Will France’s health pass collect my private information?
The government intends to roll out the pass to facilitate foreign travel and grant people access to large events
Both France and the EU are developing a type of “health pass” aimed at facilitating travel this summer.
The French pass will also be used to allow people to access certain large events, such as sports events, gigs or exhibitions.
President Emmanuel Macron has said that from June 9, the pass will be used to allow foreign tourists to enter France.
Both France’s and the EU’s pass will complement each other. For the EU pass to work, it requires each member state to create a way for certificates to be generated and also verified. These certificates will be given for Covid-19 PCR tests and for vaccinations.
France is doing this through its track and trace application TousAntiCovid.
In the app there is a section called “carnet” (notebook in English). The carnet allows people to scan a QR code that can be found on all Covid-19 PCR test result certificates and all new vaccination certificates.
Anyone who has been vaccinated previously and who has not received a certificate with a QR code will have to wait until mid-May to be able to register their certificate on the app. This will be done through France’s health insurance agency Ameli.fr.
The EU COVID-19 Certificates and France’s “carnet” health pass will use a system of digital signatures to operate.
In short, this means that each authority that can issue a Covid-19 test certificate or vaccination certificate (hospitals, laboratories, pharmacies, etc.) will have access to a digital signature. Some authorities will share these, but there will be hundreds or thousands of them in France alone.
These will all be stored in a central database in France.
It is these signatures that will be kept within the QR code on the certificates.
This means that when, for example, a travel authority at an airport scans the QR code, the scanner will read the digital signature and if it finds a match of this signature in France’s central database, then it means the certificate is authentic.
The EU’s system will allow, for example, a travel authority in Spain to scan a certificate that was issued in France and will allow the Spanish verification system to access France’s database of digital signatures to ensure that it is an authentic signature.
In this way, it is only access to the database of digital signatures that is being shared around Europe.
No private health information will be shared.
Q&A - Is our private information safe?
The Connexion spoke to Arnold Zephir, a data expert and the lead data scientist at French company Prevision.io, which enables business users, data scientists, and developers to deliver AI projects.
We asked him about both France’s and the EU’s planned travel certificates and what it means for our personal data.
What is the TousAntiCovid carnet?
The idea is to build a digital wallet that will allow people to travel abroad, for example to Germany, by storing certificates issued after Covid tests or vaccinations.
So, you show your certificate that is stored on the application in the “carnet” and which has a QR code on it. When that QR code is scanned, the scanner will verify that the digital signature is correct by accessing the national countries' digital key database.
It won’t share any personal details. It will just show if there is a match between the signatures.
This digital signature system is a good way to exchange data between the countries without sharing private data.
Obviously, it is out of the question to open France’s health database to everyone. France can not make its health database available to Spain or Italy, for example.
The alternative [to the digital signature system] is a huge global database with everyone’s health record information, but that is also out of the question.
What is the link or difference between France’s TousAntiCovid carnet and the EU COVID-19 Certificate?
It is hard to understand because the messages have been somewhat contradictory.
I do not think that it has totally been defined yet, there are still things to be worked out.
For example, will it be possible to get an EU certificate after one or two doses of a Covid vaccination, etc.
But, for example, in France I will be able to get an [EU COVID-19 Certificate] if I have been vaccinated or had a negative PCR test.
And I can then have it on paper or store it in France’s TousAntiCovid application.
I can then take it to, for example Roissy Airport, and someone there will be able to scan the QR code and see if I am eligible to fly.
So every country in Europe will have to have something similar to TousAntiCovid carnet?
Yes. So, it is France’s mechanism for storing and scanning the certificates. All countries will have to have a similar mechanism.
Will the government be able to collect the names of everyone who does not wish to be vaccinated against Covid-19?
Not explicitly no. For years the government in France has kept a healthcare database.
Children have a digital file that eventually gets linked to their carte Vitale that will say if the child has been vaccinated [against various things] or not.
Most governments have a database of information relating to the health status of their population.
So yes, when you hand over your carte Vitale to a doctor they might be able to see if you have been vaccinated against Covid-19 or not. But it is private.
This database is not the same as the database of digital signatures that is behind the health passes.
What would be new about this whole situation is if the access to bars, restaurants, cinemas, etc, is linked to someone’s vaccination status.
But in theory, there is very little chance this will happen.
The fact that the government has a health database is not new at all.