On March 17, 2021, the European Commission presented a proposal for a regulation to create a digital green certificate to facilitate free movement within the European Union in the current context of the COVID-19 pandemic.
This contemplated digital tool was discussed in a joint opinion from the European Data Protection Board and the European Data Protection Supervisor dated March 31, 2021, published on April 6, 2021.
This digital green certificate would serve as a digital proof issued by the health institutions and competent health authorities of each Member State to evidence that a person has been vaccinated against COVID-19 / has received a negative test result / has recovered from COVID-19, and to facilitate travels and movements within the EU.
This certificate would take the form of a QR code containing a digital signature and would allow for a coordinated and interoperable use among EU Member States as regards its issuance, verification and acceptance.
As this digital proof requires the processing of personal data (and sensitive data since the data at stake relate to the health of individuals), the European Commission has sought the opinion of the European Data Protection Board (EDPB) and the European Data Protection Supervisor (EDPS).
Compliance with the principles of necessity and proportionality
The EDPB and the EDPS firstly recalled that the implementation of this device must be carried out in full compliance with the General Data Protection Regulation (“GDPR”) and that the principles of necessity and proportionality must guide any measures to be put in place.
Both bodies consider that these principles seem to be respected since the European Commission’s proposal provides for:
- A collection of personal data limited to the minimum necessary (Article 5 of the proposal and annex);
- The impossibility to retain the data when verifying the certificate (Article 9 of the proposal);
- The absence of a central database that would store the transmitted data;
- The temporary nature of the device which is intended to disappear once the COVID-19 pandemic is over (Article 15 (2) of the proposal).
On this last point, the opinion is unambiguous: The proposal must expressly provide that access and subsequent use of the data by Member States once the pandemic has ended shall not be permitted under the to-be-adopted Regulation.
A warning is given to the Member States in that respect: Any possible further use other than the intended purpose of facilitating free movement within the European Union does not fall within the scope of the proposal between EU Member States and may lead to unintended consequences and risks to the fundamental rights of EU citizens.
Any further use of the digital green certificate by Member States, e.g., to enter shops, restaurants, clubs, places of worship or gyms, etc., must be in compliance with the provisions of the GDPR and implemented following a proper impact assessment in order to avoid any risk of discrimination and to prohibit any unjustified retention of data.
On this last point, the EDPB and the EDPS welcome the fact that the proposal expressly mentions that the to-be-adopted Regulation will not create in any way a legal basis for retaining personal data collected by the Member States of destination or the cross-border passenger transport services operators.
Compliance with the purpose limitation principle
In accordance with the purpose limitation principle established with the GDPR, the EDPB and the EDPS specified that the proposal should define and describe more precisely the purpose of the digital green certificate.
This principle also prevents the contemplated device from being reused in a context other than the COVID-19 pandemic, in particular in the event the World Health Organization declares a new health emergency related to an infectious disease similar to COVID-19.
Article 15 of the proposal, which opened the door to this possibility, should therefore be revised.
Compliance with the principle of minimization of personal data
According to the EDPB and the EDPS, the principle of minimization of personal data also implies additional substantiation as to the need for collecting certain types of data and including them in the certificate, such as the vaccine medicinal product, the vaccine marketing authorization holder, the vaccine manufacturer or the vaccine serial number.
Technical and organizational guarantees and identification of data controllers
The EDPB and the EDPS consider that the proposal should specify that the data controllers and processors must take adequate technical and organizational measures to ensure a level of security appropriate to the risk of the processing, as per Article 32 of the GDPR.
In line with the principles of data protection by design and by default, these measures should be implemented both at the time of the determination of the means for processing as well as at the time of the processing itself.
Finally, the EDPB and the EDPS recommend that the list of all the entities acting as controllers, processors and recipients of the data in each Member State be made public to allow EU citizens to properly exercise their fundamental right to data protection.
Fight against discriminations
To ensure the inclusion of all EU citizens, the EDPB and the EDPS consider that the certificates should necessarily be available both in digital and paper-based formats.
They also underlined the compliance of the proposal with the GDPR as three types of certificates are being contemplated, i.e., vaccination certificate, negative test certificate and certificate of recovery, which would limit the risk of discrimination, in particular against people who do not wish to be vaccinated.
Author: Pauline Kubat, Esq.