App Immuni: the approval of the Italian Data Protection Authority

The Immuni App is available for download in the Apple and Google App Stores.

The app was preceded, even before the expectations on its possible effectiveness to fight the pandemic, by the doubts on its possible violation of privacy.

Doubts that must have been now resolved, at least in theory, given that the Italian Data Protection Authority (DPA) after having examined the App Data Protecion Impact Analysis (DPIA) – that is the ultimate document that analyzes the risks connected to the use of any mean –  determined that Immuni complies with the GDPR.

Apparently, the Immuni App does not ask for any personal data: it does not know our names, surnames, e-mail addresses, telephone numbers, geographic locations, nothing.

The user downloading the app receives a code which is sent – via bluetooth – to other Immuni App within a certain range, memorizing at the same time the codes coming from the other ones.

When a person that installed Immuni contracts Covid-19, the app sends a message to all the other apps it intersected in the last days, which will show on the smartphones of the anonymous recipients a message that invites them to get a medical check-up.

No one will know who the intersected people by the Covid-19 contractor are and it will be their choice to contact their doctor or not, even though it is a good rule to do so.

Obviously, the system verifies the proximity between smartphones but it can’t know more than this.

Thus, if two phones are close, maybe because they were put on the same piece of furniture, without the respective owners ever getting close to each other, in case one of them contracts the virus the alert message will be generated even though there could not be any immediate danger. Vice versa, the app will never identify people intersected by the infected subject if they do not have their phones with them.

This is a technical and objective limit and the Italian DPA made sure the users to be aware of this:

The authority asked that the users be adequately informed on the functioning of the calculation algorithm used to evaluate the risk of exposition to the infection. Users have to be informed that the system could generate alerts of exposition that might not always reflect an actual danger situation”.

“Technical and organizational measures have to be adopted to mitigate the risks deriving from false positive cases. Particular attention must be dedicated to the information sheet and the alert message, taking into account that the System will be used even by minors below the age of 14”.


The collected data could then be processed only for the purposes provided for by the regulation that rules the App, and the Italian DPA highlights that:

“The transparency of the collected data processing for statistical-epidemiologic purposes must be guaranteed and adequate modalities to protect them must be individuated. This is to avoid any form of data re-association to identifiable subjects and adopt appropriate security measures and anonymization techniques. Measures to assure the tracing of operations carried out by the system administrators on the operating system, the network and databases must also be introduced”.

It should be noted that there is data processing even in case of pseudonymization, that is even if a data becomes anonymous there is still a way, even indirectly and with many steps, to identify the subject to whom the data belongs.

In the case of the Immuni App, it seems that there is a real anonymization and the DPA, not surprisingly, suggests to avoid any possibility to trace back the anonymous data to the identifiable subjects, thus ensuring a real anonymization.

It is true that the App cannot avoid the tracing of the IP addresses that, as we know, are effective tools for the identification of individuals, but the Italian DPA stated that:

“The conservation of the smartphones’ IP addresses shall be proportionate to the time strictly required to detect anomalies and attacks”.


With the recommendations above cited, the Italian DPA approved the Immuni App and stated that:

“On the basis of the DPI relayed by the Minister, the personal data processing performed in context of the System can be considered proportionate, having provided measure to sufficiently ensure the respect of rights and freedom of the subject that mitigate risks that could derive from data processing”.

If the DPA says so, we must trust it, unless one wants to challenge the prestige of the leading authority in the matter, feared often for its rigour.

There is no doubt that the Immuni App raised an interest on privacy protection that we could only be happy about.

One can hope that finally many users will start to ask questions on the processing of their own data even when using social networks, pedometers and heartbeat sensors or those funny apps that show one’s older look.

On these apps, which in contrast with the Immuni App do not have the purpose of saving lives, one really must wonder and reflect.