Although he emphasizes that Bluetooth technology appears to be "less intrusive than the use of a technology that would immediately allow registering the user's location", he says that this "is not without risks". Also, the decentralized model of the STAYAWAY system receives the green light for being considered more adequate from the point of view of data protection, in addition to the fact that the source code will become public, "an important factor of transparency".
Google and Apple APIs are "one of the most critical aspects of the application"
Among the various aspects analyzed, CNPD states that "the interface between Google and Apple is one of the most critical aspects of the application, as there is a crucial part of its execution that is not controlled by the authors of the application or those responsible for the application. treatment ", he says.
"This situation is even more problematic because GAEN declares that its system is subject to modifications and extensions, by unilateral decision of the companies, without being able to anticipate the effects that this may have on the rights of users", can be read in the document .
Regarding the principle of transparency, CNPD recalls that data owners, that is, users, must always be aware of all aspects of the application's operation and its implications for the treatment of personal data and privacy, indicating that "This is all the more important as many interactions occur automatically, without the user being aware of them".
"The impact assessment must be revised, taking into account the critical aspects signaled by CNPD and which have not been analyzed", the document refers, also pointing out the omission regarding the purpose and conditions of data processing, detailing the date of the RPI, the date of the first symptoms or COVID test date for asymptomatic, universal unique identifiers.
CNPD recommendations
In addition to the various notes, CNPD leaves three recommendations on the application STAYAWAY COVID, focusing mainly on the processing of personal data. Recommendations are:
– The legal framework for the operation of the STAYAWAY system be given, "not only because access to the GAEN interface is granted to public health authorities, and only to one application per country, but also the reliability of the system depends on the validation of the medical diagnosis, by that it is essential to foresee and regulate in the legal plan the intervention of that health professional ", he mentions, also indicating that special safeguards must be made regarding" how the doctor authenticates and interacts with the system to guarantee the global security of STAYAWAY and for the maintenance of the pseudo anonymization of the treated data ".
– The requirement for legal regulation of this treatment does not rule out the voluntary nature of the use of the application by the user. CNPD also stresses that there is a double condition of lawfulness, which reinforces its legitimacy.
– The interoperability between national applications for tracking proximity contacts implies the treatment of more data, more communications and more recipients, and therefore the options must respect the principles of data protection, in particular minimization. "Likewise, we must ensure that, with interoperability, data protection safeguards do not succumb to a common minimum, but rather seek to achieve a high level of protection for the privacy of its users".
Editor's Note: The news has been updated with more information. latest update 18h32