Covid and Data Protection Authority: from Immuni App to the Digital Green Certificate

Sep 1, 2021

The pandemic has been our daily ghost for several months now. Since the first days, the protection of health and the interest of the community has been the rights demanded by citizens who, terrorized by an event whose boundaries are not yet defined, have requested the maximum safeguard. It is precisely in this context that one of the major debates on the balancing of rights has found space between the right to privacy and the right to health. We do not yet have an exact idea of when we will leave Covid-19 behind us, but we can say that, never before, the role of the Data Protection Authority has been decisive. This Authority has been called upon several times to pronounce on the applications and requests of the two main sides trying to balance the interests of both. If it is now accepted that health data are sensitive information and, as such, not to be disclosed, it is true that the health emergency has compressed some of the fundamental freedoms exposing us to violations of privacy. On this point, it has been repeatedly stated by the Data Protection Authority that it is possible to disclose data related to contagion as long as the same are made anonymous and managed by “insiders” in order not to run into situations of a dangerous chase for information. One of the proposals of the Ministry of Health to stem this medical emergency in Italy was the introduction of a tool potentially accessible to all citizens and approved by the Data Protection Authority (prov. No. 65 of February 25, 2021): the Immuni APP.

Immuni is a contact tracing app that allows users to be warned of a possible infection, enabling them to isolate themselves to avoid infecting others, or to alert, through a notification of the potential risk, those who have been in close contact with a user who has tested positive for the COVID-19 virus. This notification is made without collecting data on the identity or location of the user through the use of Bluetooth Low Energy technology. This App, despite being granted by virtue of the technical and organizational measures necessary to ensure the security of processing, is in compliance with Article 5 lett. f) and Article 32 of EU Regulation 2016/679, with specific reference to the tracking and identification of the measures necessary to ensure the protection of personal data, found a small approval from citizens who decided not to download the application on their devices. In fact, it was necessary to fear in Italy the essentiality of the exhibition also in public places from 06.08.2021 of the Digital Green Certificate – The Digital Green Certificate system covers three different types of COVID-19 certificates: a vaccination certificate, a test certificate, and a certificate of recovery issued by the national platform of the Ministry of Health – to push a much higher number of citizens to download the App Immuni (increased from 11,194,798 downloads of 28.06.2021 to 12,678,266 downloads of 28.07.2021) and the App IO. The IO App is the result of a project created by the Minister for Technological Innovation and Digital transition (MITD) provided by public bodies to citizens (e.g. payment of taxes or a fine, etc.). This App, adopts a push technology, similar to an instant messaging technology, which allows the user to receive a notification and a subsequent message to consult the Digital Green Certificate through a QR code and that, recently, has been the subject of the positive opinion of the Data Protection Authority for the recovery of Covid-19 certifications, in accordance with the legislative provision (Dpcm) on the release and verification of green certifications (prov. of June 16, 2021). Despite the Digital Green Certificate has encountered numerous difficulties regarding the protection of personal data, expressed also by the Data Protection Authority, above all due to the absence of the purposes pursued by this Certificate, the traceability of data processing and the owner of the processing, these critical points have been overcome with the issue of certain legislative provisions. These provisions have specified, for example, the ownership of data processing by the Ministry of Health, the list of personal data processed, the technical specifications of the structure of the QR Code, etc. and have allowed the Digital Green Certificate to be suitable with Regulation (EU) 2016/679.

Conclusion

We all await the end of Covid-19 but, without a doubt, we can say that this experience has allowed us to know the importance of our rights by demanding that the exercise of one does not imply the consequent renunciation of another.

References

1. https://www.immuni.italia.it/

2.“Soro: la privacy dei pazienti va difesa ma non è un totem” https://www.garanteprivacy.it/web/guest/home/docweb/-/docweb-display/docweb/9287748

3.“Provvedimento di autorizzazione al trattamento dei dati personali effettuato attraverso il Sistema di allerta Covid 19- App Immuni a seguito dell’aggiornamento della valutazione di impatto effettuata dal Ministero della salute su cui l’Autorità si era espressa con provvedimento del 1° giugno 2020 – 25 febbraio 2021 [9555987]” https://www.garanteprivacy.it/web/guest/home/docweb/-/docweb-display/docweb/9555987

4.REGOLAMENTO GENERALE SULLA PROTEZIONE DEI DATI Regolamento (UE) 2016/679 del Parlamento europeo e del Consiglio del 27 aprile 2016Arricchito con riferimenti ai Considerando Aggiornato alle rettifiche pubblicate sulla Gazzetta Ufficiale dell’Unione europea 127 del 23 maggio 2018 https://www.garanteprivacy.it/documents/10160/0/Regolamento+UE+2016+679.+Arricchito+con+riferimenti+ai+Considerando+Aggiornato+alle+rettifiche+pubblicate+sulla+Gazzetta+Ufficiale++dell%27Unione+europea+127+del+23+maggio+2018

5.Provvedimento del 16 giugno 2021 https://www.garanteprivacy.it/web/guest/home/docweb/-/docweb-display/docweb/9670061

https://www.dgc.gov.it/web/

6.Questions and Answers – Digital Green Certificate https://ec.europa.eu/commission/presscorner/detail/en/qanda_21_1187