The Americas: Argentina | Brazil | Mexico
East Asia, South Asia and Pacific: Australia | China | India | Japan | South Korea | Taiwan
Europe and Central Asia: European Union | England | France | Iceland | Italy | Norway | Portugal | Russia | Spain | Turkey
Middle East and Africa: Iran | Israel | South Africa | United Arab Emirates
Since the breakout of the COVID-19 pandemic, Italy has put in place a number of initiatives to trace, store, and share information on traffic and location data of telephone users in order to alleviate the effects of the pandemic. A national task force composed of different professionals is currently reviewing a national plan with proposals that would be implemented by legislation. The proposed measures include the use of apps on a voluntary and anonymous basis by citizens, as well as tracing and data-sharing technologies. Issues concerning respect for European Union law and Italian constitutional standards are being weighed in the decision to implement new technological measures.
A. Current Statistics on COVID-19
According to Italy’s Health Ministry, as of May 22, 2020, the current situation in the country with respect to COVID-19 is as follows:
- Currently positive: 59,322 cases.
- Dead from COVID-19: 32,616 cases.
- Recovered from COVID-19: 136,720 cases.
B. Mobile Phone Statistics
As of 2020, about 44 million Italians are smartphone users.
II. Legal Framework
A. Privacy and Data Protection
The Italian Constitution guarantees the inviolable freedom and confidentiality of correspondence and of every other form of communication. Other legislation and regulations protect privacy rights and data. The main legislative instruments are the EU Code on Protection of Personal Data, which was adapted by Italy’s national legislation in 2003, and Legislative Decree No. 101 of 2018, which implemented the EU’s General Data Protection Regulation (GDPR) and which broadly provides that personal data processed for public interest purposes or pursuant to official authority may be disseminated or communicated to entities that process such data for other purposes only under qualified criteria.
Legislative Decree No. 101 of August 10, 2018, generally states that personal data may be collected provided that certain guarantees are undertaken considering the purposes for the gathering of the data--specifically, identification of encryption and security techniques including pseudonymization, minimization measures, specifications for selective access to data, and any other measures necessary to guarantee the rights of interested parties.In general, Italian legislation and regulations applicable to the collection and use of personal data mandate that personal data must be treated in a correct and lawful manner according to the express and legitimate purposes for which it was collected and must be preserved in a manner that allows interested parties full access to it and the opportunity to update it when necessary, and that an adequate level of safety and protection from unauthorized access and use must be guaranteed.
In addition, Italy’s Personal Data Protection Code provides that in the case of a personal data breach, providers of electronic communication services that are accessible to the public must give notice of such breach to the authorities without delay. When the breach entails prejudice to the personal data or the confidentiality of a party, the provider must also give prompt notice to such party.
The Italian Data Protection Authority (DPA), an independent administrative authority established by Law No. 675 of December 31, 1996, is the supervisory authority responsible for monitoring application of the General Data Protection Regulation. The DPA is regulated by the Personal Data Protection Code.
B. Data Retention and Location Tracking
Law No. 167 of 2017 regulates data retention in Italy. That law implements EU directives and amends provisions of the Italian Criminal Procedure Code and other legislation to state that telecommunication operators must retain “telephone and telematic traffic data as well as data relating to unanswered calls” for a period of 72 months. The requirement that such voluminous data be retained for this length of time has been criticized on privacy grounds.
The European Data Portal contains information on the portions of Italian territory for which specific COVID-19 containment measures have been adopted. In the case of Italy, mobile carriers are reportedly sharing data with health authorities to fight the coronavirus by monitoring whether people are complying with lockdowns or other movement restrictions. This data is said to be “anonymous and aggregated,” and “make[s] it possible to map concentrations and movements of customers in ‘hot zones’ where COVID-19 has taken hold.” Italians mobile carriers Telecom Italia, Vodafone, and WindTre have offered to gather and deliver aggregated data to the authorities in order to monitor people’s movements.
The Lombardy region has ued such data to determine observance of lockdown measures; movements exceeding 300 to 500 yards are reportedly down by around 60% from late February when the first case was discovered in the Codogno area.
III. Electronic Measures to Fight COVID-19 Spread
According to the Italian Health Ministry, a surveillance network on new COVID-19 cases, controls, and screening is currently active under the coordination of a national task force established to regulate the use of technology to fight the spread of COVID-19. Since January 31, 2020, when a state of emergency was declared, a Special Commissioner for the emergency has been appointed and a technical-scientific committee has been established to deal with emergencies. The national task force is soon to announce potential technological solutions to trace and isolate those who have tested positive for COVID-19. Tech companies and research institutions have provided suggestions to the Italian government, including one proposal “that would analyze user data from Facebook to determine the mass movement of people.” Facebook’s Data for Good unit “has been sharing aggregated data collected from location tracking software on mobile phones with researchers at the University of Pavia,” while an extant proposal would also review ways to use from Facebook’s GeoInsights portal.
A broadly used and voluntary application adopted by the government of Lombardy requests users “to fill out a questionnaire with their symptoms to build a map indicating the risk of contagion.” The app, called “AllertaLOM,” captures “a phone’s IMEI code, the unique serial number that all smartphones carry, and the user’s IP address.” The app is available from the Apple, Google Play, and Huawei stores. It enables all users, whether symptomatic or not, to fill in an integrated questionnaire enabling the collection of data, in an anonymous format, and to make it available to the regional crisis unit and other authorities monitoring the spread of the pandemic in the Lombardy region. The app was developed by the digital company ARIA S.p.A. in collaboration with the San Matteo Hospital and the University of Pavia. It allows the authorities to compile statistic and epidemiological information that can be used to calculate the potential “level of risk contagion, thus reinforcing the protection of all citizens, whether or not symptomatic.”
These and other proposals have triggered an ongoing discussion in Italy as to the level of privacy rights and data protection that these new technologies would afford to citizens. Some argue that, based on the extent of the pandemic in Italy, “concerns about user privacy and data sharing should be temporarily put on hold.” The national Constitution allows for measures aimed at protecting the health of a whole nation.
In April, a company called Webtek released an app called “StopCovid19.” The app traces the movements of users using GPS by having users connect their phone numbers to the app, which in turn uploads their location into a database, so only health authorities may determine the contacts a person who has tested positive with COVID-19 has had in a determined period of time and venue. In particular, the app “would record when the user came into proximity with another smartphone user with the app, for how long and at what distance and if a person tested positive for the coronavirus, authorities would be able to trace the contacts and alert them.” The system would make “it possible to warn someone who comes into close contact with someone who then tests positive for COVID-19, even if they then travel on to another EU country.”
Some observers have raised important issues of privacy and data control. In this context, on April 30, 2020, the Italian government issued Decree-Law No. 28, which creates the COVID-19 Alert System, which is designed to alert people who have had close contact with those who have tested positive for COVID-19 in order to protect their health through preventive measures. The Alert System is based on an application to be installed voluntarily by citizens on their mobile telephones. All data is compiled by several layers of government authorities coordinated by the Ministry of Health, which must ultimately adopt all the measures necessary to guarantee an adequate level of security, considering the risks involved and the rights and freedoms of the concerned parties. Decree-Law No. 28 also makes explicit reference to all the guarantees and safeguards established for the use and protection of personal data by the EU GDPR. The use of the app and of each piece of personal data acquired through it will cease when the state of emergency declared by the Council of Ministers on January 31, 2020, is lifted, and in any case the app cannot be used beyond December 31, 2020, when all personal data must be cancelled or classified as definitively anonymous. The app, “which uses Bluetooth, won’t geo-localize users, and data will only be mined for purposes of containing the virus or for epidemiological study.”
According to Decree-Law No. 28 the process to alert persons potentially contacted by infected individuals is based on the processing of proximity data of the devices, on an anonymous basis or, when not possible, pseudonymized, but at any rate the geolocation of individual users is forbidden. The data collected through the app may only be processed for the purposes stated in Decree-Law No. 28, which includes the possibility of aggregation in an anonymous form, exclusively for public health, prevention, statistical or scientific research purposes.
Italy has also signed a deal with telecoms operators to collect anonymized location data.
The Italian government has stated that ultimately any movement-tracing technological solutions would have to comply with EU regulations and be sanctioned through legislation in the country, and has reiterated that all data gathered during the pandemic will be discarded afterwards.
The Italian Civil Aviation Authority (Ente Nazionale per l’Aviazione Civile, ENAC) has approved the use of drones by local police to monitor social distancing. Drones can be used in urban areas or “where there are small populations exposed to the risk of impact.”
Prepared by Dante Figueroa
Senior Legal Information Analyst
 The EU Code on Protection of Personal Data was made directly applicable in Italy by the Codice in Materia di Protezione dei Dati Personali, approved by Decreto Legislativo 30 Giugno 2003, n.196 recante il “Codice in materia di Protezione dei Dati Personali”, G.U., July 29, 2003, https://perma.cc/AGJ9-3V84, https://perma.cc/3MYV-A3KN (English translation).
 Decreto Legislativo 10 Agosto 2018, n. 101, Disposizioni per l’Adeguamento della Normativa Nazionale alle Disposizioni del Regolamento (UE) 2016/679 del Parlamento Europeo e del Consiglio, del 27 Aprile 2016, relativo alla Protezione delle Persone Fisiche con riguardo al Trattamento dei Dati Personali, nonche’ alla Libera Circolazione di tali Dati e che Abroga la Direttiva 95/46/CE (Regolamento Generale sulla Protezione dei Dati), G.U. Sept. 4, 2018, no. 205, https://perma.cc/37DP-TWY6.
 Decreto Legislativo 10 agosto 2018, no. 101, art. 2 para. 1(f) (adding art. 2-ter (3)).
 Decreto Legislativo 10 agosto 2018, n. 101, art. 2 para. 1(f) (adding art. 2-septies(5)).
 Decreto Legislativo 18 maggio 2018, n. 51, Attuazione della Direttiva (UE) 2016/680 del Parlamento Europeo e del Consiglio, del 27 Aprile 2016, relativa alla Protezione delle Persone Fisiche con Riguardo al Trattamento dei Dati Personali da parte delle Autorita’ Competenti a fini di Prevenzione, Indagine, Accertamento e Perseguimento di Reati o Esecuzione di Sanzioni Penali, nonche’ alla Libera Circolazione di tali Dati e che Abroga la Decisione Quadro 2008/977/GAI del Consiglio, art. 3(1), G.U. May 24, 2018, no.119, https://perma.cc/E6T2-X657.
 Decreto Legislativo 28 Maggio 2012, n. 69, Modifiche al Decreto Legislativo 30 Giugno 2003, n. 196, recante Codice in materia di Protezione dei Dati Personali in Attuazione delle Direttive 2009/136/CE, in materia di Trattamento dei Dati Personali e Tutela della Vita Privata nel Settore delle Comunicazioni Elettroniche, e 2009/140/CE in materia di Reti e Servizi di Comunicazione Elettronica e del Regolamento (CE) n. 2006/2004 sulla Cooperazione tra le Autorita’ Nazionali Responsabili dell’Esecuzione della Normativa a Tutela dei Consumatori, art. 1(3), G.U. May 31, 2012, https://perma.cc/8N5Z-R5NU.
 Regulation No. 2016/679, art. 51.
 Legge 20 novembre 2017, n. 167 Disposizioni per l’Adempimento degli Obblighi Derivanti dall’Appartenenza dell’Italia all’Unione Europea - Legge Europea 2017, G.U., Nov. 27, 2017, https://perma.cc/JNG6-MPV6.
 Id. art. 24(1).
 Coronavirus: La Situazione Attuale, Ministero della Salute, supra note 1, “Sorveglianza e Controlli.”
 Chiara De Cuia, How Is Italy Handling the Coronavirus, Lawfare (Mar. 6, 2020) (referring to article 16 of the Constitution, which “provides for its [freedom of movement] restriction for public health and security reasons”), https://perma.cc/YG9F-YGXH.
 Decreto-Legge 30 Aprile 2020, n. 28 Misure Urgenti per la Funzionalita’ dei Sistemi di Intercettazioni di Conversazioni e Comunicazioni, Ulteriori Misure Urgenti in materia di Ordinamento Penitenziario, nonche' Disposizioni Integrative e di Coordinamento in materia di Giustizia Civile, Amministrativa e Contabile e Misure Urgenti per l’Introduzione del Sistema di Allerta Covid-19 (D.L. No. 28), art. 6(1), G.U. Apr. 30, 2020, no. 111, https://perma.cc/6B6V-NB86.
 Id. art. 6(2).
 Id. art. 6(2)(a), (b) & (f), (3).
 Id. art. 6(6).
 D.L. No. 28, art. 6(2)(c).
 Id, art. 6(3).
Last Updated: 12/30/2020