On 17th March 2021, the EC Commission published plans to create a European wide “Digital Green Certificate” to facilitate safe movement inside the EU.

 

The proposal is very simple. In summary, the Digital Green Certificate will be proof that a person has been vaccinated against COVID-19, received a negative test result or recovered from COVID-19. It will be available free of charge, in digital or paper format. It will include a QR code to ensure security and authenticity of the certificate, and that could be scanned at airports as part of a check-in or security process. For the average passenger, you will download an app containing a QR code with your certificate, which will be scanned at airports and other ports of entry.

 

This follows on from announcements by China and New Zealand that similar digital vaccination passports would be created.

 

The EC Commission will build a gateway to ensure all certificates can be verified across the EU and Member States will be required to apply waivers to travellers holding a Digital Green Certificate.

 

Concerns have been raised by civil liberties groups, particularly around whether it would be lawful for Member States to process the personal data of EU citizens in such an intrusive manner. As a result, a number of Irish MEPs voted against a proposal to fast-track the implementation of the Digital Green Certificates, when it came before the European Parliament on 25th March 2021.

 

The question arises, will these Digital Green Passports fall victim of European data protection laws or equality concerns, and in particular, GDPR?

 

The answer lies in (1) the nature of the personal data that will be contained on the Digital Green Certificates and (2) how that personal data is treated. The Digital Green Certificate would include an individual’s name, birthdate, date of issuance, date of vaccine, and date of test or recovery information. This type of personal data is health related data and is afforded a special level of protection under Article 9 of GDPR, and stricter reasons are required before this type of data can be processed. 

 

The EC Commission can address data protection concerns by conducting a normal assessment that is required under GDPR, as it would for any processing of personal data. Controllers are always required to assess what information is required, how is it going to be stored and processed, for how long, and who will have access to the information.   

Thankfully, these data protection concerns are entirely surmountable, once the system is properly implemented. 

 

Article 6.1(e) of GDPR already allows the processing of personal data where processing is “necessary for the performance of a task carried out in the public interest”. Similarly, for special categories of health data, Article 9.2(i) allows the processing where it is “necessary for reasons of public interest in the area of public health, such as protecting against serious cross-border threats to health”. 

 

Clearly, there is no greater threat to cross-border public health than a virus that has caused almost 3 million deaths worldwide, and infected 136 million people. That is of course aside from the massive global economic impact. That gives the EU a lawful basis for processing personal data as part of the Digital Green Certificates system. 

 

After that, the EC Commission must ensure that general principles of data protection law are not breached. These include fairness, data minimisation, purpose limitation, and storage limitation. The EC Commission has confirmed that no personal data of the certificate holders will pass through the gateway, or will be retained by the verifying Member State. It has also confirmed that only essential personal information will be contained on the certificates. 

From a practical perspective, if Member States use the information obtained from individuals who use Digital Green Certificates to investigate whether those individuals really need social welfare, or if policing authorities use it to track a person’s movements, then the system will quickly run into significant data protection issues. 

 

However, once the EC Commission follows normal data protection principles, particularly around sharing the information contained on the Digital Health Certificates with other governmental organisations within Member States or law enforcement authorities, these certificates should be lawful under GDPR.