By World Healthcare Journal-
Contact-tracing apps need to have almost total uptake to be successful, say Vincenzo Salvatore and Giulia Tenaglia of international law firm BonelliErede.
Many say personal data protection was born when Brandeis and Warren published “The Right to Privacy” in the Harvard Law Review way back in 1890. The authors were alarmed at what they considered an overstepping of boundaries by the press, the government and other public bodies – constant invasions of privacy that led them to theorise about “the right to be let alone”.
Flash forward to the 21st century and we see that in the midst of a pandemic, our deepest fears and anxieties of our private lives being invaded have once again risen to the surface. In some countries, even the mere act of wearing a mask has become a symbol of government intrusion. So what about contact tracing?
Simply put, contact-tracing apps and technologies are a hotly debated issue with legal, social, medical and technological implications.
The most common mistake in the public debate is to put a private company’s use of tracking technology (like Google’s GPS tracking) to sell a service on the same level as the tracking by governments to better manage infection risk during a pandemic.
This comparison is neither fair nor useful. As is demonstrated below, governments and EU institutions are well aware of the delicate nature of contact-tracing apps and have done what they can to reduce intrusion to the minimum necessary and protect people’s personal data.
With that in mind, this article first examines the EU’s role as coordinator and then takes the example of Italy to highlight the following key aspects that any analysis of contact-tracing apps must take into account:
- The person responsible for the tracing (i.e., the data controller);
- The purpose for which a contact-tracing app is used;
- The utility of contact-tracing apps and balancing that with people’s privacy.
The EU’s role
EU institutions have understood that data protection is an indispensable part of building trust and creating the conditions needed to make any contact-tracing solution socially acceptable and ensure its effectiveness. They have thus taken stances (through the publication of recommendations and guidelines) to help coordinate the use of contact-tracing technologies by European lawmakers and to indeed put an EU-wide framework of pandemic risk management in place. The key publications are:
- The European Data Protection Board’s (EDPB) first statement (19 March);
- The EDPB’s Guidelines 04/2020 on the use of location data and contact tracing tools in the context of the COVID-19 outbreak (21 April);
- The European Data Protection Supervisor’s (EDPS) TechDispatch 1/2020: Contact Tracing with Mobile Applications (7 May);
- The European Commission’s Recommendation 2020/518 on a common Union toolbox for the use of technology and data to combat and exit from the COVID-19 crisis (8 April), and its subsequent guidance and informal statement.
Member states have taken this guidance to heart, including Italy.
The Italian case
The government and Data Protection Authority (DPA) adopted the European institutions’ same prudent approach from the pandemic’s outset.
Under the Italian authorities’ risk management framework, public health authorities alone are in charge of verifying and managing the chain of infection and, consequently, any contact-tracing app.
When the government announced that it would be using the app ‘Immuni’ to carry out contact tracing during the Covid-19 pandemic, it specified (under Art. 6 of Law Decree 28/2020) that the Ministry of Health would be the data controller and be responsible for making Immuni available to citizens. It justified the Ministry taking on this role on the fact that it is in the public interest to manage the pandemic in the best way possible.
Italian legislation makes it clear that data processed through Immuni can be used exclusively by the Ministry of Health to implement safeguards to prevent and contain Covid-19. However, aggregated and anonymised data can be used for purposes related to public health – including the prevention of future outbreaks – in addition to statistical and scientific research.
The use of Immuni is voluntary, with only around 4m people having downloaded it to date. The app uses Bluetooth Low Energy technology (no geolocation whatsoever), which ensures a proper balance between the public interest of reducing the risk of infection and people’s privacy. The app does not (and cannot) collect any data that identifies the user (e.g., name, date of birth, address, phone number, and email address).
Indeed, Immuni is designed to determine that two users came into contact without knowing who those users are or where the contact occurred. When two phones with Immuni on them come within 1.5 metres of each other, each phone sends the other random codes that do no more than let each other know that they have crossed paths.
The phones store each other’s codes for 14 days; if one of the phones’ owners subsequently tests positive for Covid-19, the competent public health authority asks that person if he/she wants to alert other users he/she exchanged random codes with. In any case, an alert – just as the exchange of random codes – does not (and cannot) reveal users’ identities.
The government has yet to issue specific instructions regarding what to do if you receive an alert – the general recommendation is that you contact your general practitioner.
The government published Immuni’s source code on the app’s website to comply with transparency duties, which is also in keeping with the EDPB’s suggestions.
One of the main points of discussion concerns the voluntary basis of Immuni’s use and the lack of specific instructions to follow when an alert is received. The roots of this discussion lie in the balance of interests mentioned above and in the now all-too-familiar dichotomy that has emerged around the world in the management of this health emergency, i.e. between measures that depend on citizens acting responsibly and those imposed by law.
With Immuni, the government has opted for the responsible citizenry approach. And given the high impact contact-tracing technologies could have on fundamental rights and freedoms, it was probably the best option.
The discussion changes when it comes to voluntary self-screening apps/software (the results of which are automatically sent to the government). Several regions have adopted this kind of technology, but it has not met with much public success. The DPA has stated that having multiple contact-tracing and self-screening apps is not a good strategy to ensure the efficiency and effectiveness of what this technology is trying to accomplish, let alone the security of personal data.
No Italian laws permit the use of contact-tracing technologies in the private sector. Indeed, as the DPA clarified on 6 June, the only current provision on contact tracing concerns Immuni. The DPA did clarify that employers may use technologies that do not record any kind of data, such as social distancing wristbands.
Technology certainly has the potential to make contact tracing much less onerous, but if the number of Immuni users is any indication, not enough people are using this technology to ensure effectiveness. Public authorities are hopeful that downloads will increase before the feared ‘second wave’ this autumn – but that will require a new communication strategy.
In the meantime, private solutions such as wristbands will likely be used more and more as businesses attempt to stave off infection within their organisations.
Vincenzo Salvatore, Healthcare and Life Sciences Focus Team leader
Giulia Tenaglia, Associate
#whjnews #whjfeature #whjinternational #whjdigitalhealth #coronavirus