CNIL authorizes experimental concert in Paris

CNIL authorizes experimental concert in Paris after a request for authorization, due to the processing of sensitive data. 


As governments worldwide endeavour to reopen and boost economies affected by the COVID-19 pandemic, attempts are being made at hosting mass crowd events, something which has been disallowed in many countries since the start of the pandemic. Last month, we wrote about the CNIL of France’s opinion on the use of “vaccine passports” for admission into mass crowd events. The Authority addressed the aspects of privacy and protection of personal data, much of which would need to be processed in order to make this operation functional or successful. Due to the volume of personal data to be processed, the AP-HP sought authorization from the CNIL for the hosting of an experimental concert studying the risk of spread of COVID-19. The CNIL has given its support to the execution of this exercise for research purposes, reiterating the importance of ensuring compliance with the GDPR and Data Protection Act.


This experimental concert is part of a clinical trial studying the risk of contamination of COVID-19 in crowd settings.


This clinical trial consists of two groups of people: an experimental group of 5000 people who would be in attendance at the concert, and a control group of 2500 people who would not be at the concert. The aim of this study is to analyze the transmission of COVID-19 in a large-scale gathering or mass crowd event in an enclosed room, with the application of specific health protocols. The concert, which was scheduled for May 29, is seen as the first attempt at the return of standing concerts in France. Similar concerts have taken place in other European countries like Spain, and these events are expected to give researchers and officials an idea of how safe it truly is to reintroduce mass crowd events to everyday life in a post-pandemic society.


Due to the volume of personal data to be processed in the execution of this clinical trial, CNIL was asked for authorization. 


The research conducted by the hosting of this experimental concert involved the processing of sensitive data from a large number of participants. During the study, the participants had to take several COVID-19 screening tests, the results of which were centrally stored. Participants had the option of uploading proof of a recent and negative screening test result online, or of presenting a hard copy. In addition, participants from the experimental group attending the concert were filmed throughout the process, using smart cameras, in an effort to assess the circumstances under which concert attendees were less likely to respect mask mandates. Each participant was individually informed of the manner in which the study would be carried out, and their consent was obtained in writing, in advance of the study, ensuring that their consent was free, specific and informed. Participants were specifically expected to consent to participating in the research in general, and also to being recorded. This consent could have been withdrawn at any time without justification.


CNIL was in full support of this initiative, giving authorization the very day the request was received. 


CNIL, considering the challenges that have been faced by entertainment professionals in France for the duration of the pandemic, has given its support to this experimental concert. The authority reiterated the importance of compliance with the GDPR, and data protection regulations, as well as guarantees for the protection of individual rights and freedoms. This concert is one of many research projects which have benefited from legal and technical support from the CNIL during this health crisis. Many of these projects have been authorized in less than two days in order to meet specific deadlines, with a total of 117 medical research authorizations issued by the CNIL on COVID-19 during the pandemic.


Does your company have all of the mandated safeguards in place to ensure compliance with the ePrivacy, GDPR and Data Protection Act 2018 in handling customer data? Aphaia provides ePrivacy, GDPR and Data Protection Act 2018 consultancy services, including data protection impact assessments, EU AI Ethics Assessments and Data Protection Officer outsourcing. We can help your company get on track towards full compliance.

The CNIL issues its opinion on vaccine passes for mass gatherings

The CNIL issues its opinion on the implementation and use of vaccine passes for admittance to mass crowd events in France.


As the world aims to resume somewhat normal activity during the global COVID-19 pandemic, France is considering the use of vaccine passes or green passes for admission to mass gatherings of at least 1000 persons. This suggestion comes in an effort to re-open certain establishments and resume certain activities, while minimizing the risk of contamination from the virus. These green passes, as with the ones for travel, will include information related to the COVID-19 vaccine, a negative COVID-19 test, or proof of recovery from the virus. While they were originally developed to facilitate travel with more ease during the pandemic, the Government of France seeks to take the opportunity to use them for access to mass crowd events, in an effort to resume those activities much sooner.


The CNIL makes it clear that these passes are not to be used beyond the health crisis. 


The CNIL wishes it to be made clear that these passes are intended only for use during the pandemic and that they will definitely be of a temporary nature. In acknowledging the unprecedented nature of an initiative like this and the implications that it may have for the lives of individuals, the Authority wants it to be made clear that this measure is meant for the specific purpose of dealing with the current health crisis and should only be used for as long as its purpose is applicable to the COVID-19 pandemic. In addition, the CNIL requests that the impact of this system on the health situation be monitored, studied and documented at regular intervals and on the basis of objective data, in order to determine whether public authorities should continue its use.


The CNIL would like guarantees that the use of these passes is limited to mass crowd events. 


While the Authority acknowledges the functionality of these passes for admittance into mass crowd events, the CNIL would like to make it clear that, in the interest of respect for the fundamental rights and freedoms of persons, these passes should be limited to those mass crowd events for which they are intended. The Authority wants to ensure that the use of these passes excludes places that relate to the daily activities of the population like restaurants, workplaces, shops, etc. In addition, these passes should not be used for admission to any venue linked to certain usual manifestations of fundamental freedoms (in particular the freedom to demonstrate, to organize politically or in trade unions, and the freedom of religion). The CNIL notes that the particular exclusion of these passes and the prohibition of their use in these spheres is likely to minimize any implications of the use of this system on the rights and freedoms of individuals. The CNIL also believes that there should be further clarification and transparency on the qualification of the events where the use of these passes would be considered appropriate, and measures ensuring that the passes are not used in places and events which do not meet those qualifications.


The CNIL would like to ensure that the use of these passes does not result in discrimination, and protects the personal data of individuals. 


In order to avoid discrimination, the CNIL is stressing the need that these passes be accessible to all. This includes ensuring that passes are available on paper as well as in digital format. It is also important to ensure that there is no discrimination based on the type of evidence presented in these passes, whether it be evidence of vaccination, a negative COVID-19 test, or recovery from the virus. Due to the sensitive nature of the information used for these passes, it is very important to make special considerations for limiting the disclosure of health information of individuals. The CNIL therefore suggests the implementation of a solution which would make it possible to limit access to persons authorized to verify the certificates. In addition, the Authority believes that these verifications should result in a color code (green or red color), along with the identity of their holder, so as not to reveal whether the individual has been vaccinated, tested, or recovered from a previous infection with COVID-19.


COVID-19 travel certificates questioned by Italian DPA

COVID-19 travel certificates launch in the EU soon, however the Italian DPA has pointed out some issues that need critical attention before the rollout. 


This summer, COVID-19 travel certificates or “vaccine passports” will be rolled out throughout the EU, with the official launch scheduled for the end of June. The majority of EU countries should be technically prepared by the first week of June, according to this article from Euractiv. In order to avoid delays, the aim is to have the systems for the functioning of these certificates ready when the legislation is published. The passes are expected to be legally valid and operational all over Europe. These EU COVID-19 travel certificates, which we wrote about last month, will take the form of a QR code containing information related to a person’s status with regard to the COVID-19 vaccine, or virus (whether it be negative test results or the presence of antibodies). Due to the amount of data intended to be contained in these QR codes, and the nature of that data, data protection authorities around Europe are paying close attention to the rollout of these certificates to ensure that the rights and freedoms of natural persons are protected. The Italian DPA has issued a statement pointing out certain key issues which will require special attention in ensuring that the rights and freedoms of natural persons remain protected.


Twenty countries, including Italy, are expected to be part of the first group to begin technical checks to interconnect the systems, from the second week of May. 


EU member states have been divided into three groups and rated based on their preparedness to begin system testing. The first group, which includes Italy, France, Spain and Germany, is expected to start testing the interconnected systems from the second week of May. The third and last group is expected to begin its phase of testing around the middle of June. This technical testing will include checking the entire setup, after checking that the system is validated, and changing the keys. For this reason, an EU official explained, the member states are divided into groups for testing and being tested in phases.


While the technical work is being done to lay the groundwork for COVID-19 travel certificates, the EU is working on the legal basis of the initiative. 


On April 29th, European lawmakers adopted a negotiating decision on the proposal by the Commission for the COVID-19 travel certificates or digital green certificates. This set the stage for the inter-institutional negotiation, where the Council will represent the 27 member states. The goal is to have the certification system up and running for summer, in an effort to save the struggling European tourism sector. There may seem to be a bit of pressure for time; however, data protection authorities appear to be keeping a watchful eye on the process.


The Italian DPA has released a statement pointing out some major critical issues for vaccination passes. 


The COVID-19 travel certificates have been criticized by the Italian DPA. The EDPB reported that the supervisory authority has highlighted that this rollout is affected by several data protection shortcomings, including the lack of assessment of possible large scale risks affecting the rights and freedoms of individuals. Contrary to EU GDPR requirements, the decree called “Italy Reopens” does not provide a suitable legal basis to introduce and regulate a nationwide green pass. Among the issues cited by the Italian DPA, the decree does not specify the purposes of the processing of health data, and paves the way to multifarious and unforeseeable future applications which potentially conflict with EU initiatives and go against the GDPR. The Italian SA has noted that the major critical issues that it has found are ones that could have easily and quickly been addressed beforehand; however, the SA has offered its cooperation to the government in resolving those criticalities.


Digital Green Certificates: the EDPB and EDPS release a joint opinion

Digital Green Certificates have been a topic of debate lately, and the EDPB & EDPS have released a joint opinion on this, regarding data protection and privacy.

Digital Green Certificates, which some refer to as “vaccine passports”, are, contrary to popular belief, not specific to vaccines. In actuality, the digital green certificates or passes, as they would preferably be called, are proposed to be a QR code with information on a person’s status with regard to the COVID-19 virus. The information may pertain to the vaccine, with details on which vaccine was taken and when it was administered, or it may concern a negative COVID-19 test and the date on which the last test was taken. This scannable code may also contain information on antibodies present in a person’s system, if they have developed antibodies from being infected with and recovering from this virus. Vaccines are not mandatory at this time, and the digital green certificates proposed by the European Commission are intended to make it easier to identify someone’s current status with regard to COVID-19, whether vaccinated or not, making travel throughout the EU more seamless for anyone traveling during this global pandemic.

The EDPB and EDPS released this joint statement specific to the aspects of the Proposal pertaining to personal data protection. 

The Commission first published the proposal for a Regulation of the European Parliament and of the Council on the issuance, verification and acceptance of certificates of vaccination, testing and recovery to third-country nationals who are legally staying or residing in any of the EU Member States during the COVID-19 pandemic on March 17th. The EDPB & EDPS note that the aim of this proposal is to facilitate the exercise of the right to free movement within the EU during the COVID-19 pandemic. Due to the particular importance of these proposals and their impact on individual rights and freedoms regarding the processing of personal data, the EDPB and EDPS released their joint opinion specific to the aspects of the proposal relating to personal data protection. The organisations highlight that it is essential that the proposal is consistent with, and does not in any way conflict with, the application of the GDPR.

Digital Green Certificates should be approached from a holistic and ethical standpoint, as asserted by the EDPB and EDPS in their joint opinion. 

The EDPB and EDPS suggest that the Commission take a holistic and ethical approach to the proposal in an effort to encompass all the issues related to privacy and data protection, and fundamental rights in general. They note that data protection is not an obstacle to fighting the current pandemic and that compliance with data protection law will only aid by helping citizens trust the frameworks provided in those efforts. The EDPB and EDPS advise that any measure adopted by Member States or EU institutions must be guided by the general principles of effectiveness, necessity and proportionality. In addition, they note that the World Health Organisation (WHO), in its ‘interim position paper: considerations regarding proof of COVID-19 vaccination for international travelers’, stated that “(…) national authorities and conveyance operators should not introduce requirements of proof of COVID-19 vaccination for international travel as a condition for departure or entry, given that there are still critical unknowns regarding the efficacy of vaccination in reducing transmission.”

The EDPB and EDPS, in their joint opinion, state that these green certificates must not lead to the creation of any central database of personal data at the EU level, under the pretext of the Digital Green Certificate framework. In addition, they made specific mention that these certificates should be made available in both digital and paper based formats, to ensure the inclusion of all citizens, regardless of their level of engagement with technology. The organisations also call for clarification on the proposal’s stance on the manner in which these certificates will be issued, whether automatically, or upon request of the data subject. Recital 14 and Articles 5(1) and 6(1) of the Proposal currently state “(…) Member States should issue the certificates making up the Digital Green Certificate automatically or upon request (…)”

The EDPB and EDPS are glad to note the considerations to the rights and freedoms of individuals, as well as compliance with data protection regulation, included in the Proposal. 

The organisations are pleased to note that the Proposal explicitly states that compliance with European data protection regulation is key to the cross border acceptance of vaccination, test and recovery certificates. Recital 38 of the proposal states that “[i]n line with the principle of minimisation of personal data, the certificates should only contain the personal data necessary for the purpose of facilitating the exercise of the right to free movement within the union during the COVID-19 pandemic”. The EDPB and EDPS recommend the inclusion of reference to the GDPR in the main text of the proposal, as it is the legal basis for the processing of personal data, for the issuance and verification of interoperable certificates, as acknowledged in Recital 37. 

Article 3(3) of the Proposal states that citizens can obtain these certificates free of charge, and may renew these certificates to bring the information up to date, or replace them as necessary. While the EDPB and EDPS commend this, the organisations also recommend clarifying that the original certificate, as well as modifications, shall be issued upon request of the data subject. This is very important for maintaining accessibility for all persons.

The EDPB and EDPS call for attention to data minimisation, as well as clarification on the validity period of the data processed. 

There are naturally certain categories and data fields of personal data which would need to be processed within the framework of the Digital Green Certificates. As a result, the EDPB and EDPS consider that the justification for the need for personal data fields needs to be clearly defined in the Proposal. In addition, the organizations ask that further explanation be provided as to whether all of the categories of personal data provided for are necessary for inclusion in the QR code for both digital and paper certificates. They note that data minimisation can be achieved using an approach of differently comprehensive data sets or QR codes. In addition, the organizations note the lack of specificity with regard to an expiry date or validity period for each certificate in the draft Proposal. It is also important to note that the EDPB and EDPS clearly state that, given the scope of the draft of the proposal and the context of the global pandemic, the statement of the disease or agent from which the individual has recovered should be limited to COVID-19 and its variants.

The EDPB & EDPS reiterate the importance of adequate technical and organizational privacy and security measures in the context of the proposal.

With regard to the Digital Green Certificate, the organizations suggest that privacy and security measures should be specially structured to ensure compliance by the controllers and processors of personal data required by this framework. The opinion states that controllers and processors should take adequate technical and organizational measures to ensure a level of security that is appropriate to the level of risk of the processing of this personal data, in line with Article 32 of the GDPR. These measures should include the establishment of processes for regular assessment of the effectiveness of the privacy and security measures which are adopted.

While the EDPB and EDPS are pleased to note the clarification, within the Proposal, of the roles of data controllers and processors, the organisations suggest that the Proposal specify, through a comprehensive list, all entities foreseen to be acting as controllers or processors of the data in EU Member States, taking into account the use of these certificates in multiple member states by persons traveling throughout the EU. They also suggest that the Proposal should provide clarification on the role of the Commission with regard to data protection law in the context of the framework, guaranteeing interoperability between the certificates. In addition, the organisations call for attention to compliance with Article 5(1)(e) of the GDPR, with regard to the storage of personal data, as well as clarification on the storage period that Member States should not exceed, beyond the pandemic. Furthermore, the EDPB and the EDPS recommend that the Commission explicitly clarify whether and when any international transfers of personal data are expected, as well as safeguards within the legislation to ensure that third countries will only process the personal data for the specific purposes for which this data is exchanged, according to the framework.
