3 April 2020
At a time when initiatives are being launched in France and in Europe to use anonymous data collected by electronic communications operators in the struggle against Covid-19, and when the French government is studying the possibility of launching an application, one shall reflect on the question of "backtracking" or "contact tracing".
This technique, which has been used in various forms for example in South Korea or Israel, is designed to trace the movements of subscribers via their telephones in order to determine the routes taken by contaminated persons, and to identify the individuals with whom they may have been in contact.
"Backtracking" must be analysed in the light of certain rules, such as those stemming from the GDPR and the French Data Protection Act, or the e-Privacy" Directive.
Where the intended uses are based on completely anonymous or anonymized data (i.e. no re-identification possible), the GDPR does not apply.
However, in the context of "backtracking", the processing consists in being able to identify contaminated individuals, and to track their interactions with other individuals, through the geolocation data of their phones. It is therefore no longer anonymous data, and in this case the GDPR is fully applicable.
Beyond the general principles mentioned in Articles 5 and 6 of the GDPR, in particular relating to the fairness and loyalty of the processing, its proportionality, or the existence of a legal basis, the difficulty arises from the fact that data collected and processed is health data: the proven contamination or the risk of contamination of a person by Covid-19.
Indeed, Article 9 of the GDPR prohibits, as a matter of principle, the processing of sensitive data, including health data, unless an exception applies. One of these exceptions is the free, specific, informed and unambiguous consent of the data subject. Other potentially exceptions are the necessity of the processing for reasons of substantial public interest (article 9.2.g. of the GDPR), or the necessity of the processing for reasons of public interest in the area of public health (article 9.2.i. of the GDPR).
The French Data Protection Act, as amended by Order No. 2018-1125 of 12 December 2018, and except where consent has been obtained, provides for additional rules specifically applicable to the processing of personal data in the field of health.
The French Data Protection Act thus requires either an authorization of the processing by the CNIL, under the conditions of its Article 66, or the sole carrying out of a privacy impact analysis, for the cases covered by its Article 67, i.e. "processing of personal data in the field of health carried out by bodies or departments entrusted with a public service mission appearing on a list drawn up by an order from the Ministers for Health and Social Security, adopted after obtaining the opinion of the National Commission on Informatics and Liberties (CNIL), which sole purpose is to respond, in the event of an emergency, to a health alert and to manage the consequences thereof, within the meaning of Section 1 of Chapter III of Title I of Book IV of Part One of the Public Health Code".
In this respect, "Santé Publique France" and the Regional Health Agencies (ARS), with the support of the National Center of Reference for Respiratory Viruses (CNR), have published an information documenton the processing they implement relating to the monitoring of persons contaminated by Covid-19, and the individuals with whom they have been in contact (by collection from the persons concerned, caregivers and public authorities), based on the response to a health alert (Article 67 of the French Data Protection Act).
Thus, with regard to the GDPR and the French Data Protection Act, the public persons mentioned in Article 67 of this law may set up individualized monitoring processing in relation with the pandemic, subject only to the carrying out of a privacy impact analysis, where private persons or other public persons would have to obtain the consent of the data subjects concerned, or an authorization from the CNIL.
However, it must be borne in mind that in all cases, prior information must be provided to the concerned data subjects.
Apart from the GDPR, the rules of the e-Privacy Directive must also be complied with as the considered is geolocation data collected through telephone.
In particular, Article L.34-1.V. of the French Post and Electronic Communications Code, which transposes Article 9 of the e-Privacy Directive, provides that consent is required for any processing of data enabling the location of a user's terminal equipment for purposes other than those relating to the routing of a communication.
Thus, geolocation data of subscribers cannot be collected without their knowledge, and their consent must be explicitly obtained.
However, for the purposes of "backtracking", the European Data Protection Board (EDPB), in its press release of 19 March 2020, recalls the terms of Article 15 of the e-Privacy Directive, which allows Member States to legislate to restrict the rights of individuals, especially with regard to consent, in order to safeguard public security. This Article 15 finds its counterpart in Article 23 of the latest version of the text of the draft e-Privacy Regulation, dated 6 March 2020.
The EDPB also recalls that adequate safeguards should be implemented, including the possibility for data subjects to have access to judicial remedies, and that the principle of proportionality should always apply, in order to favor the least intrusive scenarios for the rights of individuals.
To date, we are not aware of any draft legislation under Article 15 of the e-Privacy Directive.
"Backtracking" using telephone geolocation data can today only be implemented with the consent of the data subjects. This collection poses many practical difficulties, which is probably the reason why the main initiatives for monitoring the pandemic based on contact with contaminated persons are based on applications downloaded voluntarily by individuals.
 Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation).
 Law No. 78-17 of 6 January 1978 relating to data processing, files and liberties, as amended
 Directive 2002/58/EC of the European Parliament and of the Council of 12 July 2002 concerning the processing of personal data and the protection of privacy in the electronic communications sector (Directive on privacy and electronic communications)
 Recital 46 of the GDPR mentions in particular the monitoring of epidemics and their spread.
♦ ♦ ♦
Gide's IP-TMT practice group is available to answer any questions you may have in this respect. You may also get in touch with your usual contact at the firm
This legal update is not intended to be and should not be construed as providing legal advice. The addressee is solely liable for any use of the information contained herein and the Law Firm shall not be held responsible for any damages, direct, indirect or otherwise, arising from the use of the information by the addressee.
>> Click here to read the legal updates of Gide's multidisciplinary taskforce set up to answer all your legal issues relating to Covid-19.