Europe is working on a corona passport, the ‘Digital Green Certificate’. The European Data Protection Board (EDPB) and the European Data Protection Supervisor (EDPS) on 6 April announced that they have adopted a joint opinion on the proposals for this certificate.
In the press release regarding this opinion EDPS and EDPB say:
that it is necessary to mitigate the risks to fundamental rights of EU citizens and residents that may result from issuing the Digital Green Certificate, including its possible unintended secondary uses. The EDPB and the EDPS underline that the use of the Digital Green Certificate may not, in any way, result in direct or indirect discrimination of individuals, and must be fully in line with the fundamental principles of necessity, proportionality and effectiveness. Given the nature of the measures put forward by the Proposal, the EDPB and the EDPS consider that the introduction of the Digital Green Certificate should be accompanied by a comprehensive legal framework.
Andrea Jelinek, Chair of the EDPB, said: “A Digital Green Certificate that is accepted in all Member States can be a major step forward in re-starting travel across the EU. Any measure adopted at national or EU level that involves processing of personal data must respect the general principles of effectiveness, necessity and proportionality. Therefore, the EDPB and the EDPS recommend that any further use of the Digital Green Certificate by the Member States must have an appropriate legal basis in the Member States and all the necessary safeguards must be in place.”
Wojciech Wiewiórowski, EDPS, said: “It must be made clear that the Proposal does not allow for – and must not lead to – the creation of any sort of central database of personal data at EU level. In addition, it must be ensured that personal data is not processed any longer than what is strictly necessary and that access to and use of this data is not permitted once the pandemic has ended. I have always stressed that measures taken in the fight against COVID-19 are temporary and it is our duty to ensure that they are not here to stay after the crisis.”
In the current emergency situation caused by the COVID-19 pandemic, the EDPB and the EDPS insist that the principles of effectiveness, necessity, proportionality and non-discrimination are upheld. The EDPB and the EDPS reiterate that, at the moment of writing, there seems to be little scientific evidence as to whether having received the COVID-19 vaccine (or having recovered from COVID-19) grants immunity, and, by extension, how long such immunity may last. But scientific evidence is growing daily.
Moreover, a number of factors are still unknown regarding the efficacy of the vaccination in reducing transmission. The Proposal should lay down clear and precise rules governing the scope and application of the Digital Green Certificate and impose appropriate safeguards. This will allow individuals, whose personal data is affected, to have sufficient guarantees that they will be protected, in an effective way, against the risk of potential discrimination.
The Proposal must expressly include that access to and subsequent use of individuals’ data by EU Member States once the pandemic has ended is not permitted. At the same time, the EDPB and the EDPS highlight that the application of the proposed Regulation must be strictly limited to the current COVID-19 crisis.
The Joint Opinion includes specific recommendations for further clarifications on the categories of data concerned by the Proposal, data storage, transparency obligations and identification of controllers and processors for the processing of personal data.
Hopefully European institutions will follow the recommendations.
— Ellen Timmer (@Ellen_Timmer) April 6, 2021
On this blog on the corona-passport:
- Het digitale groene certificaat | corona-paspoort, 26 March 2021
- Vaccination, immunity certificates, and the permanent pandemic | Privacy International, 19 March 2021
Addition 14 April 2021
Security.nl on the opinion: EDPS: coronapaspoort niet voor soortgelijke infectieziektes inzetten.
Addition 6 May 2021
The Council of Europe announces statements by the Bioethics Committee and the Data Protection Convention Committee (4 May 2021):
Vaccine passes: protecting human rights and personal data
Statements by the Bioethics Committee and the Data Protection Convention Committee
At a time where vaccination campaigns are accompanied by a willingness to relax restrictions taken to protect public health against the threat of the COVID-19 pandemic, the issue of a “vaccine pass” is being raised in Europe as well as in other parts of the world.
In a statement on human rights considerations relevant to a “vaccine pass” and similar documents, the Committee on Bioethics is calling for careful deliberation on the challenges raised by such a pass and on the steps taken to ensure that the human rights and fundamental freedoms of all individuals are promoted and protected.
The Committee distinguishes between medical and non-medical purposes for the use of such “passes” and examines the ethical and human rights issues involved, taking into account the still limited scientific knowledge.
The Committee on Bioethics also concurs with the conclusions of the Secretary General of the Council of Europe that “combating the current pandemic depends, above all, on the increased efforts to produce and administer vaccines, with particular attention to people in vulnerable situations, so that restrictions to individual freedoms and constraints imposed can be progressively reviewed as the population acquires greater immunity, taking into account acquired scientific knowledge”.
In its statement, the Data Protection Convention Committee calls for data protection safeguards to be strictly respected in the Covid-19 national vaccination programmes as well as in certificates attesting vaccination, results of negative tests or a past infection. Noting the complex challenges related to protecting public health and combatting the pandemic, the committee welcomes the work that is being done to enable vaccination certificates to be harmonised and interoperable at European and international levels.
However, it also warns that the use of such vaccination certificates – or those containing the results of negative tests or of a past Covid-19 infection – for non-medical purposes raises human rights issues which should be carefully considered, notably in respect of the right to data protection and the principle of non-discrimination. Therefore, all the digital tools used to limit infection, including those which require the processing of data on vaccination and negative tests, must respect the principles of necessity, proportionality and non-discrimination. In particular, data bases as they rely on sensitive data should be used ensuring strict respect of the right to data protection. The committee recommends decentralised solutions both for the storage of the data contained in these certificates, for example, on users’ mobile devices, and for the data collected by national IT systems supporting vaccination programmes.