Immuni, here we are.

Immuni, here we are: from health protection to (false) privacy risks for users

With the release of the relevant APIs (the Application Programming Interface ndr) by Google and Apple, you can now download the contact tracing app “Immuni”. With DL 28 coming into force on 30 April, the operation of the application has been regulated with particular regard to the protection of the personal data of users, who, as is known, can download it on a voluntary basis from a single national platform. The latter specifies that the collection and subsequent use of the data can only take place anonymously and aggregated and exclusively for the purposes of “public health, prophylaxis, statistics or scientific research” (in accordance with Articles 5, par. 1, a) and 9, par. 2, lett. (i) and j), OF GDPR).

How Immuni works and the role of Google and Apple

The API jointly developed by the Mountain View and Cupertino giants adheres to the decentralized system (i.e. it exploits the storage of data on the device rather than on the server) and has the function of enabling tracking applications developed by European Union countries with the aim of monitoring the development of the COVID-19 epidemic. Through the technology of the so-called exposure notification: this allows the app to function particularly accurately through the use of bluetooth low energy (i.e. the “low-power bluetooth”) not resorting geolocation. Once installed, the application creates a random temporary code associated with the device, which in this way cannot be intercepted: at the same time, the bluetooth, via a proximity identifier, transmits a signal that will record the contact (and its duration) with the device on which the same technology is present. Following the possible positivity to the tampon, health professionals provide the user with an authorization code that can be uploaded to a ministerial server: in parallel, the app periodically downloads the codes of the infected and makes a comparison of the codes present on the device on which it is installed, notifying the user of any contact with the subject who tested positive to the tampon and further providing him with practical indications of behavior.

Privacy implications

What has caused a lot of controversy is the impact of the Immuni app on users’ personal data.
On 29 April, the Data Protection Authority, following the advice requested by the Government, gave important indications of the “technical and organisational measures that will need to be taken to ensure a level of security appropriate to the risks to the rights and freedoms of those concerned” in accordance with article. 36 par. 5 of GDPR, as well as art. 2 quinquiesdecies of d.lgs. 196/2003 (as reported by d.lgs. 101/2018). For this reason, stresses the Guarantor, the Ministry of Health will necessarily have to carry out in advance the data protection impact assessment (DPIA) which, in view of the category of data subject to treatment but above all of the systematic monitoring carried out by the application, represents an obligation for the holder of treatment in accordance with the principle of accountability (which is expressed as well as in Article 35 of GDPR also in the guidelines prepared by WP 29 on 4 October 2017). The multiplicity of stakeholders involved also requires a clear division of roles in data management: together with the Ministry of Health, which will act as the controller of the treatment, they will necessarily have to coordinate, as managers (under Article 28 of the GDPR) the Civil Protection Service, the Higher Institute of Health and the accredited public and private health facilities that will materially support users in the phase of data transmission on the central server of positive subjects. From the point of view of protecting the rights of stakeholders, Article 6 of the decree provides for a number of prerogatives to be adopted including the provision of a suitable information that indicates the purpose, manner and period of retention of the data being processed, including measures taken to ensure safety and prevent undue use, including encryption and pseudonymisation; as the decree itself specifies, these techniques ensure both the use of the only data necessary for the purposes pursued by the application itself, but also to avoid the risk of indirect identification of stakeholders. However, as also specified by the Extraordinary Commissioner Arcuri, the success of the tracking system will not depend so much on the percentage of users (since, at first it was assumed a percentage of at least 60%) as to the availability of those who tested positive for the tampon will agree to send their identification codes. In other words, it will be the common sense of the users that will dominate, so that the efforts made by all parties involved in the project are not thwarted.
All useful information about how the app works is available on the website immuni.italia.it.