. In addition, CNIL adopted a pragmatic approach to facilitate the implementation of Coronavirus research projects and issued recommendations on the processing of mobile location data to combat, and exit from, the Coronavirus crisis.
CNIL's business continuity guidance
CNIL intends to offer advice to professionals throughout the Coronavirus crisis to help them pursue their activities. At the time of writing, CNIL has published a number of recommendations, including on teleworking and video conferencing tools, and reminded businesses of its previous guidance on the use of employee-owned devices at work, better known as 'Bring Your Own Device' or 'BYOD.'
On 1 April 2020, CNIL released guidance for employers on how to implement teleworking ('the Guidance'). According to the Guidance, employers should implement the following measures to secure their information systems:
- Ensuring that they have an IT charter or information security policy in place covering teleworking, or, at the very least, a set of minimum rules that must be complied with by each teleworking employee. Such policy or rules should be binding on employees.
- Assessing the risks raised if the rules governing the information systems (e.g. authentication rules) need to be revised to allow teleworking, and implementing appropriate measures to mitigate those risks.
- Ensuring that all employee workstations are equipped with at least a firewall, antivirus protection and a tool blocking access to malicious sites.
- Implementing a Virtual Private Network ('VPN') solution to avoid direct exposure of the organisation's services on the Internet. If possible, organisations should enable two-factor authentication for VPN login.
If the organisation's services are delivered on the Internet, the Guidance further recommends the following steps:
- Using protocols that ensure the confidentiality and authentication of the receiving server (such as HTTPS for websites, and SFTP to securely transfer files), and using the most recent versions of those protocols.
- Applying the latest security patches to the equipment and software used (VPN, remote desktop solution, email and videoconference systems, etc.). In this respect, the Guidance invites organisations to regularly consult the bulletins of France's national Computer Emergency Response Team ('CERT-FR') in order to be informed of the latest software vulnerabilities and how to protect against them.
- Implementing two-factor authentication mechanisms on all remotely accessible services to limit intrusion risks.
- Regularly reviewing logs of access to remotely accessible services to detect suspicious behaviours.
- Not making non-secure server interfaces directly accessible. More generally, employers should limit the number of services available on the Internet to the minimum in order to reduce the risk of attack.
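The log review recommended above is only useful if someone actually looks for specific patterns. The following script is an added example, not code published by CNIL or by any vendor: it reads access log lines of a remotely reachable service (a VPN gateway or SSH jump host) and flags three behaviours a reviewer would want to see: a burst of failed logins from one source (brute force), a successful login from a source that had just failed repeatedly, and successful logins outside normal working hours. The log format (`<ISO timestamp> user=<u> src=<ip> result=OK|FAIL`), the thresholds, the working-hours window and the sample lines are all assumptions constructed for the example.

```python
"""Review access logs of a remotely reachable service for suspicious behaviour.

Added example. The one-line-per-event log format, the thresholds and the sample
log below are constructed assumptions, not a real product's format or real data.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone

LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}Z) user=(?P<user>\S+) "
    r"src=(?P<src>\S+) result=(?P<result>OK|FAIL)$"
)

FAIL_WINDOW = timedelta(minutes=10)   # sliding window for counting failures per source
FAIL_THRESHOLD = 5                    # failures in the window that count as brute force
SUCCESS_AFTER_FAILS = 3               # failures before a success that merit a look
WORK_HOURS = range(7, 21)             # UTC hours treated as normal; anything else is flagged


def parse(line):
    """Parse one log line into a dict, or None if it does not match the format."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None  # unparseable lines are skipped, never treated as a success
    ev = m.groupdict()
    ev["ts"] = datetime.strptime(ev["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return ev


def review(lines):
    """Return a list of (rule, src, user, timestamp) alerts, in log order."""
    alerts = []
    recent_fails = defaultdict(deque)   # src -> timestamps of failures inside the window
    flagged = set()                     # sources already alerted for the current burst
    for ev in filter(None, map(parse, lines)):
        src, q = ev["src"], recent_fails[ev["src"]]
        while q and ev["ts"] - q[0] > FAIL_WINDOW:
            q.popleft()                 # drop failures older than the window
        if ev["result"] == "FAIL":
            q.append(ev["ts"])
            if len(q) >= FAIL_THRESHOLD and src not in flagged:
                alerts.append(("brute_force", src, ev["user"], ev["ts"]))
                flagged.add(src)        # one alert per burst, not one per attempt
            continue
        # Successful login: check what preceded it and when it happened.
        if len(q) >= SUCCESS_AFTER_FAILS:
            alerts.append(("success_after_failures", src, ev["user"], ev["ts"]))
        if ev["ts"].hour not in WORK_HOURS:
            alerts.append(("off_hours_login", src, ev["user"], ev["ts"]))
        q.clear()                       # a success ends the burst for this source
        flagged.discard(src)
    return alerts


# Constructed sample log: a night-time password-guessing burst that ends in a
# success, a normal morning login, a single typo, and a late-evening login.
SAMPLE_LOG = """\
2020-04-02T03:10:00Z user=bob src=203.0.113.5 result=FAIL
2020-04-02T03:10:05Z user=bob src=203.0.113.5 result=FAIL
2020-04-02T03:10:11Z user=bob src=203.0.113.5 result=FAIL
2020-04-02T03:10:18Z user=bob src=203.0.113.5 result=FAIL
2020-04-02T03:10:25Z user=bob src=203.0.113.5 result=FAIL
2020-04-02T03:10:40Z user=bob src=203.0.113.5 result=OK
this line is malformed and is skipped
2020-04-02T09:00:01Z user=alice src=198.51.100.7 result=OK
2020-04-02T09:30:00Z user=carol src=192.0.2.9 result=FAIL
2020-04-02T09:31:00Z user=carol src=192.0.2.9 result=OK
2020-04-02T22:15:00Z user=alice src=198.51.100.7 result=OK
"""


def demo():
    """Run the review over the constructed sample and return the alerts."""
    return review(SAMPLE_LOG.splitlines())


if __name__ == "__main__":
    for rule, src, user, ts in demo():
        print(f"{ts.isoformat()} {rule:24} src={src} user={user}")
```

On the sample, carol's single failure followed by a success produces nothing (an ordinary typo), while bob's source is flagged twice: once when the fifth failure arrives and again when the following success lands, which is the case that deserves a call to the user. Thresholds and the working-hours window should be tuned to the organisation's own baseline rather than taken from this example.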
CNIL also published best practices for employees while teleworking, including the following practices:
- Following the instructions of their employer - if the employer has issued an information security policy in the context of teleworking, employees should strictly apply it. More generally, employees should not do at home what they are not permitted to do in the workplace.
- Securing their home Wi-Fi network by using state-of-the-art encryption (WPA2 or WPA3 with a long and complex password), turning off the WPS function and disabling the guest Wi-Fi network.
- Using the equipment provided and controlled by their employer as well as the VPN provided by their company. Employees should connect to the VPN at least once a day to apply updates, and should deactivate it only when using high bandwidth services such as video streaming that do not require passing through the company's network.
- Sufficiently securing their own device if they do not have a company-owned device. This involves installing a firewall and anti-virus protection, and regularly updating the operating system and software used, including the web browser and extensions, etc.
- Transmitting personal data in a secure way. In particular, employees should refrain from transmitting confidential data through consumer services (storage, file sharing and collaborative editing services) or via consumer email services. If employees have to transmit such data via these services, the data must be encrypted before transmission, and the encryption keys must be provided via another communication channel (e.g. by telephone or text message). If their employer does not provide a secure communication tool, employees should seek to use end-to-end encrypted communication tools, as well as videoconference systems that protect the privacy of their users, such as Tixeo, which has been certified by the National Cybersecurity Agency of France ('ANSSI').
- Finally, employees should be particularly aware of phishing attempts that have increased during the COVID-19 pandemic.
On 9 April 2020, CNIL issued recommendations to users of videoconference apps prior to downloading the app, when registering to the service, and when using the app.
Prior to downloading a videoconference app
- favour privacy-friendly solutions, such as Tixeo, certified by ANSSI;
- avoid downloading the app from an unknown source;
- use only apps for which the app publisher clearly specifies how personal data are re-used (e.g. within the app itself or on its website);
- read users' comments on discussion forums or in app stores;
- verify that the app publisher implemented key security measures such as end-to-end encryption of the communications;
- secure their home Wi-Fi network with a robust password and WPA2 or WPA3 encryption; and
- ensure that their firewall and anti-virus protection are up to date.
When registering to the videoconference service
- limit the information they provide, including by using a pseudonym and a dedicated email address, and verifying the privacy settings when creating their account;
- use a different password than those they use on other online services; and
- read the app's terms and conditions of use, especially with respect to the protection of personal data.
When using the videoconference app
- review the app's settings, especially the privacy settings and verify whether, e.g. there are options allowing them to download their data or limit the use of some information;
- close the app when not in use, especially if the microphone or webcam are still on; and
- disable the microphone and webcam when they are not used.
CNIL further reminded businesses of its 2019 guidance on BYOD, which applies when employees are authorised to use their own devices to perform their job duties. In that respect, CNIL's guidance stresses that the employer remains responsible for ensuring the security of the personal data it processes, including when the data are stored on devices that the employer does not control. To that end, employers should first identify the security risks raised by BYOD practices, taking into account the specificities of the context, and assess those risks both in terms of severity and likelihood. Employers should then determine the security measures to be implemented and formalise them in a security policy. Key practical steps that employers may take to ensure information security include:
- partitioning the parts of the employee-owned device to be used in the professional context, e.g. using a Mobile Device Management ('MDM') solution to keep professional and personal environments compartmentalised;
- controlling remote access to the employee-owned device through a robust authentication mechanism (e.g. using an electronic certificate or a chip card, where possible);
- implementing encryption measures for information flows (VPN, HTTPS, etc.);
- having a procedure in place in the event of an equipment failure or loss;
- requiring employees to comply with basic security measures, such as activating automatic locking of the device with an appropriate password;
- using up-to-date anti-virus software;
- raising employees' awareness on the specific risks associated with using their own devices, formalising the responsibilities of every employee and specifying the precautions to be taken in a binding policy; and
- making use of employee-owned devices subject to the network administrator's and/or employer's prior authorisation.
In all cases, the security of the company's information systems must be reconciled with the employee's right to privacy in the workplace. For example, employers cannot implement security measures that have the object or effect of hindering the use of a smartphone in a private context (e.g. by prohibiting web browsing, downloading mobile apps, etc.) simply because that device can be used to access the company's information systems.
CNIL's action to help combat the crisis
CNIL has also taken action to assist public authorities and public and private organisations in combating the Coronavirus crisis, especially with respect to Coronavirus research projects, and use of tracing apps.
Facilitating health research
Most research projects may be implemented without CNIL's prior authorisation, provided they comply with one of CNIL's Reference Methodologies for medical research processing. For those projects that require CNIL's prior authorisation, such as studies for which patients cannot be individually informed of the use of their data, CNIL created a dedicated email address for requesting a pre-appraisal. Once the authorisation requests are complete, CNIL may grant the authorisations rapidly, in some cases even within a few hours. Since the beginning of the Coronavirus crisis, CNIL has already granted around a dozen authorisations to organisations such as Greater Paris University Hospitals ('AP-HP', the university hospital trust operating in Paris and its surroundings), the French National Institute of Health and Medical Research ('Inserm'), the Pasteur Institute, and the teaching hospital in Lille.
Recommendations for using tracing apps
On 8 and 15 April 2020, CNIL's Chairwoman, Marie-Laure Denis, was heard by the Law Commissions of the two houses of the French Parliament, the National Assembly and the Senate respectively. At these hearings, CNIL's Chairwoman made recommendations on the use of tracing apps in response to the Coronavirus crisis. If the app could result in the processing of mobile location data in an individualised and non-anonymous way, that app should be deployed on a voluntary basis, i.e. with the individuals' freely given and informed consent, and refusing to install the app should have no adverse consequences for individuals. If, on the other hand, the processing of non-anonymous mobile location data were to be implemented on a compulsory basis, the app would necessarily require a legislative measure. The necessity and proportionality of such an app should be demonstrated, taking into account the fundamental data protection principles, and its use should be genuinely temporary. Whichever solution is chosen, it will need to comply with EU privacy and data protection standards, and in particular with the following principles:
- Purpose limitation: The purpose of the data processing should be clearly defined, and the data should not be further processed for other purposes that are unrelated to the current health crisis.
- Adequacy, necessity and proportionality: Use of mobile location data should be adequate, necessary and proportionate. The app should be genuinely useful to respond to the crisis, and there should be no effective alternatives. Further, the tool should be proportionate. To that end, as recalled by the European Data Protection Board ('EDPB'), public authorities should first seek to process location data in an anonymous way. Proportionality also implies that the app should be limited to the emergency period, and the data should be destroyed after the crisis, or possibly kept for a limited period afterwards, in a secure manner, for complementary research purposes or for the management of potential disputes.
- Data minimisation: The data processed should be limited to what is strictly necessary.
- Control of individuals over their data: The tool should be designed in a way that allows individuals to keep control over their data. The data should be stored locally on the user's device, where possible. More generally, apps based on Bluetooth proximity data that are encrypted directly on the mobile phone, under the user's control, provide more guarantees than apps based on continuous geolocation-based (GPS) monitoring of individuals.
- Transparency, data security and respect for individuals' data protection rights: The tool will also have to comply with the transparency requirement, ensure the security of the data, and allow individuals to exercise their data protection rights.
Ensuring compliance with the existing EU data protection rules is a primary consideration in all actions taken by CNIL, including in the current situation. The EU data protection framework does not hinder measures taken to fight against the Coronavirus crisis. On the contrary, that framework, CNIL stated, “contains itself the solutions allowing us to respond to the crisis.” Furthermore, CNIL calls for vigilance regarding technological 'solutionism.' As pointed out by CNIL's Chairwoman before France's Parliament, digital tools will not resolve everything. They may contribute to safely lifting containment measures in the context of a global strategy, but are only part of the response to the Coronavirus crisis.
Claire François, Counsel
Hunton Andrews Kurth LLP, Brussels