EU Digital COVID Certificate: data protection concerns addressed

Data protection and Digital Green Certificate - would my medical information be stored?

What happens with European citizens’ data protection when using the EU Digital COVID Certificate?

The so-called vaccine passports have been identified by several international entities and governments as a universal way of monitoring immunizations, positive status as well as recovery status of individuals.

However, managing sensitive health information has been seen by many as one of the biggest obstacles to creating and putting into motion the COVID passes.

In a press conference held on June 8th, the European Parliament’s spokesperson assured the public that the EU Gateway, used to verify COVID certificates, does not store data.

In other words, the certificate’s data – name, identification of the subject, and variety of immunization – is not held by any member state other than that of the health authority which issued the certificate. It will not be transferred to any other member state.

Both the European Data Protection Supervisor (EDPS) and the European Data Protection Board (EDPB) have their own take on it.

European Data Protection Board on the EU Digital COVID Certificate

The EDPS issued a statement on April 6th, 2021, to address the situation of the European Digital COVID Certificate regarding data protection.

“With this joint opinion, the EDPB and the EDPS invite the co-legislators to ensure that the Digital Green Certificate is fully in line with EU personal data protection legislation,” said the document.

Furthermore, the expert report highlighted the importance of avoiding any type of “direct or indirect discrimination of individuals” when issuing and handling the European COVID passports.

The Green Pass must also comply with the fundamental principles of necessity, proportionality and effectiveness. This is why both data protection entities suggest the creation of a “comprehensive legal framework” that is specific to this COVID-19 certificate initiative.

Since the EU announced the deployment of a COVID certificate, Member States have openly voiced their views on the Green Pass.

What data is stored via the EU Digital COVID Certificate?

The European Health Union has confirmed that only a small amount of personal data will be stored for validation purposes. Information like a name and date of birth will be standard and each holder will be issued with a unique identification number.

A QR code will be issued and used to scan and verify the authenticity of the Green Pass. Officials will also be able to track the member state that issued the certificate.

A digital signature will be included on the certificate. This signature relates to the hospital, testing center, or vaccination center where an individual has received a test or treatment.

No central database for green passes at EU level

The EU has also confirmed that there will not be a central database accessible by all EU member states. The verification will be a gateway portal and not a data collection service. The European Commission has been tasked with creating this technology.

In this regard, the EDPS representative Wojtek Wiewiorowski clarified via Twitter, on April 7th, that “the proposal does not allow for and must not lead to the creation of any sort of central database at EU level.”

The certificate contains valuable medical information, and its negligent distribution would be a gross infringement on personal privacy. Thus, the utmost care will be taken to ensure that the minimum amount of data is present on the certificate.

According to Wiewiorowski, “it must be ensured that personal data is not processed any longer than what is strictly necessary and that access to and use of this data is not permitted once the pandemic has ended.”

On March 17th, during the European Commission’s presentation of the Digital COVID Certificate, von der Leyen and other EU leaders highlighted that this COVID pass will only be valid during the coronavirus outbreak.

Citizens & data protection during the pandemic: what do the numbers say?

The EU has been slow with its vaccine rollout, and the United Kingdom, a former member, is leading the charge with over 40% of its population having received their vaccination.

According to Statista, Malta has the highest rate of vaccinations in the EU with just over 42%. Bulgaria is the lowest with less than 7 in 100 people receiving a vaccine by the end of March 2021.

The International Air Transport Association conducted a poll in February 2021 that gave valuable insight into traveler behavior amidst the pandemic. 84% of those who participated believe that the virus will not disappear and that the risk needs to be managed to continue with travel.

Nearly 90% of participants agree that a standardized certificate is essential for future travel and that governments should be implementing it.

Four out of five people will also agree to use an app for verification if they have complete control over their own data.

The opposition camp believes there are alternatives

These figures are promising, but many factions are adamant that the implementation will be rushed and that it will not be ready by the summer.

German Pirate MEP, Patrick Breyer, released a statement saying: “The proposal does not yet meet the requirements of data protection and protection against discrimination. It does not ensure that the digital variant of the certificate is stored decentrally on devices of the person concerned and not in a central vaccination register.”

Harry Halpin is a research scientist and CEO who penned a paper in 2020 in which he listed his critiques of a standardized immunity passport. He claims there are ways to prove your status without being part of a global scheme.

He suggests the use of Attribute-Based Credentials, which protect an individual’s identity while simultaneously verifying a user’s credentials. “Attribute-based credentials just prove attributes without revealing identity. You don’t need a global identity for any of these use-cases,” he says.