Op-Ed: “The EU Digital Green Certificate proposed framework: how does it interact with data protection law?” by Olga Gkotsopoulou and Daniela Galatova
According to Articles 168(1) and (7) of the Treaty on the Functioning of the EU (TFEU), EU Member States are competent to define the most appropriate measures to safeguard public health, while the EU shall complement such policies. Since the beginning of the COVID-19 pandemic, EU Member States have adopted several diverse measures at national level. A coordinated approach, however, appears necessary in order to ensure the right of free movement and facilitate the fight against the serious cross-border threat to health. On 13 and 30 October 2020 respectively, the Council adopted Recommendations on a coordinated approach to the restriction of free movement in response to the COVID-19 pandemic within the EU and in the Schengen area.
The two new proposed Regulations
Action at EU level is considered necessary, and the principle of subsidiarity is applicable (Article 5 of the Treaty of the EU (TEU)). Subsequently, on 17 March 2021 the European Commission proposed two Regulations, introducing the ‘Digital Green Certificate’ framework, to be submitted for approval to the European Parliament and the Council of the EU. The first proposal is a Regulation on a framework for the issuance, verification and acceptance of interoperable certificates on vaccination, testing and recovery to facilitate free movement during the COVID-19 pandemic (Digital Green Certificate) (DGC I), whereas the second – complementary – one is a Regulation on a framework for the issuance, verification and acceptance of interoperable certificates on vaccination, testing and recovery to third-country nationals legally staying or legally residing in the territories of Member States during the COVID-19 pandemic (Digital Green Certificate) (DGC II).
DGC I consists of 47 Recitals, 15 Articles and an Annex, whereas DGC II has 18 Recitals and 2 Articles. The legal basis for DGC I is Article 21(2) of the TFEU and the legal basis for DGC II is Article 77(2)(c) of the TFEU. In fact, the second Regulation follows the Council Recommendation from 30 October 2020 and provides that Member States shall apply the same rules both to EU citizens and third-country nationals who reside or stay legally in the EU territory and/or are entitled to travel to other Member States.
The framework in a nutshell
Briefly, the framework encompasses three types of certificates: (a) a ‘vaccination certificate’ confirming that the holder has received a COVID-19 vaccine in the Member State which issues the certificate, (b) a ‘test certificate’ indicating the result and date of a NAAT test or a rapid antigen test, and (c) a ‘certificate of recovery’ confirming that the holder has recovered from a SARS-CoV-2 infection following a positive NAAT test or a positive rapid antigen test. Those mutually accepted certificates would be provided free of charge to EU citizens and can be in digital, paper-based or hybrid format – they should display an interoperable QR code enabling the competent authorities to verify their authenticity, validity and integrity. Apart from a machine-readable structure, all information should be displayed also in a human-readable form, and at least in both the official language(s) of the issuing State and in English. No further details on the precise criteria of mutual acceptance are provided yet. Nevertheless, it is noted that vaccination certificates shall not serve as a pre-condition of free movement.
Accordingly, the European Commission would establish a common digital infrastructure by the summer of 2021 to allow the authentication of those certificates, while Member States should develop interoperable technical solutions at national level to issue and process such certificates.
Recital 47 of DGC I provides that the framework would be suspended once the World Health Organization (WHO) declares the end of the COVID-19 pandemic and could be re-enacted in case of another health emergency. Third countries should be encouraged in the future to recognise the Digital Green Certificate, but this would constitute a point for future negotiations. This is why the conditions for the framework are additionally coordinated with the World Health Organization (WHO) and the International Civil Aviation Organization (ICAO).
As was the case with the contact tracing and warning apps, the eHealth Network has provided recommendations and guidelines with respect to the establishment of an overall trust framework for interoperable and reliable COVID-19 health certificates (published on 27 February 2021 and updated on 12 March), basic interoperability requirements for verifiable vaccination certificates for medical purposes (12 March 2021) and a minimum dataset for recovery certificates (15 March 2021), reflecting the preliminary discussions and agreements among the Member States. Moreover, on 17 February 2021, the Health Security Committee adopted a common list of COVID-19 rapid antigen tests and a common standardised set of data to be included in COVID-19 test result certificates. The Opinion of the European Data Protection Supervisor was also sought.
Select highlights from a data protection law point of view
Lawfulness and transparency
With respect to the lawfulness of the processing, in line with Recital 37 of DGC I, Article 6(1)(c) GDPR (processing in compliance with a legal obligation) and Article 9(2)(g) GDPR (processing for reasons of substantial public interest) are designated as legal grounds for the processing of the personal data necessary for the issuance and verification of the interoperable certificates. The DGC I proposal cannot be used as a legal basis for retaining personal data obtained from the certificate by the Member State of destination or by the cross-border passenger transport services operators. As for transparency, in its Communication of 17 March 2021, the Commission stated that the use of the certificates ‘should be accompanied by clear and transparent communication to citizens to explain its scope, use, [and] clarify the safeguards to personal data protection’.
Articles 5, 6, 7 and the Annex of DGC I outline the types of data to be included in the certificates. All three types of certificates shall contain the holder’s identification and the certificate metadata, that is the certificate issuer or a unique certificate identifier. The proposal defines further distinct elements on the basis of the type of the certificate. The vaccination certificates are expected to contain information about the vaccine administered, the test certificates information about the test carried out and the certificates of recovery information about past SARS-CoV-2 infection. The proposal characterises all of the above-mentioned data as personal data. In this regard, the Commission is empowered to adopt delegated acts to add, modify or remove data fields on the categories of personal data, whenever necessary.
The primary objective of the proposed Regulations is the facilitation of the free movement within the EU during the COVID-19 pandemic for EU citizens and third-country nationals staying or residing legally in the EU. For other purposes, the proposed Regulations stipulate that a national law may provide for a legal basis for data processing.
DGC I provides in Article 9(3) that personal data processed for the purpose of issuing the certificates shall not be retained longer than the period for which the certificates may be used to exercise the right to free movement. Article 9(2), on the other hand, stipulates that personal data processed by the competent authorities of the Member State of destination, or by the cross-border passenger transport services operators in order to confirm and verify the holder’s status, shall not be retained. No provisions, however, refer to the exact storage duration, especially in view of possible re-enactment of the system.
Data controllership and accountability
The explanatory memorandum of DGC I indicates that the ‘Digital Green Certificate’ framework does not establish a database at EU level. Instead, it provides for the decentralised verification of digitally signed interoperable certificates through a trust framework. The Member States’ authorities responsible for issuing the certificates shall be considered to be controllers in line with Article 9(4) of DGC I. The language of Recital 40 of the same text may provide a hint that cross-border passenger transport services operators could be considered processors. Article 8 of DGC I empowers the Commission to adopt implementing acts laying out the responsibilities of the data controllers and processors with respect to the implementation of its trust framework. Those implementing acts will also outline the framework for the unique certificate identifier, the interoperable barcode and other data security measures.
Both proposed Regulations will undergo the ordinary legislative procedure as defined in Article 294 of the TFEU. Still, due to the urgency of the matter, the proposed texts are accompanied by explanatory memoranda but not an impact assessment. In this spirit, in its Communication of 17 March 2021, the Commission calls on the European Parliament and the Council to fast-track the discussions and the agreement on the proposed framework, and the Member States to speed up the technical implementation.
Olga Gkotsopoulou is a PhD researcher at the Law, Science, Technology and Society Research Group at Vrije Universiteit Brussel. Her recent publications include: ‘Interoperability of contact tracing apps in EU and data protection law implications’ (August 2020) and ‘Between masks and curfews: Critical synopsis of the guidance issued by national supervisory authorities on analogue and digital body temperature measurement in the context of the COVID-19 pandemic in the EU’ (January 2021). She also contributes to the Data Protection Law & Covid-19 Observatory.
Daniela Galatova is a first-year PhD researcher at the Faculty of Law of Pan-European University in Slovakia. Her research examines the international legal and ethical aspects during the COVID-19 pandemic, focusing on the proportionality of measures taken with regard to human rights, particularly privacy, personal data and health. Her most recent publication is ‘3 Questions concerning personal data within the EU vaccination scheme’ (March 2021) and her soon to be published article is ‘Body temperature measurement vs. Mobile tracing applications in the EU during COVID-19’.