EU: Digital Green Certificates – problem-solver or problem-creator?
On 17 March 2021, the European Commission announced a proposal for a legislative framework [1] that would allow the bloc's 450 million people to travel freely within the EU during the ongoing COVID-19 pandemic. The proposal introduces the so-called "Digital Green Certificate" which will use a QR code for security and authenticity and will be supplied to EU residents [2] as proof that they have been vaccinated, received a negative test result, or have recovered from COVID-19. The said certificate will, in essence, operate as a health passport permitting its holders to travel freely between Member States. Grigoris Sarlidis, Senior Lawyer at A.G. Erotocritou LLC, discusses the Commission's proposal and the associated privacy challenges.
The Commission's proposal has been warmly welcomed by the aviation sector as well as the tourist-reliant Member States amid the upcoming summer season. However, although QR codes and health certificates have been a part of our lives even prior to the COVID-19 era, the introduction of a health passport such as the Digital Green Certificate is not without challenges - particularly because of the data privacy concerns it gives rise to.
On 6 April 2021, the European Data Protection Board ('EDPB') and European Data Protection Supervisor ('EDPS') published a joint opinion [3] on the subject, highlighting such concerns and providing their recommendations on aligning the proposal with the applicable EU data protection framework. The key message that the EDPB and EDPS communicated through the opinion was that the proposal, as well as any other measure that involves processing of personal data in the fight against COVID-19, should primarily be guided by the principles of effectiveness, necessity, proportionality, and non-discrimination.
In this regard, the EDPB and EDPS noted that the lack of scientific evidence surrounding the efficiency of vaccinations and immunity obtained (if any) from the virus, whether with or without a vaccine, together with the absence of an impact assessment accompanying the proposal, raises doubts as to how effective, necessary, and proportional the Digital Green Certificate is under the circumstances. To this end, it was further noted that the certificate should operate merely as a 'verifiable proof of a timestamped factual medical application or history' rather than as an immunity attestation which, in the case of the latter, would potentially result in discriminatory practices based on health data.
From a purpose limitation standpoint, the view of the EDPB and EDPS was that the proposal should make it expressly clear that the use of personal data collected in relation to the Digital Green Certificate following the end of the pandemic is strictly prohibited. The proposal is not restricted to COVID-19. This is because of the power afforded to the European Commission thereunder to declare the further application of the framework in the future if the World Health Organization ('WHO') declares a public health emergency of international concern in relation to a COVID-19 variant or 'similar infectious diseases with epidemic potential'. On this basis, the EDPB and EDPS consider it appropriate that the proposal be limited to the current pandemic and current restrictions on free movement of persons within the EU.
Secondary use at member state level
Although the proposal does not cover any secondary use of the framework, the possibility for Member States to implement the same in their domestic legal systems is evident. In particular, extending the application and use of the Digital Green Certificates for a purpose other than as covered by the proposal, such as use of the certificate for permitting entry into private and public establishments (e.g. pubs, restaurants, gyms etc.) will be possible provided that any such extension and use respects Articles 7 and 8 of the Charter of Fundamental Rights of the European Union and complies with the General Data Protection Regulation (Regulation (EU) 2016/679) ('GDPR'), including Article 6(4) thereof.
Security and integrity
An additional and critical parameter that will have to be addressed from an operational and functioning perspective (including by way of the relevant system or app that will issue and maintain the QR code) is that of security and integrity. The information technology infrastructure, solutions, and systems that will be used by Member States and data subjects alike should encompass tools and methodologies that ensure a safe, hack-free and fraud-free environment. Admittedly, no infrastructure, measure, or tool is risk-free; however, the more safeguards put in place and measures adopted, the lower the risk of an attack on, and misuse of, the framework.
The Digital Green Certificate is a major step towards opening the borders and economies in the EU and regaining the right to free movement. Unquestionably, it is a problem-solver in that regard if guided by the above principles, ensuring at the same time that the vulnerabilities and inequalities exposed by the pandemic are not transmitted to digital environments. A data privacy compliant Digital Green Certificate will instil public trust and confidence in the process - particularly in times like these where COVID-19 measures and restrictions have raised doubts.
Grigoris Sarlidis Senior Lawyer
A.G. Erotocritou LLC
1. The proposal consists of two Regulations as follows: (a) Regulation of the European Parliament and of the Council on a framework for the issuance, verification and acceptance of interoperable certificates on vaccination, testing and recovery to facilitate free movement during the COVID-19 pandemic (Digital Green Certificate), available at https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX:52021PC0130; and (b) Regulation of the European Parliament and of the Council on a framework for the issuance, verification and acceptance of interoperable certificates on vaccination, testing and recovery to third-country nationals legally staying or legally residing in the territories of Member States during the COVID-19 pandemic (Digital Green Certificate), available at https://eur-lex.europa.eu/legal-content/EN/ALL/?uri=COM:2021:140:FIN
2. It can also be introduced in Iceland, Liechtenstein, Norway as well as Switzerland.
3. EDPB-EDPS Joint Opinion 04/2021 on the Proposal for a Regulation of the European Parliament and of the Council on a framework for the issuance, verification and acceptance of interoperable certificates on vaccination, testing and recovery to facilitate free movement during the COVID-19 pandemic (Digital Green Certificate), available at https://edpb.europa.eu/sites/edpb/files/files/file1/edpb_edps_joint_opinion_dgc_en.pdf.