This blog is part of the COVID blog in Social Sciences series on the Digital Green Certificate. It will evaluate the implications of the Digital Green Certificate on data protection. Using an analogy with the traffic lights, it will classify the different provisions of the proposal according to their impact on the individual’s fundamental right to data protection.
By Federico Marengo (Bocconi University)
The Commission has recently published a Proposal for a Regulation of the European Parliament and of the Council on a framework for the issuance, verification and acceptance of interoperable certificates on vaccination, testing and recovery to facilitate free movement during the COVID-19 pandemic (Digital Green Certificate).
As it was explained in the first blogpost of this series, the proposal aims at facilitating the exercise of the right to free movement within the EU during the COVID-19 pandemic by establishing a common framework for the issuance, verification and acceptance of interoperable certificates on COVID-19 vaccination, testing and recovery.
Both the Parliament and the Council have already adopted their negotiating positions. In addition, several other bodies have expressed their opinions on the matter: the Council of Europe’s Committee on Bioethics issued a Statement on Human Rights Considerations Relevant to a “Vaccine Pass” and Similar Documents, the Consultative Committee of the Convention for the Protection of Individuals with Regard to Automatic Processing of Personal Data (Convention 108) published its Statement on Covid-19 vaccination, attestations and data protection, and, most importantly for data protection purposes, on 31 March 2021, the European Data Protection Board (EDPB) and the European Data Protection Supervisor (EDPS) issued a joint opinion (EDPB-EDPS Joint Opinion 04/2021) where they evaluated whether the proposal is consistent with the fundamental right to the protection of personal data, as enshrined in Art. 16 of the Treaty on the Functioning of the European Union (TFEU), Art. 8 of the Charter of Fundamental Rights of the EU (CFR) and the General Data Protection Regulation (GDPR).
In this blogpost, I will briefly summarise the most important privacy and data protection implications of the proposal, since they constitute a fundamental and controversial facet of this initiative.
From the outset, it should be noted that, according to the EDPB-EDPS joint opinion, the Digital Green Certificate should be regarded as a ‘verifiable proof of a timestamped factual medical application or history’ that will enable free movement of EU citizens within the EU, but it should not be understood as an immunity certificate.
While the issuance, verification and acceptance of interoperable certificates on COVID-19 vaccination, testing and recovery is intended to facilitate the exercise of the right to free movement within the EU during the pandemic, it may collide with the fundamental right to the protection of personal data as it chiefly consists in the processing of personal data.
Since limitations to fundamental rights can only be made subject to the principle of proportionality and necessity (Art. 52 CFR), the Digital Green Certificate needs to attain a fair balance between its objectives and the fundamental rights to respect for private and family life (Art. 7 CFR), data protection (Art. 8 CFR) and non-discrimination (Art. 21 CFR). Any restriction to any fundamental right must respect the principles of effectiveness, necessity and proportionality.
Data Protection Related Matters
The Digital Green Certificate proposal was issued with the General Data Protection Regulation in mind. From now on, I will classify some personal data protection provisions of the proposal, using a traffic light as an analogy. The green light compiles the proposal’s provisions that are compliant with the GDPR, the yellow light turns to those provisions that could be improved but cannot be considered as flagrantly conflicting with it, and, finally, the red light is for those measures that should be amended because they pose imminent risks to the data subjects’ rights.
First of all, it is important to highlight the positive aspects of the proposal. These aspects were underscored by the EDPB and the EDPS in their joint opinion 04/2021.
The proposal addresses the proportionality principle because it establishes that data processing is limited to the minimum necessary (Art. 5 and Annex); it forbids keeping the data after the verification of the certificates (Art. 9); it does not allow for the creation of any sort of personal data central database at an EU level, and it establishes that the certificate framework is temporary.
The proposed Regulation also addresses purpose limitation (Art. 5(1)(a) GDPR) since it mandates that the certificates only contain the personal data necessary to attain the purpose of facilitating the exercise of the right to free movement within the EU during the pandemic. More importantly, it does not constitute a legal basis for keeping personal data collected from the certificate framework to implement national public health measures during the Covid-19 pandemic.
It also permits citizens to obtain and renew the certificates at no cost if their personal data is not or no longer accurate or updated, which is aligned with the principle of accuracy (Art. 5(1)(d) GDPR) and the right to rectification (Art. 16 GDPR).
As a measure to ensure the inclusion of all individuals, the proposal obliges states to issue certificates in a digital or paper-based format (Art. 3(2) of the Proposal)
Finally, as the EDPB-EDPS also welcomed, the proposal sheds light on the roles of the controller and processor in the context of the certificate framework.
While the proposal aims at allowing individuals to move more freely within the EU, it contains some provisions that may interfere with other fundamental rights and freedoms, especially the right to the protection of their personal data. The EDPB and the EDPS pointed out some aspects of the proposal that should be addressed to improve compliance with the EU data protection framework.
As individuals need to be able to easily exercise their rights, transparency of the data processing operations should be clearly established. In order to increase transparency, the proposal could set out that any national entity expected to operate as controller, processor and recipient of the personal data in the Member State concerned should be disclosed to the broader public. This provision would allow data subjects to know in advance where they can file a complaint.
Additionally, the proposal should better clarify the reasons which justify the inclusion of certain categories of personal data to be processed. In particular, concerning the vaccination certificate, the proposal could expand on the merits of including data fields such as the vaccine medicinal product, vaccine marketing authorisation holder or manufacturer and number in a series of vaccinations/doses (points 1(e), 1(f) and 1(g) of the Annex).
Finally, there are some important points of concern that cannot be avoided and should be addressed before the proposal is approved.
First and foremost, as the EDPB and the EDPS highlighted, an impact assessment concerning the effectiveness of existing less intrusive alternatives is missing. Risk management is one of the fundamental pillars of the GDPR, so identification, evaluation and mitigation of risks are fundamental measures that must be taken before processing personal data. Equally important, the proposal should establish that controllers and processors must take technical and organisational measures to ensure a level of security appropriate to the risks of processing (Art. 32 GDPR), e.g. establishing processes to regularly test the effectiveness of the privacy and security of the measures adopted.
Under the proposal, the Commission is empowered to add, modify or remove data fields on the categories of personal data contained in the certificates (Arts. 5(2), 6(2), 7(1), 7(2) of the proposal). This is a flexible mechanism that allows the Commission to assess the most suitable information to be included in the certificates. However, such a mechanism also creates uncertainty and could generate novel risks. The proposal should circumscribe this power so that that the Commission can only add more detailed data fields (sub-categories of data) falling within the already specified categories of data.
Finally, the extra-EU transfer of personal data is one of the most contentious data protection matter, since many of the largest cloud solution providers (who are generally deemed processors under the GDPR) are located outside Europe. Whereas the international transfer of personal data is not forbidden, if data is exported to jurisdictions where no adequacy decision exists (Art. 45 GDPR), like the USA, the transfer is generally carried out through standard contractual clauses which must be accompanied by appropriate safeguards (Art. 46 GDPR). In this context, the proposal should specify clearly, whether and when any international transfer of personal data is expected and include safeguards to ensure that third countries will only process personal data exchanged for the purposes specified by the proposal. Furthermore, the proposal should encourage the use of verification techniques that do not require the transfer of personal data abroad whenever possible.
Data protection, as highlighted in the EDPB-EDPS joint opinion, cannot constitute a hurdle to tackle the Covid-19 pandemic. On the contrary, strong data protection provisions will boost citizens’ trust. While the Digital Green Certificate constitutes a plausible solution to restore some freedoms that every EU citizen used to enjoy before the pandemic, the purposes of the proposal should be balanced with other fundamental rights and, in particular, its provisions must comply with the data protection framework.
Federico Marengo is a lawyer, master in public administration (University of Buenos Aires), LLM (University of Manchester), and PhD candidate (Università Bocconi, Milano). His research deals with the potential and challenges of the General Data Protection Regulation to protect data subjects against the adverse effects of Artificial Intelligence. He is also teaching assistant in a course on European Law and in a course on Legal Argumentation and Economic Analysis of Law at Università Bocconi.