Blog details

CNIL authorizes experimental concert in Paris

CNIL authorizes experimental concert in Paris

CNIL authorizes experimental concert in Paris after a request for authorization, due to the processing of sensitive data. 


As governments worldwide endeavour to reopen and boost economies affected by the COVID-19 pandemic, attempts are being made at hosting mass crowd events, something which has been disallowed in many countries since the start of the pandemic. Last month, we wrote about the CNIL of France’s opinion on the use of “vaccine passports” for admission into mass crowd events. The Authority addressed the aspects of privacy and protection of personal data, much of which would need to be processed in order to make this operation functional or successful. Due to the volume of personal data to be processed, authorization was sought from the CNIL, by the AP-HP for the hosting of an experimental concert, studying the risk of spread of COVID-19. The CNIL has given its support to the execution of this exercise for research purposes, reiterating the importance of ensuring compliance with the GDPR and Data Protection Act. 


This experimental concert is part of a clinical trial studying the risk of contamination of COVID-19 in crowd settings.


This clinical trial consists of two groups of people, an experimental group of 5000 people who would be in attendance at the concert and a control group of 2500 people who would not be at the concert. The aim of this study is to analyze the transmission of COVID-19 in a large-scale gathering or mass crowd event in an enclosed room, with the application of specific health protocols. The concert, which was scheduled for May 29, is seen as the first attempt at the return of standing concerts in France. Similar concerts have taken place in other European countries like Spain, and these events are expected to give researchers and officials an idea of how safe it truly is to reintroduce mass crowd events to everyday life in a post pandemic society. 


Due to the volume of personal data to be processed in the execution of this clinical trial, CNIL was asked for authorization. 


The research conducted by the hosting of this experimental concert involved the processing of sensitive data from a large number of participants. During the study, the participants had to take several COVID-19 screening tests, the results of which were centrally stored. Participants had the option of uploading proof of a recent and negative screening test result online, or of presenting a hard copy. In addition participants from the experimental group attending the concert were filmed throughout the process, using smart cameras, in an effort to assess the circumstances under which concert attendees were less likely to respect mask mandates. Each participant was individually informed on the manner in which the study would be carried out, and their consent was obtained in writing, in advance of the study, ensuring that their consent was free, specific and informed. Participants were specifically expected to consent to participating in the research in general, and also to being recorded. This consent could have been withdrawn at any time without justification.


CNIL was in full support of this initiative, giving authorization the very day the request was received. 


CNIL, considering the challenges that have been faced by entertainment professionals in France for the duration of the pandemic, has given its support to this experimental concert. The authority reiterated the importance of compliance with the GDPR, and data protection regulations, as well as guarantees for the protection of individual rights and freedoms. This concert is one of many research projects which have benefited from legal and technical support from the CNIL during this health crisis. Many of these projects have been authorized in less than two days in order to meet specific deadlines, with a total of 117 medical research authorizations issued by the CNIL on COVID-19 during the pandemic.


Does your company have all of the mandated safeguards in place to ensure compliance with the ePrivacy, GDPR and Data Protection Act 2018 in handling customer data? Aphaia provides ePrivacy, GDPR and Data Protection Act 2018 consultancy services, including data protection impact assessments, EU AI Ethics Assessments and Data Protection Officer outsourcing. We can help your company get on track towards full compliance.

Prev post
La AEPD multa a EDP con 1,5 millones de euros
June 1, 2021
Next post
La CNIL da luz verde a un concierto experimental en París
June 3, 2021

Leave a Comment