The European Union has proposed a framework for certificates showing whether the holder has been vaccinated, has had COVID-19 or has tested negative. The European Data Protection Board (EDPB), together with the European Data Protection Supervisor (EDPS), has issued a formal statement on the privacy implications.
On 17 March, the European Commission presented a bill on the issuance, verification and acceptance of coronavirus certificates, also known as “digital green certificates”. The purpose of certificates is to make it easier to travel across national borders in Europe.
The certificates will take the form of a QR code, on paper or in an app, and will be valid in all countries of the European Union. If adopted, the regulation will probably be incorporated into the EEA Agreement, which is why it also matters for Norway.
The European Union proposes that the certificate be used at borders and that no data be stored when the certificate is read.
The EDPB and the EDPS have now issued a formal statement on the draft law as part of the legislative procedure.
It has to be necessary and proportionate
The EDPB and the EDPS state that privacy does not stand in the way of fighting the pandemic. This means that it must not block good solutions, but also that solutions must be proportionate, go no further than necessary and respect the principles of data protection.
It is important to remember that a person's coronavirus status is sensitive information. If a young person who is not a health worker has been vaccinated, that fact may be sensitive because it indicates that he or she belongs to a risk group and for that reason was prioritised in the vaccine queue.
The statement points out that the bill lacks an impact assessment, which makes it difficult to demonstrate the effect of the bill. At the same time, the statement recognises the extraordinary situation we are in and that this situation also carries a number of risks.
Risk of discrimination
The statement underlines that the purpose of the certificates must be clearly stated in the law. It further stresses that the law should include measures to minimize risks to individuals, including the risk of unintentional secondary use.
States may also wish to use the certificates within the country, for example in connection with infection-control measures.
The use of certificates within a country can lead to discrimination, for example in the workplace.
The statement recalls that if the certificates are to be used for purposes other than border crossing, this must have a separate legal basis for processing in national legislation.
An impact assessment has to be carried out, the law has to provide sufficient guarantees that the rights of individuals are protected and the measure has to be appropriate, necessary and proportionate. Any legal or factual discrimination must be avoided.
Discrimination may occur, for example, if a country accepts only vaccination certificates and not certificates of recovery or of a negative test. The EDPB and the EDPS think that the law should require all countries to accept all three types of certificate: that the holder has been vaccinated against COVID-19, has had COVID-19 or has tested negative.
It can be extended
The bill gives the European Commission further powers to make changes along the way. The Commission may amend which personal data are included in the certificate and may declare that the framework also applies in other pandemic situations. The EDPB and the EDPS ask that these powers be narrowed.
The bill also states that the Commission will suspend the framework when the pandemic is over. The EDPB and the EDPS call for clearer rules ensuring that the data cannot be accessed or used after the pandemic.
Security and unanswered questions
The statement notes that the bill is not clear enough on how information security is to be protected. In addition, it identifies a number of other questions the draft does not answer:
- Which actors will be the controllers and responsible for the data processing?
- Is the certificate in line with the principle of data minimization?
- Should the certificate be issued automatically or only when the person requests it?
- Will personal data be transferred outside the EEA?