Protecting privacy and data while tracking COVID-19 in Europe: which cooperation? A focus on Italy and Czech Republic

Within the Europe Union (EU), almost all countries have released national tracking apps. While they can help governmental authorities in monitoring the spread of the virus, they bring along legal concerns about the collection and use of data and the respect of the right to privacy.

This policy paper focuses on the tracking apps that are being developed in the EU, the attempts of cooperation that have been put in place and the relevant debate about the right to privacy and data protection. In particular, the analysis focuses on Italy and the Czech Republic, which are very interesting for a number of reasons: both countries have been particularly hit by the COVID−19 pandemic (Italy was the first European country to be hit by COVID−19 in February 2020, while the Czech Republic suffered particularly during the so-called second wave in fall 2020, and both of them have been among the countries with the highest COVID−19 transmission and death rates in the world) and they have been among the pioneers in Europe to develop and release tracking apps – though without much success.

First, this paper analyses the main initiatives that have been promoted at the EU level. Second, it looks at the experiences of Italy and the Czech Republic. In the final part, this paper offers a number of recommendations, highlighting how EU institutions and national governments should engage more in joint
initiatives and share their best practices. In particular, Italy and the Czech Republic should strengthen their efforts towards more transparency in the development and implementation of their tracking apps, with a major involvement of the national Data Protection Authorities.

Analysis

Europe

At the EU level, despite a couple of attempts to develop a common protocol for tracking apps – like the Pan-European Privacy-Preserving Proximity Tracing (PEPP-PT) and the Decentralised Privacy-Preserving Proximity Tracing (DP−3T) initiatives –‚ almost each member state (with the exception of Sweden and Luxembourg) has developed and launched its own contact-tracing app.

In September 2020, the European Commission has also launched an interoperability gateway service, with the aim to connect the tracking apps of the member states – the first group of states who joined this initiative were the Czech Republic, Denmark, Germany, Ireland, Italy and Latvia. This new gateway service makes it possible for the different apps to ʻdialogueʼ among each other; however, to date only 11 of 27 member states have joined the service. Still, it has served as a common platform for a number of member states to coordinate their efforts in developing their technologies.

In order to ensure a common approach to the development and use of these mobile apps, the Commission adopted a recommendation on 8 April 2020 calling for a coordinated approach on the use of tracking apps among EU member states, making it clear that any “restrictions on the exercise of the fundamental rights and freedoms laid […] must be justified […] proportionate […and] temporary”.

This is in line with the current EU legislative framework: article 8 of the EU Charter of Fundamental Rights recognizes the right to protection of personal data, while Regulation 2016/679 (General Data Protection Regulation or GDPR) on the protection of personal data of natural persons regulates the conditions under which personal data, including data related to health, can be processed. In particular, “such data may be
processed […] when a data subject gives her explicit consent or when processing is in the public interest as specified in Member State or Union law” (articles 6(1)(c), (e) and article 9(2) (i) of GDPR).

Following the European Commission recommendation, the eHealth Network – established under Directive 2011/24/EU in order to provide a platform for member states’ competent authorities dealing with digital health – issued, on 15 April 2020, a Common EU Toolbox for Member States with the aim to avoid “[…a] fragmented and uncoordinated approach to contact tracing apps [which] risks hampering the effectiveness of measures aimed at combating the COVID−19 crisis”. According to the Toolbox, the apps should present the following “essential requirements […] namely […] they [should] be: voluntary; […] privacy-preserving […];
and dismantled as soon as no longer needed”. Additionally, the eHealth Networks calls for a special attention to cybersecurity, with a suggestion to “carry out a national risk assessment to identify and mitigate possible risks of abuse”.

Based on this Toolbox, and on further consultation with the European Data Protection Board (EDPB), on 16 April 2020, the European Commission issued a set of guidelines for the development of contact tracing apps, making it clear the apps should comply with EU data protection rules, in particular with the GDPR provisions. All these requirements have been then reiterated in the guidelines adopted on 21 April 2020 by the EDPB.

When it comes to tracking mobile apps, two main questions should be answered, namely (1) whether the use of the mobile application will be mandatory or not and (2) whether the right to privacy is respected, namely which data will be collected (e.g. location data and/or other identifiable information), by whom and through which forms, for how long and for which purposes – indeed, tracking apps can be “in dialogue” with a central
platform gathering information from the private citizens’ smartphones, where the apps will be downloaded and installed; this means that data will flow between private devices and a central (governmental) server.

EU member states have generally employed two different types of protocols to develop their tracking apps: centralized (Bulgaria, France and Hungary) and decentralized protocols (all the other member states). Under the centralized model, anonymized data from smartphone devices are gathered in a central server, which sends alerts to those app users who have had significant contact with an infected person; on the other hand,
in the decentralized model, all data remain stored on each smartphone device. Generally, a decentralized approach guarantees much protection in terms of privacy, since it reduces the amount of data exchanged (thus, reducing also the risks of data breaches and cyberattacks) – which was also outlined by the eHealth Networkʼs Toolbox, the EDPBʼs guidelines and the Commission’s recommendation, according to which “public health authorities […] should process personal data only where adequate, relevant and limited to what is necessary, and should apply appropriate safeguards such as pseudonymisation, aggregation, encryption and decentralization”.

These guidelines have generally been well received, among others, in Italy and Czech Republic, as the following sections illustrate, though some concerns still remain.

Italy

On 15 June 2020, the Italian government launched the “Immuni” app, developed by the Italian company Bending Spoons and the Italian Ministry of Innovation. This app uses Bluetooth technology to register in an anonymous way the codes from the devices it is close to and it is based on a de-centralized system.

In a nutshell, this is how the app works: the mobile devices – on which the app has been installed – register the encrypted anonymous codes corresponding to other devices they are in contact with; when a user is tested positive for COVID−19, healthcare officers give her/him an authorization code through which the user can upload – at her/his own discretion – his/her encrypted anonymous code to the central ministerial server through the app; all devices ‘receive’ from the central server the list of codes of those who have been tested positive; each device then compares these codes with the ones that it has stored and if there is a match, the app notifies the user that she/he may be at risk and provides advice on the next steps.

The use of the mobile application is regulated by Legislative Decree No. 28 of 30 April 2020, which was adopted after the favorable opinion from the Italian Data Protection Authority: the Legislative Decree specifies that the use of mobile application is voluntary (article 6.4) and that the data gathered by the app will be cancelled, at the latest date, by the end of December 2020 (the date was then postponed to December 2021).

Overall, the app was not very successful. At the end of May 2021 – after almost one year from its release –, around 10 million people have downloaded it.

In June 2021, the “Immuni” app was updated with a new function – according to the Decree of the President of the Council of Ministers of 17 June 2021 –, namely the possibility to receive the EU Digital Covid Certificate – the certificate attesting either vaccination against COVID−19, or a negative test result or the fact to have been recovered from COVID−19. However, this additional function of the app has not incentivized its download and use by Italian citizens – indeed, the EU Digital Covid Certificate can be obtained also through other official channels (including through a dedicated website of the Italian
government).

Overall, the “Immuni” app seems to respect the main technical characteristics suggested at the EU level – and it is in line with the national legal framework on the right to privacy and data protection, namely Legislative Decree 101/2018, which implements at the national level the GDPR: according to the Legislative Decree 28/2020, the app is not mandatory (Article 6.4); it uses a decentralized system of collecting data; the data collected will be cancelled at the end of the health emergency and will be used “only for the purpose of the app itself” and “for statistical or research purposes, in an aggregate and anonymous way”
(Article 6.3).

However, some questions are still unanswered. A first issue concerns the anonymization of data: since anonymized data can be combined with other data to re-identify individuals, it would be necessary for the government to clearly prohibit the practice of “re-combination” of anonymized data. The Italian Data Protection Authority has also warned against the cybersecurity (like malware or identity theft) and data breach risks of the app: even though the government has introduced some cybersecurity safeguards, the
Data Protection Authority has called for a more transparent communication of such risks to all users and for the enhancement of further safeguards (for example, establishing for how long the single mobile devices should store the data gathered from other devices, and keeping track of all operations of the governmental data protection officers when collecting and processing the data). Furthermore, the Data Protection Authority has insisted on gathering feedback from the users of the mobile application and taking into due account the opinions received in the further development of the “Immuni” app.

Czech Republic

On 20 April 2020, the contact tracking app “eRouška” was released in the Czech Republic, as a result of a joint effort by the COVID19CZ – an informal group of experts, including Czech tech companies – and under the auspices of the Ministry of Health. The National Agency for Communication and Information Technologies (NAKIT) joined the Ministry of Health to work on a second version, which was launched in September 2020 – the new version of the app has made it suitable to join the above mentioned EU interoperability gateway service.

The use of the mobile app was regulated by a Resolution of the Czech government (Resolution No. 250 of 18 March 2020), which indicated the Ministry of Health as the institution responsible for the relevant implementation.

Unlike in Italy, where the duration of the implementation of the “Immuni” app is connected to the duration of the state of emergency linked to the spread of the COVID−19 pandemic – which was declared on 31 January 2020 and since then reiterated until 31 December 2021 –, the use of the “eRouška” app in the Czech Republic continued also after the end of the state of emergency – which was first declared between 12 March 2020 until 17 May 2020, and then from 5 October 2020 until 11 April 2021.

Like the Italian “Immuni” app, “eRouška” uses Bluetooth – in the way already described above – and is based on a de-centralized system; its use is voluntary.

However, the mobile tracking application was not very successful in the Czech Republic, as happened in Italy. At the end of October 2021, the Ministry of Health decided to suspend the operation of “eRouška”; until then, the mobile app has been downloaded by 1.7 million people, even though, as reported on the app official website, “only dozens of people would enter information in it every day”. As stated in the official website, “[a]ll aggregated anonymised user data were deleted before October 31, 2021”.

The first version of “eRouška” was reviewed on the basis of data protection by the Czech IT Agency Ackee, experts from the Czech Technical University and the think-tank IDEA (The Institute for Democracy and Economic Analysis), which confirmed that the tracking app satisfied the guarantees of data protection. As regards the final version of the app released in September 2020, the Czech Association for Personal Data Protection indicated that the technical solution of the app was in line with the requirements of the GDPR and the relevant national regulations on data protection – most notably, Act No. 110/2019 Coll., which has implemented the GDPR at the national level.

However, critical points have been raised by the Czech Data Protection Authority, who blamed the Ministry of Health for not having adequately consulted with them in the development process of the app. In particular, the President of the Data Protection Authority has warned the government on the risks in using anonymized data, as well as on the relevant cybersecurity risks and has called on the competent authorities to perform a risk assessment analysis.

Moreover, as in the Italian case, no survey has been conducted among users in order to get feedback on the operation of the app.

Conclusion and Policy Recommendations 

The experiences of Italy and the Czech Republic in the development and implementation of tracking apps – and their compliance with the respect of the right to privacy and data protection – show a number of positive lessons learnt, together with several shortcomings:

→ As regards the positive lessons learnt, what emerges is that when clear guidelines are provided by a supernational institution – in this case, the EU – states are more likely to follow similar approaches (in this regard, the revision, by the Czech Republic, of its national mobile app to allow it to ʻdialogueʼ with other EU apps through the EU gateway service has to be praised as a good signal of cooperation);

→ As regards the current shortcomings, and in particular the failure of cooperation in some EU initiatives to create, first, a unique tracking app, and then to put all EU tracking apps ʻin communicationʻ with each other, what emerges is (1) the lack of a constant dialogue among the several national actors involved in the development and implementation of the apps, which in turn has led to (2) the development of different national strategies on how to create, develop and implement the apps (this is quite evident, for example, in the different involvement of the national Data Protection Authorities in the development and implementation of the national apps). Indeed, the EU guidelines on the tracking apps have been mostly focused on the technical requirements of the apps themselves. And while the eHealth Networkʼs Toolbox has made it clear that “an integrated governance is useful to prepare and implement the measures [related to the tracking mobile applications]”, no EU initiative has followed up in order to provide a common vision on how such ʻintegrated governanceʼ should work in practice. Moreover, there seems to have been reduced interests of the EU institutions and member states in sharing their best practices – for example, the EU website collecting information on EU tracking apps is currently not up to date.

Accordingly, the following steps should be taken into consideration for a more uniform approach at the EU and national levels:

At the EU level

→ Using the existing international platforms of discussion (like the eHealth Network) to discuss more on the ʻintegrated governanceʼ in the development of tracking apps
→  Encouraging member states to constantly share their best practices

At the national level

→ Making constant use of EU platforms and initiatives to share best practices and lesson learned

In particular, for Italy

→ Making publicly available all data and reports on the use of the “Immuni” app, including when it comes to risk assessment analysis and feedback from the users
→ Involving the national Data Protection Authority also in the implementation and evaluation phase of the app

In particular, for the Czech Republic

→ Making publicly available all data and reports on the use of the “eRouška” app – including risk assessment analysis and feedback from the users
→ Involving the national Data Protection Authority in all the processes of development and implementation of the app

Overall, establishing an effective dialogue with all the relevant stakeholders at the national and European levels will ensure not only that the different apps will be similar in their use, but also that they offer the same level of privacy, in order to avoid discrimination among citizens living in different countries and having access to different apps.