The Proposal for a Digital Green Certificate (Proposal) aims to facilitate the exercise of the right to free movement within the EU during the COVID-19 pandemic by establishing a common framework for the issuance, verification and acceptance of interoperable certificates on COVID-19 vaccination, testing and recovery.
Pending the approval of the European Parliament, the Proposal has been examined by the European Data Protection Board (EDPB) and the European Data Protection Supervisor (EDPS) with a specific focus on the protection of personal data, which “represent a fundamental aspect”.
In their joint opinion, the EDPB and the EDPS recall that data protection does not constitute an obstacle to fighting the current pandemic and, therefore, recommend that the Digital Green Certificate be fully in line with EU personal data protection legislation: not only for the sake of legal certainty, but also “to avoid that the Proposal has the effect of directly or indirectly jeopardizing the fundamental right to the protection of personal data”.
The Proposal should achieve a fair balance between the objectives of general interest pursued by the Digital Green Certificate and the individual's interest in self-determination, as well as respect for his or her fundamental rights to privacy, data protection and non-discrimination, and other fundamental freedoms, such as freedom of movement and residence. Specific attention should be paid to ensuring compliance with the fundamental principles of effectiveness, necessity and proportionality in the processing of personal data, and to mitigating risks to the fundamental rights of data subjects, including risks of unintended secondary use of the Digital Green Certificate as well as of direct and/or indirect discrimination.
The following summarizes the general recommendations of the EDPB and the EDPS on the legal framework for establishing the Digital Green Certificate:
- the Digital Green Certificate should neither be a mere verifiable proof of a timestamped factual medical application or history that will facilitate the free movement of EU citizens due to its common format in all Member States, nor a means to assume immunity or contagiousness;
- it should not introduce requirements of proof of COVID-19 vaccination for international travel as a condition for departure or entry;
- the Proposal should better define the purpose of the Digital Green Certificate and provide for a mechanism for the monitoring of the use of the certificate (as composed of the three subcertificates) by Member States;
- the scope of the Proposal should be expressly limited to the current COVID-19 pandemic and to the purpose of facilitating the free movement of persons within the current situation;
- consistently, the Digital Green Certificate should have a temporary nature, since it should be suspended by means of a delegated act by the Commission once the COVID-19 pandemic has ended, in light of the fact that, as of that point in time, there would be no justification requiring citizens to present health documents when exercising their right to free movement;
- the related legal framework shall not require the setting up and maintenance of a central database;
- an impact assessment should be carried out to provide the Proposal with substantiation as to the impact of the measures being adopted as well as to the effectiveness of already existing less intrusive measures;
- the Digital Green Certificate must contemplate measures to identify and mitigate the risks that may result from the issuance and the use of the Digital Green Certificate, including risks relating to the forgery and illicit sale of false COVID-19 test certificates, discrimination based on health data (e.g. should Member States not accept all three types of certificates) and possible unintended secondary uses without a proper legal basis established at national level (which shall comply with the principles of effectiveness, necessity, proportionality and include strong and specific safeguards implemented following a proper impact assessment);
- such a legal basis in Member State law should at the very least include specific provisions clearly identifying the scope and extent of the processing, the specific purpose involved, the categories of entities that can verify the certificate as well as the relevant safeguards to prevent abuse, taking into account the risks for the rights and freedoms of data subjects.
The presentation by the EDPS of the joint opinion is available here.