On 31 March 2021, the European Data Protection Board (the EDPB) and the European Data Protection Supervisor (the EDPS, together the Authorities) adopted a joint opinion on the European Commission’s proposal to create a Digital Green Certificate (the Proposal), also known as the Digital Green Pass.
The objective of the Digital Green Certificate is to allow individuals vaccinated against COVID-19 to move freely within the EEA during the ongoing pandemic. The Proposal aims at setting out a common framework for the implementation of a Digital Green Certificate, allowing interoperability between the different measures and solutions implemented across EU Member States.
What is the main takeaway?
The Authorities do not consider the protection of personal data as an obstacle for fighting the COVID-19 pandemic but says the Digital Green Certificate should fully comply with European legislation on data protection such as the General Data Protection Regulation (the GDPR).
What are the main concerns of the Authorities?
The Authorities say that:
- the Proposal lacks an impact assessment and should fairly balance the objectives of general interest pursued by the Digital Green Certificate and the respect of fundamental rights such as the right to privacy and the protection of personal data;
- the Digital Green Certificate should not be understood as proof of a time-stamped factual medical application or history facilitating free movement within the EEA; it must not be intended as an immunity or non-contagiousness certificate;
- they are concerned about any potential further use of data collected once the current COVID-19 pandemic has ended, yet suggesting that the Regulation to be adopted should expressly prohibit any such subsequent use and, therefore, the words “or similar infectious diseases with epidemic potential” should be deleted from the current wording when referring to COVID-19;
- while this is not a purpose stated in the Proposal, it is likely that EU Member States will use the Digital Green Certificate for domestic purposes, such as controlling access to pubs and shops; EU Member States will have to take into account Article 6(4) of the GDPR and therefore provide for a comprehensive legal basis for any use of the Digital Green Certificate for purposes other than that for which the personal data have been initially collected (i.e. facilitating free movement within the EEA);
- the Digital Green Certificate should better define its purpose and provide for a mechanism for monitoring its use, be of a temporary nature and provide for security measures (notably to mitigate the risk linked to forgery as is the case with false COVID-19 test certificates that exist);
- the Proposal does not allow for the creation of any sort of personal data central database at EU level, and must not lead to any such creation under the pretext of the establishment of the Digital Green Certificate framework.
For any questions please contact the ICT, IP, media and data protection team: