As of June 9, France will be implementing a paper and digital health pass making it possible to prove one's vaccination status or a negative PCR test taken within 48 hours. What are the consequences for individuals and the concerns regarding personal and medical data?
Interview with Nathalie Devillier, Doctor of International Law, specializing in data protection and the GDPR, Associate Professor in the Department of Management, Law and Finance and one of the Digital Organization and Society Chairs at Grenoble Ecole de Management.
The introduction of a health pass in France is controversial. In your opinion, is there an issue regarding personal and health data protection?
Two years ago, the French government "offered" the sensitive health data market to Microsoft. In fact, The Health Data hub (the national platform for health data) was subcontracted to Microsoft without any call for tender. This is despite the fact that France wishes to retain its digital sovereignty. As of today, we can therefore say that Microsoft servers are a kind of "open bar" if you will, for everything that concerns accessing, processing and using sensitive personal data.
On May 11 and 12, French deputies ratified a project for a national health data platform, managed by the American company. The servers are based in the United States and therefore the data will be used. This is all the more problematic as this data is outside national sovereignty, even though the protection of sensitive data is much stronger in the United States…
What do you think motivated this government decision?
There are no technologies or resources available in France or in the European Union. Hence the choice to use Microsoft. For years, particularly in France, health and digital technologies have not included a personal medical record (DMP). A few projects were set up in 17 regional areas, but they never came to fruition.
Today, in France, vaccination registration platforms such as Doctolib and Keldoc are private. This means that private companies have a monopoly on the entire virtual consultation and vaccination market, and on all health data nationwide!
What are the main issues?
Will we have access to a better quality of service? We get referred to the Microsoft website to find answers. And yet, there is a huge amount of work to be done in the health sector in order to draw relevant correlations between data and produce recommendations tailored to individuals regarding health. For example: I have a desk-bound job, I have such and such a condition, I take such and such a treatment, I run regularly, I record my performance, I eat in such and such a way, etc. The relevant processing of personal health data could lead to recommendations for my lifestyle in terms of prevention, however, in this scenario, leaking data to Microsoft does not give any feedback on data sharing! This is completely missing.
Overall, there is no transparency. An impact study should have been completed to measure the risks. None of that has been done. Several European Union member states - Germany and Spain for example - have published impact studies, which are available online, but France has not.
What specific problems does the TousAntiCovid application pose?
Since last year, the government wanted to manage the spread of the virus firstly through the Stop Covid application project, which was rejected by the CNIL (French National Commission for Information Technology and Civil Liberties). Today, TousAntiCovid allows users to register their vaccination status and, if this is not available, their PCR tests, etc. However, one of the first problems of this application concerns interoperability. If you travel to Italy, for example, the Italian authorities will not be able to read your vaccination status. The TousAntiCovid application is still not interoperable! This is unacceptable and a major problem from a technological point of view. This has been corrected through the use of a QR code…
As it stands, France is unforgivable: the European Commission has published a number of "toolkits" and since April 2020, has reported on the issue of backtracking i.e. the application's ability to show a notification in the event of too close a perimeter.
In theory, this application should promote the free movement of people - which is the main reason why many people get vaccinated. The problem is that there is no European format which can guarantee legitimacy! In the UK, the Netherlands and even at Paris Charles de Gaulle Airport, fake vaccination certificates and fake negative PCR tests are being sold via Snapchat for 40 Euros. As such, the required level of security for the health pass is not guaranteed. There is even a proven risk of fraud regarding the QR code. This is very problematic.
There is also confusion amongst the public between free movement and the freedom to be vaccinated (or not). Some people do not meet the eligibility criteria, and others do not wish to be vaccinated. The presence or absence of the "green" certificate should not hinder the free movement of individuals.
Finally, it is important to remember that the GDPR cannot correct the pitfalls of national security. In France, the Data Protection Act prevails.
