Immuni. Guarantees for privacy protection of the Italian contact-tracing app
For the purpose of containing the spread of the Covid-19 virus, Article 6 of Legislative Decree no. 28/2020 provided for the implementation of a national platform for contact tracing, aimed at alerting users who came in contact with virus-positive subjects, who can therefore promptly activate health prevention and treatment protocols (quarantine, medical exams).
Following the consultation opened by the Ministry for technological innovation and digitisation, “Immuni” (a smartphone app created by the company Bending Spoons S.p.a.) was chosen amongst the other platforms for its suitability for preventing contagion and for guarantees offered in terms of privacy protection. Systematic and large-scale monitoring of location and/or contacts between natural persons is a grave intrusion into their privacy and the processing of personal data carried out by contact tracing apps must assure the adoption of specific safeguards. This article aims to illustrate the most relevant privacy issues related to the functioning of the app.
How Immuni works
Immuni uses Bluetooth Low Energy technology to track close contacts between users that could have transmitted a contagion.
After installation, the app generates an encrypted key (so-called temporary exposure key) associated with the user, changing several times within an hour to prevent its identification. The smartphones on which the app is installed continuously send a Bluetooth signal, so that every time two people (who have downloaded Immuni on their phones) stay in close proximity for a pre-set minimum time, both their temporary exposure keys generate and reciprocally exchange an encrypted random code (so-called proximity ID) which identifies the meeting of the two subjects. This code is stored on their respective devices and is associated with metadata concerning the duration of the meeting and the intensity of the perceived signal, which help the app to calculate the risk of contagion.
Moreover, when the user decides to upload his encrypted key to the central server, Immuni also sends epidemiological information (day of contact, duration, signal intensity, level of contagiousness of the subject) and operational information (enabling Bluetooth, consent to receive notifications from the app, occurred notification of risk of contagion after the last download of the encrypted keys) to the server, useful for the Italian National Health System to manage the epidemic.
Guarantees for privacy protection
Immuni complies with the European Data Protection Board’s Guidelines (no. 3/2020 e n. 4/2020) concerning the processing of personal data in the context of the COVID-19 outbreak. On these grounds, the Italian Data Protection Authority authorised the Italian Ministry of Health to commence the processing related to the COVID-19 alert system via Immuni. An analysis of the most relevant privacy issues related to the app is provided below.
The app works entirely on a voluntary basis
There are no restrictions resulting from the non-use of the app and the app itself does not constitute a requirement for exercising any right (e.g. the right to move freely, as happened in certain States). In addition, users who decide to download Immuni and accept its terms and conditions of use – which include, amongst others, activation of Bluetooth and notifications – must also decide to cooperate in the event of testing positive for the virus, by uploading their encrypted key to alert the subjects who are likely to have been infected. Given the high impact of the tracking on individuals, requiring a genuinely free choice by the user, as also underlined by the Italian DPA, the voluntary nature of the platform is an essential requirement of the app.
The Data Controller is a public institution
The Ministry of Health acts as the Data Controller. The data collected via the app will be processed on its behalf by the subjects individuated in Article 6 of Legislative Decree no. 28/2020, appointed Data Processors as per Article 28 GDPR. A clear individuation of the Data Controller complies with the principle of accountability.
Non – use of location data
As underlined in EDPB’s Guidelines no. 4/2020, contact tracing apps do not require tracking the location of individual users. Instead, proximity data can be used. The choice to use Bluetooth technology instead of GPS technology – which would have enabled not only the ability to track a contact, but also to locate it and to quantify its duration – is therefore necessary to comply with the minimisation principle. These apps, in fact, are not aimed at tracking the movements of individuals or at ensuring compliance with rules, but only at checking if you have come in contact with a virus-positive person, so that you can promptly activate all health prevention and treatment protocols.
Data minimisation, pseudonymisation and encryption
Immuni complies with the principle of minimisation of the data processed: the app only collects the data essential to the pursuit of the purposes and such information does not include identification data (i.e. name and surname, date of birth, address, telephone or e-mail address), or, as seen above, location data. In addition, the app tracks meetings lasting more than 5 minutes, capped at 30 minutes per day; therefore, it is not possible to trace back to the duration or frequency of contacts.
Even the operational and epidemiological information uploaded to the central server prevent the user from being identified and, in any case, are subject to specific limitations (for example, the app cannot determine whether the contacts that took place on different days have occurred with the same user).
The app only uses pseudonymous identifiers (i.e. temporary exposure keys and proximity identifiers) that change several times per hour, so as to prevent re-identification of the user. In addition, the transmission of the proximity identifier to another user is encrypted and digitally signed. Lastly, Immuni periodically performs dummy uploads to the central server to mitigate the risk of someone gaining sensitive information about the user through traffic analysis.
Decentralised approach
Contrary to the first version of the app, in which both the proximity identifiers and the encrypted keys were meant to be stored on the central server (centralised approach), the data collected through the app are now stored locally on the devices. Given the neutral position of the EDPB on this point (grounded on the adequacy of both approaches in the presence of suitable security measures), the reasons behind the choice of a decentralised approach are to be found in reduced risk of a data breach.
Legal basis of the processing
The voluntary nature of the app and the user’s freedom to communicate whether he has been infected or not does not imply that the processing is based on the user’s consent. Although, in fact, consent may constitute an appropriate legal basis for the processing carried out by contact tracing apps (see EDPB’s opinion in Guidelines 4/2020), this choice implies the need for the Data Controller to comply with the strict requirements of this legal basis (including: free, specific and explicit consent in relation to health data; right to withdraw).
As an alternative to consent, however, also Article 6(1)(e) GDPR can constitute a legal basis for the processing at issue, i.e. “the performance of a task carried out in the public interest”. Paragraph 3 of the same provision also specifies that such processing must be based on an EU rule or on “the law of the Member State to which the data controller is subject”.
Immuni therefore opted for the second approach and identified Article 6 of Legislative Decree no. 28/2020 as the basis for the processing, in accordance with Article 9(2)(i) GDPR.
The data processed by the app, in fact, are suitable for revealing the user’s health status and are therefore subject to the general prohibition of processing provided for by Article 9(1) GDPR. Paragraph 2 lett. i) of the same article, however, provides for some exceptions to the prohibition, which include the possibility of processing data “for reasons of public interest in the area of public health (…) on the basis of Union or Member State law which provides for suitable and specific measures to safeguard the rights and freedoms of the data subject”. In this respect, Article 6 of Legislative Decree no. 28/2020 is therefore a national provision meeting the requirements of the GDPR, as held by the Italian DPA.
Finally, it should be remembered that Immuni – as well as all other contact tracing apps – requires the storage and/or access to information already stored on the user’s device. These data are subject to Article 5(3) of the ePrivacy Directive (Directive no. 2002/58/EC), which exempts from obtaining the user’s consent when – as in the case of Immuni – such access and storage of information are strictly necessary to allow the app provider to make the service requested available.
Purpose of the processing, secondary usage
The app collects and uses data solely for the purposes referred to in Article 6(1) of Legislative Decree no. 28/2020, i.e. “For the sole purpose of alerting people who came in close contact with subjects who have tested positive and protecting their health through the prevention measures in the context of public health measures related to the COVID-19 emergency”.
The purposes of the processing have therefore been adequately specified so as to prevent further processing of the same data for purposes not related to the management of the epidemiological emergency (for example, for commercial or for law enforcement purposes).
However, without prejudice to this, Article 6 of Legislative Decree no. 28/2020 provided also for the possibility of using the data – in aggregate or anonymous form – for secondary purposes of statistics, scientific research, public health and prophylaxis.
According to the EDPB’s opinion, secondary usages can alternatively be based on the consent of the data subject, or on EU or national laws pursuant to Article 9(i)(j) GDPR.
The first approach requires strict compliance with the conditions set out in articles 4(11) (free, specific, informed and unambiguous consent, expressed by positive action), 6 (1)(a) (for specific purposes) and 9(2)(a) GDPR (explicit consent for the processing of health data). In addition, the data subject should always have the right to withdraw his consent; the Data Controller should therefore interrupt processing of the data and, in the absence of another legal basis for the storage, the data should be erased.
On the other side, Article 9(i) and (j) allows data relating to health to be processed for purposes of public interest in the area of public health or for statistical and scientific research purposes based on an EU or national law providing suitable and specific measures to protect the data subject’s rights and freedoms.
Immuni then opted for the second approach: the legal basis for these kinds of processing is once again Article 6 of Legislative Decree no. 28/2020 (in accordance with the aforementioned Article 9), and users’ rights are protected by (amongst other) the use of data in aggregate or anonymous form.
Storage period
Legislative Decree no. 28/2020 provided specific instructions on this issue: personal data will be stored on servers located in Italy and managed by public institutions, and will be stored only for the time necessary for the pursuit of the purposes, anyway no later than 31 December 2020; after that all the data will have to be erased or permanently anonymised.
Exercise of the rights of the data subject
The data subject can exercise the right to object to the processing at any time, pursuant to Article 21 GDPR, by simply uninstalling the app. As provided for by Article 11(2) of the GDPR, instead, Articles from 15 to 20 GDPR – concerning data subjects’ rights – do not apply, since the exposure keys and the proximity identifiers are automatically deleted after 14 days (also from the central server), making the user unidentifiable. In any case, the user maintains his right to lodge a complaint before the Italian DPA.