The CNIL has pronounced itself, on the 7th June 2021, on the moods of implementations of the health pass which conditionate some movements as well as the access to specific places that receive lot of people.
The essential
- The principle of the health passports, joined with a certain number of guarantees, has been decided with the legislation of the 31st May 2021 on the crisis exit management.
- After having expressed a first opinion on the principle of the health passport on the last 12th May, the CNIL has pronounced itself, on the 7th June 2021, on the conditions of the situation.
- The CNIL has recommended to define clearly the time and the ambit of the application of the health passport, in particular talking about places, establishments and events, as well as interested people in the duty to provide a health passport.
- The health passport will be in force until the 30th September 2021. It refers to movements out of France or among Metropolis and Corsica or overseas, as well some places and entertainments events with more than 1.000 people. Places of everyday life or connected to the exercise of fundamental freedoms are not interested.
- In order to move in those places it will be necessary to present a proof which shall attest that the person has been vaccinated, or that he/she has resulted negative to COVID-19 or that has resulted positive for a long period of time for being recovered and immune.
- The health pass will be a QR code. In compliance with the CNIL recommendations, controllers will read the health pass with a specific app, TousAntiCovid Verif, which will give the access to their names, surnames, date of birth and general information on the validity of the proof (“green or red button”).
- The CNIL has made up a series of recommendations for the correct implementation of the health system.
The context
On Wednesday 9th of June 2021, in the ambit of the third phase of lockdown, the Government has implemented the health pass, which principle and a specific number of guarantees are planned by the Law of the 31st May 2021 on the health crisis exit management.
The health certificate which permit to limit the risks of contamination by subordinating some movements and the access in specific places, establishments and events with the presentation of one of the following proofs: a negative COVID-19 screening test, a certificate of vaccination or a certificate of reintroduction after a previous COVID-19 infection.
The passport will have two functions:
- The “activities” health passport shall permit the recovery of different activities which have been interrupted due to the health crisis and the reopening of closes places which involve a lot of people (from 1.000 people).
- The “Border” Health Pass, implemented as part of the European Union’s upcoming Digital Covid Certificate (effective 1st July). It should facilitate free movement within the European Union.
The opinion of the CNIL on the conditions of implementation of the health pass
The perimeter of the sanitary pass: places and people concerned
The places, establishments and events involved in the health pass
The CNIL notes that the places concerned by the health pass (sports or cultural venues, outdoor sports establishments, etc.), the list of which is now specified in the decree of 7th June 2021, do not concern activities of everyday life (restaurants, workplaces, shops, etc.) and are not linked to certain usual manifestations of fundamental freedoms, in accordance with its recommendations of 12th May 2021.
The persons concerned by the obligation to present the health pass
The CNIL invited the Government to delimit, in the draft decree before it, the persons concerned by the obligation to present the justifications provided by the law.
The Order specifies that the “activities” health pass applies to minors who are at least 11 years old.
Regarding the health pass «activities», the CNIL had invited the Government to explicitly specify that it will not concern employees, organizers and professionals who occur in the places concerned.
How TousAntiCovid Verif works
The control of the sanitary pass must be done by the persons empowered to control the justifications, by means of the mobile application TousAntiCovid Verif.
In accordance with the principle of data minimization, persons authorised to check the credentials using the TousAntiCovid Verif application will have access only to the names, given names and date of birth of the person concerned and the positive or negative result of holding a valid document.
However, the CNIL recalls that it is possible for an ill-intentioned person to access all the personal data integrated into the QR codes present on the justifications, including health data. It called on the Government to put in place information measures to raise public awareness of the need to protect their credentials and not expose them outside the controls provided for by the health pass (do not present the proof in places that are not concerned by the health pass, do not publish them on social networks etc.).
The CNIL recalls that no personal data must be kept by either the central server or the TousAntiCovid Verif application after the verification of the credential.
Other observations of the CNIL
In view of the sensitivity of the scheme, the CNIL also made several recommendations in that opinion, among which:
- The mention, in the decree, of the categories of personal data present on the justifications (similar to those provided for by the proposed regulation on the European digital certificate Covid).
- The need to ensure that the paper format of the vouchers can enable the data subjects to present only the data necessary for the control of their health pass (for example, by clearly indicating the bending instructions visibly on the attestations or by providing a second document, by incorporating clear information on the justifications, etc.).
- The publication of the source code of the application TousAntiCovid Verif.
- The CNIL also made recommendations on the evolution of the technical architecture of the system.
SOURCE: AUTORITA’ PER LA PROTEZIONE DEI DATI DELLA FRANCIA – CNIL