This paper is part of the e-conference on « Data protection Issues and Covid-19: Comparative Perspectives », which consists of a daily publication at 12 p.m. (GMT+1), except on Sundays, until the Summer break.
Italy was the first Western country to face the COVID-19 outbreak, before any other country in Europe. The decision to adopt a Covid-19 Exposure Alert App was first announced at the end of March, together with the launch of a multidisciplinary Governmental Task Force charged with analysing the legal, societal and technological aspects of possible anti-virus measures and selecting the best solution to track and mitigate contagion in Italy. After this long multi-step process, the Government chose the App Immuni to alert individuals to the risk of possible contagion. The App is: voluntary; decentralized (with some exceptions concerning epidemiological analytics that we discuss below); open source; (aiming to be) interoperable; and based on a high level of pseudonymization and, more generally, of data minimization and purpose limitation. Before analysing these features one by one, we first outline the legislative framework for tracing apps in Italy, then we turn to the technical and legal aspects of the Immuni app, together with the remarks of the Italian DPA and some open issues.
Legislative framework of the tracing apps
The Exposure Alert App in Italy is regulated by Article 6 of “Decreto Legge 30 Aprile 2020, n. 88”. In Italy, the legal tool of “decreto legge” has the same value as any law (“legge”), but it is approved by the Government in situations of necessity or urgency and must be converted into a proper statute (“legge”) by the Parliament within 60 days, otherwise it loses all legal force. This decreto legge, which also regulated entirely unrelated topics such as several aspects of criminal procedure and the prison system, was converted into law by “Legge 25 giugno 2020, n. 70”. The newly approved law did not modify any aspect of the Covid-19 Alerting App regulation: accordingly, we can analyse Article 6 of the initial decreto legge directly. That article states that an official Covid-19 alert app would be adopted in Italy, but with the sole purposes of alerting people who were in contact with subjects who tested positive and of protecting their health. The same article provides that the use of the App shall be totally voluntary: people who choose not to download the app shall not be adversely affected in any way, in order to respect “the principle of equal treatment”.
As regards the data processing within the App, we can infer that the legal basis under the GDPR for processing such data is the public interest (Article 6(1)(e)) and, for special categories of data (e.g., being positive to COVID-19), reasons of public interest in the area of public health (Article 9(2)(i)). The Italian DPA considered that the “decreto legge” is an adequate legal tool to meet the legality requirement of Article 9(2)(i) (“on the basis of Union or Member State law”).
Technical and legal aspects of Immuni app
Article 6 of the abovementioned Decreto Legge, which was approved after having been examined and accepted by the Italian DPA, states that the data controller of the personal data processed through the App is the Ministry of Health. Other public entities may also end up being joint controllers (regions, departments, the Civil Protection agency). In fact, in the implementation phase the Ministry appointed as data controller a public-private entity (Sogei s.p.a.) owned by the Ministry of Economy and Finance, which in turn appointed some Content Delivery Network providers as sub-processors.
In line with the principles of purpose limitation and data minimization, Article 6 prohibits identifying the geolocation of the data subject. On a similar note, the personal data of app users must be processed under high standards of pseudonymization. Indeed, the only personal data collected is the “Temporary Exposure Key” (TEK), i.e. a temporary code generated by each app and shared via Bluetooth Low Energy. Such TEKs are stored for 14 days on the physical devices of other users who were in contact with the device that generated the TEK. There is no central database that could lead from a TEK to the physical person’s identifiers. Article 6 of the Decreto Legge also allows data processing for health research purposes, but only at an aggregated level. In addition, Article 6 requires a DPIA before the official release of the app and delegates many technical aspects to the Ministry of Health (including the decentralized architecture, the information notice, the data flow when a user uninstalls the app, etc.). Personal data can be processed only for as long as the pandemic emergency lasts and no later than 31 December 2020. For the development of the whole platform, 1,500,000 euros are provided (while the developers, “Bending Spoons”, have agreed to work for free).
The functioning of the App has been described above, but one aspect remains to be clarified here: once an app user tests positive, she can upload this information to the app platform. In order to do so, a person from the National Health Service needs to verify and certify the information on the app, so that the user can share the following with the central app system: the TEKs generated in the previous days, the result of the Covid-19 test (positive), the regional department (“provincia”), and possibly additional epidemiological data (e.g., the length of the exposure to a positive person, including the date). The only location data required is, thus, the “province” (the department within a Region), and it is not collected through GPS but voluntarily uploaded by the user. In addition to the epidemiological analytics, the app collects some operational analytics to keep the system working properly.
Once the information is uploaded, through an OTP (a one-time password communicated to the NHS representative), other users who were exposed to the positive person are alerted: each user’s device checks whether there are one or more matches between the national list of TEKs of positive persons and the personal list of TEKs stored on the device.
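The decentralized matching just described, as a simplified model added here for illustration (not Immuni's or the Google/Apple framework's code, which derive rolling identifiers from each TEK rather than broadcasting the TEK itself): each device rotates a random TEK, keeps only the keys it heard for 14 days, and compares the downloaded positive list locally, so no central party ever holds a TEK-to-person mapping. The devices, dates and contact scenario are constructed.

```python
import secrets
from datetime import date, timedelta

RETENTION_DAYS = 14  # retention period for stored contacts, as on the page

class Device:
    def __init__(self, today: date):
        self.today = today
        self.own_keys = []  # (day, TEK) pairs this device has broadcast
        self.seen = {}      # TEK heard over BLE -> day it was heard

    def new_day(self, today: date) -> None:
        """Rotate to a fresh random TEK (carries no identity) and expire old data."""
        self.today = today
        self.own_keys.append((today, secrets.token_bytes(16)))
        cutoff = today - timedelta(days=RETENTION_DAYS)
        self.seen = {k: d for k, d in self.seen.items() if d > cutoff}
        self.own_keys = [(d, k) for d, k in self.own_keys if d > cutoff]

    def current_tek(self) -> bytes:
        return self.own_keys[-1][1]

    def receive(self, tek: bytes) -> None:
        self.seen[tek] = self.today  # stored locally only, never uploaded

    def keys_to_upload(self) -> list:
        """What a verified positive user shares: TEKs only, no identifiers."""
        return [k for _, k in self.own_keys]

    def check_exposure(self, positive_list: list) -> int:
        """Local matching against the downloaded national positive-TEK list."""
        return sum(1 for k in positive_list if k in self.seen)

def run_scenario() -> dict:
    """Constructed scenario: Bob meets Alice on day 0, Carol never does."""
    day0 = date(2020, 6, 1)
    alice, bob, carol = (Device(day0) for _ in range(3))
    for dev in (alice, bob, carol):
        dev.new_day(day0)
    bob.receive(alice.current_tek())  # Bluetooth contact on day 0
    for i in range(1, 4):  # three uneventful days, fresh TEK each day
        for dev in (alice, bob, carol):
            dev.new_day(day0 + timedelta(days=i))
    positive_list = alice.keys_to_upload()  # after health-service verification
    result = {"bob": bob.check_exposure(positive_list),
              "carol": carol.check_exposure(positive_list)}
    for i in range(4, 16):  # Bob's device 15 days after the contact
        bob.new_day(day0 + timedelta(days=i))
    result["bob_after_retention"] = bob.check_exposure(positive_list)
    return result
```

The third value shows the retention rule at work: once the stored contact is older than 14 days, the same positive list no longer produces an alert on Bob's device.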
The app was officially launched on 1 June. Since then, users’ devices have started to share TEKs. However, the upload functionality was rolled out gradually, starting with only 4 “pilot” regions and, after 2 weeks, extended to the whole Italian territory.
Before the official launch, on 28 May, the Ministry of Health sent a DPIA report to the Italian DPA, which approved it and authorized the launch of the app. However, the DPA added a few comments that should be taken into account. In particular, the controller should:
- update the DPIA, mentioning the algorithm used (based on probabilistic and epidemiological criteria) and explaining the parameters used and the conclusions reached (this model seems very similar to the Algorithmic Impact Assessment model suggested in the legal literature);
- inform users that the exposure alert may not correspond to real risks because some exposures happened in contexts with adequate health safeguards (e.g., workplace);
- allow users to temporarily deactivate the app through an easily accessible button on the home page (and inform users of this option);
- protect the epidemiological and operational analytics in Immuni backend, avoiding any possible reidentification of data subjects, informing users about the specific types of data processing with such analytics and which data are collected for different categories of data subjects;
- make the privacy information notice and the alert more legible, considering that children (from 14 years old) can also use the app;
- give more details in the information notice about the pilot phase;
- clarify the exercise and consequences of the right to erasure and to object in the DPIA (and in the information notice);
- according to the accountability principle, clarify in the DPIA the roles, tasks and responsibility of private entities that are neither controllers nor processors, in particular the developer (Bending Spoons) and Google and Apple. For each of these entities, the controller should indicate the risks for data subjects;
- trace the operations of all authorized persons (e.g., data processors or persons they delegate) on the databases and on the operating system;
- mitigate the risk of material or diagnostic mistakes that could lead to the upload of TEKs of users who are not Covid-19 positive.
Implementation and open issues of Immuni app
In the first month after the launch, the app was downloaded by 4 million people (more than 10% of the potential users): 1.2 million on iPhone and 2.8 million on Android (after initial problems with Huawei and older iPhones).
Looking at the broader picture, it seems that the Italian Exposure Alert app “Immuni” is based on high standards of Data Protection by Design and has already been downloaded by a significant number of residents. In sum, it seems to comply with the EDPB indications about tracing apps, but some issues might still be on the table.
It is not clear whether Article 22 of the GDPR applies and which safeguards should be implemented in this specific case. The Italian DPA had initially mentioned this issue, clarifying that an exposure alert is an automated decision producing significant effects for individuals and requiring at least human involvement upon request of the user. However, in the final authorization after the DPIA there are no specific references to Article 22; indirectly, though, the DPA requires the controller to “explain” the algorithm used (considering in particular the parameters used and the decision reached).
In addition, as revealed by a recent case in Apulia, tracing apps might produce false positive or false negative alerts. This issue is even more serious if there is no rapid testing system in the National Healthcare System. The DPA tried to address this issue through a better explanation of the algorithm and the mitigation of the risk of mistakes (see points 1 and 10 above), but the structural issues of the NHS go beyond any technological or organizational safeguard in the app.
One last issue is the role of Google and Apple in the data processing relating to the Italian app (and any similar Apps): the DPIA of Immuni does not clarify if they are processors or joint controllers (or none of them) and the Italian DPA is still waiting for more clarifications on this point.
It is clear that these last three issues (Article 22 GDPR; false positives connected to structural healthcare issues; and the data processing role of Google and Apple) are not limited to the Italian solution but apply to any Covid-19 Exposure Alert App, and should perhaps be clarified at a supranational level.