The dramatic evolution of the health crisis linked to Covid-19 in Italy has required the Government to put in place exceptional measures to deal with this emergency, including the use of new technological tools never previously used by national institutions.
On March 20, 2020, the Ministry for Technological Innovation, together with the Ministry of Economic Development and the Ministry of University and Research, issued an invitation to all operators in the Italian digital ecosystem to help simplify the management of the pandemic through the development of digital platforms and other data processing systems.
Thus the mobile app "SOS Italia" was launched, a project developed by the Italian Digital Revolution Association, in collaboration with the software house Sielte, which is expected to be soon available on the digital stores of iOs and Android operating systems.
"SOS Italia" aims to monitor and contain the spread of Covid-19 through a user-friendly interface (log in via Google, Facebook, SMS with OTP on phone number and native integration with SPID) that will allow citizens to easily find the official communications made by the Government, the rules of conduct to be adopted, the numbers to call in case of emergency and other useful information.
Citizens will be able to fill in a questionnaire for self-diagnosis purposes and communicate to the authorities their state of compulsory or preventive isolation, the presence of symptoms and positivity to the virus.
Each user will also be able to choose to digitize their self-diagnosis for permitted travel and receive notifications if there is a risk of infection. This will be possible because, once the subject has voluntarily downloaded the app, GPS functionality will remain active even if the user is not using the app. In this way it will be possible to create a mapping of all the places frequented by the individual and build a register of the people with whom the subject has come into contact.
Similarly to what has already been experimented in South Korea, also in Italy, therefore, a technological response is attempted, based on the use of Big Data and algorithms, to put a brake on the contagion curve. But, if, on the one hand, the technical functionalities of the application provide tools of undisputed importance for the monitoring and containment of the pandemic, on the other hand, the inevitable implications in matters of data protection are worrying.
During a national and global health crisis, the protection of the primary right to health is potentially at odds with a number of other values worthy of protection. The management of the current emergency inevitably entails the restriction by the authorities of fundamental rights, including personal freedom and the protection of personal data (privacy).
Let us look at the privacy aspects. GDPR provides for the lawfulness of data processing, even for special categories, even without the express consent of the data subject, when the processing is necessary to safeguard his/her vital interests (or those of another natural person), or when it is indispensable for the performance of a task in the public interest. On the basis of this provision, therefore, the processing of the natural person's data, including data relating to his/her health, may take place independently of the granting of consent when the purpose of such processing is to limit the dissemination of Covid-19.
With regard to the processing of telecommunications data, such as location data, national laws implementing the ePrivacy Directive must also be respected. The ePrivacy Directive allows Member States to introduce legislative measures to safeguard public security.
Legislative Decree 14/2020, which contains urgent provisions for the strengthening of the National Health Service in relation to the Covid-19 emergency, provides for the possibility that the subjects operating in the National Civil Protection Service, the offices of the Ministry of Health and the Istituto Superiore di Sanità and all other subjects in charge of monitoring and ensuring the implementation of the pandemic containment measures, may share and exchange among themselves personal data of citizens (including those relating to their state of health) that are necessary for the performance of their duties. They may also omit to provide the privacy policy (as well as instructions to data processors) or provide it only orally.
This decree also makes clear that personal data processing must in any case be carried out in accordance with the principles of lawfulness, transparency and correctness provided for in Article 5 of the GDPR, reducing their processing to a minimum (principle of minimisation).
To date, however, it is not clear how these principles will be punctually implemented and who, among the various authorities at stake, will in fact be identified as the data controller and which entities, public and private, will be responsible for the aforementioned processing.
One of the issues of greatest concern is the processing of data relating to the location of citizens and how these data can be used by the authorities.
In various interviews, the Privacy Guarantor, in the person of its president, has reiterated that the right to privacy may be subject to certain limitations in the face of a collective interest, provided that the necessary balance is ensured between the protection of individual rights and the safeguarding of collective legal assets, including by providing that any law in derogation has a defined duration and coincides with the emergency period.
Moreover, an inevitably related issue concerns the data retention time, which will also have to be limited to the aforementioned emergency period and it will have to be clarified beforehand what processing operations will be allowed at the end of the emergency period and what will happen to the data collected.
The Privacy Guarantor has clarified that "data protection can even be a very useful tool in the fight against the epidemic, when this action is based on data and algorithms, of which accuracy, quality and "human" review must be guaranteed, where necessary, as in the case of wrong automated decisions based on bias".
In this regard, continues the Privacy Guarantor, a decree-law could combine timeliness of the measure and parliamentary participation. It goes without saying that the duration must be closely linked to the continuation of the emergency.
In the joint statement of the President of Convention 108 and the Commissioner for Data Protection of the Council of Europe there is an interesting indication on the use of preliminary tests in "sandbox", namely the advice to test the app in a safe and private environment before releasing it to the public.
The Privacy Guarantor may, if necessary, be involved in prior consultation, but in any case, the logic of processing and security measures must be verified by expert consultants able to develop correct privacy architectures and set up processing operations - by design and by default - respecting our fundamental rights.
In conclusion, privacy is not an obstacle to the massive processing of data, even sensitive data, but such operations, which affect our fundamental rights, must be effective, gradual and adequate.