COVID-19: Privacy and fight against the virus, the President of the French data authority addresses the National Parliament's Law Commission

On April 8th 2020, as part of the monitoring of the health crisis linked to COVID-19, Marie-Laure Denis, President of the CNIL, was interviewed by the French Parliament.

The President first underlined the importance of the stakes related to data protection in the midst of the current health crisis. In particular, she declared that “business continuity depends partly on digital tools using personal data” but also that “personal data is perceived as a resource to directly tackle the health crisis”.

On this second point, which justified the request for this interview by the Law Commission, Marie-Laure Denis spoke more specifically about the use of digital tools based on the analysis of individual location data.

The President of the CNIL differentiates three purposes for which the government may use the location data of its nationals: mapping the spread of the virus, enforcing measures taken by the government and contact tracing.

Regarding the use of location data of European residents, Marie-Laure Denis underlined the applicable legislation.

First, the “ePrivacy” directive states that, unless anonymized, the processing of location data requires consent from the data subject. Marie-Laure Denis however mentions that under this directive, member states may adopt legislative measures allowing the data subject’s consent to be waived under certain circumstances. Since “Public security” is one of those circumstances, the fight against Covid-19 is likely to be covered in this case.

The other relevant legal text is the GDPR, which applies when location data is not anonymized. The President of the CNIL makes three observations on this matter. First of all, the processing of personal data must have a legal basis, which can in this case be consent, compliance with a legal obligation, performance of a task carried out in the public interest or in the exercise of official authority vested in the controller, or in some cases the protection of the vital interests of the data subject or of another natural person. The second observation concerns the processing of health data, which is in principle prohibited, with certain exceptions, including where the data subject consents, where the processing is necessary for the provision of health care, or where the processing is necessary for reasons of public interest in the area of public health.

Finally, the President of the supervisory authority reaffirms that member states must respect certain rights or comply with some obligations, no matter how legitimate the goals pursued by the processing are. Hence, she sets out in greater detail the rules to be followed to process location data in the context of fighting Covid-19. These include in particular the definition and limitation of the purposes of the processing (aim pursued), the justification of the adequacy of resorting to the processing of these data (in this case, its usefulness in the context of a health crisis), the necessity of resorting to this processing (actual need to process these data in order to curb the pandemic) and the proportionality (favoring the least intrusive solutions). Moreover, in theory, data cannot be stored after the health crisis.

The President of the CNIL concludes by restating the two options available to the government in order to process location data:

  • Implementation of individual monitoring on a voluntary basis: in this case, the government will have to obtain the free and informed consent of the data subject. Refusal of data collection cannot have any prejudicial consequences for the data subject.
  • Implementation of mandatory individual monitoring: in this case, the government should adopt a specific law.

Accordingly, while the CNIL seemingly does not completely exclude the implementation of forthcoming monitoring tools, set forth by the government as a response to the health crisis, the Supervisory Authority maintains a strict reading of the legal grounds which may legitimately justify such personal data processing. The Authority therefore remains faithful to its protective positions on the limits that can be placed on individual freedoms, in particular for public interest purposes.
