Greetings, privacy pros.

This year is providing some much-needed comfort as “the year of the vaccine,” as 2020 biggest vaccination campaign in history” continues, we in privacy cannot help but wonder about the ways in which this data is being collected, shared, used and stored and what protections are in place against its misuse.

The biggest challenge in this respect may be that of the vaccine passport. While this subject has been on our radar for more than a year, it has only in recent weeks taken on practical significance, as more than 200 million shots have been given out in the U.S. and about 850 million have been administered worldwide. While people, governments and economies are desperate to return to many pre-pandemic ways of life, the fears around the use of vaccination records are not entirely unfounded. As a recent perspective piece in NEJM put it, “If history is a guide, programs that confer social privilege on the basis of ‘fitness’ can lead to invidious discrimination.”

One of the world leaders in per capita vaccination, Israel, is already issuing “green passes,” which provide individuals who are fully vaccinated or have recovered from COVID-19 with exemption from quarantine, as well as access “to social, cultural, and sports events, as well as to gyms, hotels, and restaurants.” Yet, because they may reveal additional information, such as the date a user recovered or received a vaccine, and are vulnerable to security breaches, the green passes have been described as a “potential privacy nightmare.”

Last month, the European Commission also released its proposal for a regulation for the issuance, verification and acceptance of a Digital Green Certificate. Yet, opinions on vaccination passports diverge throughout the EU. While Denmark has just rolled out its “Coronapas” and Sweden has declared similar plans, data protection supervisors in Italy and Germany have considered data regarding a person’s COVID-19 recovery or vaccination to be “sensitive information” and called for a ban on any uses of vaccine passports in the absence of national law.

In the U.S., sufficient details about the federal government’s planned approach to them have yet to emerge. In its "National Strategy for the COVID-19 Response and Pandemic Preparedness" from January, the Biden administration asked the secretaries of State, HHS and Homeland Security to "assess the feasibility" of linking COVID-19 vaccination to International Certificates of Vaccination or Prophylaxis and producing electronic versions of them. At a recent White House press briefing March 12, White House Coronavirus Response Coordinator Jeffrey Zients said the U.S. government’s role is to “help ensure that any solutions in this area should be simple, free, open-source, accessible to people both digitally and on paper, and designed from the start to protect people’s privacy.”

Among the American public, meanwhile, acceptance is partial and divided, with social consensus unlikely to be achieved. Reflecting this, and the absence of a federal standard, state-level approaches are fragmented (sound familiar?). The Excelsior Pass, developed by IBM, is already in use in New York state, while the governors of Florida and Texas have issued executive orders to ban their use. In this, Florida and Texas find some common ground with the World Health Organization, whose position is that authorities should not introduce departure/entry requirements for international travelers to prove COVID-19 vaccination, given that “there are still critical unknowns regarding the efficacy of vaccination in reducing transmission.”

During such strange days, I hope you find time for a well-deserved break from it all.