A green, a yellow, or a red light for the data protection implications of the Digital Green Certificate proposal?

This blog is part of the COVID blog in Social Sciences series on the Digital Green Certificate. It will evaluate the implications of the Digital Green Certificate on data protection. Using an analogy with the traffic lights, it will classify the different provisions of the proposal according to their impact on the individual’s fundamental right to data protection.  

By Federico Marengo (Bocconi University)

The Commission has recently published a Proposal for a Regulation of the European Parliament and of the Council on a framework for the issuance, verification and acceptance of interoperable certificates on vaccination, testing and recovery to facilitate free movement during the COVID-19 pandemic (Digital Green Certificate).

As it was explained in the first blogpost of this series, the proposal aims at facilitating the exercise of the right to free movement within the EU during the COVID-19 pandemic by establishing a common framework for the issuance, verification and acceptance of interoperable certificates on COVID-19 vaccination, testing and recovery. 

Both the Parliament and the Council have already adopted their negotiating positions. In addition, several other bodies have expressed their opinions on the matter: the Council of Europe’s Committee on Bioethics issued a Statement on Human Rights Considerations Relevant to a “Vaccine Pass” and Similar Documents, the Consultative Committee of the Convention for the Protection of Individuals with Regard to Automatic Processing of Personal Data (Convention 108) published its Statement on Covid-19 vaccination, attestations and data protection, and, most importantly for data protection purposes, on 31 March 2021, the European Data Protection Board (EDPB) and the European Data Protection Supervisor (EDPS) issued a joint opinion (EDPB-EDPS Joint Opinion 04/2021) where they evaluated whether the proposal is consistent with the fundamental right to the protection of personal data, as enshrined in Art. 16 of the Treaty on the Functioning of the European Union (TFEU), Art. 8 of the Charter of Fundamental Rights of the EU (CFR) and the General Data Protection Regulation (GDPR).

In this blogpost, I will briefly summarise the most important privacy and data protection implications of the proposal, since they constitute a fundamental and controversial facet of this initiative.


From the outset, it should be noted that, according to the EDPB-EDPS joint opinion, the Digital Green Certificate should be regarded as a ‘verifiable proof of a timestamped factual medical application or history’ that will enable free movement of EU citizens within the EU, but it should not be understood as an immunity certificate.

While the issuance, verification and acceptance of interoperable certificates on COVID-19 vaccination, testing and recovery is intended to facilitate the exercise of the right to free movement within the EU during the pandemic, it may collide with the fundamental right to the protection of personal data as it chiefly consists in the processing of personal data. 

Since limitations to fundamental rights can only be made subject to the principle of proportionality and necessity (Art. 52 CFR), the Digital Green Certificate needs to attain a fair balance between its objectives and the fundamental rights to respect for private and family life (Art. 7 CFR), data protection (Art. 8 CFR) and non-discrimination (Art. 21 CFR). Any restriction to any fundamental right must respect the principles of effectiveness, necessity and proportionality. 

Data Protection Related Matters

The Digital Green Certificate proposal was issued with the General Data Protection Regulation in mind. From now on, I will classify some personal data protection provisions of the proposal, using a traffic light as an analogy. The green light compiles the proposal’s provisions that are compliant with the GDPR, the yellow light turns to those provisions that could be improved but cannot be considered as flagrantly conflicting with it, and, finally, the red light is for those measures that should be amended because they pose imminent risks to the data subjects’ rights. 


First of all, it is important to highlight the positive aspects of the proposal. These aspects were underscored by the EDPB and the EDPS in their joint opinion 04/2021.

The proposal addresses the proportionality principle because it establishes that data processing is limited to the minimum necessary (Art. 5 and Annex); it forbids keeping the data after the verification of the certificates (Art. 9); it does not allow for the creation of any sort of personal data central database at an EU level, and it establishes that the certificate framework is temporary. 

The proposed Regulation also addresses purpose limitation (Art. 5(1)(a) GDPR) since it mandates that the certificates only contain the personal data necessary to attain the purpose of facilitating the exercise of the right to free movement within the EU during the pandemic. More importantly, it does not constitute a legal basis for keeping personal data collected from the certificate framework to implement national public health measures during the Covid-19 pandemic.

It also permits citizens to obtain and renew the certificates at no cost if their personal data is not or no longer accurate or updated, which is aligned with the principle of accuracy (Art. 5(1)(d) GDPR) and the right to rectification (Art. 16 GDPR). 

As a measure to ensure the inclusion of all individuals, the proposal obliges states to issue certificates in a digital or paper-based format (Art. 3(2) of the Proposal)

Finally, as the EDPB-EDPS also welcomed, the proposal sheds light on the roles of the controller and processor in the context of the certificate framework. 


While the proposal aims at allowing individuals to move more freely within the EU, it contains some provisions that may interfere with other fundamental rights and freedoms, especially the right to the protection of their personal data. The EDPB and the EDPS pointed out some aspects of the proposal that should be addressed to improve compliance with the EU data protection framework.

As individuals need to be able to easily exercise their rights, transparency of the data processing operations should be clearly established. In order to increase transparency, the proposal could set out that any national entity expected to operate as controller, processor and recipient of the personal data in the Member State concerned should be disclosed to the broader public. This provision would allow data subjects to know in advance where they can file a complaint

Additionally, the proposal should better clarify the reasons which justify the inclusion of certain categories of personal data to be processed. In particular, concerning the vaccination certificate, the proposal could expand on the merits of including data fields such as the vaccine medicinal product, vaccine marketing authorisation holder or manufacturer and number in a series of vaccinations/doses (points 1(e), 1(f) and 1(g) of the Annex).


Finally, there are some important points of concern that cannot be avoided and should be addressed before the proposal is approved. 

First and foremost, as the EDPB and the EDPS highlighted, an impact assessment concerning the effectiveness of existing less intrusive alternatives is missing. Risk management is one of the fundamental pillars of the GDPR, so identification, evaluation and mitigation of risks are fundamental measures that must be taken before processing personal data. Equally important, the proposal should establish that controllers and processors must take technical and organisational measures to ensure a level of security appropriate to the risks of processing (Art. 32 GDPR), e.g. establishing processes to regularly test the effectiveness of the privacy and security of the measures adopted. 

Under the proposal, the Commission is empowered to add, modify or remove data fields on the categories of personal data contained in the certificates (Arts. 5(2), 6(2), 7(1), 7(2) of the proposal). This is a flexible mechanism that allows the Commission to assess the most suitable information to be included in the certificates. However, such a mechanism also creates uncertainty and could generate novel risks. The proposal should circumscribe this power so that that the Commission can only add more detailed data fields (sub-categories of data) falling within the already specified categories of data.

Finally, the extra-EU transfer of personal data is one of the most contentious data protection matter, since many of the largest cloud solution providers (who are generally deemed processors under the GDPR) are located outside Europe. Whereas the international transfer of personal data is not forbidden, if data is exported to jurisdictions where no adequacy decision exists (Art. 45 GDPR), like the USA, the transfer is generally carried out through standard contractual clauses which must be accompanied by appropriate safeguards (Art. 46 GDPR). In this context, the proposal should specify clearly, whether and when any international transfer of personal data is expected and include safeguards to ensure that third countries will only process personal data exchanged for the purposes specified by the proposal. Furthermore, the proposal should encourage the use of verification techniques that do not require the transfer of personal data abroad whenever possible. 


Data protection, as highlighted in the EDPB-EDPS joint opinion, cannot constitute a hurdle to tackle the Covid-19 pandemic. On the contrary, strong data protection provisions will boost citizens’ trust. While the Digital Green Certificate constitutes a plausible solution to restore some freedoms that every EU citizen used to enjoy before the pandemic, the purposes of the proposal should be balanced with other fundamental rights and, in particular, its provisions must comply with the data protection framework.

Federico Marengo is a lawyer, master in public administration (University of Buenos Aires), LLM (University of Manchester), and PhD candidate (Università Bocconi, Milano). His research deals with the potential and challenges of the General Data Protection Regulation to protect data subjects against the adverse effects of Artificial Intelligence. He is also teaching assistant in a course on European Law and in a course on Legal Argumentation and Economic Analysis of Law at Università Bocconi.

Photo by Jonny Rogers on Unsplash


Broadening access to Covid-19 vaccines: intellectual property dilemmas and the role of the EU

Steering intellectual property rights and EU action towards a bolder approach to achieving global immunisation

By Giuseppe Mazziotti (Trinity College Dublin)

In the past few months, the World Health Organization (WHO) has been claiming that the only effective solution to immunize the world’s population from the SARS-CoV-2 virus is a vaccine intended as a common or public good, accessible to everyone without geographical and economic discriminations. However, it has been hard to achieve such an ambitious goal at a time global intellectual property law, as defined under the TRIPS (Trade Related Aspects of Intellectual Property Rights) Agreement administered by the World Trade Organization (WTO), conceives drugs mostly as a form of private property subject to patent protection.

Unfortunately, none of the limitations of pharmaceutical patent protection embodied in the TRIPS Agreement applies to a health emergency with no geographical boundaries, such as the current pandemic. A specific solution to this problem might derive from the adoption of a pandemic treaty, an idea that the WHO will start discussing in an assembly in May 2021. Such an unprecedented instrument could pave the way for international obligations enabling free access to life-saving drugs, such as vaccines, and effective standards of supranational sharing of scientific knowledge on a free or at least sustainable basis for all the world’s countries. 

At government level, the disruptive effects the Covid-19 pandemic has had even within the most-developed countries have spurred a predominantly nationalist approach to public health protection, to the detriment of an international cooperation and solidarity. This approach has made the wealthiest countries compete in securing the largest supplies from each of the vaccine manufacturers for their own peoples, to reach a long-awaited (although purely territorial) herd immunity. In this scenario, least developed countries and other poor economies have been benefiting from initiatives that public-private institutions and consortia such as Medicines Patent Pool (United Nations), the WHO’s Technology Access Pool (TAP) and the Global Alliance for Vaccines and Immunisation’s (GAVI) Covax initiative are currently putting in place to broaden distribution of available vaccines. 

Compulsory licensing in international law

In this unprecedented situation – at least in the past century – it is hard to understand why the European Union and its Member States have not tried to implement powerful legal instruments that are expressly contemplated under the TRIPS Agreement, such as compulsory licences of pharmaceutical patents. The sole fact of openly taking them into consideration or threatening their use within their own borders, while negotiating with pharmaceutical companies, would have allowed EU members to obtain better prices and conditions for their vaccine supplies.

According to the original version of the TRIPS Agreement (1994), each WTO member was entitled to allow uses of a patented drug without the right-holder’s consent in cases contemplating national emergencies or circumstances of extreme urgency, predominantly for the supply of the domestic market. This exception entailed that countries without domestic manufacturing capacity in the pharmaceutical sector could never have used this tool to enable access to generics. It was South Africa that, in 1997, amended its patent law to allow its Minister of Health to provide affordable generic forms of essential drugs, including anti-HIV therapies,triggering a harsh reaction from pharmaceutical groups and the US government, which claimed a violation of WTO law. It was in that historical context that the 2001 Doha Declaration on the TRIPS Agreement and Public Health amended the Agreement to allow WTO members not only to locally manufacture but also to import (and export) generic versions of patented medicines. The EU strongly supported this amendment by passing Regulation 816/2006, which enables EU Member States to readily respond to help requests coming from third countries having no manufacturing capacity and legalize production and export of generics within the limits justified by each health emergency.    

The approach of the EU

What should the EU have done, and what it could still do, to make access to available Covid-19 vaccines faster, fairer, and wider, even in least developed and developing countries that, for obvious historical reasons, look at Europe in situations of health and humanitarian crises?

Serious delays in the current vaccine rollouts are not entirely the European Union’s fault. The Commission and other EU bodies have found themselves facing the Covid-19 pandemic emergency without having the competence to control two essential areas which are fundamental to the development and distribution of vaccines, namely: (i) health systems, which are strictly state-owned, and (ii) the European patent system, whose organization, the European Patent Organisation (which includes the European Patent Office) is not a EU institution and does not pursue full harmonization (or unification) of national patent laws, especially in the domain of patent exceptions and compulsory licences. 

The purely contractual path the EU Commission has decided to take, with the support of its complex bureaucracy, by centralizing all acquisitions and supplies of vaccines for the EU population, proved to be much less effective and timely than vaccination campaigns in the United States and the United Kingdom. 

The restrictions EU Member States took, in an uncoordinated and very often anti-European fashion, established unprecedented exceptions to the principles of free movement of people and unity of the Single Market, which are authentic cornerstones of the European Union. This nationalist approach has resulted in immeasurable damages to European economies and the sacrifice of European citizens’ fundamental rights that national authorities have imposed without adequate justification and a reasonable time limit. The fact that the Commission intends to re-establish free movement of tourists and other travellers through a Digital Green Certificate without seeking to ensure a significant acceleration of vaccine rollouts is a further blow to citizens’ fundamental rights and to the Schengen agreement (for more on the Digital Green Certificate, see here).

If vaccination campaigns are being so heavily delayed and widely unpredictable, causing so much economic harm, why has not the European Union discussed and tabled intergovernmental or legislative initiatives that could have significantly increased production and supplies of Covid-19 vaccines on an EU-wide basis? Why has not it encouraged Member States to plan a concerted application of Regulation 816/2006, to help third countries produce and import life-saving vaccines? Even more importantly, why has not the EU immediately endorsed the proposal for a temporary waiver of Covid-related pharmaceutical patents that India, South Africa and dozens of other countries made before the WTO Council, from October 2020 onwards? Having expressly acknowledged the relevance and desirability of a relaxation of patent rights and having advocated, one year ago, the idea of vaccines as public goods through its President Von der Leyen, the EU should have taken the lead in supporting compulsory licences or temporary waivers at international level. A lead that is now being taken by the US trade representative before the WTO following a statement of President Biden on May 5th, 2021. 

The position of EU Member States  

Given this inaction at the EU level, and lack of uniformity under national patent laws, national governments found themselves in very different situations. Most EU countries (including Austria, Belgium, Czech Republic, Denmark, Spain, Finland, Greece, Croatia, Netherlands, Poland, Portugal, Romania, Sweden) already had provisions in their legislation allowing compulsory licences to enable access to essential drugs on public health grounds or, through a broader definition, in the public interest. Other EU members (such as France, Germany, and Hungary) took a step further by reforming their patent laws to be able to broaden and streamline use of this powerful tool for specific purposes related to the Covid-19 pandemic. Other EU countries, instead, did not take any measures in this field, buying the argument of the pharmaceutical industry that vaccine manufacturers could have coped with the ongoing emergency doing their business as they usually do, i.e., through voluntary licences. The fact that countries like Ireland and Italy are part of the latter group should not come as a surprise if one considers how strong and influential the lobbying of large pharmaceutical companies headquartered in both countries can be on governments, political parties, and the media. 

A policy agenda under the control of the EU

Within the policy areas entirely under the control of the European Union, two of them could play a greater role in improving and broadening access to vaccines in the current pandemic. The first is the pharmaceutical law concerning quality and safety controls, as well as market authorizations, based on the federal regulatory power of the European Medicines Agency (EMA), whose acts are uniformly valid throughout the EU. The second one is competition (or antitrust) law.

As regards pharmaceutical regulations, one can only imagine the administrative and public health chaos the EU would have faced if a pandemic like Covid-19 had broken out before the establishment of a centralised procedure for market authorisations in 2004. Twenty-seven national pharmaceutical agencies would have made potentially conflicting decisions, making the actual harm even bigger than it has been. In this context, the authority of EMA ensured not only uniformity but also availability of ad hoc and fast-track procedures, where all the relevant data and clinical trials related to Covid-19 vaccines have been examined as soon as their manufacturers submitted them (rolling review). What could be done at this stage is a reform of the EU regime of market exclusivity, which currently grants pharmaceutical companies a proprietary right to control access to their drugs’ clinical trials and data and to prevent third parties from producing generic versions.[1] In a context such as a pandemic, these exclusive rights should be limited or suspended to make compulsory licences immediately effective.

As far as antitrust is concerned, the EU Commission has extensive powers of investigation, inspection, and sanction against companies to verify whether serious delays and failures in the supply of Covid-19 vaccines to EU countries are in any way linked to any refusal to grant licences or to agreements (which would clearly be illegal) aimed to slow down the sale on the market of much larger amounts of vaccines. A thorough investigation on this front would be much more effective than any lawsuits like those that the EU Commission and some national governments (including Italy) have threatened against manufacturers because of their delays and failures to provide contractually agreed supplies. 


Exceptional circumstances such as a pandemic justify limitations of the scope of intellectual property rights, whose strict enforcement has harmful consequences on people’s right to health and other fundamental rights. It is time for EU institutions and national governments to act in a much more coordinated way and to use exceptional powers they have at their disposal or whose availability depends on reforms and policy changes that, especially at international level, would greatly help face global health emergencies in the future. 

[1] Article 14(11) Regulation no 726/2004/EC of the European Parliament and of the Council laying down Community procedures for the authorisation and supervision of medicinal products for human and veterinary use and establishing a European Medicines Agency, O.J. L 136/1.  

Giuseppe Mazziotti is a Fellow and Professor of intellectual property law at Trinity College Dublin. He specialises in intellectual property, EU law, information technology law, and cultural policies. Born in Cosenza, he holds a Ph.D. in law from the European University Institute in Florence, a cum laude law degree from the University of Perugia and master’s degrees in clarinet performance and chamber music from the Perugia Music Conservatory.

Photo by Kendal on Unsplash

What is the ‘Digital Green Certificate’, why you should not call it a ‘vaccine passport’ and why should you care?

A new blog series on the Digital Green Certificate

By Fulvia Ristuccia (Bocconi University) and Alina Trapova (Bocconi University)

As vaccination campaigns roll out across the EU with different paces and effectiveness and amidst fierce discussion over contentious approaches to vaccine procurement and supplies, the European Commission – prompted by the European Council – has put forward a proposal for a Regulation on the ‘Digital Green Certificate’, otherwise known as the ‘vaccine passport’. Its aim is to facilitate the restoration of free movement within the EU, which has been greatly limited (quarantine, test reporting, etc.) in the last troubled year.

We are starting a new blog series to trace the various issues entangled in the discussion on the Digital Green Certificate. This first blogpost aims at briefly summarizing the Commission’s proposal, which is now following the ordinary legislative procedure pending approval by the Council and the European Parliament. We will give you the overall panorama and point out some general misconceptions, i.e. what the ‘Digital Green Certificate’ is not. Our next posts in this series will treat specific issues such as free movement of persons and discrimination, data protection and the implications of the Digital Green Certificate beyond the EU.

One aspect that needs stressing from the outset is that the proposal is neither a ‘passport’, nor does it concern only vaccines. The term ‘vaccine passports’ is misleading. It has enhanced public anxiety as the idea of a passport reminds of times where frontiers for EU citizens between Member States were much more tangible than they have been in the last twenty years. Instead, the proposed Regulation does not mention the word ‘passport’ at all; neither does the Commission’s dedicated webpage.

With this in mind, let us understand what is the proposal about, namely the ‘Digital Green Certificate’ (and not a ‘vaccine passport’).

What is the ‘Digital Green Certificate’?

In the EU, free movement of Union citizens is a fundamental right protected by Article 21 of the Treaty of the Functioning of the European Union (TFEU), but also Article 45 of the Charter of Fundamental Rights of the European Union. And of course, Article 21 TFEU is the legal basis of the proposed Regulation, aimed at restoring the exercise of this right after a year of significant restrictions. Hence, only EU citizens and their family members – those who enjoy free movement rights under the Treaty and Directive 2004/38 – are covered by the proposed Regulation and may be ‘certificate holders’ (Recital (16) and Article 2).

The proposal puts in place a system of mutual recognition of certificates across Member States allowing travellers to avoid bureaucratic hurdles when crossing a border, by facilitating the provision and recognition of documentary evidence concerning immunity to Covid-19 or, in the alternative, a negative Covid-19 test result. It provides for a ‘Digital Green Certificate’, which is a framework of ‘interoperable certificates containing information about the vaccination, testing and/or recovery status of the holder issued in the context of the COVID-19 pandemic’ (Article 2). Member States authorities will be obliged to issue free of charge these certificates to those who fulfil the conditions set by the proposal. The national health authorities must sign digitally the certificate to avoid forgery and the system will allow for the cross-border verification of the truthfulness of the certified facts and the digital signatures.

There are three types of certificates covered by the proposal. Member States must or may, depending on the circumstances, recognise certificates issued by other Member States’ authorities, when presented by travellers crossing an intra-EU border.

First, there is the vaccination certificate (Article 5). Member States must issue vaccination certificates, which, in order to be recognized across the EU under the Regulation, have to contain some information such as the name of the vaccinated person and the type of the specific vaccine. Member States must recognize vaccination certificates when the administered vaccine has an EU-wide marketing authorisation granted centrally by the Commission on the basis of the European Medicines Agency’s assessment (based on Regulation 726/2004). At the time of writing, four vaccines have been approved by EMA and three are undergoing review. Member States may also recognise vaccination certificates when the administered vaccine has been authorised only nationally, on the basis of Directive 2001/83/EC, or has received temporary national authorisation (Article 5(2) of Directive 2001/83/EC). This means that persons vaccinated with vaccines authorised only nationally may see their certificates refused, subject to each Member State’s individual evaluation. Member States shall also issue a vaccination certificate when Union citizens and their family members have been vaccinated in third countries, if the administered vaccine is among those authorised nationally by some Member States or at Union level and if the person provides reliable proof of vaccination (Article 5(6)).

Second, the proposal envisages mutual recognition of COVID-19 test certificates (Article 6). The certificate shall contain information about the administered test and, again, identification of the certificate holder. The test may be either a rapid antigenic test or a Polymerase Chain Reaction (PCR) one, but it has to be a test listed in the common and updated list of Covid-19 tests established by Council Recommendation 2021/C 24/01. The proposed Regulation does not contain information on the period of validity of the test certificate, leaving it to the Member States’ discretion to determine the timeframe within which the test has to occur (e.g. two days before crossing the border) and the validity of the certificate in time. It is unlikely (and unwise) that a negative test result will have long-term validity.

Finally – there is a certificate of ‘recovery’ (Article 7). If someone has tested positive for COVID, Member States will issue a certificate of recovery after minimum eleven days from the first positive test upon request of that person. Through a delegated act, the Commission can modify the minimum number of days. At the same time, since there is only a lower time limit to issue the certificate (it cannot be issued before eleven days have passed from the first positive test), issuing Member States are still free to set the threshold for certifiable recovery at a longer period. Those who have tested positive and have ‘recovered’, within the meaning of the Regulation (i.e. at least eleven days have passed from the first positive test) will not have to show a negative COVID-19 test in addition. In this respect, across Member States,  practices differ as to the so called ‘negative exit tests’ (the necessity to have a negative PCR test result to end the period of self-isolation after a person has tested positive). Since the Regulation does not require a negative exit test, it may be concluded that Member States should issue the recovery certificate under Article 7 even in the absence of a such exit test. In turn, Member States should not require negative exit tests to those with a recovery certificate. This means that a person may still be COVID-19 positive, but, according to the Commission’s proposal, scientific evidence has shown that after ten days of infection with the virus, one ceases to be contagious in most cases. As for the validity of the certificate of recovery, Recital (32) of the proposal specifies that the certificate is valid for 180 days. This time-limit is then repeated in Annex I on the data to be included in the certificate, but not in the text of the Regulation.

What the vaccine passport is not?

First of all, the EU Digital Green Certificate is not a condition to travel, neither a barrier to receive services, nor another limitation or condition to EU Treaty rights or national constitutional rights. It is an obligation on the Member States to issue and recognise certificates to facilitate free movement rights within the EU and EEA (and possibly, also outside, but this aspect is still to be clarified [1]). If Member States decide to require a certificate to access  services or places within their national territory, as some Member States intend to, then this will be subject to scrutiny under the free movement provisions and principles.

Second, it is not an obligation to introduce restrictions, nor to require certificates of vaccination, testing or other forms of immunity such as recovery. If, and only if, Member States require testing, vaccination or recovery proof, then the Digital Green Certificate provisions kick in and the Member State requiring such evidence is obliged to follow the provisions in the proposed Regulation. In other words, if a Member State grants free and unrestricted access to its territory, without requiring prior testing or proof of vaccination, then the Regulation is not an obligation to introduce such requirements.

Third, the proposal does not limit per se the possibility for Member States to introduce restrictions such as quarantine obligations. Member States retain the competence to limit free movement as per the general rules under the relevant Treaty Articles (21, 45, 49 and 56 TFEU), subject, of course, to compliance with EU law, the principle of proportionality and fundamental rights. Yet, when Member States wish to reintroduce quarantine, self-isolation or test requirements for Digital Green Certificates holders, they have to notify the Commission, specifying the reasons that justify such restrictions (Article 10).

Finally, the proposal for the Digital Green Certificate is not a legal basis to create a database of health-related data. It is only a legal basis for processing such data to the extent necessary for the operation and verification of truthfulness of the certified health status.


Against this background, of the three types of proof explained above, the recovery certificate attracts immediately severe criticism. Virologists keep underlining the importance of getting vaccinated even when the person has already been infected with COVID-19 in the past. Nonetheless, the World Health Organisation has warned that there is no conclusive evidence that individuals who have been infected with Covid-19 are fully immune and do not transmit if reinfected. Each individual immune system has different strength and duration of protection post-infection may vary. Then, there is the issue of new variants – we still have no data regarding the immunity against these (both post-infection and post-vaccination). And yet, from the point of view of the proposed Regulation, it appears that proving that you have had the virus is an alternative to being vaccinated or to having tested negative for the purposes of free movement. This may encourage excessive trust in immunity post-infection and may indeed increase the risks of transmission.

The Digital Green Certificate has been highly supported by countries strongly reliant on tourism (such as Greece, which in fact has started working on its own national ‘vaccine passport’). There is a strong push to have the EU system operational by June – a rather unrealistic timeframe, despite the fact that the European Parliament will shortly vote on the Commission’s proposal using an urgent procedure, without parliamentary committee written report (thus, skipping entirely or reducing to an oral debate the committee-level process and streamlining the proposal directly to the plenary). Some MEPs have pointed out that such ‘bypassing’ is yet another aspect that may raise further mistrust in the proposed framework.

Nevertheless, things are moving fast. The Council has already approved the mandate for negotiation with the European Parliament specifying the suggested amendments to the Commission’s proposal. The Parliament has scheduled discussion on its 1st reading position on the proposal for its plenary session on the 26-29 April.

In this post, we presented the proposal as it is very important to have the basic picture clear. In our next post, we will focus on the specific issues for free movement. Facilitating this right is purportedly the objective of the Regulation, but does the proposal address it adequately?

Watch this space!

Fulvia Ristuccia is a PhD Student at Bocconi University. Her research focusses on free movement of persons in the EU. She graduated from Università degli Studi Roma Tre in Rome and holds an LLM in European law from the College of Europe in Bruges.

Alina Trapova is a PhD Candidate at Bocconi University. She researches EU copyright law and currently coordinates Bocconi’s LLM in European Business and Social Law.

[1] Under Recital (18) and Article 3(5), the Commission will have implementing powers to adopt a decision of equivalence, under conditions of reciprocity, for certificates issued by third countries that have a free movement agreement with the EU and do not have automatic EU law incorporation mechanisms, e.g. Switzerland. Article 4(3) empowers the Commission to adopt an implementing act concerning the recognition of certificates issued by third countries to Union citizens and their family members, as long as they are interoperable with the Regulation’s trust framework.
For third country nationals who are not covered by the proposed Regulation, the Commission also put forward a complementary proposal based on Article 77(2)(c) TFEU.
The Council’s mandate for negotiation proposes the introduction of an article on this aspect, in order to clarify the treatment concerning certificates issued to Union citizens and their family members and legally staying third-country nationals vaccinated in third countries. See more here.

Photo by Lukas on Unsplash

The Virus – a lot to process

By Rubén Cano

by Rubén Cano

The role of data protection in the pandemic with a focus on scientific research

Personal data protection plays a fundamental role in the “data economy” which, now more than ever, constitutes a crucial asset in designing effective pandemic plans and identifying appropriate solutions. In this vein, the dichotomy between public health and data protection, the latter recognized as a fundamental right in Article 8(1) of the Charter of Fundamental Rights of the European Union, becomes today more important than ever. However, the tension between the restrictions to data processing and the need, or convenience, of their processing to achieve certain purposes, is a challenge for authorities and individuals.

Who said data?

At the apex of the pandemic, we all became familiar with data processing activities such as geolocation of individuals, mobile applications for collecting infected persons’ information, infection self-assessments, immunity passports or infrared cameras. In addition to the above, directing our view to the future, there are also issues such as: (i) the use of biological data collected from infected individuals with the only purpose to find the vaccine, excluding ulterior uses of such data; (ii) the use of health data and biological samples, initially collected for another purpose, could now become relevant to manage the health crisis – e.g., blood analysis data from individuals affected by a regular flu are now used to compare its effects against the particularities of the coronavirus; or (iii) the processing of data for categorization of individuals, so that more vulnerable people are first served with vaccines following a risk-based approach. In this line, many initiatives related to data aggregation were also launched, such as platforms aimed at sharing coronavirus related data for researchers to upload, access and analyse datasets to accelerate research (see, for instance, Covid-19 Data Portal).

Consider point (iii) as an example. One cannot exclude that, now that the vaccine is a reality, there might be certain restrictions on its purchase and supply due to lack of availability. The latter could induce regulators, again, to prioritize more vulnerable segments of the population, based on, inter alia, the location of the individual, profession, age, previous pathologies and whether the patient already has the antibodies. In this sense, although vaccination criteria are constantly being updated and revisited, some countries or organizations have already issued their respective recommendations or strategies as: (i) the recommendations issued by the Centers for Disease Control and Prevention the in the United States; (ii) the guidelines issued by the Italian Ministry of Health; or (iii) the Vaccination Strategy issued by the Inter-Territorial Counsil of the Health System in Spain.

As could not be otherwise, data protection would necessarily also play a role in the selection and identification of the appropriate profiles and the supply of the corresponding vaccines.

In this context, monitoring the different applicable regulations together with an assessment of the proportionality, necessity, and adequacy of data processing activities constitutes an obligation for data controllers and processors. This is considering, inter alia, the particularities of health data, which has a special status and protection.

Here, different regulations interact creating a hieroglyphic ecosystem: (i) Regulation (EU) 2016/679 on the protection of individuals with regard to the processing of personal data and the free movement of such data (“GDPR”); (ii) regulations implementing the GDPR at a national level; and (iii) sectorial / special regimes regulating health and uses that make data processing necessary for the management of the crisis.

It goes without saying that, although there is no general prohibition to carry out practices entailing personal data processing in the coronavirus context, data controllers and processors must comply with the above-mentioned legislation, which may include obligations such as (i) having the appropriate legal basis for the data processing; or (ii) informing data subjects about the processing of their personal data.

For a non-expert in data protection law, the above means that, in the current system, there are mechanisms providing flexibility to regulators in order to enable the processing of personal data for health-related purposes. These mechanisms, with greater or lesser effectivity, make health research or management possible. However, to some extent the practical application of such flexibilities highly depends on regulatory guidance and ad hoc interpretation from local authorities. As a result, a heterogeneous application of such flexibilities may generate doubts and divergences when it comes to its implementation in the different national legislations, which eventually could hinder the achievement of a “pan-European” solution: a heterogeneous answer to a common problem. This could, for instance: (i) make it challenging for data controllers and processors conducting their businesses in different EU countries – they will have to evaluate and adapt to the particularities of every jurisdiction; (ii) result in the inconsistent interpretation and application of data subjects’ rights throughout the EU; or (iii) facilitate the emergence of Private International Law issues as forum shopping.

The case of data processing and scientific research

Both the above-mentioned flexibilities and the complexities in complying with the applicable legal regime may be illustrated through the example of scientific research, where data is being processed to fight against the SARS-CoV-2 and its new strains, in an attempt to return to the new normal. One clear example is the processing of data for clinical trials. Here, many legal issues arise as, for instance: (i) the definition of “scientific research” definition; (ii) the legal grounds based on which data processing for scientific research purposes can be conducted; (iii) the proper mechanism to carry out international transfers of data; (iv) the necessity to notify (or not) such processing to the relevant Data Protection Authority; (v) the organizational and security measures the data controller has to put in place; or (vi) the retention period of personal data for this very purpose.

In the area of scientific research, the European Data Protection Board (“EDPB”) recently shed light on the matter, indicating, inter alia, that:

  • Countries of the European Union may approve legislation to enable the processing of special categories of personal data (including health data) for research purposes: (i) out of necessity for “reasons of public interest in the field of public health, such as protection against serious cross-border threats to health, or to ensure high standards of quality and safety of health care and medicinal products or medical devices“; or (ii) because it is necessary for “archiving purposes in the public interest, for scientific or historical research or for statistical purposes“;
  • Limitations and exceptions to rights in the area of data protection must be interpreted with caution and in a restrictive manner;
  • Potentially, there may be a need to conduct a Data Protection Impact Assessment (“DPIA”);
  • Calculation of data retention periods has to be carried out in a proportionate manner and periodically revisited;
  • Regarding international transfers of personal data, Article 49(1)(a) or 49(1)(d) of the GDPR could be applied when this is necessary for important reasons of public interest or by explicit consent.

Although such guidelines are more than welcome, their development, interpretation and application, currently, greatly depend on the specific characteristics of each case, national Data Protection Authorities guidelines, the influence of complementary local legal frameworks and sectorial legislation applying to, for instance, the approval of pharmaceutical products. Thesecreate a complex regime that, definitely, affects the ability to adopt a uniform approach compliant with personal data protection regulations which at the same time fosters research within the European Union.

Acta est fabula?

Exceptional situations require exceptional measures. However, while it can be argued that the system must ensure some flexibility for health management and achieve efficiently and effectively a cure against the virus, minimum standards must be met to prevent or mitigate the risk for individuals connected to the processing of their data. On the other hand, excessively restrictive interpretation could lead to ineffective crisis management and the loss of opportunities to use technology and data to fight the virus.

The circumstances of the specific case will determine issues such as the application of complementary legislation, requirements such as anonymization or pseudonymization, or further obligations determined by the characteristics of the case, for example, if it is a public or private entity.

Moreover, it is worth reminding that data protection is not an end in itself but, as indicated in Recital 4 of the GDPR, “the processing of personal data must be designed to serve humanity“. The development of the pandemic is setting in motion unprecedented mechanisms that, as in many other legal fields, have had a minor impact until now. In the use of such unprecedented flexibility mechanisms, a proportional approach will be necessary to adequately weigh, on the one hand, health and public interests and, on the other, the protection of personal data, providing a cross-jurisdiction solution to a common problem.

As we had the opportunity to explore throughout this text, nature has a devastating capacity to show us that law always follows societal trends, and not the other way around. The pandemic has shown how current EU regimes do not have the answer to all potential scenarios and, as such, legislation has to be flexible enough to bridge societal needs to legal structures, making sure law serves society. The future will show with more accuracy how these flexibility mechanisms were used by regulators and market operators in order to make sure we win the battle against the pandemic. Sadly, this is not finished yet. In the meantime, doubts about the heterogeneous practical implementation of GDPR flexibility provisions, the complex interaction between multi-level legal regimes, and the particularities of the approaches adopted by Data Protection Authorities will continue to emerge.

Rubén Cano currently practices as an Associate at Baker McKenzie in the areas of Intellectual Property and ITC. He studied at the universities of Alicante, Panthéon-Sorbonne and Bocconi. He holds an LL.M. in Intellectual Property and IT (University of Alicante) and an LL.M. in Law of Internet Technology (Bocconi University). He regularly writes academic and business oriented articles, and participates in events and seminars on technology and IP law related issues.

Photo via Unsplash. Image created by Samuel Rodriguez. Submitted for United Nations Global Call Out To Creatives – help stop the spread of COVID-19.

Will the COVID-19 crisis cripple the geographical indications´ law?

by Anastasiia Kyrylenko

Since early 2020, the world’s eyes and ears have been focused on the SARS-CoV-2 pandemics. First, through the constant exposure to news pieces and (expert) analysis, we all became knowledgeable of basic notions in epidemiology. Later, as vaccines were gradually being elaborated, IP-related notions also start resounding: “patentability of pharmaceuticals” “compulsory licensing”, and, eventually “investor-state disputes”. But now that many of us head into a second lockdown, a topic closer to our hearts (and stomachs) can also be addressed: will the COVID-19 pandemic have an impact on the geographical indications’ law?

In the European Union, geographical indications (also generally referred to as ‘quality schemes’) are regulated by four autonomous acquis acts, one per each category of products eligible for protection: agricultural products and foodstuffs (Regulation (EU) No 1151/2012), wines (Regulation (EU) No 1383/2013), aromatized wines (Regulation (EU) No 251/2014), and spirits (Regulation (EC) No 110/2008). Depending on the depth of the link between a registered name and a given territory, such names are either registered as a Protected Designation of Origin (PDO), or as a Protected Geographical Indication (PGI). The overarching objective behind these quality schemes is to preserve traditional heritage and know-how, which is contained in the processes and methods, used by local farmers across the European Union in the production of food products and alcohol beverages. In this, geographical indications are placed at the heart of the EU’s agricultural policy. 

As part of the registration process of PDOs and PGIs, associations of producers shall submit the so-called ‘product specifications’ (Art. 7 of Regulation No 1151/2012), where they minutely lay down the production processes and methods, as well as the geographical area of production. Under Art. 7 of Regulation (EU) No 1151/2012 a product specification shall include the name for the PDO/PGI; a description of the product, including the raw materials; the definition of the geographical area delimited with regard to the link to origin; evidence that the product originates in the defined geographical area; a description of the farming or production method, as well as information concerning packaging and labelling. Essentially, product specifications are rules of production, self-imposed by the associations of producers with the aim of “codifying” the traditional production methods. For instance, the product specifications for the PDO ‘Camembert de Normandie’ set out that this cheese shall be in the shape of a flat cylinder, 10.5 centimeters to 11 centimeters in diameter. The PDO ‘Oignon de Roscoff’ requires that the seeds shall only be planted from March 10 to April 10 every year. The application for registration of a PDO or a PGI, including the product specifications among other documents, undergoes a strict scrutiny by the European Commission before the protection is granted. 

After the registration, amendments to product specifications are allowed (Art. 53 of Regulation No 1151/2012), but non-minor amendments undergo a procedure similar to the one foreseen for the initial registration. Non-minor amendments relate to the essential characteristics of the products, alter the origin link of the PDO or the PGI, include a change to its name, affect the defined geographical area of production, or represent an increase in restrictions on trade in the product or its raw materials. These strict registration rules, explains Recital 18 to the Regulation No 1151/2012, are needed to ensure that consumers receive, through the quality schemes, clear information on products with specific characteristics linked to geographical origin. This information enables consumers to make more informed purchasing choices.

At the same time, associations of producers are allowed to introduce temporary amendments to their product specifications (Art. 53(3) of Regulation No 1151/2012), where such temporary changes result from the imposition of obligatory sanitary or phytosanitary measures by local public authorities. Temporary amendments allow association producers to modify the product specification to (temporarily, as its name indicates) put in place more flexible rules. This means that, despite not complying with the original requirements, products, produced under the temporary amendments, will still be eligible to carry the corresponding PDO or PGI. Due to their urgent character, temporary amendments to product specifications are not subject to any formal approval by the Commission and shall only be communicated to the Commission by the corresponding Member State (Art. 6(3) of Delegated Regulation (EU) No 664/2014). 

As one may notice, temporary amendments are not something specifically introduced in light of the SARS-CoV-2 pandemics: associations of producers made use of this procedure even before 2020, mostly because of unfavorable weather conditions, which prevented them from performing necessary productions steps following the established schedule. Nevertheless, it was due to the COVID-19 crisis (and the underlying movement restrictions and labour shortages) that a sudden upsurge in temporary amendments to product specifications occurred.

Such temporary amendments were mostly observed in France, Spain, or Italy, countries most affected during the first wave of restrictions, but also traditionally most active in registering PDOs and PGIs and defending the interests of national producers. Examples of granted temporary amendments include the use of frozen instead of freshly milked milk in the Italian PDO ‘Mozzarella di Bufala Campana’, or the authorization to exceptionally congeal the surplus of the Spanish PGI for veal ‘Ternera Gallega’. The previously mentioned French PDO ‘Oignon de Roscoff’ was allowed to push forward the date for planting seeds, as it originally fell at a period with most strict movement restrictions. Some of the temporary amendments were granted only for the duration of the Spring lockdown and were lifted afterwards, while others were extended throughout the 2020, allowing the producers to cope not only with the restrictions themselves, but also with the subsequent slumping of sales caused by the economic crisis.

But is there an immediate relevance of such changes in the production methods for the consumers?  The four Regulations on the ‘quality schemes’ do promise the consumers a certain quality of the products, marketed under the PDO/PGI labels. Nevertheless, a closer analysis of the provisions shows that this promise of quality would only concern the geographical origin of the products. As long as the PDO/PGI-protected products are still produced in the originally defined geographical areas, their quality, in the eyes of the EU legislator, remains unaffected.

A different question is whether, from the perspective of the consumers, said temporary amendments to the methods of production had a real impact on the products’ quality, in terms of taste, structure, or other qualities. Now that the products, produced under the Spring lockdown measures, are gradually entering the market, consumers will be able to answer this question by themselves. Voices are heard, especially on the other side of the Atlantic, that the PDO/PGI protection is already excessive enough and eventually leads to market foreclosure. If no noticeable decline in quality is observed, could it be that some of the production rules, self-imposed by the associations of producers, are too strict and have no real impact on the final qualities of the product, while at the same time blocking other local farmers from joining the elite PDO/PGI club? If so, may certain modifications to the current legal regime, either at the level of product specifications, or at the level of protection granted to PDO/PGI-covered products, be thought of?

This entry is based on an earlier essay, “COVID-19 and Geographical Indications: Is the Promise of ‘Quality’ in ‘Quality Schemes’ Undermined?”, which won the AIPPI 2020 Student Essay Prize.

Anastasiia Kyrylenko is a PhD researcher at the Universities of Alicante (Spain) and of Strasbourg (France), dealing with intellectual property provisions in trade agreements, which are negotiated by the European Union. She is also consulting the Ukrainian government on the intellectual property reform, as part of the Reform Support Team at the Ministry for Development of Economy, Trade and Agriculture. 

Photo by Louis Hansel @shotsoflouis on Unsplash

How can States avoid being sued by the investors for having taken Covid-19 measures? Past experience and recommendations for the future

By Nazlicicek Semercioglu

State measures to curb the spread of the pandemic can lead to a detrimental impact on foreign businesses. Instead of having to defend costly claims filed by investors, States should more carefully tailor the dispute prevention mechanisms.

The current emergency has forced governments to take measures for the protection of public health with repercussions on national and international business interests. Indeed, certain undertakings operating in sectors not deemed essential were required to cease activities. In addition, financial or fiscal incentives were made available to domestic companies including small and medium sized enterprises and those engaged in the production of medical equipment to the exclusion of their foreign counterparts. Likewise, foreign direct investment (“FDI”) screening in Covid-19 relevant industries has been reinforced and export bans have been imposed to ensure the sufficiency of the resources at governmental disposal for countering the emergency.

The current state of International Investment Law

In certain cases, governmental actions taken to safeguard national interests can detrimentally affect the profitable ventures originating from another State. These are deemed to be in violation of a bilateral investment treaty (“BIT”) signed by the governments in question for the promotion and protection of reciprocal investment flows. This, in turn, leads investors to trigger certain provisions safeguarding them against host State conduct. The latter may, among others, be deemed unfair, non-transparent, discriminatory (due to more favorable treatment accorded to nationals or other foreigners), or expropriatory by investor state dispute settlement (“ISDS”) tribunals consisting of arbitrators. However, due to the broad nature of these concepts and the lack of appellate mechanisms or institutions ensuring uniform interpretation, often diverging conclusions have been reached in comparable cases.

In addition, inconsistency of the regime was exacerbated by two factors. First, most of the BITs do not stipulate the regulatory autonomy States need to fulfill human rights obligations they owe to their local populations. As a result, in these cases, arbitrators are not expected to take into account the public interests at stake when determining whether or not the conduct complained of is wrongful.  Secondly, under the BITs that refer to such regulatory autonomy, no rules were established as to how a balancing exercise should take place. However, arbitrators need guidance when they weigh evolving social, environmental and economic conditions that would require amendments of the legal regime on the part of governments and legitimate expectations of investors. Consequently, in the absence of clear provisions, foreseeing the outcome of a claim has become increasingly challenging for states. Likewise, this has made it harder for them to decide whether to defend or settle a claim.

 In this regard, it has been argued that the importance attached to preserving the profitability of foreign investments by investment tribunals  has led to the perception that arbitrators are biased in favor of foreign investors to the detriment of host States interests, throwing the system in a legitimacy crisis.

Consequently, State parties losing an ISDS case have been obliged to pay compensation the plaintiffs. Its  amount has proven to be burdensome for the developing and least developed countries. Therefore, efforts have been made to draft provisions striking a fairer balance between the public and private interests. For instance, some of the so-called new generation treaties oblige the foreign investors to respect human rights where they operate. Similarly, they include sections exclusively dealing with States’ right to take measures in the public interest for the fulfillment of human rights obligations and others designed to place limits on the standard of conduct expected from States.

Besides, with respect to the procedural fairness of the adjudication, provisions in recent treaties state that proceedings are permitted, or required to be conducted on an open basis, pleadings are to be publicly available and tribunals are entitled to accept third-party submission should they choose so. Nonetheless, the regime is currently not satisfactory from the point of view of transparency and proposed reforms such as the EU’s Multilateral Investment Court Project are yet to materialize.

However, the practice related to the enactment of new treaties is quite novel and does not always lead to favorable outcomes for the states due to the approach adopted by the arbitrators as explained above. Indeed, even governments with treaties that pay due regard to their interests can end up losing the cases filed on the basis of their Covid-19 related measures. This, in turn, renders the minimization of disputes imperative.

The Brazilian dissatisfaction with the BITs Regime

Although increased Foreign Direct Investment (“FDI”) inflows have traditionally been linked to a legal instrument in force between two States providing for the ISDS, Brazil presents a counterexample. Accordingly, it has succeeded in receiving significant amounts of capital despite having never ratified a BIT. It has developed Cooperation and Facilitation Investment Agreements (“CFIAs”) that boldly depart from their contemporary counterparts. This State’s choice to remain as an outsider stems from the non-compliance of the international investment law’s main rules with its constitution. The ‘Calvo Doctrine’, that has impacted many Latin American States after gaining their independence, has also inspired such choice. It was born as a reaction to the perceived imposition of certain rules to States by the formerly imperial powers. The Calvo Doctrine, in turn, considered it illegal for aliens to be entitled to rights and privileges that were not accorded to nationals, such as the possibility of suing a host State before an arbitral tribunal without having to first seek redress before local authorities.

In this respect, elimination of the ISDS altogether may also prove to be useful for States that have taken measures to counter the pandemic. Indeed, this would decrease the susceptibility of their actions to legal claims.


It goes beyond any doubt that the measures that have been and will be imposed by governments in order the mitigate the adverse impact of Covid-19 on general welfare will negatively affect the profitability or feasibility of certain foreign investments. As a result, unless an appropriate course of action is followed, investors will file claims against states requesting large sums of compensation. The payment of such damages often fundamentally jeopardizes public spending on areas such as housing and health that are of vital importance for the local populations. In order to avoid a legal confrontation in response to the precautions taken for the protection of public health throughout and following the health crisis, States should endeavor to take steps towards enhancing their relationship with the investors and resolving differences amicably. To this end, in some jurisdictions, administrative burdens and bureaucratic obstacles for firms have been alleviated and COVID-19 related information services have been set up.

In this respect, Brazil’s CFIAs are notable – they innovate by making the prevention of disputes a core element in the effort of promoting bilateral FDI flows. They aim to ensure that parties can find common ground with the assistance of institutions that act as intermediaries. In this regard, the national focal points or ‘ombudsman’ under the agreements were created in light of South Korea’s positive experience with them. Indeed, in the latter case, they have received 400 cases on average since their creation in 1999 and succeeded in resolving 90% of them between 2007 and 2011, a substantial increase from the initial rate of 25%. In addition, it has been recognized that the virtual absence of ISDS claims filed against this country (only one for around 90 treaties) stems from the proper functioning of these entities. In both Brazil and South Korea, they serve as the main point of contact for foreign investors and, are tasked with a wide array of assistance services. These include the provision of timely and useful information on investment projects, assessment of the suggestions and complaints and provision of recommendation of actions to improve the investment environment. Nonetheless, if it is considered that a specific measure adopted may potentially constitute a breach of the CFIA in force and the outcome delivered during the first stage does not prove to be satisfactory,  the matter can be brought to the attention of the Joint Committee composed of government representatives of both sides. In the event that no settlement occurs upon the completion of the time frames set forth under the CFIAs or there is a non-participation of a party in the previous meeting, the dispute may be submitted to state-to-state arbitration. Therefore, the CFIAs offer a great model that can be adapted to the national exigencies of states whose Covid-19 related measures are at risk of being subject of legal actions.

Nazlicicek Semercioglu is a PhD Candidate in Legal Studies at Bocconi University (International and  European Law Curriculum). Her research focuses not only on the business and human rights movement and the international investment law reforms, but also on how these two regimes can reinforce one another to ultimately end corporate impunity.  She graduated from the LLM in Sustainable Development at the University of Milan with a thesis entitled “Brazil’s Historic Resistance to the BITs and the ICSID Convention and the Path Leading to the Adoption of the Cooperation and Facilitation Investment Agreements”. She also holds a bachelor degree in law at the University of Istanbul and she is also an Istanbul-qualified lawyer.

Photo by Micheile Henderson on Unsplash

Fool me once, shame on you; fool me twice, shame on me: COVID-19 data and the log scale

By Alessandro Romano, Chiara Sotis, Goran Dominioni and Sebastian Guidi

After some months of relative calm, countries like France, Spain, and Italy seem to be  facing a second wave of COVID-19. In countries that experienced a drop in the number of cases, people seem to have relaxed their precautions, which helps foster a new spread of the virus. For the public to engage in protective behavior it is vital that people understand the situation. It is essential, therefore, that the media conveys information to the public in a way they understand and allows them to make informed choices on their behavior. But is this happening?

Imagine being in Spain and seeing this graph on the total number of COVID-19 cases in the country:

Alternatively, imagine seeing this one:

The two graphs look and feel very different, despite displaying the same data. The last graph plots the information on an old good linear scale, of the type many people learn to read in elementary school. The first one, instead, deploys a logarithmic scale. This scale, some media and experts explain, is better to show exponential growth: a straight line shows a constant growth rate, which in turn makes it easier to spot deviations from the exponential trend.

Although the logarithmic scale may have this theoretical advantage, it does a poor job at showing the second wave of cases in Spain: it is only when we look closely that we see a bump in the line of total cases in August, despite the fact that the amount of daily new cases in the country is similar to that of April. The key issue is that the information these graphs are allegedly good at conveying is no longer the relevant one. What matters is not how much the cases are growing with respect to the total amount of cases, as this includes cases that took place months ago. What matters to understand if a second wave is on the way is whether the speed at which the virus spreads is increasing at a significant rate. But a graph that uses a logarithmic scale to plot total cases hides this information, and hence it may induce people to underestimate the gravity of the situation in their area. This could lead them to make choices that they would have not made otherwise; choices that can be consequential for the spread of the virus, the economy, and politics. This problem exists also for countries where the second wave has been much more severe than the first one, such as Japan:

In fact, logarithmic scale graphs plotting total cases will become increasingly inadequate to show future waves. As the number of total cases grows and reaches higher intervals on the Y axis, an increase of, say 3000 cases (which would have been extremely salient at the beginning of the pandemic) becomes increasingly less visible. Sticking to this way of reporting cases, as done for example by the Financial Times and the CNN, might be confusing to the public.

Admittedly, the problem is more serious because many newspapers only show the number of total cases. Using these graphs even large and significant increases in the number of cases become very hard to notice, once the overall number of cases becomes sufficiently high.  To address this issue, some media show a rolling 7 day average of daily new confirmed cases per million population.

This seems a better way to use the log scale at this point of the pandemic, as it shows clearly when the number of cases is growing. However, the logarithmic scale has also another significant downside. Research shows that even experts do not fully grasp logarithmic scales, and our recent article confirms this finding when it comes to the general public and COVID-19 information. In a survey with 2,000 Americans, participants showed much better understanding of linear scale than logarithmic ones – despite the fact that both groups stated similar levels of confidence in their answers. More importantly, people who were shown different graphs with the same data state different attitudes and policy preferences. Therefore, the scale in which the data is represented has important real world consequences.

Research suggests caution in using logarithmic scale charts to communicate with the public. The use of this scale combined with a focus on total cases hides the beginning of a second wave. Focusing only on recent data partially addresses this issue, but research shows that people still cannot understand the logarithmic scale, and hence information conveyed in this way does a poor job in helping the public make informed choices. As we move to a phase likely to experience peaks and valleys of cases, carefully thinking about something as seemingly innocuous as the graphs we use to inform people of the epidemiological situation is and will remain very important.

Alessandro Romano is Assistant Professor at Bocconi Law School. He has published in leading journals in the areas of law, business, environmental science, political science, economics and multidisciplinary.

Chiara Sotis is a PhD Candidate in Environmental Economics in the Geography and Environment Department (LSE) and the EC201 Course Manager in the Economics Department at LSE.

Goran Dominioni is Assistant Professor at Dublin City University. He holds a PhD from Erasmus University Rotterdam.

Sebastián Guidi is a doctoral student and graduate tutor at Yale Law School.

Photo by United Nations COVID-19 Response

COVID-19: Antitrust Policy on the Test Bench

By Federico Ghezzi and Laura Zoboli 

As is well known, the Covid-19 pandemic is causing not only a severe health emergency for citizens and countries around the world, but also an unprecedented shock to the global economy. Sudden changes in the demand and supply of certain products, interruptions in production, restrictions on imports, transport and distribution, uncertainty about the duration of lockdowns… all of this has challenged the ability of companies to react. Antitrust policy can play a role in this and, depending on the economic context and on the occurrence of a new crisis, it may be required to evolve – in particular with regard to the possible cooperation between competitors. 

A glance at the past and the present 

Looking back, the New Deal policies launched by Roosvelt in 1933 resulted in a de facto suspension of antitrust law, allowing collusion through codes of conduct.1 Many scholars nowadays consider that such a suspension has contributed to keeping the US economy depressed long after 1933.2 

The European Commission reacted to the financial crisis of 2007/2008 differently: it did not modify competition rules, but only enhanced the procedure’s efficiency and prioritized the sectors with the greatest impact on household spending, where possible. 

Similarly, in 2009 the Assistant Attorney General of the Antitrust Division of the United States’ Department of Justice, Christine Varney, stated “there is no adequate substitute for a competitive market, particularly during times of economic distress. Second, vigorous antitrust enforcement must play a significant role in the Government’s response to economic crises to ensure that markets remain competitive”. 

The crisis caused by the pandemic is partly different from the economic ones that antitrust policy faced in the past, chiefly for its cause – which is not of an economic nature, but rather it stems from public health concerns, which in turn brought governments to adopt restrictive measures.  

In particular, firms are at the mercy of the decisions of public authorities and cannot control the factors that determine these decisions, mainly public health. In this context, most competition authorities have published communications aimed at clarifying the framework of competition law, with the primary purpose of guiding firms in their actions. Moreover, the focus of these temporary responses is linked to the nature of the crisis, having as a central point the cooperation between competitors for the supply of products and services that are essential in the fight against Covid-19, for which there is a public interest. 

The response of the antitrust policy at the European level 

At the European level there are two central milestones in the antitrust policy reaction, with specific regard to the possible cooperation between competitors during the pandemic.  

First, the declaration adopted by the European Competition Network (ECN)3 brings together the main competition authorities in Europe. The ECN recognized the need for companies to cooperate to make up for shortages in the supply of scarce products and to ensure their fair distribution. For those firms with concerns about the compatibility of their initiatives with competition law, moreover, the ECN authorities expressed their availability to provide further guidance, through informal advice. Nevertheless, the ECN statement strongly condemned those firms that take advantage of the crisis by creating cartels or by abusing their dominant position. 

Secondly, at EU level, the European Commission adopted a temporary framework,4 where it clarified the parameters and priorities that will guide its enforcement action – with a focus on the cooperation between competitors aimed at resolving the shortage of essential products and services. Moreover, the Commission introduced a temporary procedure to provide comfort letters to firms in relation to specific cooperation projects on a case-by-case basis. In addition, the Commission reiterated its condemnation of opportunistic conducts of exploitation of the crisis to cover anti-competitive collusion or abuse of dominant position, such as, for example, applying prices above ordinary competitive levels or limiting production to the detriment of consumers. 

What happens next? 

The actions taken by European authorities in response to the pandemic are consistent in safeguarding competition. More broadly, we are convinced that maintaining a sound antitrust policy is essential to increase the resilience of the markets and to promote a faster recovery of the economy from the crisis. 

In that respect, it will also be essential to carefully monitor the cooperation activities that have been (or will be) authorized during the pandemic through comfort letters or for which the authorities have established that the enforcement was not a priority. The risk, otherwise, is that once cooperation and exchange of information between firms are allowed, such relations may turn into real collusive activities. To this end, it is necessary that the authorities provide for sunset clauses, i.e. conditions for ending cooperation activities when/where they are no longer essential, because the market failures that were justifying them have been surpassed. 

In addition, while the authorities can certainly intervene ex post, by initiating investigations and condemning colluding companies, in times of crisis these interventions risk being ineffective. During a crisis, in fact, firms could have great difficulty in paying sanctions (and damages), which would result in a distortion of the market, for example in the form of a reduction in the offer or an increase in prices, which would persist. In this sense, we think it is essential that authorities invest in awareness campaigns to prevent anti-competitive conducts, even more so in times of crisis.5 In other words, we believe that it is essential to legitimize antitrust action in times of crisis, as an intervention that, while not against companies, is for the protection of consumers and citizens. 

For an in-depth analysis of antitrust policy in times of Covid-19, see: L. Zoboli, F. Ghezzi, L’antitrust ai tempi del Coronavirus: riflessioni sulle esperienze internazionali e sulle iniziative italiane, in Rivista delle società, 2020 (in Italian). For a focus on the reaction of antitrust policy in circumstances of cooperation, see: L. Zoboli, Covid-19 e regole antitrust: tra incentivi alla cooperazione e rischi collusivi, Concorrenza e Mercato, 2020 (in Italian). 

[1] National Industrial Recovery Act 1933, Chapter 90, Title I, § 3, 48 Stat. 195 (15 U.S.C. §§ 703–12 (1934)).

[2] R. Lucas jr., L.A. Rapping, Unemployment in the Great Depression: Is There a Full Explanation?”, in 80 J.P.E., 1972, 186–91; A.A. Alchian, Information Costs, Pricing, and Resource Unemployment, in Microeconomic Foundations of Employment and Inflation Theory, ed. E.S. Phelps et al. Norton, 1970; M.Friedman, A. Jacobson Schwart, A Monetary History of the United States, Princeton, N.J., 1963, 1867–1960. S.W. Wallace, The Antitrust Legacy of Thurman Arnold, St. Johns Law Review, vol. 78 n. 3, 2004.

[3] ECN, Joint statement by the European Competition Network (ECN) on application of competition law during the Corona crisis, 23 March 2020, https://ec.europa.eu/competition/ecn/202003_joint-statement_ecn_corona-crisis.pdf

[4] Communication from the Commission, Temporary Framework for assessing antitrust issues related to business cooperation in response to situations of urgency stemming from the current COVID-19 outbreak (2020/C 116 I/02), https://eur-lex.europa.eu/legal-content/EN/TXT/PDF/?uri=CELEX:52020XC0408(04)&from=FR

[5] The UK Competition and Markets Authority stood out for its proactivity.

Federico Ghezzi is Professor of law at the Department of Legal Studies, Bocconi University, and his main research interests are at the intersection between antitrust and corporate governance. 

Laura Zoboli is Assistant Professor of European business law at the University of Warsaw and scientific coordinator of the Centre for Antitrust and Regulatory Studies (CARS). Her main research interests focus on the overlaps between competition law and IP within digital markets and the data economy.

Photo by Matteo Vistocco on Unsplash

When Technology met Proportionality: the juggling act of digital contact tracing

by Maria Chiara Meneghetti

Italy, alongside other European countries, has now entered the post-lockdown phase, relaxing its pandemic-related restrictions. After weeks of planning and discussions, the time has come to see contact tracing apps in action and assess their effectiveness in those European countries – like Italy, Spain or the United Kingdom – mostly affected by the pandemic.

Immuni, the designated Italian contact tracing app, has made its grand debut at the beginning of June. It is too soon to tell whether this choice will be useless or valuable to curb the virus contagion. However, the debate on people tracking technologies has once again confirmed that, even when confronted with a global emergency that affected the European Union as a whole, Member States have chosen to move in different directions. The fragmented national solutions taken by European countries on the necessity and proportionality of tracking measures is just one such example. At the same time, despite copious case-law on the concepts of “necessity” and “proportionality” in various legal contexts and jurisdictions, their practical assessment has proven to be challenging. When different interests need to be balanced against the background of complex technological solutions, proportionality turns into a delicate juggling act.

Back to the origins: what are tracking technologies?

Tracking technologies have dominated the headlines ever since “contact tracing apps” became a thing. Despite the current spike in popularity, this kind of technology has been around for longer than this pandemic.

“Tracking technologies” is a broad umbrella-concept that encompasses a range of systems whose main function is to track the location of objects, vehicles, or devices and, consequently, the position of their owners or users. They span from passive systems like radio-frequency identification (“RFID”) tags on packages, which only transmit data when prompted by a reader, to more active systems such as GPS tracker that send location data in real-time. As our lives became increasingly digitized, this technology evolved into cookies, web beacons and other tracking systems that enabled to monitor not only locations of Internet users’ (e.g. through IP addresses), but far more valuable information like user behaviors and preferences. Whether consciously or not, our data is already ingested and processed daily when we use city-mapping or food-deliveries apps, as we navigate from one website to another or when we use our smart devices.

Many argue that privacy concerns around contact tracing apps are at odds with people’s inclination to sell (off) their personal data for the business purposes of hungry digital companies. Yet, I would argue that if such measure stems from state law rather than a private action, it has a different impact and it needs to be subject to specific legal safeguards. With contact tracing apps we are in fact facing the deployment of tracking technologies that enable governments to massively collect and access citizen sensitive data and monitor segments of their lives at an impressive scale and degree.

Why digital contact tracing?

The speed and intensity of the Covid-19 spread has created a number of trade-offs among different rights and liberties that governments have been trying to address. Freedoms of movement and association were the first rights to suffer severe restrictions to safeguard public health. However, the limits of self-isolation and social distancing measures have led many to believe that “digital contact tracing” mechanisms were the optimal alternative to monitor and contain the virus. Contact tracing is nothing new for the public health sector. This is generally the process of manually tracing and identifying persons who may have come in contact with an infected person (i.e. “contacts”) to alert them, test them and thus monitor the spread of a virus.

The digital translation of contact tracing procedures was therefore believed to improve and speed up the identification, tracking and management process, providing a better control on the virus spread. This in turn would have allowed a swifter loosening of lockdown restrictions. Nevertheless, a state measure that may ultimately give central governments the means to monitor people’s movements and social interactions risks severely impacting the citizens’ rights to privacy and data protection, raising the fears of a new NSA-like scandal.

Countries around the world approached contact tracing in different ways. Pioneers in the roll out of tracking technologies were Asian countries (like China,[1] South Korea,[2] and Singapore[3]), partly as they experienced the first virus outbreaks, partly due to their lax privacy protection frameworks. Other countries soon followed with contact tracing solutions that spanned from deeply intrusive measures to milder alternatives.[4] Hard-hit European states have also moved towards tracking technologies. However, contrary to other legal systems, in the European Union the deployment of intrusive state-backed measures that entail massive data processing and expose individuals’ privacy needs to meet a high threshold of legitimacy that finds one of its pillars in the principle of proportionality.

The European threshold of the proportionality principle

Under the EU framework, while privacy and data protection bear the status of fundamental rights, there are cases in which they can be legitimately limited as a result of a balancing against other conflicting rights. Article 15 of the European Convention of Human Rights, as well as Article 52 of the EU Charter of Fundamental Rights allow for limitations to fundamental rights, as long as they (i) are provided by law; (ii) leave the essence of the right intact; (iii) pursue an objective of public interest or safeguard the rights and freedoms of others; and (iv) comply with the proportionality principle. Hence, limitations are “appropriate” to protect the interest that require protection, “necessary” as there is no less restrictive alternative to achieve the same result, and “proportionate stricto sensu, namely the restriction must not be disproportionate to the result to be achieved. If during a health crisis, the first three conditions are not difficult to meet, what is “appropriate”, “necessary” and “proportionate” to tackle this health crisis is the question which the debate on contact tracing technologies has been revolving around. The European Court of Human Rights and the Court of Justice of the EU case-law provide guidance on how this assessment needs to be conducted.

Further guidance recently came from the European Data Protection Supervisor (“EDPS”) with the adoption of a “Necessity Toolkit”[5] and, more recently, of its “Guidelines on proportionality”.[6] Yet, its practical application by national legislators has proven to be challenging and lacking a consistent approach. This was especially the case since the object of the proportionality assessment was a technology-driven legislative measure, which led to two consequences. First, there was absence of a clear-cut distinction between the definition of the tracking solution (which has undergone various modifications on the run) and the evaluation of its proportionality (which on the contrary would assume that a measure has already been identified). Second, there was a – fatally – strict connection between the proportionality of the measure and the technical features of the different proposed alternatives. In other words: an assessment process that lacked a clear phase structure and was mainly technically focused.

In fact, while EU countries generally agreed on the appropriateness and necessity to implement digital mass tracking measures to safeguard public health, when it came to identifying in practice what technological solution met these thresholds, in terms of effectiveness and less intrusiveness, countries split. Less intrusive measures based on the collection of non-sensitive data (e.g. Bluetooth low-range device interactions instead of real-time GPS data or telecommunication data), on decentralized data retention models (instead of centralized) and on voluntary adoption (instead of mandatory one) were preferable from the privacy perspective. However, these solutions generally mean less control or less precision, affecting the overall effectiveness of the measure, and thus, the achievement of the public interest objective. Doubts on the effectiveness were raised as far as the digital nature of the chosen solution, as it might be unable to reach precisely the categories of people that most needed to be protected (i.e. the elderly). Also, it has been claimed that traditional manual contact tracing measure were just as effective, while less intrusive.

The result was a puzzle of national solutions, each apparently stemming from a different balancing of rights and none seemingly able to appropriately address the claims of the different views of the debate. On one side, criticisms have been levelled against the un-balanced proportionality assessment of the measure, for privacy concerns unduly overweighed other fundamental rights at stake, leaving the final solution substantially ineffective (thus, unnecessary). On the other side, privacy watchdogs are already voicing their concerns over these apps, claiming they have a number of failures that dangerously expose citizens’ personal data.

What happens next?

Despite the overall proportionality debate, at the end of the day, the success of contact tracing apps will depend on a number of variable and unpredictable factors. Citizens trust in their national authorities will be a fundamental element to ensure the app has adequate take-up. The evolution of the virus will itself determine the usefulness of this solution compared to traditional forms of manual contact tracing (which states are still heavily relying on). Leaving aside any rushed judgment, what this situation has once again shown is the struggle of national legislators to balance different rights when faced with the implementation of complex technological solutions. Although laws and regulations are usually drafted under the principle of technological neutrality, the Covid-19 emergency offered an interesting example of states having to choose a specific technological product. Moving towards an increasingly digital society, we can expect that EU states will be required to assess the impacts of new technologies on the fundamental rights of their citizens in a growing number of cases. The challenges this scenario comes with are not few. The difficulty to assess ex ante the possible impact of complex technological systems will increase. This will add up to the risks that the assessment becomes obsolete – therefore inaccurate – very fast, considering the rapid pace of digital changes. And, above all, the danger still remains that faced with the uncertainties of new technologies, EU states may reach different conclusions on how to balance conflicting rights, leading to fragmented protection regimes and a patchwork of national approaches towards digital developments.

[1]For a general overview on China’s contact tracing “Alipay Health Code”, see  https://www.nytimes.com/2020/03/01/business/china-coronavirus-surveillance.html  and , https://edition.cnn.com/2020/04/15/asia/china-coronavirus-qr-code-intl-hnk/index.html .

[2] After the deprecation of “Corona100m”, South Korea has currently two apps, namely “Self-Quarantine app” and “Self-diagnosis app”. For more information on how contact tracing works is performed in South Korea see : https://www.technologyreview.com/2020/03/06/905459/coronavirus-south-korea-smartphone-app-quarantine/ and https://www.bbc.com/news/technology-52681464.

[3]  More details on Singapore’s contact tracing app, “Trace Together” at  https://www.tracetogether.gov.sg/.

[4] Among the other countries that adopted contact tracing apps: Iceland (“Rakning C-19”, https://www.covid.is/app/en) Israel (“Hamagen”, https://govextra.gov.il/ministry-of-health/hamagen-app/download-en/ ), India (“Aarogya Setu”, https://www.mygov.in/aarogya-setu-app/ ), Australia (“CovidSafe” https://www.covidsafe.gov.au/ ), New Zeland (“NZ COVID Tracer”, https://tracing.covid19.govt.nz/ ) and Saudi Arabia (“Corona Map”, https://www.arabnews.com/node/1652171/saudi-arabia ).

[5] European Data Protection Supervisor, “Assessing the necessity of measures that limit the fundamental right to the protection of personal data: A Toolkit”, 11 April 2017, available at: https://edps.europa.eu/sites/edp/files/publication/17-06-01_necessity_toolkit_final_en_0.pdf.

[6]  European Data Protection Board, “Guidelines on assessing the proportionality of measures that limit the fundamental rights to privacy and to the protection of personal data”, 19 December 2019, available at: https://edps.europa.eu/data-protection/our-work/publications/guidelines/assessing-proportionality-measures-limit_en.

Maria Chiara Meneghetti is a PhD Candidate in Legal Studies – International Law and Economics curriculum – at Bocconi University. She is interested in studying the impacts of digital and technological developments in several legal areas including privacy & data protection, cybersecurity, and contract law. Her research focusses on the challenges of ensuring the right to data protection in the digital age. She graduated from the University of Bologna and enjoyed her Brussels experience at the European Data Protection Supervisor. She is a qualified lawyer at the Bar of Milan.

Image created by Russell Tate. Submitted for United Nations Global Call Out To Creatives – help stop the spread of COVID-19.

ApartTogether: Study on the Impact of Covid-19 on Migrants and Refugees

Collective, for more information please contact Prof. Ilse Derluyn: Ilse.Derluyn@UGent.be

The Covid-19 pandemic is having a strong global impact but affects even more some already fragile populations. Among them, migrants and refugees have to cope with over 52000 mobility restrictions that have been implemented by 215 countries, territories and areas around the world. However, some Covid-19 related measures enable migrants to get temporary residence and work permits in countries such as Portugal and Italy. Beyond the residential status, the World Health Organisation, in a recent report, stressed the importance to consider migrants and refugees’ health in the setting of public health policies, particularly in the current circumstances. Migrants and refugees are categories made of really heterogeneous individuals but who may face some common challenges and develop subsequent coping strategies. Therefore, how can we measure the impact of Covid-19 and related measures on migrants and refuges?    

This is the aim of the ApartTogether global study coordinated by Ghent University and a research consortium of academics linked to several European and American universities. The objective of the study is to better understand how refugees and migrants experience the psychosocial impact of Covid-19 and how they deal with challenges that have arisen in the current situation. To this end, the research consortium has set up a survey made of 30 questions focusing on socio-demographic details, Covid-19-symptoms and preventive measures, daily stressors, psychological and social well-being, stigmatization and coping. 

Insights from the survey will be used to inform organisations and decision makers on how they can better support migrants and refugees during and after this pandemic. The survey runs until 30 June 2020.

To take and/or share the survey, please visit https://www.aparttogetherstudy.org/ (available in 30 languages). The survey can be distributed globally.

Disclaimer: Participants can respond anonymously to the survey, and all the information they provide will be stored and processed confidentially. The data coming out of the questionnaires will be stored on REDcap – a server at Ghent University. The server stores data in accordance with the GDPR regulations. Sharing of data between the research partners will be done through secured servers.