StopCovid: CNIL gives the Ministry of Health formal notice to comply with the GDPR

The French contact tracing application is not out of the woods yet. In its review of the new version of StopCovid, the CNIL finds that, while the application essentially complies with the GDPR and the French Data Protection Act, it still presents several irregularities, in particular regarding the use of Google reCAPTCHA, the information provided to the public, and the subcontracting agreements.

In its decision of July 15, 2020, now made public, the regulator gives the Ministry of Solidarity and Health formal notice to remedy the situation within one month.

StopCovid has been updated following the earlier checks carried out by the CNIL in June. In the first version of the application, the regulator had observed that the user's IP address was routinely processed by the anti-DDoS security system deployed as part of the service (an IP address being personal data under the GDPR).

Whereas the first version of the application sent the user's entire contact history to the central server (rather than only the contacts most likely to have been exposed to the virus), the CNIL states that this problem is resolved in the new version deployed at the end of June (version 1.1).

“On the one hand, the captcha authentication method – which makes it possible to verify, during the initial activation of the application, that the latter is used by a human being – which was based on the reCaptcha technology of the company Google, is now replaced by captcha technology developed by the company Orange. On the other hand, a pre-filter function of the contact history of the user who declares himself positive for the SARS-CoV-2 virus, based on criteria of duration and distance from the contact, is activated on the user's phone.”

However, the authority asks that this new version be “generalized to all users of StopCovid” because, to date, the two versions coexist.

Breach of the information obligation

The authority also considers that certain information is missing. The CNIL notes that the information provided to users of the service is “almost in accordance with the requirements of the GDPR” and should be supplemented on a few points, namely “the recipients of this data, the operations of reading the information present on terminal equipment (performed via reCAPTCHA) and the right to refuse these read operations,” it explains.

The CNIL also finds that the data protection impact assessment (DPIA) carried out by the ministry remains incomplete concerning the “data processing carried out for security purposes” (the anti-DDoS solution collecting IP addresses, and reCAPTCHA). As the independent authority puts it, “as soon as this security solution involves the collection of personal data, the description of this processing operation must appear in the impact assessment carried out by the controller”.

The StopCovid application has drawn strong reservations since its launch. Uptake struggled to take off: two weeks after launch, it had barely reached 1.7 million users (about 2% of the population), a figure hardly sufficient to make a real difference to users' daily lives. According to the CNIL, the service now reaches “nearly 2 million users”.