Italy has been the first western democracy to be hit by the spread of COVID-19 and, as a result, from the end of February 2020 the Italian Government has had to quarantine a large area south west of Milan, in the heart of one the most important industrial district[1]of the country. The area was declared a “red zone”, with no access or exit allowed other than to guarantee essential supplies (food, medicines, other medical equipment). On March 1stanother decree extended the duration of the quarantine measures to two small cities in the Veneto region; schools were closed, sport events cancelled, coffee houses, bars and restaurant’s openings were limited, but only in the Northern regions, namely Lombardy, Veneto and Emilia.
Due to the increased spread of the disease, on March 8 the whole nation was declared “orange zone”[2]and severe limitations where imposed on all sectors, with the closing of most industrial activities, schools and Universities and limitation of movements, which were allowed only for “proven reasons” or for “necessity” (purchase of food and/or medicine). Newspapers, grocery stores, pharmacies, supermarkets and food stores could continue their activity, and so could newspapers, TV and radio stations.
The streets of all cities in Italy suddenly were empty, the Unions negotiated with the government and the industry associations which factories were to be declared essentials, and the ones that were allowed to operate had to implement sanitation measures and the use of Personal Protective Equipment (PPE) to assure operations in a safe environment.
These measures have been widely accepted as necessary in the fight against COVID-19, but they have raised some eyebrows to many scholars. In principle in fact all these measures limit some of the basic freedoms of a democracy and are in sharp contrast with the principles of freedom expressed in the Italian Constitution. Under our Constitution, Italians have the right to circulate freely[3]and to go abroad and come back as they wish; since the measures required that people keep a safe distance (1 meter or more from one another) this limits the constitutional right to assembly[4]; schools were closed, albeit the Constitution requires schools to be open to everyone[5]; factories, shops and most commercial and manufacturing activities have been closed as well, whereas the Italian Constitution protects the right to free enterprise[6].
In summary the measures taken by the government (and later on copied by most European and non-European countries) in principle seemed to pose serious limits to the rights protected by the Constitution.
This limitation was possible for several reasons: first of all they have all been taken to protect the right to public health, which is expressly granted and protected in our Constitution[7]; hence, they were not the result of an anti-democratic spree but the result of the actual implementation of a constitutional right. More important, the measures were all declared to be temporary and necessary to fight the epidemic; third, the Constitution must be read in a systematic way, by that meaning that each single right must be balanced with the other rights granted. Therefore in a situation like the one caused by the corona virus the right to public health has been felt to prevail, again because the limitations have been justified and temporary in nature[8].
In other words, the check and balances called for by the Italian Constitution have granted the legal basis for the protective measures taken to fight against COVID -19.
The Right to Privacy vs the Right to Public Health
The fight against the virus has continued for weeks now, and many are pushing for the use of available technologies to trace people, purportedly with several aims, many of which are not very clear. The use of technology has already had a precedent in South Korea, where they used under a model already developed during the Middle East Respiratory Syndrome (MERS) epidemic of 2015.[9]
The idea to use technologies stems from one simple fact: the disease is transmitted from person-to-person contact. In many instances the infection is spread by not-yet symptomatic individuals hence the retrospective tracing of movements and contacts of these persons is key to prevent the spreading of the epidemic. The fact that individuals are the main source of the disease requires the collection and the processing of personal data of almost every individual for this effort to be successful, since everyone could be infected and/or a vehicle of infection, and this raises several issues, the first ones being obviously privacy issues. This has led one well known Italian politician to state publicly that he believed that “stopping privacy laws for one year” was key to allow the fight against COVID – 19.[10]
The right to privacy, under Italian law, is a constitutional right, just as the right to public health. The difference between the two is that section 32 of the Italian Constitution expressly protects the right to public health, whereas the right to privacy is not clearly and expressly protected in the Constitution. Case law, starting from 1963[11], has determined that the right to privacy stems from the fundamentals right of the persons [12], protected by section 2 of the Constitution. Hence, both the right to public health and the right to privacy are constitutionally protected. In similar cases the question is: which one shall prevail? Is the right to health more important than the right to privacy, or is it the opposite?
The question is moot. A right protected by the Constitution is not meant to be interpreted in a way to weaken other constitutional right, in fact it is the opposite. The different rights granted by the fundamental charter must co-exist and each must be interpreted in a way to protect and indeed foster and enhance the others. It is just not conceivable that one constitutional right gets in the way of implementing another constitutional right: very simply the two rights must be interpreted in synchrony so that all values of freedom and liberty each one represents are duly granted to everyone.
Nevertheless, the right to privacy has often been claimed to be in contrast with another constitutional right, namely the right of free speech and the freedom of press. Examining these cases the Supreme Court has established that the Courts must look at the circumstances of each case and strike a balance between the different rights to decide, only on that basis, if and which of the rights must prevail over the other one. Specifically, in one of the cases[13]the Court established that the right to free press cannot prevail over the right to privacy and specifically the publication of the image of a person without consent could be justified only if the publication itself was essential to the news, while the news could be deemed complete with the simple indication of the name (or of the initials) of the suspect.
The COVID – 19 epidemic has highlighted a potential conflict between the right to health and the right to privacy, since many seem to believe that tracing social contacts may be one of the main means to fight against the infection. The fact is that tracing persons almost inevitably does raise privacy issues, since tracing persons and their social contacts creates the risk of gathering information totally unrelated to the risk of the disease, revealing aspects of the personal life of the persons involved that have nothing to do with the infection.
But before getting into the heart of the issue, i.e. the evaluation and the consequences and the effectiveness of using certain technologies to fight and reduce the infection, it is important to understand if there is a real conflict between the right to privacy and the right to public health.
The main legislation on protection of personal data in Europe is the General Data Protection Regulation[14](GDPR) which gives a very precise indication on this very point. Recital number 46 highlights the various circumstances were processing persona data is lawful and expressly states the following:
“The processing of personal data should also be regarded to be lawful where it is necessary to protect an interest which is essential for the life of the data subject or that of another natural person. Processing of personal data based on the vital interest of another natural person should in principle take place only where the processing cannot be manifestly based on another legal basis. Some types of processing may serve both important grounds of public interest and the vital interests of the data subject as for instance when processing is necessary for humanitarian purposes, including for monitoring epidemics and their spread or in situations of humanitarian emergencies, in particular in situations of natural and man-made disasters.”[15]
It is clear that public authorities, therefore, have all the legal grounds necessary to collect and process data when the aim of such processing is to fight an epidemic, just as in the case we’re facing, and that there is no conflict between the right to privacy and the right to public health. This principle has been highlighted also by the European Data Protection Supervisor [16]. Therefore, the collection and processing of personal data under the present circumstances is in principle lawful and fully justified.
As I said above, though, all rights have to be harmonized, so that in protecting one right another one is not violated, hence it is necessary to understand what is the processing of personal data that is proposed and what are the technologies of which use is envisaged. Since the main vehicle for transmitting the virus is human contact, tracing people’s contacts is the main goal pursued by the authorities. On the other hand, tracing all the contacts of a person seems to be very difficult, since there is no technical mean to know exactly all the people one has met in her/his movements; lacking a significant infrastructure and massive data bases on all the population, tracing an entire country is therefore practically impossible in our western democratic society. While the output of technologies may therefore be more limited with respect to some of the expectation that have been raised, they can help in many ways. Recording and processing mobility data[17]with different devices and technologies can help achieve some of the goals pursued; it is important therefore to understand what these goals are and to evaluate what each technology can offer.
The Measures Taken, the Aims Pursued and the Technologies
The major aim of all measures taken so far by most European governments has been to stop the spreading of the disease. These measures have basically two pillars: (i) limit the circulation of citizens and (ii) avoid large assembly of persons. Citizens can move only if they have to go to work (assuming they are employed in one of the few activities open) or for strict necessity (buying food, medicines and the like). Jogging and other physical activities have been banned, gatherings of more than two people have been forbidden, dog owners have been required to walk their dogs close to home and to stay out as little as possible, anyone going out has to wear masks, and in selected places (grocery stores and supermarkets) shop owners have been asked to measure the temperatures of employees and of all customers[18].
In this regulatory scenario the technologies envisaged are many, ranging from drones to Wi-Fi, Bluetooth, Cell towers location data, apps to be used on smartphone, CCTV, in essence any technology that can collect mobility as well as location data, with the aim to identify the people who have contracted the disease and the others that have been in contact with these persons, thus isolating infected people and decreasing the rate of infection[19].
The Requirements under the GDPR
GDPR requires data to be processed in a transparent way, which means that the purpose pursued must be known and lawful, that the data must be limited to what is necessary to achieve the purpose that has been declared (data minimization); the data must be accurate and must be kept only for as long as necessary to pursue the purpose declared, and finally secured with appropriate technical and organizational measures[20].
In practical terms, this means to make transparent to all users and to all subjects, with appropriate means:
- the data to be processed: which data will be collected and who should collect them;
- which technology shall be used and why: are there any alternatives? Is the chosen technology the only one that can help achieve the declared purpose?
- The purposes to be pursued: assuming the final goal is to limit the spreading of the disease, why the data collected with that specific technology is needed and how shall it be used to achieve the goal;
- who shall process the data: who are the physical and legal subjects (public health authorities, medical staff, etc) who shall have access to the data?
- How the data shall be used: shall the data be centralized? Shall it be accessible through a network so researchers and medical staff shall have access to it? The data shall be anonymized, or each data subject shall be recognizable?
- What security measures will be taken: what technical and organizational measures must be taken to protect the data from unintended or unlawful use or access?
- How long the data shall be kept: will it be kept for as long as the epidemic continues, or for a predetermined period, or shall it be kept forever for possible, future reference? And in the latter case, who shall have access to it and for what purpose?
While this seems to be legalistic bureaucracy, in practical terms it is not. Anyone developing a software program knows what specific set of data is needed and why, in relation to the purpose to be pursued. Anyone using a given technology has made a choice as to why use that specific technology and not another one; anyone knows the risks if data are not adequately protected, and so on. Therefore, all the requirements listed above are easily met, and in fact they are the necessary prerequisites for any development process.
The Technology Test: Are They Really Useful
Having set the stage in this fashion, let’s see if the technologies commonly indicated as necessary to help stop the virus spread can help, and to what extent; this test must be run against the declared purposes of:
- Limiting mobility by tracing movements;
- Avoiding large gathering of people;
- Tracing contacts to isolate potential infected persons.
The following highlights the pros and cons of some of the technologies used or proposed for use
Technologies | General remarks – Weaknesses/Advantages | Purpose: Tracing movements | Purpose: Avoid excessive gatherings | Purpose: Identifying contacts |
Cell-phone tracing |
The data from cell phones is somewhat limited since it does not establish the exact location, but only an approximate location (i.e. it indicates the presence in a given cell). It can identify and help trace movements, but can hardly identify contacts. Data about people’s gathering can be misleading (people living in large apartment complexes, people shopping in supermarkets or using public transport etc). Extrapolating data can be time consuming, therefore the overall effect is limited since data may not be immediately available. |
YES |
MAYBE |
NO |
GPS |
Better accuracy than cell-phones signal, but nevertheless doubtful (from one meter to 50 meters). Phones do not record location data, unless an App is installed to do that, but in that case a third party has the data. It can trace movements better that simple cell-phone tracing but not identify contacts. |
YES |
MAYBE |
NO |
Bluetooth |
Same as GPS, but weaker signal and limited range. It is used in stores to identify movements of customers, but bluetooth must be turned on, otherwise it does not work. Not all cell phones have blue tooth on, since it consumes battery. |
YES |
NO |
IN LIMITED CIRCUMSTANCES |
Drones |
Drones equipped with TV cameras can single out individuals and their contact but cannot cover all the population and facial recognition is almost impossible without a data base with the image of every person in the nation. |
YES |
YES (in open spaces) |
POSSIBLY |
Wi-Fi |
wi-fi tracking and wi-fi positioning are available technologies developed and used for commercial applications to analyze the signals emitted by a device in order to collect information on its owner such as position, frequency of presence in a given place, etc. Unlike Bluetooth, most devices always have the wifi function on. The presence of a device carried by a person (smartphone, tablet, etc.) that emits signals allows to capture the MAC address of that device and triggers the analysis and processing of personal data. The issue here is the possibility to have access to the data collected by different Wi-Fi antennas.
|
YES |
YES |
YES |
Apps |
The whole world is trying to develop Apps to trace movements of infected people and locate their position. There is no information available at this time since no COVID-specific App has been yet released, mostly for the potential privacy implications. Google and Apple have announced a partnership, to this extent. Both companies have most of the necessary technologies and extensive data bases of their users, so they may be better positioned to exploit these resources to come with a useful result. Some scholars have warned that “a contact-tracing app which builds a memory of proximity contacts and immediately notifies contacts of positive cases can achieve epidemic control if used by enough people”[21]. |
N/A |
N/A |
N/A |
Other technologies or data bases can add additional information to complement the data collected with each of the technologies indicated above, i.e. CCTV, credit card transactions and more. In summary, while every one of the technologies can be used to address some of the purposes pursued, apparently none of them appears to have the possibility to be used to achieve all three purposes. In general, a huge amount of data (location data, mobility data, contacts, etc), use of the same technology (App) and its vast acceptance from the population of it are needed to achieve significant results[22].
The legal scenario is quite clear: personal data like mobility data and other personal information can be used to try to fight the expansion of the disease. It is also clear that tracing an entire population (or a significant part of it) in a scenario where constitutional rights have already been somehow affected, raises serious and justified fears of the creation of a control society. Similar doubts and issues have been raised in many countries, most notably in the US, where various scholars have debated the risks to privacy[23]and some have drafted a bill to guarantee adequate safeguards against a potential control society[24]. Therefore in designing the system or application intended to collect personal data to fight the virus there are substantial safeguards to be applied to the processing of the data. Most of them have been indicated above, but the main ones are anonymization of data, whenever possible, and a clear definition of the retention period. The present limitations to our constitutional right have been accepted because of their temporary nature; likewise, any tracing technology, if anonymity is not possible, must be limited in time, transparent and clear in its scope. In addition, adequate security measures (both technical and organizational) must be implemented to avoid unlawful use of the data, unauthorized access and overall integrity of the data and of the process itself.
[1]Law Decree of Feb. 23, 2020, n. 6.
[2]DPCM of March 8 and DPCM of March 9, 2020.
[3]Sec. 16 of the c Italian Constitution.
[4]Sec. 17 of the Italian Constitution.
[5]Sec. 34 of the Italian Constitution.
[6]Sec. 41 of the Italian Constitution.
[7]Sec. 32 of the Italian Constitution reads: “The Republic protects the health as a fundamental right of the citizen and of the collectivity…(omissis)”.
[8]Sec. 16 of the Constitution foe example, establishes the right of free circulation of citizens but admits limitations to it in case of “the limitations generally required for reasons of public health or safety”; hence the principle that limitation to constitutional rights to protect the health of citizens is expressly stated in the Constitution.
[9][Osong Public Health Res Perspect 2020; 11(1):60-63].
[10]https://www.repubblica.it/politica/2020/03/26/news/zaia_sospensione_privacy-252373104/?fbclid=IwAR0fHk5cVCc-YriBHb5QKUGnWpEHYivW26AkA4TRXAow2AhcYFjYouPnPx4).
[11]Italian Supreme Court (Corte di Cassazione) decision n. 900/1963. This basic principle was confirmed by decision 2129/1975 of the Supreme Court.
[12]Section 2 of the Italian Constitution: “The Republic acknowledges and protects the inviolable rights of the persons […]” (omissis).
[13]Corte di Cassazione Sec. 1, n. 15360/2015, Rv. 636199.
[14]Usually referred to as GDPR, i.e. Regulation (EU) 2016/679 of the European Parliament and of the Council, https://eur-lex.europa.eu/legal-content/EN/TXT/PDF/?uri=CELEX:32016R0679&from=EN.
[15]GDPR, Recital n. 46, underscore added.
[16]“GDPR states also that the right to the protection of personal data is not an absolute right; it must be considered in relation to its function in society and be balanced against other fundamental rights, in accordance with the principle of proportionality.” https://edps.europa.eu/sites/edp/files/publication/2020-04-06_eu_digital_solidarity_covid19_en.pdf.
[17]Mobility data are different from location data, in that they add time end movement to location data. Location data have been defined by Directive 2002/58/EC as “any data processed in an electronic communication network indicating the position of the terminal equipment of a user of a publicly available electronic communication service”, while mobility data do not have a statutory definition and have been defined as “personal data that indicates all the places where a person has been and hence her/his movements in space and time” (R. Zallone, Santa Clara High Technology Law Review, Volume 30, Issue I, 2.25.2014, https://digitalcommons.law.scu.edu/cgi/viewcontent.cgi?article=1576&context=chtlj).
[18]Ordinanza of Regione Lombardia n. 514 of March 21, 2020
[19]The efforts to develop SW for tracing people and their contacts are countless. Among others, Google and Apple have declared to have joined forces in this pursuit; in Europe https://www.blog.google/inside-google/company-announcements/apple-and-google-partner-covid-19-contact-tracing-technology/; in Europe several companies have partnered in an effort to develop a so-called Pan European Privacy-preserving proximity tracing https://www.pepp-pt.org/.
[20]GDPR, article 5.
[21]Quantifying SARS-CoV-2 transmission suggests epidemic control with digital contact tracing
at https://science.sciencemag.org/content/early/2020/04/09/science.abb6936?rss=1.
[22]That is why I stated that Apple and Google are most likely the only ones to have enough data to this purpose. Google has already volunteered its location data DB to help fight COVID, see https://www.wsj.com/articles/google-offers-user-location-data-to-health-officials-tackling-coronavirus-11585893602?mod=searchresults&page=1&pos=1.
[23]Privacy and pandemic: a thoughtful discussion at https://fpf.org/2020/03/27/privacy-and-pandemics-a-thoughtful-discussion/.
[24]Proposed protection for digital interventions and in relation to immunity certificates, by Lilian Edwards, Michael Veale, Orla Lynskey, Carly Kind, Rachel Coldicutt at https://osf.io/preprints/lawarxiv/yc6xu/.