EU Digital Green Certificate: Data Protection Considerations

The European Data Protection Board and European Data Protection Supervisor have published a joint opinion on the data protection aspects of the European Union's proposals for a Digital Green Certificate, a form of COVID-19 vaccine certification that aims to facilitate the free movement of people within the European Union and kickstart international travel.

Though the joint opinion notes that data protection should not be an obstacle to fighting the COVID-19 pandemic, it stresses the importance of full compliance with the EU General Data Protection Regulation (GDPR) so that the proposal for a Digital Green Certificate (Proposal) does not directly or indirectly jeopardize the fundamental right to the protection of personal data. The European Data Protection Board (EDPB) and European Data Protection Supervisor (EDPS) make a number of recommendations to ensure that the Proposal is legally sound, and underscore that the overarching principles of effectiveness, necessity, and proportionality are central to mitigating risks to data subjects in member states.

The Digital Green Certificate aims to establish a common framework for the issuance, verification, and acceptance of interoperable COVID-19 vaccination, testing, and recovery certificates. It will be available, free of charge, in a digital or paper format and will include a QR code to ensure security and authenticity. If implemented, the Proposal would facilitate third country nationals legally staying or residing in member states and who are entitled to travel within the European Union to provide reliable proof of vaccination.

The Proposal is currently pending the approval of the European Parliament and has been examined by the EDPB and EDPS to ensure that it is aligned with the GDPR. At the end of April, the European Parliament is expected to adopt its first reading position and informal trialogue negotiations are expected to commence thereafter.

EDPB and EDPS Recommendations

Given the nature of the measures put forward by the Proposal, the EDPB and the EDPS consider that the introduction of the Digital Green Certificate should be accompanied by a comprehensive legal framework. At the same time, both bodies suggest that the EU Commission take a holistic and ethical approach to the Proposal in order to encompass the sensitive issues that data protection and privacy rights present.

Key concerns of the EDPB and EDPS include the fact that issuing the Digital Green Certificate may create unintended secondary uses, and give rise to direct or indirect discrimination against individuals if they choose not to have the vaccine. The EDPB and EDPS state that there should be a common approach across all member states to accept all three types of certificate (vaccinated, recovered, and tested); otherwise, clear discrimination based on health data would occur, resulting in a fundamental breach of rights.

The joint opinion includes specific recommendations to the legal privacy framework for establishing the Digital Green Certificate:

• The Proposal must not lead to the creation of a central database of personal data. The EDPB and EDPS warn against the establishment of a central database under the pretext of the establishment of the Digital Green Certificate framework. The joint opinion states that specific data storage periods should be explicitly defined, and, in any event, it must be ensured that personal data is not retained any longer than what is strictly necessary.
• The Proposal must expressly provide that access and subsequent use of the data by member states is not permitted once the pandemic has ended. The EDPB and EDPS asserted that establishing clear parameters around the purpose of the Proposal is key to complying with the principle of purpose limitation. For example, both bodies stated that they were opposed to including wording that the Proposal could apply to “similar infectious diseases with epidemic potential” and that the scope should be confined to COVID-19 and its variants. Overall, the EDPB and EDPS consider that the scope of the Proposal should be strictly limited to the current pandemic and for the purpose of facilitating the free movement of people (and not restricting the movement of people). Once the pandemic has ended, the Digital Green Certificate should be suspended by the Commission as there would be no justification to require citizens to present health documents when exercising their right to free movement.
• National authorities should not introduce requirements of proof of vaccination for international travel as a condition for departure or entry. The EDPB and EDPS believe this would be inappropriate given there are still critical unknowns regarding the efficacy of vaccination in reducing transmission.
• The EDPB and EDPS highlight that a clear distinction should be made between a “vaccination certificate” and the term “immunity certificate.” The joint opinion states that the Digital Green Certificate should not be a “timestamped medical application or history . . . nor a means to assume immunity or contagiousness.” This is because, currently, there is little scientific evidence as to whether having received the COVID-19 vaccine (or having recovered from COVID-19) grants immunity, and, by extension, how long such immunity may last.
• Further clarity is required in relation to the roles of controller and processor in the Digital Green Certificate scheme. The EDPB and EDPS recommend that the Proposal publicly specify a list of all of the entities foreseen to be acting as controllers, processors, and recipients of the data under the GDPR in each member state.

Conclusion

The recommendations included in the joint opinion demonstrate that clear and precise rules governing the scope and application of the Digital Green Certificate are paramount. As reiterated by the EDPB and EDPS, an impact assessment of the Proposal is required in order to substantiate the impact of the measures being adopted as well as the effectiveness of the safeguards included to protect personal data. Effective, necessary, and proportionate measures will reassure citizens that the Digital Green Certificates will strike a balance between achieving the aims of the Proposal and protect the fundamental right to personal data.

It remains to be seen if the United Kingdom’s supervisory authority, the Information Commissioner’s Office (ICO), will issue a similar proposal now that the United Kingdom has left the European Union. We consider this is likely, particularly in light of the ICO’s stated commitment to help UK organizations operate within the data protection framework and navigate the pandemic.

How We Can Help

Morgan Lewis has experience in navigating data protection laws. If your organization is interested in finding out more about the support we can provide, please contact one of the lawyers listed below.

Navigating the NEXT.

Sharing insights and resources that help our clients prepare for and address evolving issues is a hallmark of Morgan Lewis. To that end, we maintain a resource center with access to tools and perspectives on timely topics driven by current events such as the global public health crisis, economic uncertainty, and geopolitical dynamics. Find resources on how to cope with the globe’s ever-changing business, social, and political landscape at Navigating the NEXT and Coronavirus COVID-19 to stay up to date on developments as they unfold. Subscribe now if you would like to receive a digest of new updates to these resources.

Trainee solicitor Christina Lewes contributed to this LawFlash.

Contacts

If you have any questions or would like more information on the guidance discussed in this LawFlash, please contact any of the following Morgan Lewis lawyers:

Philadelphia
Gregory Parks
Ezra Church
Kristin Hadgis

San Francisco
Reece Hirsch

Paris
Charles Dauthier 

Washington, DC
Ronald Del Sesto
Dr. Axel Spies