On March 17, 2021, the European Commission presented a proposal to create a Digital Green Certificate (the Certificate) to facilitate the free movement of citizens within Member States during the COVID-19 pandemic while ensuring public health safety.
The Certificate will allow movement between Member States to occur in a safe way, thus limiting the risk of spreading the virus within EC territory. This certificate will not discriminate against individuals who have not yet been vaccinated. In fact, the Certificate will not be used as a precondition for travel but will allow movement to take place more easily, avoiding possible restrictions imposed by individual states, such as quarantine or testing for COVID-19.
One of the most hotly debated issues regarding the Digital Green Certificate, informally referred to as a Vaccination Passport, concerns the protection of personal data, which will be further discussed below.
1. Digital Green Certificate: Main features and minimum information required
The Certificate will be issued in digital format by each Member State and may include three different types of certification: the certification of (i) vaccination, (ii) testing (non-self-diagnostic), and (iii) recovery from COVID-19.
The information on the Certificate is strictly used to verify the identity of the subject and the authenticity of the Certificate (i.e., name, Member State of issuance, and unique identifier of the certificate) as well as to ascertain technical characteristics related to the vaccine (e.g., producer), the test (e.g., type of test and date it was performed), or recovery (e.g., date determined), depending on the type of certification that is shown.
2. Implementation of the Digital Green Certificate in each Member State
Each Certificate must contain a QR code with a digital signature, which will be scanned and checked at the time of verification in order to make sure the Certificate is authentic.
For this purpose, each Certificate issuing body (e.g., hospitals, health authorities) will have its own digital signature key. These keys will be stored in a secure database within each Member State. Moreover, the European Commission will build a gateway through which it will be possible to verify the digital signature on the Certificate, regardless of the issuing Member State.
In this regard, the choice made by the European Commission to use a regulation as the normative instrument to introduce the Digital Green Certificate becomes essential. A regulation guarantees immediate and uniform implementation of the rules governing the Certificate, thus avoiding problems involving recognition of the authenticity of the Certificates themselves.
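The signing and verification arrangement described in this section (one signature key per issuing body, public keys reachable through a common gateway) looks like this in code. This is an added example, not code from the proposal or from the European Commission; the Ed25519 algorithm, the key identifiers, the payload layout and all function names are assumptions made for illustration.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"errors"
	"fmt"
)

// Certificate stands in for the signed QR content (layout is an assumption).
type Certificate struct {
	KeyID     string // which issuing body's key signed it
	Payload   []byte // name, Member State of issuance, unique identifier, ...
	Signature []byte
}
// TrustList holds issuer public keys as a verifier would fetch them via the gateway.
type TrustList map[string]ed25519.PublicKey

var ErrUnknownIssuer = errors.New("issuer key not in trust list")
var ErrBadSignature = errors.New("signature does not match certificate content")

// signedBytes binds the key identifier to the payload so neither can be swapped.
func signedBytes(keyID string, payload []byte) []byte {
	return append([]byte(keyID+"\x00"), payload...)
}
func Issue(keyID string, priv ed25519.PrivateKey, payload []byte) Certificate {
	return Certificate{keyID, payload, ed25519.Sign(priv, signedBytes(keyID, payload))}
}

// Verify needs only the trust list: no call to the issuer, nothing stored.
func Verify(tl TrustList, c Certificate) error {
	pub, ok := tl[c.KeyID]
	if !ok {
		return ErrUnknownIssuer
	}
	if !ed25519.Verify(pub, signedBytes(c.KeyID, c.Payload), c.Signature) {
		return ErrBadSignature
	}
	return nil
}
// Demo uses constructed keys (fixed seeds) and a constructed payload.
func Demo() (valid, tampered, unlisted error) {
	hospital := ed25519.NewKeyFromSeed(bytes.Repeat([]byte{1}, ed25519.SeedSize))
	other := ed25519.NewKeyFromSeed(bytes.Repeat([]byte{2}, ed25519.SeedSize))
	tl := TrustList{"IT-hospital-01": hospital.Public().(ed25519.PublicKey)}
	cert := Issue("IT-hospital-01", hospital, []byte(`{"id":"constructed-0001","type":"vaccination"}`))
	altered := Certificate{cert.KeyID, []byte(`{"id":"constructed-0002","type":"vaccination"}`), cert.Signature}
	return Verify(tl, cert), Verify(tl, altered), Verify(tl, Issue("XX-unlisted", other, cert.Payload))
}
func main() { fmt.Println(Demo()) }
```

The verifier accepts a certificate only when its key identifier appears in the trust list and the signature covers the exact content shown, which is why a check at the border requires neither contacting the issuing body nor retaining the data.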
3. The processing of personal data contained in the Digital Green Certificate
Article 9 of the proposed regulation provides certain guarantees to ensure the protection of personal data processed to create a Digital Green Certificate.
As already mentioned, the Certificate contains only data strictly necessary to verify the identity of the subject and the data related to vaccination, the negative outcome of a test, or the recovery of a patient. The amount and type of information collected in the Certificate therefore seem to be in line with the principle of minimization.
It is clear that not only personal data will be processed, but also data concerning health—the processing of which may be supported, as in this case, for reasons of substantial public interest (i.e., to facilitate the free movement of persons within EU territory in safety) on the basis of EU law.[1]
Furthermore, these data can be consulted by the competent authorities of the country of destination but cannot be stored by the countries visited. The data will therefore be stored only by the Member State that issued the certificate, while the creation of a European database is not foreseen. In any case, the data necessary for the Certificate will be retained only for the period of use of Certificates during the pandemic in order to allow effective exercise of free movement within Member States.
Under the proposed Regulation, the authorities in charge of issuing the Certificates are considered data controllers.
In light of the above, it is clear that the European legislature deemed this solution practicable while striking a balance between the principle of free movement of persons between Member States, the protection of public health, and the right to protection of personal data recognized by Regulation (EU) 2016/679 (GDPR). However, in order for the project to be implemented effectively, Member States will have to come to unanimous agreement (on such items as, for example, the proposal’s respect for the principles on the protection of personal data) and operational and IT capacity must exist to guarantee the issuance of Certificates under the minimum requirements at the European level requested from each Member State.
Recently, the European Data Protection Board (EDPB) and the European Data Protection Supervisor (EDPS) have adopted a joint opinion on the EU Proposal for the Digital Green Certificate. With this opinion, they provided recommendations and suggestions for the implementation of the Certificate in accordance with EU personal data protection legislation.[2]
4. Considerations at a national level: the Italian Data Protection Authority on a possible local vaccination pass
Before the proposed regulation for the Digital Green Certificate was published, the Italian Data Protection Authority expressed its opinion on what was called a national vaccination pass, i.e., a digital-format solution that public or private service providers might require as a necessary condition to access certain places or to use services.
First, such solutions risk discriminating against those who have not yet had access to the vaccination campaign and those who choose not to vaccinate. Therefore, such tools—if implemented improperly—could harm the fundamental freedoms granted to individuals and, for example, lead to vaccination against COVID-19 being perceived as compulsory health treatment.
Also from the perspective of the confidentiality of personal data, critical issues could arise. In fact, such measures—adopted in an uneven and uncontrolled manner in national territory—could lead to violation of the right to privacy if implemented in violation of the principles set out in the GDPR (e.g., the principle of proportionality, purpose limitation, and data minimization). In this light, in a press release dated March 1, 2021, the Italian Data Protection Authority reiterated that any appropriate measures to introduce vaccine passports in national territory must be adopted by the state legislature, in compliance with existing legislation and while striking an appropriate balance between public interest, health protection, and protection of personal data.
This declaration by the Italian Data Protection Authority is in accordance with the principles cited in the text of the EU Regulation and does not represent opposition to the adoption of similar solutions; it merely takes a stance against the schizophrenic and inconsistent adoption of tools potentially capable of damaging constitutionally guaranteed rights. Moreover, we note that if the Regulation is adopted at the European level, it will regulate only movement between Member States. It will then be up to each individual Member State to introduce instruments similar to the Digital Green Certificate within its territory, via national law, if necessary.
[1] This legal basis, provided in Article 9(2)(g), is cited in Recital 37 of the proposed Regulation.
[2] EDPB press release available at the following page.