The Digital Green Certificate – what exactly is it?
As EEA member states proceed with vaccinations, many are advocating the use of certificates as a tool to reopen society safely. In this context, the EU Commission (Commission) is proposing the Digital Green Certificate (Certificate) to provide a harmonised framework to assist with ensuring free movement within the EEA, while COVID-19 continues to be a threat to public health. The Certificate will allow individuals freedom of movement between member states and will be proof, verifiable by a QR code, that an individual fulfils one of the following criteria:
- Vaccinated against COVID-19;
- Received a negative test result; or,
- Recovered from COVID-19.
On 31 March 2021, the EDPB and EDPS (Boards) released Joint Opinion 04/2021 (Opinion) regarding the Certificate and the proposed Regulation (Regulation), which provides the framework for the Certificate, to highlight areas where the Regulation needs further alignment with the EU data protection framework.
The Boards note the absence of scientific evidence that vaccination grants immunity or how long any immunity lasts. This has an impact on how the Certificate aligns with fundamental GDPR and Charter of Fundamental Rights of the EU (EU Charter) principles, such as effectiveness, proportionality, and non-discrimination in the processing of personal data.
Effectiveness and proportionality – Immunity rates from vaccinations are varied and, as a result, the Certificate is not as effective for the purposes of GDPR as if vaccinations guaranteed immunity. There is also a possibility of other methods achieving open EEA travel that do not intrude on privacy rights to the same extent. The Boards point to the absence of an impact assessment considering the effectiveness of the Certificate, and alternative or less intrusive measures of achieving open EEA travel.
Non-discrimination – The Boards refer to the EU Charter’s principle of non-discrimination, enshrined in Article 21, in encouraging the Commission to consider a comprehensive legal framework in drafting the Regulation. The Boards expressed concern about the potential for discrimination based on liberties being granted to some but not to others, on the basis of a Certificate which does not guarantee immunity. The Boards accept that there is a conflicting body of opinion on this matter.
Lack of a sunset provision
It is a fundamental principle of data protection rules that personal data should not be kept for longer than necessary. The Boards propose that the Regulation should expressly prohibit subsequent use of the data collected once the current COVID-19 pandemic has ended. The Boards’ concern centres on the potential for further use of data based on the current wording in the Regulation referring to COVID-19 “or similar infectious diseases with epidemic potential”. While this is still a restriction on use, the Boards suggest that this language should be changed to comply with the principle of purpose limitation.
The Certificate and permitted purposes
The Boards recognise that member states are likely to adopt the Certificate for EEA travel and also for domestic purposes, such as entry to pubs and shops. This is not the stated purpose in the Regulation, and as a result, member states must be careful to comply with Article 6(4) of GDPR relating to the processing of data for the purposes of collection. The Boards recommend that member states should ensure a proper legal basis for any further implementation of the Certificate beyond the intended purpose of facilitating free movement.
We are available to discuss and advise on any aspect of the Opinion or other related issues you might have. Please contact David Cullen, John O’Connor, Leo Moore or your usual William Fry contact with any queries.
Contributed by Raymond Sherry