Pago PA S.p.A – Violation Found (Italy, 2021)
Pago PA S.p.A's app, IO, was found to track users without their consent. This is important because it shows that even public services must follow privacy rules. Companies should ensure they get permission before using tracking technologies.
What happened
Pago PA S.p.A's app IO tracked user behavior through Google and Mixpanel without obtaining consent.
Who was affected
Users of the IO app who had their behavior monitored without consent.
What the authority found
The Italian data protection authority found that Pago PA S.p.A violated GDPR by using third-party cookies before obtaining user consent.
Why this matters
This case highlights the need for all companies, including public service apps, to prioritize user consent for tracking. It sets a precedent for stricter enforcement of privacy rules in digital services.
GDPR Articles Cited
Original data from scraper before AI verification against source document.
“IO” is an app run by the Italian public payment system “PagoPA S.p.A” (S.p.A is the Italian equivalent of PLC, Public Limited Company). The app IO offers access to all of the digital services of the Italian Public Administration, and has been downloaded by more than 11.5 million users. It offers access to over 12,000 services, such as tax payment systems, which are provided by more than 5,000 national and local institutions.
The Italian DPA (Garante per la protezione dei dati personali) previously recognized some weaknesses in the IO app, in an opinion issued on June 12th, 2020 (document 9367375, https://www.garanteprivacy.it/web/guest/home/docweb/-/docweb-display/docweb/9367375). For this reason, after the decree of May 31st, 2021, which established the digital COVID-19 Green Certifications, the Italian DPA reserved the right to conduct further investigation of the app IO, since citizens can use the app to receive and demonstrate their Green Certifications.
Through investigation, the Italian DPA detected some critical issues in the app’s interactions with Google LLC and Mixpanel Inc. These interactions include a tracking system that allows the app to link frequent behavioral patterns to certain identified (or identifiable) individuals while using the different services offered by the app IO. On the one hand, use of the app on an Android device automatically triggers Google's Firebase Analytics services, which allow Google to monitor installation of the app and to send push notifications. On the other hand, Mixpanel's tracking libraries, embedded in the app IO, automatically send data about a wide variety of app-based actions tied to a uniquely identified user back to Mixpanel systems. Both of these functions are triggered automatically during the user’s first access of the app IO, and it is up to the users themselves to disable the services if they are not interested in them. The Italian DPA opined that data processing by Google and Mixpanel on the app IO do not conf
Outcome
Violation Found
The DPA found a violation but did not impose a fine.
Violations (2)
Non-essential cookies (tracking, advertising) are placed on the user's device before obtaining valid consent.
Art. 6(1) GDPR
Third-party tracking cookies or scripts are loaded without obtaining prior user consent.
Art. 13, 14 GDPR
Related Enforcement Actions (0)
No other enforcement actions found for Pago PA S.p.A in IT
This is the only recorded action for this entity in this jurisdiction.
About this data
Cite as: Cookie Fines. Pago PA S.p.A - Italy (2021). Retrieved from cookiefines.eu