Right to health, contact tracing and privacy

8 May 2020 | Insights

Since the declaration of a state of emergency on 31^st January, privacy has been at the center of the debate. the adoption of measures of an extraordinary and urgent nature is justified by the need to safeguard the collective interest in public security, including the protection of the personal data of natural persons.

The right to privacy, therefore, as well as other constitutionally guaranteed rights and freedoms, must be subject to a balance with other legal assets which, from time to time, come to the fore.

In the present historical moment, the right balance can only be sought with the right to health which, indeed, is the only one to be defined by the Constituent as “fundamental” and for this reason it is an object of protection in a primary and unconditional way, being the indispensable prerequisite for the enjoyment of all the other constitutionally guaranteed rights.

With the entry into force of the GDPR, the protection and processing of personal data relating to the health of the individual is regulated more strictly; article 9 of the GDPR prohibits its processing, with some specific exceptions.

With specific regard to health, the same article authorize treatment in the letters:

– g) if necessary, for reasons of public interest provided that appropriate and specific measures are provided for the protection of the rights and freedoms of natural persons;

– h) if necessary, for preventive medicine or occupational medicine purposes;

– i) where it is intended to protect against serious cross-border threats to health or used to ensure high standards of quality and safety of healthcare and medicinal products and medical devices;

– j) if necessary for archiving purposes in the public interest, for scientific or historical research or for statistical purposes provided that it is proportionate to the aim pursued, respects the essence of the right to data protection and provides for appropriate and specific measures to protect the fundamental rights and interests of the data subject.

In this context, there is also Article 14 of Decree-Law no. 14/2020 which, precisely because of the primacy of good health, lays down provisions on the processing of personal data in the emergency context, authorizing the persons deputies to ensure the execution of the measures ordered by the State to carry out processing of personal data even through more simplified means, provided that this is done until the end of the emergency and for reasons of public interest.

Once the relations between health protection and privacy protection have been reconstructed in this perspective, it is necessary to analyze the issue of contact tracing as a way of analyzing epidemiological trends and reconstructing the chain of infection.

In this contest, at European level, the Pepp-pt team (Pan-European Privacy-Preserving Proximity Tracing) has been created, composed of scientists from some EU countries with the aim of offering standards and technologies suitable for the creation of apps that can be downloaded on mobile phones to track people to avoid the spread of Coronavirus.

The European Committee for Data Protection (EDPB) also expressed its opinion on this initiative on 15 April last, and welcomed the initiative which, in its opinion, aims to define a coordinated approach at European level. In particular, the EDPB clarified that apps must meet accountability criteria, documenting, through a data protection impact assessment, all the mechanisms put in place considering the principles of privacy by design and by default. An impact assessment that according to Art. 35 of the GDPR must be carried out by the data controller when the latter provides for the use of technologies that may present a high risk to the rights and freedoms of individuals.

The EDPB also welcomed the provision to adopt these apps only on a voluntary basis, through a choice made by individuals, specifying, moreover, that the legal basis for the use of apps could be the enactment of national laws promoting the use of apps on a voluntary basis without any penalty for those who do not intend to use them.

The President of the EDPB also pointed out that the objective that apps must pursue is the identification of individuals who have come into contact with individuals who have tested positive for the virus and not, on the other hand, the geolocation of individual users to collect travel data (this would constitute a violation of the principle of data minimization).

In our country, by order no. 10 of 2020 issued on April 16, 2020, the Extraordinary Commissioner for the implementation and coordination of measures to contain and combat the epidemiological emergency COVID-19, arranging to proceed with the signing of the contract for the free license to use contact tracing software and free service contract with an Italian company, explained that contact tracing can be a public health action for the prevention and containment of the spread of many infectious diseases as it can help to identify potentially infected individuals before symptoms emerge and prevent subsequent transmission from secondary cases.

The last 29^th April, the Italian Privacy Authority has also articulated its opinion on this point and, at the request of the Presidency of the Council of Ministers, has expressed its opinion on a legislative proposal for the tracking of contacts within the framework of the containment strategies of the Covid-19 epidemic.

In particular, it considered the prefigured contact tracing system not in contrast with the principles of personal data protection as:

a) provided for by a sufficiently detailed legal provision as to the articulation of the processing, type of data collected, guarantees granted to the data subjects, temporariness of the measure;

b) it is based on the voluntary adherence of the data subject;

c) it is predetermined for the pursuit of public interest purposes indicated with sufficient determination and excluding secondary processing of data thus collected for other purposes, without prejudice to the possibility (within the general terms provided by the Regulation) of use, in anonymous or aggregate form, for statistical or scientific research purposes;

d) appears to comply with the principles of minimization and the criteria of privacy by design and by default in that it provides for the processing of data to be carried out in pseudonymous form (where it is not possible to do so completely anonymously), excluding the use of geolocation data and limiting its storage to the time strictly necessary for the pursuit of the indicated purpose, with automatic deletion upon expiry of the term;

e) complies with the principle of transparency towards the data subject, ensuring that the data subject is duly informed.