Data, apps and citizens' controls - Italy focus
A global effort is being made to control movement and prevent a rise in the cases of COVID-19.
Governments have set up information and communications technology (ICT) tools to help authorities control quarantined people and more. In this article, we look at what has been done and what the next steps will be.
Asia
China, Singapore and South Korea rely heavily on the control of their populations via apps:
Korea: a self-quarantine safety protection app was developed by the Ministry of the Interior and Safety to allow those quarantined to stay in touch with caseworkers. It also uses GPS to keep track of their location to make sure they are not breaking quarantine. The Corona 100m app was launched in February 2020 and, using government data, it alerts users when they come within 100 metres of a location visited by an infected person;
China: an app was launched to reduce the spread of coronavirus by alerting users when they've been in close proximity to someone with the illness. The Close Contact Detector app lets users check their status by scanning a QR code. Users are then directed to enter their name and government ID number. They can also check the status of three other ID numbers in proximity.
Singapore: on 20 March 2020, a mobile app called TraceTogether was launched to improve tracing efforts during the COVID-19 outbreak. Downloading the app is voluntary. After giving consent during the set-up of the app, users need (i) to turn on their Bluetooth and (ii) to enable push notifications and location permissions. The app uses Bluetooth to identify people who have been within 2m of coronavirus patients for at least 30 minutes. If a user gets infected, the authorities will be able to quickly find the other users they have been in close contact with, allowing for easier identification of potential cases and helping to curb the spread of the virus. To build trust and increase the use of the app, Singapore made the software for its contact-tracing application freely available to developers around the world, and some safeguards have been put in place by the government to protect users' privacy. Information collected is stored locally on the phones and automatically erased after 21 days. The app is opt-in and does not track users' location; it records only which other users they have encountered. The only information stored on government servers is provided by users confirmed to have COVID-19 who agree to share their logs.
At first sight, the above may seem invasive and, in certain respects, may violate privacy and/or breach individual rights. There is currently a debate on the use of such apps.
Italy (a few weeks ago)
The growth of the pandemic in the EU has followed Asia and measures adopted here have been replicated successfully in other countries.
In Italy, one of the countries most affected by COVID-19, the legislator (and, immediately after, the local DPA) has shown great interest in recent weeks in COVID-related matters that affect privacy.
See here for the 120+ pages of legal documents which have been produced.
In this article, we want to make a point on the use of technology and data, in particular concerning mobile applications, tracing and the use of anonymised data.
News outlets, papers and lawyers have been discussing the AllertaLOM app, which was recently updated with a new service related to COVID-19 and launched to help local public authorities to run studies and statistical analysis and to control and monitor the population's movements. The app already existed to notify users of weather conditions, fires and other services.
How does the app work?
The app provides a clear privacy policy. A data controller runs statistical analysis through collecting data related to the symptoms of each participant. The Regione Lombardia, the most affected region in Italy, has started to monitor this data.
AllertaLOM collects information via a questionnaire that the user can choose to fill out. Users are free to decide to actively collaborate with the authorities and the Regione Lombardia so the app can more precisely quantify the developments of the contagion and the territorial distribution of cases.
The data controller is the Regione Lombardia. It does not collect direct identification data such as name, surname, fiscal code or residency. The legal basis for collecting this data is the public interest, according to Article 9(2), lett. i) of the GDPR, as well as the informed and revocable consent of the user (as per Article 9(2), lett. a)). Therefore, any collection is subject to the consent expressed by the user.
Data is also used for anonymised statistical purposes and will never be processed by solely automated means. Data is not transferred out of the EU.
In broad terms, AllertaLOM is not comparable with Corona 100m and Close Contact Detector (in Asia, referred to above) and, as long as the current terms and conditions (T&Cs) and privacy policies are in place, it does not seem to violate the GDPR or local legislation with regard to privacy and related rights.
The Italian DPA position
With specific reference to the use of certain apps (and with expected timing), the Italian DPA has issued several statements and declarations. It has taken a position vis-à-vis the risk of violation of GDPR rules and, in the background, of human rights (see also the Hearing of its President on the use of new technologies and the internet to counter the COVID-19 epidemiological emergency before Committee IX of the Italian Chamber of Deputies on April 8 2020).
In a nutshell, the Italian DPA is confirming the following:
Rights, derogation and restrictions
Certain derogations from the standard data processing were set out in the decrees that were issued after the decision to declare a state of emergency. These mainly concern the communication of health data.
Section 14 of Law Decree 14/2020 reiterated those derogations which were taken up in a primary law instrument (no longer in a governmental decree) and clearly marked out as temporary in nature without envisaging particularly innovative data collection mechanisms.
New, more intrusive data collection arrangements might be introduced on grounds of public health, which constitutes a specific legal basis, as for emergency rescue activities. This is on the condition that they comply with the principles of necessity, proportionality and adequacy and respect the essential core of the right at issue.
Epidemiological mapping and surveillance
This is the framework for the proposal to collect data on those who have tested positive for COVID-19. The data collected concerns the location of, or device interactions with, the mobile devices of those who are COVID-19 positive. The framework evaluates epidemiological trends and traces back the spread of the contagion.
The acquisition of genuinely anonymised mobility patterns raises no specific issues.
Article 9 of the Directive 2002/58/EC “concerning the processing of personal data and the protection of privacy in the electronic communications sector” (the e-privacy directive) legitimises the acquisition of location data without the data subject’s consent, providing data is anonymised. This approach allows for mapping of the development of the epidemic. This is helpful for prognosis and statistics but less so for diagnostic purposes.
On the other hand, using non-anonymised data on location or interactions with other devices may prove helpful in many ways. In any case, this will require - also pursuant to Article 15 of the e-privacy directive - sufficiently detailed rules, including adequate safeguards.
The data in question may be used theoretically to:
- determine the location of an individual confined to home because they tested positive for the virus - i.e. the geo-location of their mobile phone (which is assumed to be carried permanently by that individual) can be used to establish compliance with the home confinement obligations; or
- acquire, going backwards, data on the interactions of the virus-positive individual with other individuals to establish their possible contact during the virus activity period via several technologies: phone cells, GPS, Bluetooth.
Contact tracing
This can be done, at least theoretically, by matching several categories of data including commercial transactions, phone cells, interactions with other mobile devices as extracted from Bluetooth data.
We will see that selecting the most effective data category also impacts on the overall assessment of proportionality. This is because increased selectivity reduces the intrusiveness of the given measure to what is strictly necessary and produces socially meaningful effects in protecting the health of individuals and the community as a whole.
Technological solutions are powerful tools for epidemiological prevention purposes. However, they require supplementary measures to be in place in order to overcome the limitations caused by the digital divide, among other things.
This consideration regarding the limitations inherent in technological solutions has two implications:
- in assessing the expected effectiveness of a measure, one should not fail to consider those supplementary measures. These are the measures envisaged for the reasonably subsequent stage when the individuals identified via data tracing as potentially infected will have to undergo medical tests; and
- the need to trace back the spread of contagion by means of electronic devices makes it difficult to impose a general obligation for everyone to use those devices. Indeed, a precondition for this is that everyone can, not only in monetary terms but also in terms of cognitive skills, use a smartphone and the many functions it holds, which is factually not feasible for everyone.
These considerations point to the advisability of relying on approaches that are based on the voluntary acceptance of the individuals allowing their locations to be traced. Still, this consent should be in no way conditional so as to ensure that it is truly free and therefore valid with a view to data processing.
Accordingly, consent given to the processing of data acquired via the mechanisms described so far could not be regarded as valid if framed as a precondition, for instance, to obtain certain services or goods.
In any case, the effectiveness of this solution for diagnostic purposes is related to the support received from citizens since the data could only be collected, by definition, from the part of the population that would give their consent to tracing.
From this standpoint, the voluntary activation of an app intended to collect data on device interactions is a precondition for a regulatory framework grounded in public health requirements, including appropriate safeguards for data subjects (Article 9(2), letter i), of GDPR).
On April 29 2020, the Italian DPA confirmed that an app for contact tracing based on the principles below is in line with personal data protection rules and rights when it is:
- based on detailed national legislative provision;
- usable on a voluntary basis only, on the basis of consent;
- achieving public interests and excluding secondary use of data, save for the possibility of using data in anonymised and aggregated form or for statistical or scientific needs;
- consistent with the minimisation and privacy by design and by default criteria, insofar as it provides for the collection of proximity data of the devices only, their processing in pseudonymous form (where processing in a completely anonymous form is not possible), the exclusion of geolocation data, and the limitation of their retention to the time strictly necessary for the pursuit of the stated purpose, with automatic deletion on expiry of the term;
- complying with the principle of transparency towards the data subject, ensuring due information; and
- admitting the further clarification of the detailed characteristics of the processing and the adequate security measures by the Ministry of Health and, as regards the scrutiny of the DPA, by means of the specific act referred to in art. 2-quinquiesdecies of the Code. In this context, the methods of human intervention in the algorithmic decision may also be provided for, so as to also meet the requirements of Article 22(2), lett. b) of the Regulation.
Storage
After data collection, the next step in the processing is the storage of data with a view to alerting possibly infected individuals.
This step should concern virus-positive individuals and the individuals who have had significant contact with them - but only during the period of potential infection.
From the perspective of privacy implications relating to the storage of the data for its possible subsequent use, one should prefer a solution whereby a contact journal would be created on the device owned by the individual at issue. This would avoid storage of the personal data in the telecom operators’ databases, which might raise the criticalities already flagged by the EU Court of Justice regarding data retention.
The necessity, proportionality and minimisation criteria highlighted by the EU Court in any case point to the need to limit these privacy restrictions to what is strictly necessary in order to achieve relevant, important purposes while undermining data subjects' rights to the minimum possible extent.
Which technology?
Bluetooth technology would appear to be preferable in order to select possibly infected individuals out of a more reliable sample, limited to significant contacts, as it yields data on spatially closer interactions compared to those that are identifiable within the much larger area covered by a phone cell. This is what Singapore and Germany seem to be planning to do.
An individual testing positive would then provide the International Mobile Equipment Identity (IMEI) of their device to the relevant geographical health care agency, which would then transmit it to the central server to trace back the contact with other individuals who also have activated their Bluetooth apps via an algorithm.
Those other individuals would receive an alert of potential infection and be invited to undergo medical testing – of course, one assumes such an invitation to be followed responsibly.
In this manner, tracing would be based on pseudonymised data and re-identification would only take place where virus positivity has been established.
The communication between the central server and the apps of potentially infected individuals would also take place without enabling their re-identification. This would minimise the impact on their privacy but certainly poses serious questions for cybersecurity.
As an alternative to the intra-app alerts, one might envisage that the local health care agency directly alerts and tests the individuals who, based on Bluetooth data, are found to have had significant contacts with a virus-positive individual.
The contact data should be retained by the server for no longer than is indispensable with a view to identifying possibly infected individuals.
The medical history subsequently collected by a physician would introduce a human intervention in the algorithmic process, which is required by the General Data Protection Regulation (GDPR) to prevent exclusively automated decisions and make good any distortions or inaccuracies brought about by those decisions.
In any case, it is desirable for the complex set of operations involved in contact tracing to be carried out entirely by public bodies.
Working as legislators
Introducing specific legislation would be an efficient way to provide a general framework of rules and safeguards to be abided by also at a local level. This would avoid a patchwork of initiatives, differing from one area to the next, which are often inconsistent and difficult to gauge in terms of their effectiveness and may ultimately undermine the overall impact of the fight against this contagion. This call for uniformity applies both domestically and at a supranational level.
Obviously, and in line with the requirements made by the Italian Constitutional Court in respect of any emergency measure, it is fundamental for these provisions to be limited in time and be revoked immediately if the state of emergency ceases – or if those provisions are found to be poorly effective in practice. From the latter standpoint, regular checks would be advisable.
It is also fundamental to lay down the mandatory erasure of the data once the period set for their potential use expires – subject to storage of such data in aggregate or anonymised format exclusively for statistical or research purposes. Adequate punishments should be introduced for non-compliance.
At the same time, any reuse of the data for purposes other than contact tracing should be prohibited.
In Official Gazette n. 111 dated April 30 2020, the Law Decree n. 28 dated April 30 has been published with full validity and enforceability with an express reference to the new app Immuni.
What is happening in Italy now (and likely tomorrow)
A public tender was opened at the end of March to select the best proposals for monitoring data and a global strategy to fight COVID-19 via apps.
The chosen solution is the one engineered by Bending Spoons S.p.A. and named Immuni.
It helps the fight against the COVID-19 epidemic by notifying users at risk of carrying the virus as early as possible, even when they are asymptomatic. Immuni’s design and development are based on six main principles: utility, accessibility, accuracy, privacy, scalability, and transparency.
It features an exposure notification system that leverages Bluetooth Low Energy:
When two users come sufficiently close to each other for long enough, their devices record each other’s rolling proximity identifier in local memory. Rolling proximity identifiers are generated from temporary exposure keys and change multiple times each hour. Temporary exposure keys are generated randomly and change once a day.
When a user tests positive for SARS-CoV-2, they have the option to upload to a server their recent temporary exposure keys. This operation can only happen with the validation of a healthcare operator.
The app periodically downloads the new temporary exposure keys and uses them to derive the infected users’ rolling proximity identifiers for the recent past. It then matches the identifiers against those stored in the device’s memory and notifies the user if a risky exposure has occurred.
Besides the temporary exposure keys, the Immuni app also sends to the server some analytics data. These include epidemiological and operational information and are sent for the purpose of helping the National Healthcare Service (Servizio Sanitario Nazionale) to provide effective assistance to users.
With specific reference to privacy matters:
- the app does not collect any personal data that would disclose the user's identity. For example, it does not collect the user's name, date of birth, address, email, or phone number;
- the app does not collect any geolocation data, including GPS data. The user’s movements are not tracked in any shape or form;
- the rolling proximity identifier that is broadcast by the app is generated from random temporary exposure keys and does not contain any information about the device. Moreover, it changes multiple times each hour;
- the epidemiological information uploaded about the user’s exposure to potentially contagious users has certain limitations. For example, the duration of the exposure is measured in five-minute increments and capped at 30 minutes for the sum of all contact with an infected user on any given day. Moreover, Immuni has no way to determine that exposures occurring on different days may have involved the same infected user;
- the operational information is uploaded without leveraging a user identifier or device identifier, and without requiring the user to authenticate in any way (including verifying a phone number or email);
- the app performs periodic dummy uploads to mitigate the risk of someone gaining sensitive information about the user through traffic analysis;
- the data stored on the device are encrypted;
- all connections between the device and the server are encrypted; and
- all data, whether stored on the device or on the server, are deleted when no longer needed, and in any case no later than December 31 2020.
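The key rotation, upload and matching steps described in the Immuni section above, together with the five-minute rounding and 30-minute daily cap from the privacy list, as an added illustration that is not Immuni's own code: the 10-minute identifier interval and the HMAC-based derivation are assumptions standing in for the real specification (the page only says identifiers change "multiple times each hour"), and the keys, contact log and validation flag are constructed inline.

```python
import os
import hmac
import hashlib

# Assumed rotation schedule: one proximity identifier per 10-minute interval,
# one temporary exposure key per day (the page gives no exact figures).
INTERVAL_SECONDS = 600
INTERVALS_PER_DAY = 24 * 3600 // INTERVAL_SECONDS  # 144
EXPOSURE_STEP_SECONDS = 300   # exposure reported in five-minute increments
EXPOSURE_CAP_SECONDS = 1800   # capped at 30 minutes per infected user per day


def new_temporary_exposure_key() -> bytes:
    """A fresh random daily key, derived from nothing about the user or device."""
    return os.urandom(16)


def rolling_proximity_identifier(tek: bytes, interval: int) -> bytes:
    """Identifier broadcast during one interval. HMAC is an assumed stand-in for
    the real derivation; it is one-way, so an observer who collects broadcast
    identifiers cannot recover the key or link intervals to each other."""
    return hmac.new(tek, interval.to_bytes(4, "big"), hashlib.sha256).digest()[:16]


def identifiers_for_day(tek: bytes, day: int) -> set:
    """All identifiers a key produced on its day: what a device recomputes after
    downloading an infected user's keys, so matching stays local to the phone."""
    start = day * INTERVALS_PER_DAY
    return {rolling_proximity_identifier(tek, i) for i in range(start, start + INTERVALS_PER_DAY)}


def upload_keys(daily_keys: dict, healthcare_validation: bool) -> list:
    """Release of a positive user's recent keys (day -> key). Refused unless a
    healthcare operator has validated the upload, as the page requires."""
    if not healthcare_validation:
        raise PermissionError("upload requires validation by a healthcare operator")
    return sorted(daily_keys.items())


def exposure_minutes(contact_log: list, uploaded_keys: list) -> list:
    """Match the local contact log, entries of (identifier, day, seconds), against
    downloaded keys. Per key (one infected user, one day): sum the contact time,
    round down to a five-minute step, cap at 30 minutes. Returns (day, minutes)."""
    results = []
    for day, tek in uploaded_keys:
        seen = identifiers_for_day(tek, day)
        seconds = sum(s for rpi, d, s in contact_log if d == day and rpi in seen)
        if seconds == 0:
            continue  # no risky exposure to this key; nothing to report
        rounded = seconds // EXPOSURE_STEP_SECONDS * EXPOSURE_STEP_SECONDS
        results.append((day, min(EXPOSURE_CAP_SECONDS, rounded) // 60))
    return results


if __name__ == "__main__":
    # Constructed scenario: device A's keys for days 100 and 101, device B's log.
    keys_a = {100: bytes(range(16)), 101: bytes(range(16, 32))}
    log_b = [(rolling_proximity_identifier(keys_a[100], 100 * INTERVALS_PER_DAY + k), 100, 600)
             for k in range(7)]                      # 70 minutes on day 100
    log_b.append((rolling_proximity_identifier(keys_a[101], 101 * INTERVALS_PER_DAY + 50), 101, 400))
    print(exposure_minutes(log_b, upload_keys(keys_a, healthcare_validation=True)))
```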
Presidenza del Consiglio dei Ministri, Dipartimento per la Trasformazione Digitale, is the data controller. The data will be used solely with the aim of containing the COVID-19 epidemic or for scientific research. The data will be stored on servers located in Italy and managed by publicly controlled entities.
What happens at an EU level
We are happy to note the recent statement from Andrea Jelinek, Chair of the European Data Protection Board (EDPB), who said:
"The Board will prioritise providing guidance on the following issues: use of location data and anonymisation of data; processing of health data for scientific and research purposes and the processing of data by technologies used to enable remote working. The EDPB will adopt a horizontal approach and plans to issue general guidance with regards to the appropriate legal bases and applicable legal principles".
In line with this approach, we have just seen the issuance of the EC Recommendation (on April 8 2020) specifically “on a common Union toolbox for the use of technology and data to combat and exit from the COVID-19 crisis, in particular concerning mobile applications and the use of anonymised mobility data” which is a clear, interesting and updated point of view on data tracking and relevant tools and worth reading through. Find it here.
We note that a first deadline was met, as the requested EU Toolbox for COVID-19 mobile applications was issued by 15 April 2020.
This first iteration of a common EU toolbox, developed urgently and collaboratively by the e-Health Network with the support of the European Commission, provides a practical guide for EU Member States. The common approach aims to exploit the latest privacy-enhancing technological solutions that enable at-risk individuals to be contacted and, if necessary, to be tested as quickly as possible, regardless of where they are and the app they are using.
It explains the essential requirements for national apps, namely that they be:
- voluntary;
- approved by the national health authority;
- privacy-preserving - personal data is securely encrypted; and
- dismantled as soon as no longer needed.
The added value of these apps is that they can record contacts that a person may not notice or remember.
These requirements on how to record contacts and notify individuals are anchored in accepted epidemiological guidance and reflect best practice on cybersecurity and accessibility. They cover how to prevent the appearance of potentially harmful unapproved apps, success criteria and collective monitoring of the effectiveness of the apps, and the outline of a communications strategy to engage with stakeholders and the people affected by these initiatives.
The EDPB has worked intensively in recent weeks, and the most relevant documents produced are:
- guidelines 05/2020 on consent under Regulation 2016/679;
- guidelines 04/2020 on the use of location data and contact tracing tools in the context of the COVID-19 outbreak; and
- guidelines 03/2020 on the processing of data concerning health for the purpose of scientific research in the context of the COVID-19 outbreak.
We shall prepare an extensive review of the guidelines above in the next release.
See our Coronavirus (COVID-19) feature for more information generally on the possible legal implications of COVID-19.