On Focus

Author: Massimo Maggiore

Personal Data Protection


Download in pdf / printable format



The lockdown of cities and indeed whole countries has been widely adopted as an emergency response to the outbreak of COVID-19, though it is not economically and socially sustainable even in the short run. On the other hand, true herd immunity can be achieved only when a vaccine will be available. 
The consensus is that contact tracing and isolation of those exposed to the infection is to be made part of the complex toolbox necessary to break the chain of transmission, together with mass virus positivity and antibody testing. The velocity of the virus’ spread is such that  traditional investigative techniques based on questioning those found positive are not an option, as they would frustrate the strategy of confining infection to the smallest possible cluster of individuals (the infected and those that have been in contact with them).
The debate around contact tracing technologies has of late taken the centre of the stage. In the past months, examples of deployment of contact tracing solutions have been provided in countries such as China, Singapore, South Korea, Israel. None of those solutions is transplantable as is in the EU context, without due consideration being given to privacy. As is known, the right to privacy and data protection is a fundamental right under the EU legal framework and must be built-in in any tracing solution since the very early stage of engineering (privacy-by-design principle art. 25 of Regulation 679/2016 “GDPR”). 
In spite of certain views that have surprisingly been voiced on the media, out of the otherwise comprehensible anxiety to use technology to suppress the virus spread, sacrificing data protection is not only prohibited under data protection laws in the EU, but most importantly would not even be necessary. Considerable amount of literature has already been produced around the allowances and restraints deriving from the EU data protection laws vis-à-vis any such tracing applications. The aim of this contribution is to summarise the relevant point of laws and to take stock of the state of maturity that the debate has reached on the better placed technological solution, also in light of the recent recommendation of the EU Commission of April 8th last on a common Union toolbox for the use of technology and data to combat and exit from the COVID-19 crisis, in particular concerning mobile applications and the use of anonymised mobility data. While this contribution might be at risk of reshuffling the obvious, at least for those familiar with the fundamentals of the law, the unprecedented COVID-19 crisis is offering the opportunity to better understand the logic behind data protection laws in the EU and this is what this contribution will try to do.


In order to weigh-in the legal privacy implications of contact tracing applications, consideration should first be given to the measure of maximum efficacy that should be expected from the tracing application against the purpose of suppressing the virus’ transmission. In other words, the first question to be answered should be: what type of personal data is needed and to what extent should this data be disclosed/made accessible to third parties (i.e. those other than the data subjects themselves) in order for an effective contact tracing strategy to be implemented. The outcome of this speculation would be the identification of the architecture of the ideal tracing application, where “ideal” means an application that would be optimal in terms of control of social interactions for the intended purposes. The analysis should then move forward and tackle the issue of legitimacy of such ideal contact tracing application under the EU data protection perspective. This calls for a balancing exercise, that should test whether the architecture of the ideal application with the limitation of privacy it implies would withstand the test of necessity and proportionality of such limitation in a democratic society (see art. 8 European Convention on Human Rights). Needless to say, that this two-stage appraisal is rather fictional, as the identification of the ideal technical features of the application for the intended purposes and the consideration of privacy implications should be performed simultaneously. The outcome of the evaluation should be to identify the least possible quantum of personal data that would be needed to achieve maximum efficacy. 
From a data protection perspective, the starting point is that any processing of data should be grounded in an appropriate legal basis, which varies depending on the types of data to be involved. In this regard, personal data processed by a tracing application could be health and location related. The legal basis for processing health related data is provided under article 9 of the GDPR, which deals with certain special categories of sensitive data, such as those concerning health, and provides for an array of legal bases, including the data subjects’ consent. The ground for processing of location data collected through public communication networks or electronic communication services (such as GPS data) is instead set out under article 9 of the e-Privacy Directive (Directive EC 2002/58), which as a general rule makes the legitimacy of such processing conditional upon anonymisation or the data subject’s consent. 
Consent as a legal ground for processing may be derogated from in respect of health and location data under both the GDPR and the e-Privacy Directive.
The key provision of article 9 of the GDPR is to this effect letter i) of paragraph 2. This norm legitimises processing of health data subject to two strict conditions: i) the first one is that of necessity of the processing for reasons of substantial public interest in the area of public health. The concept of public interest is further elaborated under Recital 46, where it is materialised in relation to the “monitoring [of] epidemics and their spread”; ii) the second condition is that Union or Member State law should still be adopted, in order to armour such necessitated processing with suitable and specific measures to safeguard the rights and freedoms of the data subjects. This means that necessity for the pursuit of a public interest as a legal basis for the processing of sensitive data is not enough, unless specifically designed safeguards are not also put in place by operation of law. 
The quality of the legislative measure that should provide for the safeguards required under the GDPR art. 9, paragraph 2, let. 1, does not necessarily need to be an act of the Parliament (as clarified under Recital 41 of the GDPR) if this conforms with the Constitutional order of each Member State. Yet, as has been aptly put ( the peculiarity of a tracing technology in Italy would call for a proper legislative act of the Parliament (even in the form of parliamentary approval of a Government’s urgency decree). Such an act pursuant to article 2-septies of the Italian Data Protection Code could then delegate to the Italian Data Protection (DP) Authority the specification of the safeguards for the rights and freedoms of the data subjects.

The safeguards to be specified should in my view be primarily technological in nature. This translates in that the least privacy invasive technology should be preferred to technologies that would instead exact a higher toll on privacy. Article 23 of the GDPR permits limitations of the data subjects’ rights and to the general principles of data processing of article 5 – amongst which those of minimization and purpose limitation - when such restrictions, although justified to safeguard a public interest, are introduced by law, respect the essence of the fundamental rights and freedoms and is a necessary and proportionate measure in a democratic society. Of similar import is the provision of article 15 of the e-privacy Directive. This provision permits temporary restrictions to the data subjects’ rights, in particular allowing the processing of individuals location data short of their consent, when such restrictions are necessary to serve the State’s public interest, provided however that they are appropriate and proportionate by the token of the constituent elements of a democratic society and again are set out under provisions of State or Union law. 

This short summary of the applicable legal principles leaves no room to justify the outright or even temporary suspension of data protection laws, that has been advocated by some as a short-cut response to the Covid-19 crisis. Suspending data protection laws is not conceivable, if not at the expense of running counter certain constitutional principles. Moreover, such suspension is not even necessary to achieve the maximum measure of efficacy of a tracing technology. 
Indeed, a number of technical proposals, along with official position documents of the EU institutions, have accumulated over the last few days, to confirm that while privacy compliance remains necessary, it is not at odds with the aim of achieving the maximum efficacy of the tracing application. The tendency emerging from these proposals and documents is towards the substantial decentralization of the application’s contact tracing functions, based on proximity Bluetooth based solutions that do not collect location data and reduce to the very minimum the exposure of the personal data of both the infected and of those that have come in close contact with the infected. Below a summary of the main positions to date.

On April 8th, 2020 the EU Commission adopted the above mentioned Recommendation, to offer a common approach at EU level, with particular respect to the use of mobile applications. The Recommendation at paragraph 16 singles out a list of guiding principles, that would give substance to the safeguards that the GDPR and the e-privacy Directive require as enabling factors for the processing of personal data in the interest of the COVID-19 crisis management. The Recommendation advocates “preference for the least intrusive yet effective measures, including the use of proximity data and the avoidance of processing data on location or movements of individuals, and the use of anonymised and aggregated data where possible” as wells as “technical requirements concerning appropriate technologies (e.g. Bluetooth Low Energy) to establish device proximity, encryption, data security, storage of data on the mobile device, possible access by health authorities and data storage; “uploading of proximity data in case of a confirmed infection and appropriate methods of warning persons who have been in close contact with the infected person, who shall remain anonymous; and finally “transparency requirements on the privacy settings to ensure trust into the application”.
In the eyes of the privacy savvy, the Commission Recommendation follows a clear logic: as a tracing mobile application is more invasive than manual tracing, because of vulnerabilities that can be exploited by malicious third parties and because, with respect to those who could legitimately have access to personal data (the Government, third parties that act for the Government and the data subjects themselves), it is necessary to restrain access to data to the minimum necessary or preclude access altogether when data’s disclosure is redundant to achieve the objective.


At this junction the discussion should take note of the contributions made by software and privacy law experts that have joined together to offer the building blocks of a technology that would enable tracing for the control of the virus’ spread, while preserving the data subjects’ privacy. Worth mentioning is the PEPP-PT informal initiative (Pan-European Privacy-Preserving Proximity Tracing), consisting of an inclusive European team of experts to offer the building blocks and coding of privacy preserving technological solutions in the fight against COVID-19. The high-level information of the PEPP-PT mechanism available on their website ( describes the following elements of the solution: a) creation of an anonymous proximity history on a user’s phone. Thus, the history should reside on the user’s device and not elsewhere, thereby giving the maximum level of direct control to the data subject herself. To this end, an anonymous identifier is created, distances from other phones of PEPP-PT users are estimated via measured radio signals (Bluetooth et al.) and recorded only if there is sufficient proximity; b) the anonymous proximity history 
remains encrypted on the phone of the PEPP-PT user for no longer than necessary considering the virus infection latency (say 14 days) and can never be viewed by anyone, not even the PEPP-PT user. No location data is collected; c) once a PEPP-PT user (user “A”) has been deemed SARS-CoV-2 positive, the health authority will convey an activation code to the PEPP-PT user A, with which the encrypted proximity history is transmitted - in encrypted form - to a national trust centre in order to trace the contacts PEP-PT user A to other PEPP-PT users, e.g. PEPP-PT user B; d) the anonymous identifier is linked to a unique App-ID of PEPP-PT user B, who will then receive an encrypted and anonymized notification message and will be informed about the possible exposure. The notification message contains risk scores. From there, the operational follow-up process with the health authorities can be conducted, which is entirely country-dependent, i.e. independent of the PEPP-PT mechanism.
The PEPP-PT model may support both centralized and decentralized approaches, depending on whether the back-end system (e.g. the server that matches the unique identifiers that are recorded in the users’ own devices with actual individuals) is controlled by a central authority that could access data. One of the solutions proposed under the umbrella of PEPP-PT is the open protocol DP-3T promoted by a group of scientists and academic researchers. This is of particular interest in my view for the inherent privacy enhancing properties deriving from the decentralization in proximity tracing that DP-3T’s logic is built upon. The details of the DP-3T’s proposed solution may be consulted at, where also an overview of the data protection aspects of the design is available. The gist of the DP-3T’s proposal minimizes to the maximum possible extent the sensitive data processed through the application, by limiting the function of the backend server to that of transmitting encrypted and anonymous data (the ephemeral identifiers generated by the application and communicated via Bluetooth to the proximate app enabled devices of other users) to the device of the app’s user, who will be in a position to determine whether she was in contact with an infected person. The DP-3T consortium explains that no entity beyond the user’s own devices processes any personal identifiable information, so that, under normal circumstances, none of the data used to determine proximate tracing would qualify as personal data, because re-identification would not be reasonably likely to happen, as the means to be used to this end would be technically complex, costly and would be illegal. Yet DP-3T proposes a cautious approach and to nevertheless treat such data as personal identifiable information and make them subject to the obligations under the applicable data protection laws. On account of ethical considerations, DP-3T also suggests seeking the user’s inform consent at every critical point, even though it is acknowledged that legal grounds other than the user’s consent would likely subsist, as mentioned above in this article.
On April 10th, 2020 a further prompt for the technical viability of the Bluetooth based application discussed thus far has been generated by the joint statement of Apple and Google  The two leaders have announced the release in May of APIs that will enable the interoperability between Android and iOS devices using applications from health authorities and in the coming months a joint effort to enable a Bluetooth based contact tracing platform by building the functionality into their respective platforms.
The available technological means therefore permit tracing and anonymity or quasi anonymity to coexist. This determines that the measure of maximum efficacy of a tracing application may be espoused with the principles of data minimization and proportionality. Yet if the line of reasoning proposed at the beginning of this contribution holds water, data protection laws in the face of a critical public interest such as that of combatting a lethal pandemic, would permit less privacy respectful solutions, were no other reasonable alternatives available (which as shown is not the case). 
A question that has been raised is whether the adoption of any such contact tracing application should be voluntary and therefore the processing of personal identifiable information be based on the users’ consent. The DP-3T initiative, as mentioned, has replied in the affirmative to the question, even though the GDPR and the e-Privacy Directive both pave the way for processing short of consent, on the basis of public interest grounds. Yet, I endorse the voluntary adoption solution, first because in a democratic society making the application’s adoption mandatory would realistically translate into an unenforceable obligation and might even be counterproductive, as it could be perceived by users as a way for the State’s authorities to surreptitiously control them. Inevitably the uptake of the application  would be partial but might still be sufficient for the application’s efficacy if its deployment is supported by consistent public messages that encourage its adoption by citizens, on the basis of transparent and verifiable information on its functionalities and purposes and possibly even incentives (as for example permitting more freedom of movement when the user uses the application).

The above provides a photograph to date of the technological and legal discussions around a contact tracing application for the fight against the Covid-19 spread. The case is of the outmost interest for privacy professionals, because the underlying quasi-existential threat posed by the COVID-19 pandemic presents the occasion for a stress test for data protection laws and its principles. One might in fact be brought to believe that data protection poses unreasonable a hurdle to the adoption of an application that helps tracing infected people and their proximate contacts. The numerous contributions that, as described in here, have piled up and should expect to accumulate further, show that doing away with privacy is illegal and moreover un-necessary, in particular because technology may well work as an ally of privacy. As a matter of fact, the technological solutions that have been proposed would liberate individuals from the (false) alternative between privacy and health. As discussed, the measure of maximum efficacy that can be expected from a tracing application is that it makes users aware that they have been in proximity with an infected person and this finality may be pursued without public authorities harvesting location data or health data and by substantially respecting data subjects’ anonymity. What comes before that point in time (seamless testing) and afterwards (quarantining in appropriate isolated conditions of those at risk of infection), calls for an integrated, much wider strategy, that must accompany the tracing technology.