The right to privacy is enshrined in French law, but is now primarily governed by the European Union’s General Data Protection Regulation (GDPR). The GDPR’s provisions have been incorporated into the 1978 Loi Informatique et Libertés, France’s original information privacy law. Information technology must not infringe upon human identity, human rights, privacy, or individual or public freedoms. Furthermore, personal data must be processed lawfully and fairly, and data that falls under the GDPR should also be processed in a manner that is transparent for the data subject. Mishandling personal data is a criminal offense under the French Penal Code. The main enforcement authority for issues of technology and privacy is the Commission nationale de l’informatique et des libertés (CNIL), an independent agency.
As a general rule, data may not be retained in a manner that allows the data subjects’ identification beyond the time necessary to fulfill the purpose for which it was collected. Location tracking of individuals falls squarely in the GDPR’s definition of “personal data,” and may only be collected and processed under the conditions laid out by that regulation. The Loi Informatique et Libertés contains several provisions regarding the handling of personal data related to health care, which may be collected and used only for certain limited purposes.
The French government has developed two electronic databases to help in the fight against the spread of COVID-19. The SI-DEP database is a secure platform where all COVID-19 test results are recorded to ensure that all positive cases are taken care of by the French health care system. The “Contact COVID” database collects information on positive cases, such as where they live and work, and who they are in regular contact with, to facilitate contact tracing. Additionally, the French government is deploying a smartphone app, called StopCovid, to help with contact tracing. This app, which is used on a purely voluntary basis, relies on Bluetooth technology to notify its user if he or she has been in close proximity to a person infected by COVID-19 for 15 minutes or more. This app is controversial and has elicited concerns over whether it is lawful under French and European privacy laws. The CNIL has issued two opinions declaring it to be legal, so long as certain conditions are respected. The French Parliament approved the app’s deployment in a nonbinding vote on May 27, 2020.
France, like many other countries, has been hard-hit by the COVID-19 pandemic. According to the French government, there have been 149,071 confirmed cases of COVID-19 in France as of May 28, 2020, and a total of 28,662 deaths from that disease. France has taken several important measures to fight COVID-19’s spread, including declaring a new type of state of emergency in March 2020.
Contact tracing appears to be an important tool in the fight against COVID-19, and France is using some technological solutions to facilitate or supplement this process. One of these solutions is the deployment of a smartphone app, capitalizing on the broad penetration of smartphones in the French market. Indeed, about 95% of French residents had a mobile phone in 2019, including approximately 77% who had a smartphone.
II. Legal Framework
A. Privacy and Data Protection
The French Civil Code provides that all people have a right to privacy. However, data protection in France is primarily governed by the European Union’s (EU’s) General Data Protection Regulation (GDPR), and by the domestic Loi Informatique et Libertés (Law on Information Technology and Freedoms). The latter was originally adopted in 1978, but has been amended many times since. For example, it was amended in 2004 to incorporate provisions from the EU’s ePrivacy Directive, and it was amended in 2018 to be consistent with the GDPR and the EU’s Directive 2016/680 on processing of personal data. The Loi Informatique et Libertés states that information technology “should not infringe upon human identity, human rights, privacy, or public or individual freedoms.” Personal data must be processed lawfully and fairly, and data that falls under the GDPR should also be processed in a manner that is transparent for the data subject. Data may not be used in a manner that is incompatible with the explicit and legitimate purposes for which it was collected.
Mishandling personal data in or through a computerized system, whether intentionally or by negligence, is punishable under the French Penal Code. Someone who violates the rules set out in the GDPR or the Loi Informatique et Libertés can be sentenced to a fine of up to €300,000 (about US$327,300) and up to five years in jail.
The Loi Informatique et Libertés set up the Commission nationale de l’informatique et des libertés (CNIL) (National Commission on Information Technology and Freedoms), an independent agency tasked with enforcing regulatory or legislative texts regarding the use of personal data. The CNIL also provides advisory opinions to the government, and informs the public on data privacy issues.
B. Data Retention
As a general rule, data may not be retained in a manner that allows the data subjects’ identification beyond the time necessary to fulfill the purpose for which it was collected. The main exception is that data, even personal information, may be retained for archival purposes, for historical or scientific research, or for statistical purposes. Even within this exception, however, the data must be kept in a manner that complies with the GDPR, and it may not be used to make decisions concerning the data subjects. Additionally, data must be kept in a manner that adequately protects personal information from being lost, destroyed, damaged, or used in an illegal or unauthorized manner.
Data that is found to be inaccurate with regard to the purpose for which it was collected should be immediately corrected or erased. Additionally, data subjects have a right to demand that their personal data be erased. Furthermore, the CNIL has the authority to demand that data be corrected or erased if it finds that the GDPR or other legal requirements have not been respected.
C. Location Tracking
Location tracking of individuals falls squarely in the GDPR’s definition of “personal data,” and is in fact one of the criteria listed to define an “identifiable natural person.” Location tracking in France is therefore primarily governed by the GDPR and the Loi Informatique et Libertés. Location tracking data may only be processed if at least one of the following conditions is fulfilled:
- The data subject has explicitly given consent under conditions defined in the GDPR,
- Processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract,
- Processing is necessary for compliance with a legal obligation,
- Processing is necessary in order to protect the vital interests of the data subject or of another natural person,
- Processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller,
- Processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except when such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular when the data subject is a child.
D. Data Related to Health Care
The Loi Informatique et Libertés contains several provisions regarding the handling of personal data related to health care. Personal health care data may only be collected and processed for a purpose of public benefit, such as ensuring high quality and safety standards for medication and health care practices. Organizations that wish to collect or process personal health care data must either provide prior notice to the CNIL if the collection and processing fall within certain published guidelines, or request the CNIL’s prior authorization if they fall outside these guidelines. An exemption exists, however, for organizations that collect or process data for the sole purpose of responding to a health emergency. This exemption only applies to organizations that have a public service mission and are on a list established by the Minister of Health, with the CNIL’s advice. In any case, health care professionals who provide data from their patients to an organization authorized to collect this data must do so in a manner that guarantees confidentiality. If the results of the data processing are made public, it must be in such a manner that the direct or indirect identification of the data subjects is impossible. Furthermore, the data subjects must be informed in accordance with the requirements of the GDPR. The Loi Informatique et Libertés contains similar provisions for data collection and processing for the purposes of health-care-related research.
III. Electronic Measures to Fight COVID-19 Spread
A. Contact-COVID and SI-DEP Databases
On May 13, 2020, the French government deployed two electronic databases to help fight the spread of COVID-19. These databases were authorized by Parliament two days before, as part of a law that extended the state of emergency related to the COVID-19 pandemic. Indeed, this law authorized the implementation of a computerized database “for the sole purposes of fighting against the spread of the COVID-19 epidemic, and for the amount of time strictly necessary for this goal or, at most, a period of six months after the end of the state of emergency [related to the epidemic].” As an exception to the legislation on the confidentiality of personal medical information, this database may include relevant personal information even without the data subject’s consent. The Constitutional Council, which judges the constitutionality of French laws, was asked to review the bill before it became law. In its opinion, the Council stated that while aspects of the proposed database violated the right to privacy, these violations were necessary for, and justified by, the fight against the COVID-19 pandemic. The Council did warn, however, that “a particular vigilance must be observed” with regard to the use of personal data of a medical nature.
The two databases that came out of this legislative authorization are called “Contact COVID” and SI-DEP. SI-DEP, which stands for Système d’Informations de DEPistage (Screening Information System), is a secure platform where all COVID-19 test results are recorded to ensure that all positive cases are taken care of by the French health care system. “Contact COVID” collects information on positive cases, and is meant to facilitate contact tracing. The information collected includes the data subject’s identity and contact information, the identity and contact information of people they are close to, their frequent contacts, their workplace, whether they display clinical symptoms, information on their general state of health, and whether they are homeless or in an otherwise vulnerable situation.
Contact COVID is managed by the national health insurance organization, while SI-DEP is managed by a partnership between the Ministry of Health, the Paris public hospital system, the French public health agency, and medical laboratories throughout the country. The data in both systems may only be accessed by medical professionals who are subject to duties of medical confidentiality: doctors, pharmacists, testing laboratory technicians, and other professionals accredited by the national health insurance organization, the national public health agency, or regional public health agencies.
B. StopCovid Smartphone App
The French government deployed a contact tracing app, called “StopCovid,” on June 2, 2020. This app uses Bluetooth technology, rather than geolocation, to detect whether the user was, for a period of 15 minutes or more, within one meter of a person infected with COVID-19. Installation and use of this app is on a purely voluntary basis.
This app has been in development since April 2020, but was delayed by technical difficulties as well as legal uncertainties. Unlike many other countries, France opted for a system in which data was stored on a central server controlled by the public health authorities. This led to disagreements with both Google and Apple, the designers of the two most common operating systems for smartphones, who favored a more decentralized concept.
The legal uncertainties around the StopCovid app mostly had to do with whether it is an illegal infringement of the right to privacy. To clarify this issue, the government sought advice from the CNIL twice. The CNIL issued one opinion on April 24, 2020, and the second on May 25, 2020.
In its April 24th opinion, the CNIL found that the proposed app did not infringe the GDPR or other privacy legislation, so long as it is truly useful to deal with the COVID-19 crisis and certain privacy guarantees are built in. The CNIL stated that use of the app needed to be purely voluntary, and that there should be no negative repercussion for not using it. Furthermore, according to the CNIL, this app must be temporary, and the data gathered must be preserved only for a limited amount of time. The CNIL also made some recommendations to ensure the security of the data collected, including the advice that only state-of-the-art cryptographic algorithms should be used to ensure the integrity and confidentiality of the app and database. In its May 25th opinion, the CNIL found that the recommendations that it had issued on April 24 appeared to have been followed, and that the app could be legally deployed. However, the CNIL required that the app’s actual utility be evaluated after its deployment, and stated that the continued use of StopCovid should be contingent on the results of regular evaluations. The CNIL also recommended that the app’s source code be made public in its entirety, though details of the security measures and software parameters should remain secret.
In an effort to quell the controversies and promote public acceptance of StopCovid, the government submitted its deployment to a nonbinding vote by Parliament on May 27. In defending the app before the National Assembly, the government specified that StopCovid was only one tool out of several to fight against the COVID-19 epidemic, and that its purpose was to complement rather than replace the work of contact tracing teams. The National Assembly approved the deployment of StopCovid by 338 votes against 215. The Senate also expressed its approval.
Prepared by Nicolas Boring
Foreign Law Specialist
Last Updated: 12/30/2020