On June 1, 2020, the Italian Data Protection Authority (Garante per la protezione dei dati personali – “Garante”) authorized personal data processing related to the national contact tracing system designed by the Italian government in cooperation with the company Bending Spoons S.p.A. The Garante also required that certain measures geared to protecting data subjects’ rights and freedoms be implemented.
- The national contact tracing system based on the mobile app Immuni
By Law Decree No. 28/2020, the Italian government established a national contact tracing system based on a mobile app named “Immuni.” Immuni is managed by the Italian Ministry of Health (which is the data controller) and is available for voluntary download on both iOS and Android mobile phone devices. After an initial trial phase — during which Immuni was fully operational only in certain Regions — Immuni can now be used throughout the entire Italian territory.
The authorization of the Garante was required based on article 36, paragraph 5 GDPR (providing that national laws may require prior consultation with and authorization of the supervisory authority when processing is carried out by the controller for the performance of a task carried out in the public interest, such as social protection and public health). Indeed, the Italian Data Protection Code states that the processing of personal data performed in carrying out tasks in the public interest and presenting high risk for the data subjects according to article 35 GDPR requires previous consultation with and authorization of the Garante, which in turn can require further safety measures to be adopted in order to protect data subjects.
Immuni features a contact tracing system based on Bluetooth Low Energy (the system will use no geolocation data whatsoever, including GPS data) and leverages the Exposure Notification framework developed by Apple and Google. Once Immuni is downloaded and activated, it records, in an encrypted area on the user’s mobile phone, proximity identifiers relating to the user’s interactions with other users who downloaded Immuni. More specifically, every 10 minutes Immuni generates a random cryptographic key (called a Temporary Exposure Key — “TEK”). Each TEK produces up to 144 proximity identifiers (called Rolling Proximity Identifiers — “RPI”), which are then broadcast. If two devices with Immuni are sufficiently close to each other, each device records the RPI broadcast by the other.
If a user tests positive for COVID-19, s/he can communicate this diagnosis to the health authorities through the app. Through a system of one-time passwords (OTPs), the user may authorize transmission of the TEKs generated starting from the day when the user started to experience the first COVID-19 symptoms to Immuni’s back-end. Together with the TEKs, the back-end receives epidemiological analytics (such as contacts with subjects who tested positive) and the user’s province of residence.
The TEKs of the individuals who tested positive are published in an encrypted format and are downloaded by the other devices through a content delivery network managed by a third-party company. The devices compare, at a local level, the RPIs generated from the published TEKs with the RPIs they have recorded, and an algorithm provided by the Exposure Notification framework calculates an overall risk score based on certain parameters (such as the duration of contact and the distance between the devices). If the overall risk score is above a certain threshold, Immuni notifies the user whose device recorded the RPIs broadcast by the positive user that s/he came into contact with a COVID-19 positive person and invites the user to contact his/her physician.
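The TEK/RPI flow described above (key generation, local recording of broadcast identifiers, upload of the positive user’s keys, local re-derivation and matching, threshold-based notification, and the 14-day deletion of TEKs and RPIs listed among the security measures later in this note) is easier to reason about with a small model. The following is an added example and is not Immuni’s code or the Exposure Notification framework’s code: it substitutes a truncated HMAC-SHA256 for the framework’s HKDF-plus-AES derivation so that it runs with the Python standard library alone, and the risk weights, the notification threshold and the three-device scenario are constructed values.

```python
"""Constructed model of the TEK/RPI flow (added example, not Immuni's own code)."""
import hashlib
import hmac
import os
from dataclasses import dataclass, field

INTERVAL_SECONDS = 600          # page: a new key/identifier period every 10 minutes
RPIS_PER_TEK = 144              # page: each TEK yields up to 144 rolling proximity identifiers
RETENTION_INTERVALS = 14 * 144  # page: TEKs and RPIs are deleted after 14 days
RISK_THRESHOLD = 15.0           # assumed threshold; the real value is not on the page


def generate_tek() -> bytes:
    """A fresh random 128-bit Temporary Exposure Key."""
    return os.urandom(16)


def derive_rpi(tek: bytes, interval: int) -> bytes:
    """Derive the RPI for one 10-minute interval from a TEK.

    Simplification (assumption): the real framework derives an intermediate key
    with HKDF and encrypts the interval number with AES-128; HMAC-SHA256
    truncated to 16 bytes stands in here. The property that matters is kept:
    without the TEK, RPIs from the same key cannot be linked to each other.
    """
    msg = b"EN-RPI" + interval.to_bytes(4, "little")
    return hmac.new(tek, msg, hashlib.sha256).digest()[:16]


@dataclass
class Contact:
    rpi: bytes
    interval: int
    minutes: float
    distance_m: float


@dataclass
class Device:
    teks: dict = field(default_factory=dict)      # own TEKs keyed by first interval covered
    contacts: list = field(default_factory=list)  # RPIs heard nearby; stored locally, never uploaded

    def new_key(self, start_interval: int) -> bytes:
        tek = generate_tek()
        self.teks[start_interval] = tek
        return tek

    def current_rpi(self, interval: int) -> bytes:
        start = max(s for s in self.teks if s <= interval < s + RPIS_PER_TEK)
        return derive_rpi(self.teks[start], interval)

    def record_contact(self, rpi: bytes, interval: int, minutes: float, distance_m: float) -> None:
        self.contacts.append(Contact(rpi, interval, minutes, distance_m))

    def prune(self, now_interval: int) -> None:
        """14-day deletion of both stored keys and recorded contacts."""
        cutoff = now_interval - RETENTION_INTERVALS
        self.teks = {s: k for s, k in self.teks.items() if s + RPIS_PER_TEK > cutoff}
        self.contacts = [c for c in self.contacts if c.interval > cutoff]

    def keys_to_upload(self, symptom_start_interval: int) -> list:
        """Keys the positive user authorises for upload (the OTP flow is not modelled)."""
        return [(s, k) for s, k in sorted(self.teks.items()) if s + RPIS_PER_TEK > symptom_start_interval]

    def exposure_score(self, published: list) -> float:
        """Re-derive RPIs from published TEKs, match locally, and sum a risk score.

        The distance weights are an illustrative stand-in; as the note says, the
        real scoring algorithm has not been published.
        """
        known = {}
        for start, tek in published:
            for i in range(RPIS_PER_TEK):
                known[derive_rpi(tek, start + i)] = start + i
        score = 0.0
        for c in self.contacts:
            if known.get(c.rpi) == c.interval:
                weight = 1.0 if c.distance_m <= 1.0 else 0.5 if c.distance_m <= 2.0 else 0.0
                score += c.minutes * weight
        return score

    def should_notify(self, published: list) -> bool:
        return self.exposure_score(published) >= RISK_THRESHOLD


def simulate() -> dict:
    """Constructed scenario: Alice tests positive; Bob was nearby; Carol was not."""
    start = 1000
    alice, bob, carol = Device(), Device(), Device()
    for d in (alice, bob, carol):
        d.new_key(start)

    # Bob hears Alice's RPI at interval start+3 for 20 minutes at about 1 metre.
    bob.record_contact(alice.current_rpi(start + 3), start + 3, 20, 1.0)
    # Carol only hears an unrelated device (random identifier, constructed).
    carol.record_contact(os.urandom(16), start + 5, 20, 1.0)

    published = alice.keys_to_upload(symptom_start_interval=start)
    result = {"bob": bob.should_notify(published), "carol": carol.should_notify(published)}

    # After 14 days the contact record is deleted, so the same keys no longer match.
    bob.prune(start + 3 + RETENTION_INTERVALS + 1)
    result["bob_after_retention"] = bob.should_notify(published)
    return result


if __name__ == "__main__":
    print(simulate())
```

Running the block prints `{'bob': True, 'carol': False, 'bob_after_retention': False}`: only the device that actually recorded one of Alice’s RPIs is notified, matching happens entirely on the device against the published keys, and once the retention window has passed the stored contact is gone and no match is possible. Note what the back-end never sees in this model: the recorded contacts stay local, and the uploaded TEKs reveal nothing about whom the positive user met.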
Immuni will also collect some epidemiological and technical information regarding contacts considered “at risk” (e.g., day and duration of exposure, estimated distance between users, information on how contagious the infected user was likely to be when the exposure occurred) for the purpose of helping the National Healthcare Service provide effective assistance to users.
- The elements of the processing as described in the DPIA conducted by the Ministry of Health
- Legal basis
The processing — in accordance with Article 6 of Law Decree No. 28/2020 — is based on necessity for reasons of substantial public interest, namely (i) alerting the contacts of users who test positive for COVID-19 and (ii) allowing public authorities to adopt the public health measures necessary to combat the spread of the virus. In addition, in accordance with the recommendations of the European Data Protection Board, download and use of Immuni is voluntary; indeed, the user freely chooses whether to opt in for each step of the tracing/alerting process and cannot be discriminated against or be subject to any negative consequences if s/he does not participate in the contact tracing system.
- The use of pseudonymized data and security measures
Immuni bases its core function on the dissemination of encrypted information (that is, TEKs) to users who do not have the corresponding cryptographic keys, which are available solely to the data controller. As a consequence, TEKs must be considered “pseudonymized personal data,” i.e., personal data that cannot be attributed to a given data subject without the use of additional information. Similarly, the RPI and the analytics information are also pseudonymized personal data.
Pseudonymization is a key privacy-by-design measure which, to be fully effective, must be paired with adequate security measures preventing the re-identification of data subjects. Among others, the Ministry of Health has adopted the following measures: storage of the information in encrypted areas of the user’s device; exchange of personal data between Immuni and the back-end over HTTPS; deletion of TEKs and RPI after 14 days; traceable access logs for system administrators; identification of the healthcare providers assisting users with the insertion of OTPs; and so on.
- Entities involved in the processing
The data controller is the Ministry of Health, which appointed as data processors the Ministry of Economics and Sogei S.p.A. in relation to the management of — respectively — the back-end system and the healthcare system (which dialogues with Immuni’s back-end when a healthcare professional inserts the OTP generated by the user’s device). Immuni involves other entities to function (such as the development company Bending Spoons S.p.A., Apple, and Google); however, the DPIA is unclear as to their role and refers to them as “technology providers.”
- Data subjects’ rights
Users may delete the TEKs and the RPI stored in their devices and may stop using Immuni at any time. Nevertheless, the specifics of the processing (namely, the pseudonymization) make it impossible for data subjects to exercise other rights available to them. In particular, data subjects cannot exercise the rights of access, rectification, limitation, and portability.
- Points to be clarified and the measures prescribed by the Garante
In recent months of the pandemic, there has been a certain amount of uncertainty as to how Immuni functions. This authorization, together with the publication of the DPIA conducted by the Ministry of Health, has the undisputed merit of clarifying key points about Immuni, which are analytically described and justified in light of the data protection framework. Nevertheless, certain issues — as promptly highlighted by the Garante — remain unclear.
One of the main points to be clarified is the functioning of the algorithm calculating the score that determines the level of exposure and based on which Immuni notifies users that they are at risk and collects analytics information. This point, however, is crucial to ensuring that the scientific community can adequately verify the reliability of Immuni and that the algorithm reflects the most recent discoveries about the way the virus propagates, as well as the prompt detection of “false positives” and “false negatives.” Last but not least, a lack of transparency in the way the algorithm is structured will eventually lead to a lack of trust in the functioning of Immuni, which — in a system based on the voluntary participation of users — is a crucial element for the contact tracing system to be effective.
Additionally, the extent of the participation in the contact tracing system of certain parties, such as Bending Spoons S.p.A. and Google/Apple, remains unclear. Indeed, while the DPIA labels these entities “technology providers,” it is not clear whether they actually play a role in processing activities. In this respect, the Garante also required the DPIA to highlight the existence of risk for data subjects.
The Garante also pointed to a lack of transparency regarding the processing of analytics information, since neither the information notice nor the DPIA specifies the modalities for processing this information, the anonymization techniques adopted, the duration of storage periods, or the security measures that are implemented to protect this data.
The Garante also issued other prescriptions regarding the following: the ability to deactivate Immuni easily; the provision of information regarding the fact that the receipt of a notification does not amount to a diagnosis of COVID-19; the provision of information regarding the characteristics of the trial phase; detail in the information notice on how data subjects’ rights may be exercised; and so on. The Ministry of Health will have 30 days to implement the prescriptions required by the Garante.
- Concluding comments
Regardless of how the Ministry of Health moves forward in addressing the key issues highlighted by the Garante, it should be noted that the lawfulness of the entire contact tracing system ultimately relies on at least two factual premises, namely the following: (i) the ability of the National Healthcare Service to make COVID-19 testing available to anyone who is flagged as at risk by Immuni, and (ii) a high rate of participation in the contact tracing system by the population. Indeed, without any serious action aimed at ensuring that these conditions are met, the effectiveness of the described contact tracing system will be seriously jeopardized. These two factual premises may even affect the assessment of whether such a tool (which is undisputedly invasive regarding the rights of individuals) will be deemed necessary to pursue the envisaged purposes.