EDPB and EDPS Advise the EU On Digital Green Certificates

The EU’s data protection regulators critique the EC’s vaccine passport proposal.

The European Union’s data protection authorities have rendered their joint opinion on “Digital Green Certificates,” the European Commission’s (EC) proposal for COVID passports.

Twitter

Vaccine passports; not the Green New Deal.

Cocktail Party

The European Data Protection Board (EDPB) and European Data Protection Supervisor (EDPS) have poked some holes in the EC’s plan for vaccine passports. Not surprisingly, the EU’s data protection watchdogs see data protection problems that contravene EU law. It remains to be seen whether the EC, European Council, the Parliament, or the EU nations will enshrine these critiques in the proposal that gets enacted.

Meeting

The EU has been grappling with how to allow its residents to exercise their fundamental right of free movement while also having measures in place to stop the spread of COVID, especially the newest variants. Central to these considerations is the type of proof an EU resident would need to present to authorities at borders to show she has been vaccinated, tested negative recently, or has already had COVID. Last fall, the EC began considering how to establish an EU-wide system that would allow its residents to carry standardized documentation allowing them to travel across the European Economic Area (EEA). Hence, the present proposal requiring EU nations to offer their citizens vaccine passports in either paper or digital format, the formal name notwithstanding. However, the EC took care to emphasize that if one is not carrying a vaccine passport, his right to free movement cannot be abridged, meaning he may be legally required to quarantine and get tested.

The EDPB and the EDPS articulated their concerns about some language in the proposal for the Digital Green Certificates that may weaken data protection and possibly endanger the rights of those in the EU. Namely, they expressed their objection to language that could be used to justify the use of so-called vaccine passports in the future during other health emergencies. The privacy watchdogs made the case for eliminating ambiguity in the text of the proposal allowing for this outcome. They may be worried about a future in which everyone in the EU would carry a portable, possibly digital record of their health status that would then be collected and processed by national and local authorities. The EDPB and EDPS also suggested that the EC conduct an impact analysis to see if there are less intrusive alternatives available and to predict likely impingements of rights in order to be able to remedy them beforehand. The two regulators also wanted tighter language laying out those entities who may be controllers and processors under the proposal beyond the nations issuing the Digital Green Certificates.

Geek Out

The EDPB and EDPS issued their “EDPB-EDPS Joint Opinion 04/2021 on the Proposal for a Regulation of the European Parliament and of the Council on a framework for the issuance, verification and acceptance of interoperable certificates on vaccination, testing and recovery.” The regulators had been asked by the EC to vet the proposal, but before we get to the opinion, let us take a look at the proposal.

As the EC explained in March:

Today the European Commission is proposing to create a Digital Green Certificate to facilitate safe free movement inside the EU during the COVID-19 pandemic. The Digital Green Certificate will be a proof that a person has been vaccinated against COVID-19, received a negative test result or recovered from COVID-19. It will be available, free of charge, in digital or paper format. It will include a QR code to ensure security and authenticity of the certificate. The Commission will build a gateway to ensure all certificates can be verified across the EU, and support Member States in the technical implementation of certificates. Member States remain responsible to decide which public health restrictions can be waived for travellers but will have to apply such waivers in the same way to travellers holding a Digital Green Certificate.

In its proposal, the EC explained the policy backdrop and the efforts that led to the Digital Green Certificate:

  • To show compliance with the different requirements, travellers have been asked to provide various types of documentary evidence, such as medical certificates, test results, or declarations. The absence of standardised and secured formats has resulted in travellers experiencing problems in the acceptance of their documents, as well as reports of fraudulent or forged documents being presented.
  • These issues, which can lead to unnecessary delays and obstacles, are likely to become even more prominent as more and more Europeans are being tested for and vaccinated against COVID-19 and receive documentary proof to this effect. This has been a growing concern for the European Council. In their statement adopted following the informal video conferences on 25 and 26 February 2021, the members of the European Council called for work to continue on a common approach to vaccination certificates.
  • There is consensus among Member States on the use of such certificates for medical purposes, such as to ensure proper follow-up between a first and second dose, as well as any necessary subsequent booster. Member States are working on developing vaccination certificates, often using information available in immunisation registries.
  • The Commission has been working with the Member States in the eHealth Network, a voluntary network connecting national authorities responsible for eHealth, on preparing the interoperability of vaccination certificates. On 27 January 2021, the eHealth Network adopted Guidelines on proof of vaccination for medical purposes, which it updated on 12 March 2021. These guidelines define the central interoperability elements, namely a minimum dataset for vaccination certificates, and a unique identifier. The eHealth Network and the Health Security Committee established by Article 17 of Decision No 1082/2013/EU of the European Parliament and of the Council have also been working on a common standardised set of data for COVID-19 test result certificates, guidelines on recovery certificates and respective datasets, and an outline on the interoperability of health certificates.
  • Based on the technical work carried out so far, the Commission proposes to establish an EU-wide framework for the issuance, verification and acceptance of vaccination certificates within the EU as part of a “Digital Green Certificate”. At the same time, this framework should also cover other certificates issued during the COVID-19 pandemic, namely documents certifying a negative test result for SARS-CoV-2 infection as well as documents certifying that the person concerned has recovered from a previous infection with SARS-CoV-2. This allows persons who are not vaccinated or who have not yet had the opportunity to be vaccinated to benefit from such an interoperable framework as well, facilitating their free movement. While children, for example, cannot benefit from COVID-19 vaccination for the time being, they should be able to receive a test or recovery certificate, which could also be received by their parents on their behalf.

The EC explained the Digital Green Certificate:

The interoperable Digital Green Certificate shall allow for the issuance and cross-border verification and acceptance of any of the following certificates:

(a)  a certificate confirming that the holder has received a COVID-19 vaccine in the Member State issuing the certificate (‘vaccination certificate’);

(b)  a certificate indicating the holder’s result and date of a NAAT test or a rapid antigen test listed in the common and updated list of COVID-19 rapid antigen tests established on the basis of Council Recommendation 2021/C 24/01 (‘test certificate’);

(c) a certificate confirming that the holder has recovered from a SARS-CoV-2 infection following a positive NAAT test or a positive rapid antigen test listed in the common and updated list of COVID-19 rapid antigen tests established on the basis of Recommendation 2021/C 24/01 (‘certificate of recovery’).

Member States shall issue the certificates referred to in paragraph 1 in a digital or paper-based format, or both. The certificates issued by Member States shall contain an interoperable barcode allowing for the verification of the authenticity, validity and integrity of the certificate. The barcode shall comply with the technical specifications established in accordance with Article 8. The information contained in the certificates shall also be shown in human-readable form and shall be, at least, in the official language or languages of the issuing Member State and English.

The EC enshrined the provisions on protecting personal data in Article 9:

  1. The personal data contained in the certificates issued in accordance with this Regulation shall be processed for the purpose of accessing and verifying the information included in the certificate in order to facilitate the exercise of the right of free movement within the Union during the COVID-19 pandemic.
  2. The personal data included in the certificates referred to in Article 3 [Digital Green Certificate] shall be processed by the competent authorities of the Member State of destination, or by the cross-border passenger transport services operators required by national law to implement certain public health measures during the COVID-19 pandemic, to confirm and verify the holder’s vaccination, testing or recovery status. For this purpose, the personal data shall be limited to what is strictly necessary. The personal data accessed pursuant to this paragraph shall not be retained.
  3. The personal data processed for the purpose of issuing the certificates referred to in Article 3, including the issuance of a new certificate, shall not be retained longer than is necessary for its purpose and in no case longer than the period for which the certificates may be used to exercise the right to free movement.
  4. The authorities responsible for issuing the certificates referred to in Article 3 [Digital Green Certificate] shall be considered as controllers referred to in Article 4(7) of Regulation (EU) 2016/679 [The General Data Protection Regulation].

The EC is proposing legislation to bring the Digital Green Certificate system into being:

To ensure uniform conditions for implementation of the trust framework established by this Regulation, the Commission shall adopt implementing acts containing the technical specifications and rules to:

(a)  securely issue and verify the certificates referred to in Article 3;

(b)  ensure the security of the personal data, taking into account the nature of the data;

(c)  populate the certificates referred to in Article 3, including the coding system and any other relevant elements;

(d)  lay down the common structure of the unique certificate identifier;

(e)  issue a valid, secure and interoperable barcode;

(f)  ensure interoperability with international standards and/or technological systems;

(g)  allocate responsibilities amongst controllers and as regards processors.

Those implementing acts shall be adopted in accordance with the examination procedure referred to in Article 13(2).

It should be added that the EC also released a companion framework for vaccine passports for non-EU residents living or legally residing in the EU that applies the Digital Green Certificate proposal to this other class of individuals.

In the EDPB and EDPS joint opinion, they express their gratitude that the EC is not proposing “the creation of any sort of personal data central database at EU level.” Nonetheless, they asked the EC to delete language in the proposal that would allow the EC to use the Digital Green Certificate system if there is a similar pandemic in the EU. The EDPB and EDPS took issue with the lack of an impact assessment to accompany the proposal, which they argue would allow for the weighing of the likely costs of the system as well as the examination of any less intrusive alternatives. The agencies stress that the Digital Green Certificates must be available in both digital and paper formats to ensure all EU residents can take advantage of the system. The EDPB and EDPS laud the EC’s recognition that necessity, proportionality, and minimization inform the proposal but advise the EC to make more explicit the legal basis of the processing of personal data in the proposal (i.e., references to Articles 6(1)(c) and 9(2)(g) of the GDPR).

The EDPB and EDPS advised the EC that its proposal needs to provide a justification for the categories of data that would be collected and processed “such as the vaccine medicinal product, vaccine marketing authorisation holder or manufacturer and number in a series of vaccinations/doses to be included in the certificate for the purpose of facilitating the exercise of the right to free movement within the EU during the COVID-19 pandemic.” Likewise, the agencies would like the EC to tighten language allowing the certificate to have information regarding “disease or agent the citizen has recovered from;” they would prefer that the wording be limited just to COVID-19.

The EDPB and EDPS asserted that “the Proposal should state that the controllers and processors shall take adequate technical and organisational measures to ensure a level of security appropriate to the risk of the processing, in line with Article 32 GDPR.” The EDPB and EDPS added “[t]hese measures should consider for example the establishment of processes for a regular testing, assessment and evaluation of the effectiveness of the privacy and security measures adopted.” The agencies also called for the proposal to include language listing “all the entities foreseen to be acting as controllers, processors and recipients of the data” other than the nations themselves. The EDPB and EDPS also advised the EC to implement provisions spelling out whether and when personal data could be transferred to third countries and the limits on any use or processing of these data.

© Michael Kans, Michael Kans Blog and michaelkans.blog, 2019-2021. Unauthorized use and/or duplication of this material without express and written permission from this site’s author and/or owner is strictly prohibited. Excerpts and links may be used, provided that full and clear credit is given to Michael Kans, Michael Kans Blog, and michaelkans.blog with appropriate and specific direction to the original content.

Photo by Markus Winkler on Unsplash
