The French gendarme of personal data is on his guard. The Cnil announced Monday that it would monitor "in the coming days" the operation of the central server of the government application StopCovid, accused by specialists of sharing more data than expected.
A cybersecurity researcher claims in particular that users who declare themselves contaminated would send to the health authority "all cross contacts during the last 14 days" (maximum time for incubation of the virus), and not only "at risk" contacts detected for 15 minutes within one meter, as presented by the government.
"The subject is identified and is part of the scope of the controls operated by the Cnil," confirms the deputy secretary general of the Cnil, Gwendal Le Grand. These checks must begin on site, at the premises of the data controller, "in the coming days," he said.
The commission had pronounced on April 24 on the principle of the application and on the envisaged technical protocol, which uses Bluetooth technology to detect the contacts and not the localization of the user, then on May 25 on the draft decree establishing a legal framework for the system.
According to her, the pseudonymous identifiers of contact cases brought up by the application when the user declares that they are ill are not yet "at risk", but "likely to be at risk". This nuance, absent from his public notices, would have been part of the discussions with the government.
"We will check what data is sent by the application, which will assess compliance with the decree and the GDPR", the general data protection regulation, presents Gwendal Le Grand.
Warnings or sanctions
The Cnil began its checks on June 9 with online checks and the sending of a questionnaire. "At the end of the investigation, the findings may lead, in the event of serious or repeated breaches, to the adoption of corrective measures, such as formal notices or sanctions," she warns.
Newsletter - Essential newsEvery morning, the news seen by Le Parisien
Your email address is collected by Le Parisien to allow you to receive our news and commercial offers. Find out more
Wanted by the government to fight the spread of the coronavirus and highly criticized by those who fear a surveillance company, StopCovid has been downloaded less than two million times according to the latest available figures, and has generated very few notifications, in particular due to the decline in the number of contaminations in France.