The European Data Protection Board and European Data Protection Supervisor have published a joint opinion on the data protection aspects of the European Union's proposals for a Digital Green Certificate, a form of COVID-19 vaccine certification that aims to facilitate the free movement of people within the European Union and kickstart international travel.
Though the joint opinion notes that data protection should not be an obstacle to fighting the COVID-19 pandemic, it stresses the importance of full compliance with the EU General Data Protection Regulation (GDPR) so that the proposal for a Digital Green Certificate (Proposal) does not directly or indirectly jeopardize the fundamental right to the protection of personal data. The European Data Protection Board (EDPB) and European Data Protection Supervisor (EDPS) make a number of recommendations to ensure that the Proposal is legally sound, and underscore that the overarching principles of effectiveness, necessity, and proportionality are central to mitigating risks to data subjects in member states.
The Digital Green Certificate aims to establish a common framework for the issuance, verification, and acceptance of interoperable COVID-19 vaccination, testing, and recovery certificates. It will be available, free of charge, in a digital or paper format and will include a QR code to ensure security and authenticity. If implemented, the Proposal would facilitate third country nationals legally staying or residing in member states and who are entitled to travel within the European Union to provide reliable proof of vaccination.
The Proposal is currently pending the approval of the European Parliament and has been examined by the EDPB and EDPS to ensure that it is aligned with the GDPR. At the end of April, the European Parliament is expected to adopt its first reading position and informal trialogue negotiations are expected to commence thereafter.
Given the nature of the measures put forward by the Proposal, the EDPB and the EDPS consider that the introduction of the Digital Green Certificate should be accompanied by a comprehensive legal framework. At the same time, both bodies suggest that the EU Commission take a holistic and ethical approach to the Proposal in order to encompass the sensitive issues that data protection and privacy rights present.
Key concerns of the EDPB and EDPS include the fact that issuing the Digital Green Certificate may create unintended secondary uses, and give rise to direct or indirect discrimination against individuals if they choose not to have the vaccine. The EDPB and EDPS state that there should be a common approach across all member states to accept all three types of certificate (vaccinated, recovered, and tested); otherwise, clear discrimination based on health data would occur, resulting in a fundamental breach of rights.
The joint opinion includes specific recommendations to the legal privacy framework for establishing the Digital Green Certificate:
The recommendations included in the joint opinion demonstrate that clear and precise rules governing the scope and application of the Digital Green Certificate are paramount. As reiterated by the EDPB and EDPS, an impact assessment of the Proposal is required in order to substantiate the impact of the measures being adopted as well as the effectiveness of the safeguards included to protect personal data. Effective, necessary, and proportionate measures will reassure citizens that the Digital Green Certificates will strike a balance between achieving the aims of the Proposal and protect the fundamental right to personal data.
It remains to be seen if the United Kingdom’s supervisory authority, the Information Commissioner’s Office (ICO), will issue a similar proposal now that the United Kingdom has left the European Union. We consider this is likely, particularly in light of the ICO’s stated commitment to help UK organizations operate within the data protection framework and navigate the pandemic.
Morgan Lewis has experience in navigating data protection laws. If your organization is interested in finding out more about the support we can provide, please contact one of the lawyers listed below.
Sharing insights and resources that help our clients prepare for and address evolving issues is a hallmark of Morgan Lewis. To that end, we maintain a resource center with access to tools and perspectives on timely topics driven by current events such as the global public health crisis, economic uncertainty, and geopolitical dynamics. Find resources on how to cope with the globe’s ever-changing business, social, and political landscape at Navigating the NEXT and Coronavirus COVID-19 to stay up to date on developments as they unfold. Subscribe now if you would like to receive a digest of new updates to these resources.
Trainee solicitor Christina Lewes contributed to this LawFlash.
If you have any questions or would like more information on the guidance discussed in this LawFlash, please contact any of the following Morgan Lewis lawyers:
Melis S. Kiziltay Carter