One of the reasons why I love working in the world of data protection and privacy is that it is a rapidly evolving and changing area of law.
This week, the European Data Protection Board (EDPB) and the European Data Protection Supervisor (EDPS) issued a joint Opinion on the data protection aspects of the European Commission's proposed COVID-19 Digital Green Certificate framework: edpb_edps_joint_opinion_dgc_en.pdf (europa.eu).
Background
Since the COVID-19 pandemic commenced, EU Member States have adopted various measures affecting the right to move freely within the EU (eg entry restrictions, quarantine requirements and vaccination certificates). On 17 March 2021, the European Commission published two Proposals for a Digital Green Certificate Regulation. Both Proposals aim to facilitate the exercise of the right to free movement within the EU during the COVID-19 pandemic by establishing a common framework for certificates of COVID-19 vaccination, testing and recovery, entitled the "Digital Green Certificate". Three types of certificate are proposed: a vaccination certificate, a test certificate and a certificate of recovery. The Proposals would require all EU Member States to use the Digital Green Certificate framework and to issue certificates in order to facilitate the right to free movement within the EU.
In introducing a Digital Green Certificate, the Commission's stated aim is to facilitate intra-EU free movement during a pandemic in which Member States currently take a fragmented approach to restrictions and quarantine. There are risks in not having a common approach to vaccination certificates, including forgery and the black-market sale of fake certificates, as well as the resulting impact on free movement. Harmonising the approach may mitigate these risks and facilitate free movement.
Privacy and Data Protection concerns
Given that the Digital Green Certificate will involve the collection and processing of vast swathes of sensitive personal data, including health data, which is Special Category Personal Data under Article 9 GDPR, the EDPB/EDPS joint Opinion makes welcome recommendations to preserve EU citizens' privacy and data protection rights when these are balanced against other rights such as the right to free movement. The Opinion makes recommendations and observations on the privacy and data protection aspects of the Commission's Proposals and notes that "data protection does not constitute an obstacle for fighting the current pandemic". However, it is essential that the general principles of effectiveness, necessity and proportionality guide these measures. A similar point was previously made by Helen Dixon, the Irish Data Protection Commissioner, in an IAPP session I moderated last year on the topic of "Necessity and Proportionality in a Pandemic". The point remains an essential part of the toolkit for European institutions and Member States when legislating for management of the COVID-19 pandemic.
Article 52 of the EU Charter of Fundamental Rights requires that the necessity and proportionality of the measures set out in the Proposals be analysed so as to strike a fair balance between the objectives pursued by the Digital Green Certificate and other rights, including the rights to privacy, data protection and non-discrimination, and other fundamental freedoms such as freedom of movement and residence. It is important that these rights are appropriately balanced and considered. In balancing these rights during a pandemic, the EDPB/EDPS Opinion points to compliance with the principles of the GDPR (as set out below), to requirements under Member State law, and to strong and specific safeguards following a "proper impact assessment". In general, the Opinion suggests that the Proposals could better define the purpose of the Digital Green Certificate and provide a mechanism for monitoring its use.
A fundamental concern expressed by the EDPB and the EDPS is that the Proposals should be limited in scope and purpose. They state that recital 42 and Article 15 of the Proposals must be amended in order to rule out any future use of the Digital Green Certificate once the pandemic has ended, and to limit the scope of the Proposals to the current COVID-19 pandemic and the SARS-CoV-2 virus. In this regard, the EDPB and the EDPS state their opposition to the "open door" included in Article 15 of the Proposal, whereby the Commission may declare the further application of the Regulation in the future if the WHO declares a public health emergency in relation to SARS-CoV-2, "a variant thereof, or similar infectious diseases with epidemic potential". The EDPB and the EDPS recommend the deletion of the wording "similar infectious diseases with epidemic potential" in order to comply with the principle of purpose limitation and confine the scope of the Digital Green Certificate to the COVID-19 pandemic.
GDPR Recommendations
Firstly, the EDPB and the EDPS highlight that the Proposals do not allow for, and must not lead to, the creation of any sort of personal data central database at EU level under the pretext of the establishment of the Digital Green Certificate framework. The Opinion also highlights areas where the Proposals require further alignment with the GDPR as follows:
- Controllers and Processors – Under the terms of the Proposal, the authorities responsible for issuing the Digital Green Certificate are to be considered controllers. Article 8(g) of the Proposal provides that the Commission shall adopt implementing acts containing the technical specifications and rules to allocate responsibilities amongst controllers and processors. However, the Proposal should specify that a list of all the entities foreseen to be acting as controllers, processors and recipients of the data in each Member State (other than the authorities responsible for issuing the certificates) shall be made public. This will allow EU citizens to know the identity of the entity to whom they may apply to exercise their data protection rights under the GDPR. The EDPB and the EDPS also recommend clarifying the role of the Commission, within the meaning of data protection law, in the framework guaranteeing interoperability between the certificates.
- Lawful, Fair and Transparent Processing: the lawful basis for the measures should be set out in the Regulation and the framework should include a justification of the need for the categories and data fields of personal data to be processed. The Commission should ensure that the transparency of the processes is clearly outlined to enable citizens to exercise their data protection rights.
- Purpose limitation – the certificates should be limited to COVID-19. Currently the Proposal includes as a data field of the certificate the "disease or agent the citizen has recovered from". The EDPB and the EDPS consider that, given the scope of the draft Proposal, the disease or agent from which the citizen has recovered should be limited to COVID-19, including its variants.
- Data minimisation principles should be adopted in the context of the information included in the certificates and an explanation given as to whether all categories of personal data provided need to also be included in the QR code of the certificates.
- Accuracy – the Opinion notes that the Framework enables citizens to obtain certificates free of charge as well as new certificates if the personal data contained in the Digital Green Certificate is no longer accurate or up to date, or the certificate is no longer available to the holder. Modified certificates should be issued on request of the data subject.
- Storage Limitation – The Proposal "does not create a legal basis for retaining personal data obtained from the certificate by the Member State of destination or by the cross-border passenger transport services operators". The Regulation states that "the personal data processed for the purpose of issuing the certificates referred to in Article 3, including the issuance of a new certificate, shall not be retained longer than is necessary for its purpose and in no case longer than the period for which the certificates may be used to exercise the right to free movement". This reflects the GDPR storage limitation principle (Article 5(1)(e)). The EDPB/EDPS Opinion recommends that the expiry date of each certificate be specified, and the data held only for as long as is necessary. Specific data storage periods should be explicitly defined; if this is not possible, then at least the criteria used to determine the storage period should be specified. The EDPB and the EDPS consider that, in any case, the storage period in Member States should not go beyond the end of the COVID-19 pandemic, in line with Article 15(2) of the Proposals.
- Integrity and Confidentiality – the Proposals should state that controllers and processors shall take adequate technical and organisational measures to ensure a level of security appropriate to the risk of the processing, in line with Article 32 GDPR. These measures should include, for example, processes for regular testing, assessment and evaluation of the effectiveness of the privacy and security measures adopted.
- Data Subject Rights – The Proposals state that "[t]he holder shall be entitled to request the issuance of a new certificate if the personal data contained in the certificate is not or no longer accurate or up to date". This is in line with Articles 5(1)(d) and 16 GDPR. The Opinion states that the certificates should be available in both digital and paper-based formats, to ensure the inclusion of all citizens.
- Data protection by default – verification techniques not requiring transmission of personal data must be employed by default, whenever technically possible.
- International Data Transfers may be necessary "to confirm and verify the holder's vaccination, testing or recovery status" and for international interoperability reasons. The EDPB and the EDPS therefore recommend that the Commission explicitly clarify whether and when international transfers of personal data are expected, and include safeguards in the legislation to ensure that third countries will only process the personal data exchanged for the purposes specified by the Proposals.
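Several of the points above (data minimisation of the fields carried in the certificate, an explicit expiry date, integrity of the certificate against forgery, and verification "not requiring transmission of personal data") come together in a single design pattern: the issuer signs a minimal payload, and a verifier checks the signature and validity window locally using only the issuer's public key, transmitting nothing and retaining nothing. The following Go program is an added illustration of that pattern written for this article; it is not the Commission's Proposal, the Opinion, or the actual Digital Green Certificate technical specification. The field names, the ECDSA P-256/JSON encoding, the "COVID-19" literal, the sample holder data and the trust model (verifier already holds the issuer's public key) are all assumptions chosen for the example; how verifiers obtain and trust issuer keys is outside its scope.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/json"
	"errors"
	"fmt"
	"time"
)

// Certificate carries only the fields a verifier needs (data minimisation).
// Field names and layout are assumptions for this example, not the DGC schema.
type Certificate struct {
	Issuer   string `json:"iss"` // issuing authority (the controller)
	Subject  string `json:"sub"` // holder name as shown on the travel document
	Disease  string `json:"tg"`  // disease the certificate relates to
	Type     string `json:"t"`   // "vaccination", "test" or "recovery"
	IssuedAt int64  `json:"iat"` // Unix time of issuance
	Expires  int64  `json:"exp"` // explicit expiry (storage limitation)
}

// Signed is the issuer's output: the encoded payload plus an ECDSA signature.
type Signed struct {
	Payload   []byte
	Signature []byte
}

// Issue encodes the certificate and signs the SHA-256 digest with the issuer key.
func Issue(key *ecdsa.PrivateKey, c Certificate) (Signed, error) {
	payload, err := json.Marshal(c)
	if err != nil {
		return Signed{}, err
	}
	digest := sha256.Sum256(payload)
	sig, err := ecdsa.SignASN1(rand.Reader, key, digest[:])
	if err != nil {
		return Signed{}, err
	}
	return Signed{Payload: payload, Signature: sig}, nil
}

// Verify checks a certificate entirely offline: it needs only the issuer's
// public key and the current time, sends nothing anywhere and keeps no copy.
// The signature is checked before the payload is parsed, so a forged or
// tampered certificate is rejected without trusting any of its contents.
func Verify(pub *ecdsa.PublicKey, s Signed, now time.Time) (Certificate, error) {
	digest := sha256.Sum256(s.Payload)
	if !ecdsa.VerifyASN1(pub, digest[:], s.Signature) {
		return Certificate{}, errors.New("signature invalid: forged, tampered or unknown issuer")
	}
	var c Certificate
	if err := json.Unmarshal(s.Payload, &c); err != nil {
		return Certificate{}, err
	}
	// Purpose limitation: the verifier accepts only the disease in scope.
	if c.Disease != "COVID-19" {
		return Certificate{}, errors.New("disease out of scope for this certificate scheme")
	}
	if !now.Before(time.Unix(c.Expires, 0)) {
		return Certificate{}, errors.New("certificate expired")
	}
	return c, nil
}

func main() {
	issuerKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader) // issuer's signing key
	if err != nil {
		panic(err)
	}
	now := time.Now()
	// Constructed sample data for the demonstration.
	signed, err := Issue(issuerKey, Certificate{
		Issuer: "Example Health Authority", Subject: "Doe, Jane", Disease: "COVID-19",
		Type: "vaccination", IssuedAt: now.Unix(), Expires: now.Add(30 * 24 * time.Hour).Unix(),
	})
	if err != nil {
		panic(err)
	}
	// The verifier holds only the public key; nothing is transmitted back.
	if c, err := Verify(&issuerKey.PublicKey, signed, now); err == nil {
		fmt.Printf("accepted: %s %s certificate for %s\n", c.Issuer, c.Type, c.Subject)
	}
	// A single flipped byte in the payload invalidates the signature.
	tampered := Signed{Payload: append([]byte(nil), signed.Payload...), Signature: signed.Signature}
	tampered.Payload[len(tampered.Payload)-3] ^= 0x01
	_, err = Verify(&issuerKey.PublicKey, tampered, now)
	fmt.Println("tampered:", err)
}
```

The verifier in this sketch never needs a network connection or a central database: it learns only what the payload states, and the payload states only what verification requires. Anything beyond this (key distribution between Member States, revocation, the paper format) would need to be specified separately, as the Opinion's comments on interoperability and international transfers suggest.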
Conclusion
When drafting legislation, it is crucial that various rights which may be impacted are balanced appropriately and relevant protections adopted. The EDPB/EDPS Opinion provides a roadmap to help the EU Commission to undertake this balancing exercise effectively in terms of privacy and data protection rights. It will now be a matter for the Commission to amend the Proposals where appropriate, in light of this Opinion. In doing so, the Commission’s Proposals may result in a more robust framework that is more likely to withstand the scrutiny of the Court of Justice, if an application is made to that court.
Please contact Kate Colleary with any queries.