The following document was published on June 3, 2021 in "About Pharma and Medical Devices".
The current health emergency arising from the spread of the coronavirus ("Covid-19") has led both national and supranational governmental authorities to adopt measures restricting certain fundamental rights and freedoms of individuals. In particular, some of the restrictions adopted by European Union ("EU") Member States to contain the Covid-19 pandemic have affected citizens' right to free movement.
However, the progressive knowledge of Covid-19, its mode of transmission, the effectiveness of therapeutic measures to counteract the disease and, especially, the introduction of the many possibilities of vaccine prophylaxis have made possible a reflection on the exit strategies to be implemented to gradually bring citizens to a condition of normality.
In such context, the European Commission took action with a proposal for a Regulation “on a framework for the issuance, verification and acceptance of interoperable certificates on vaccination, testing and recovery to facilitate free movement during the COVID-19 pandemic (Digital Green Certificate)”, to date already adopted by the European Parliament (the “Proposal”) [1].
Pursuant to Article 21 of the Treaty on the Functioning of the European Union, every EU citizen has the right to move and reside freely within the territory of the Member States, subject to the limitations and conditions laid down in the Treaties and by the measures adopted to give them effect.
However, some of the measures adopted by the Member States in order to limit the spread of the ‘COVID‑19’ pandemic often consisted of restrictions on entry or other specific requirements applicable to cross-border travellers, such as to undergo quarantine or self-isolation or to be tested for SARS-CoV-2 infection prior to and/or after arrival.
The Proposal, set in this context, aims to facilitate the exercise of the right to free movement within the EU Member States and to establish a common framework for the issuance, verification and acceptance of interoperable certificates on COVID-19 vaccination, testing and recovery, called "digital green certificate".
As mentioned, the digital green certificate allows cross-border issuance, verification and acceptance of any of the following certificates:
(a) a certificate confirming that the holder has received a COVID-19 vaccine in the Member State issuing the certificate ("vaccination certificate");
(b) a certificate indicating the holder’s result and date of a NAAT test or a rapid antigen test listed in the common and updated list of COVID-19 rapid antigen tests established on the basis of Council Recommendation 2021/C 24/01 [2] ("test certificate");
(c) a certificate confirming that the holder has recovered from a SARS-CoV-2 infection following a positive NAAT test or a positive rapid antigen test listed in the common and updated list of COVID-19 rapid antigen tests established on the basis of Recommendation 2021/C 24/01 (“certificate of recovery”).
More specifically, the Proposal specifies that the vaccination certificate shall contain the following personal data:
(a) name: surname(s) and forename(s), in that order;
(b) date of birth;
(c) disease or agent targeted;
(d) vaccine/prophylaxis;
(e) vaccine medicinal product;
(f) vaccine marketing authorization holder or manufacturer;
(g) number in a series of vaccinations/doses;
(h) date of vaccination, indicating the date of the latest dose received;
(i) Member State of vaccination;
(j) certificate issuer;
(k) a unique certificate identifier.
The attempt undertaken by the EU with the Proposal is to make the vaccination certificate, and more generally the digital green certificate, an instrument for the promotion of freedoms, with respect to which it is necessary to assess the impact on the protection of personal data, ensuring from the outset respect for the principles of proportionality and non-discrimination, which are all the more compulsory since we are dealing with data - health data - which require, due to their sensitivity, a higher degree of protection.
It seems appropriate to recall that Regulation (EU) 2016/679 of the European Parliament and of the Council (the "GDPR") applies to the processing of personal data carried out in the context of the Proposal.
With reference to the processing of personal data carried out for the purpose of issuing the certificates in question, the Proposal provides for the legal ground to process personal data necessary to issue such certificates and to process the information necessary to confirm and verify the authenticity and validity of such certificates.
In this regard, Whereas Clause 37 of the Proposal identifies the legal basis for the processing of personal data under Article 6(1)(c) of the GDPR (i.e., processing is necessary for compliance with a legal obligation to which the controller is subject) and Article 9(2)(g) of the GDPR (i.e., processing is necessary for reasons of substantial public interest, on the basis of Union or Member State law which shall be proportionate to the aim pursued, respect the essence of the right to data protection and provide for suitable and specific measures to safeguard the fundamental rights and the interests of the data subject), as necessary for the issuance and verification of the interoperable certificates provided for by the Proposal [3].
Furthermore, the Commission specifies that, in accordance with the principle of minimisation of personal data, the certificates should only contain the personal data necessary for the purpose of facilitating the exercise of the right to free movement within the Union during the COVID-19 pandemic, underlining the necessity to set out specific categories of personal data and data fields to be included in the certificates, with a decentralised verification system that does not involve the storage of the assessment results, and limited to the continuation of the state of emergency as declared by WHO. The Commission indeed clarifies that the Proposal does not create a legal basis allowing the Member State of destination or the cross-border passenger transport services operators, which are required by national law to implement certain public health measures during the COVID-19 pandemic, to retain personal data obtained from the certificate.
More specifically, in order to allow for the secure issuance and verification of the certificates, the Commission and the Member States shall under Article 4 of the Proposal set up and maintain a trust framework digital infrastructure. Such trust framework shall ensure, where possible, interoperability with technological systems established at international level.
Furthermore, personal data may be transmitted/exchanged across borders with the sole purpose of obtaining the information necessary to confirm and verify the holder’s vaccination, testing or recovery status.
Finally, the Proposal provides that the authorities responsible for issuing the certificates referred to in Article 3 shall be considered as controllers referred to in Article 4(7) of Regulation (EU) 2016/679.
By a joint opinion (04/2021 of 31 March)[4], the European Data Protection Board (the “EDPB”) and the European Data Protection Supervisor (the “EDPS”) suggested certain significant actions that are illustrated below:
Said remarks are aimed at an overall, further refinement of proposals that, however, already involve an adjustment of the balance between the protection of personal data, public health needs and freedom of movement, demonstrating, once again, how the discipline of data protection represents an increasingly important prerequisite for a sustainable management of innovation as much as of the emergency.
On the subject of vaccination certificates and the related data protection implications, the Italian Data Protection Authority expressed its view as well. The Authority highlights how data on vaccination status is particularly sensitive data and its incorrect processing can seriously impact the life and fundamental rights of people. Such impact, in case of solutions – including digital solutions (e.g. apps) – implemented to meet the need to make information on vaccination status a condition for accessing certain premises or using certain services (e.g. airports, hotels, stations, gyms, etc.) can result in discrimination, violation and unlawful restriction of constitutional freedoms.
If one intends to resort to the above solutions, public decision-makers and Italian private operators should, in the Data Protection Authority’s view, focus on the obligation to comply with the rules on personal data protection.
The Data Protection Authority therefore believes that the processing of data relating to the vaccination status of citizens for the purpose of accessing certain premises or using certain services should be regulated by a national rule, in accordance with the principles of personal data protection (particularly, the principles of proportionality, purpose limitation and minimization of data).
In the absence of such legal basis, according to the Data Protection Authority, the use, in whatever form, by public and private providers of services to the public, of apps and passes designed to distinguish between the vaccinated and unvaccinated, should be deemed unlawful.
In the above context, Decree Law No. 52 of 22 April 2021 (so-called “Decreto Riaperture” – “Reopening Decree” –) stands out, which provides for the introduction, on the national territory, of the so-called "Covid-19 green certificates", proving the status of vaccination against SARS-CoV-2 or the recovery from the infection or the performance of a rapid molecular or antigenic test with a negative result.
In particular, it is expected that vaccination certificates and recovery certificates will be valid for six months, while a negative Covid-19 test certificate will be valid for 48 hours. The certificates issued in the Member States of the European Union will be recognised as equivalent, as will also those issued in a third country following a vaccination recognized in the European Union.
However, as reiterated by the Data Protection Authority, from the wording of the Reopening Decree it can be inferred that the issue of privacy will be dealt with in a subsequent Prime Minister’s Decree, since the decree merely establishes the need for the pass and defines the application areas, but not the approach from a privacy perspective.
According to the Authority, however, “it is difficult to discuss the proportionality of the data processed, security measures or retention times with respect to a decree-law that to date lacks any implementation concerning such aspects" [7]. In other words, there are a number of crucial nodes from a privacy point of view that should be discussed and evaluated before starting to use the certificate.
In conclusion, it seems clear that data protection is not an obstacle to fighting the Covid-19 pandemic, nor to implementing solutions such as the vaccination certificate and, more generally, the Digital Green Certificate.
However, it is necessary to provide for solutions that are fully in line with the EU data protection legislation not only for the sake of legal certainty, but also in order to avoid that the Proposal has the effect of directly or indirectly jeopardising the fundamental right to the protection of personal data.
In this regard, it would be desirable that EU law may achieve a fair balance between the objectives of general interest pursued by the Digital Green Certificate and the individual interest in self-determination, as well as the respect for the fundamental rights to privacy, data protection and non-discrimination, and other fundamental freedoms such as freedom of movement and residence.
At the same time, the need to ensure compliance with the fundamental principles of accuracy, necessity and proportionality in the processing of data, and the need to mitigate risks to the fundamental rights of data subjects, including risks of (unintended) secondary use of the Digital Green Certificate, as well as of direct and/or indirect discrimination, requires that the processing of data contained in vaccination certificates for purposes other than to ensure the free movement of persons be specifically regulated by national law, in accordance with the principles of personal data protection, so as to achieve a fair balance between the public interest to be pursued and the individual interest in confidentiality.
According to the Authority, “We all want and hope to be able to move again soon, but we also don't want the price to be paid for moving again to be a substantial expropriation of privacy”. [8]
This article is for information purposes only and is not, and cannot be intended as, a professional opinion on the topics dealt with. For further information please contact Ilaria Todaro and Claudia Colamonaco.
[1] The proposal for a Regulation of the European Parliament and of the Council is available at https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX%3A52021PC0130
[2] Council Recommendation on a common framework for the use and validation of rapid antigen tests and the mutual recognition of COVID-19 test results in the EU (2021/C 24/01) (OJ C 24, 22.1.2021, p. 1).
[3] The Proposal indeed does not regulate the processing of personal data related to the documentation of a vaccination, test or recovery event for other purposes, such as for the purposes of pharmacovigilance or for the maintenance of individual personal health records. The legal basis for processing for other purposes is to be provided for in national law, which must comply with Union data protection legislation.
[4] The text of the Joint Opinion is available at the following link: https://edpb.europa.eu/sites/edpb/files/files/file1/edpb_edps_joint_opinion_dgc_en.pdf
[5] According to the two boards, indeed, the extension of the application of the digital green certificate to other situations to ease the restrictions currently in place has already been suggested and Member States might plan to introduce it as a de facto requirement, e.g. to enter shops, restaurants, clubs, places of worship or gyms or to use it in any other context as in the employment context. Any such further use of the digital green certificate and its associated framework under a national legal basis should not legally or factually lead to discrimination based on having been (or not) vaccinated or recovered from COVID-19. For this reason, the two boards highlight that any possible further use of the digital green certificate and the personal data related to it at Member States level must be in compliance with the GDPR. This implies the need for a proper legal basis in Member State law, complying with the principles of effectiveness, necessity, proportionality and including strong and specific safeguards implemented following a proper impact assessment, in particular to avoid any risk of discrimination and to prohibit any retention of data in the context of the verification process.
[6] The data belonging to special categories are those referred to in Article 9(1) of the GDPR, namely, “personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, and the processing of genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person's sex life or sexual orientation”.
[7] So said Guido Scorza, a member of the Board of the Italian Data Protection Authority, in an Open online interview on 22 April 2021.
[8] Ibidem.