COVID-19: EDPB and EDPS Recommendations for Digital Green Certificate
Once implemented, the Digital Green Certificate that has been proposed by the European Commission will allow EU citizens to travel freely between Member States during the pandemic on producing a verifiable certificate on vaccination, testing or recovery. The European Data Protection Board (“EDPB”) and the European Data Protection Supervisor (“EDPS”) have published recommendations regarding the data protection implications of this proposal.
The Digital Green Certificate
On 17 March 2021, the European Commission (the “Commission”) proposed to create a Digital Green Certificate to facilitate travel in the EU during the Covid-19 pandemic (the “Proposal”). The proposed Digital Green Certificate would consist of three types of certificates:
- Vaccination certificates;
- Test certificates; and
- Recovery certificates (demonstrating recovery from Covid-19 within the previous 180 days).
The Digital Green Certificate will be free of charge, in digital form or on paper, and will have a digital signature and QR code containing key information. The Commission has stated that it will build a gateway to support Member States to develop software that authorities can use to verify the Digital Green Certificate. It is proposed to be a temporary measure that will be suspended once the World Health Organisation (“WHO”) declares the end of the Covid-19 pandemic.
The Commission’s intention is that the Digital Green Certificate can be issued and used in all Member States to facilitate free movement by EU citizens, and in certain circumstances, citizens of third countries, by allowing certain restrictions to be waived, such as mandatory testing and quarantine. However, in order to prevent discrimination, the Proposal also states that the Digital Green Certificate will not be a pre-condition to travel, and is designed to make it easier to travel in certain circumstances where quarantine or testing measures are in place.
EDPB and EDPS Joint Assessment
The Proposal states that the processing of personal data is limited to the minimum necessary for the purposes of the Proposal (with the specific data fields for each type of certificate set out in the Annex to the Proposal), that the data obtained when verifying the certificates should not be retained, and that the framework does not require the creation of a central database. On 31 March 2021, the EDPB and the EDPS issued a joint opinion on the Proposal (the “Opinion”). The Opinion initially sets out a number of general comments on the Proposal, including the following:
- Importance of general principles: The Opinion emphasises the importance of the general principles of effectiveness, necessity and proportionality. It notes that there is a lack of scientific evidence supporting the assumption that vaccination or recovery results in immunity to Covid-19, and refers to the ongoing debate regarding the potential risk of discrimination from the use of vaccination certificates if they are taken to be indicative of immunity or contagiousness. In this regard, the Opinion notes the lack of an impact assessment carried out with respect to the Proposal. However, the Opinion acknowledges the urgency of the issue, noting the risks arising to free movement and public health, and the risk of forgery and false certificates. The Opinion states that the Digital Green Certificate must be accompanied by adequate technical and organisational measures safeguarding against manipulation and falsification;
- Further use of the Digital Green Certificate: The Opinion notes that Member States may consider extending the application of the Digital Green Certificate, such as to allow entry to shops, restaurants or gyms. However, it emphasises that any further use of the Digital Green Certificate must respect Articles 7 and 8 of the Charter of Fundamental Rights of the European Union (the “Charter”), and be in compliance with the GDPR. The Opinion states that any proposed further use must have a proper legal basis in Member State law, comply with the principles of effectiveness, necessity and proportionality, and include appropriate safeguards to avoid discrimination and prevent retention of personal data. The Opinion also notes that any further processing will depend on its compatibility with the legal basis set out in relation to the original purpose, and recommends that the Proposal better define the purpose of the Digital Green Certificate and provide for a mechanism for monitoring its further use by Member States; and
- Post-pandemic use cannot be permitted: The Opinion emphasises that the Proposal must expressly state that the Digital Green Certificate may not be used or accessed once the current Covid-19 pandemic has ended. The Opinion opposes the ‘open door’ included in the Proposal providing that the Digital Green Certificate may be open to use in relation to other similar infectious diseases declared by the WHO in the future.
Specific data protection considerations
The Opinion also provides specific recommendations to ensure the protection of personal data, relating to: adjustments to the text of the Proposal for clarity; categories of personal data; technical and organisational measures; the identification of controllers and processors; transparency; data storage; and international data transfers. These include the following comments:
- Categories of personal data: Specific categories of data that will be contained in the Digital Green Certificates are set out in the Annex to the Proposal. However, the Opinion states that further explanation should be provided as to the need for certain data and whether all data needs to be included in the QR code. The Opinion also highlights the absence of an expiry date in the data fields specified, which is relevant to a lack of specification of retention periods. It notes that the Commission is empowered to adopt delegated acts to add, modify or remove data fields. The Opinion also recommends that only more detailed sub-categories of data falling under already defined categories should be added and that the EDPS (and EDPB where applicable) should be consulted in such circumstances;
- Identification of data controllers and processors: The Opinion notes that the Proposal states that the authorities responsible for issuing the Digital Green Certificate shall be considered to be controllers under the GDPR. However, the Opinion recommends that the Proposal state that a list of all entities considered to be controllers, processors or recipients of personal data in connection with the Digital Green Certificate shall be made public to allow EU citizens to exercise their data protection rights under the GDPR; and
- International data transfers: The Opinion notes that the Proposal provides for the cross-border transfer of personal data for the purpose of verification, and that it provides that the framework shall ensure, where possible, interoperability at an international level. The Opinion considers that this would be opening the door to potential transfers of personal data outside the EEA in certain circumstances. The Opinion recommends that the Proposal explicitly clarify circumstances in which international transfers of personal data are expected, if any, and include safeguards to ensure that the third countries will only process the personal data for the purposes specified by the Proposal.
The Proposal must be adopted by the European Parliament and the Council of the European Union, and in setting out the recommendations in the Opinion, the EDPB and EDPS invited the co-legislators of the EU to ensure that the Digital Green Certificate is fully in line with the GDPR. The Council of the European Union agreed proposed amendments to the Digital Green Certificate on 14 April, some of which strengthen the data protection provisions on the basis of the Opinion, and the European Parliament vote on the Proposal is due on 28 April. The Commission has stated that the intention is that the Digital Green Certificate will be in place by the summer of 2021.
Also contributed by Lisa Leonard.
This document has been prepared by McCann FitzGerald LLP for general guidance only and should not be regarded as a substitute for professional advice. Such advice should always be taken before acting on any of the matters discussed.