A little over a week after a computer researcher raised the alert about the overly “big ears” of the government application StopCovid, which would send more data than the legislative framework provides for, the Cnil has launched an investigation into this possible breach of the law.
Does StopCovid respect its own rules? A week after a computer researcher's bug report, the National Commission for Computing and Liberties (Cnil) announced on Monday that it was going to inspect the government application “in the next few days”. The grievance? The app would not respect the limits it has imposed on itself for data collection. According to the researcher, the software would collect the data of other users of the application, taking into account neither the distance nor the duration of the contact. If true, this would contradict the commitment of the digital secretary, Cédric O, who had given assurances that the application would only collect data from users located at 1m or less and for a period equal to or greater than 15 min, as specified in the decree that formalizes these limits.
A discrepancy that raises questions for the personal-data watchdog. Last May, it gave its “global” consent to the legal framework of the system, including the thorny issue of data collection, which is governed by the European Union and its General Data Protection Regulation (GDPR). In its opinion of May 25, the Cnil noted that these data collections would be “adequate, relevant and limited to what is necessary for the purposes”.
Checks in progress
Following this troublesome bug report, the Cnil intensified its checks. In addition to the online verifications and the questionnaires that have been under way since June 9, according to Le Parisien, another mission has been carried out to verify the researcher's statements. “We will check what data is sent by the application, which will allow us to assess compliance with the decree and the GDPR”, explains the Deputy Secretary General of the Cnil, Gwendal Le Grand. These checks must begin on site, at the premises of the data controller, “in the next few days”, he tells the capital's newspaper.
“At the end of the investigation, the findings may lead, in the event of serious or repeated breaches, to the adoption of corrective measures, such as formal notices or sanctions”, warns the Cnil. According to Le Parisien, the Cnil explains that the pseudonymous identifiers of the contact cases reported by the application when the user declares himself sick are not yet “at risk”, but “likely to be at risk”. This nuance, absent from its public notices, would have been part of the discussions with the government. A way of not upsetting anyone?