Beannachtaí ó Bhaile Átha Cliath — Greetings from Dublin!
One of the reasons I love working in the world of data protection and privacy is that there is always something happening. This week, the European Data Protection Board and the European Data Protection Supervisor issued a joint opinion on the data protection aspects of the European Commission’s proposed COVID-19 Digital Green Certificate framework.
By way of background, since the COVID-19 pandemic started, EU member states have adopted various measures impacting the right to move freely within the EU (e.g., entry restrictions, quarantine and vaccination certificates). In March, the European Commission published two proposals for a Digital Green Certificate Regulation. The proposals aim to facilitate the right to free movement within the EU during the COVID-19 pandemic by establishing a common framework for certificates on COVID-19 entitled “Digital Green Certificate.” There are three types of certificates proposed — vaccination, test and recovery.
The EDPB/EDPS opinion deals with the data protection aspects of the commission’s proposals and notes that “data protection does not constitute an obstacle for fighting the current pandemic.” However, the principles of effectiveness, necessity and proportionality must guide these measures. A similar point was made by Helen Dixon, Irish data protection commissioner, during an IAPP talk I moderated last year on the topic of “Necessity and Proportionality in a Pandemic.”
The EDPB/EDPS opinion states that the proposals do not allow and must not lead to the creation of a centralised database at EU level. It also raises the following GDPR-specific issues:
- Controllers and processors — A list of controllers, processors and recipients of this data should be made public.
- Lawful, fair and transparent processing — The lawful basis for the measures should be set out in the regulation. The framework should include a justification of the need for the categories of personal data to be processed. The commission should ensure that transparency requirements are met.
- Purpose limitation — The certificates should be limited to COVID-19 only.
- Data minimization — Data minimization principles should be adopted for the information included in the certificates, and consideration should be given to whether all categories of personal data need to be included in the QR code of the certificates.
- Accuracy — Modified certificates should be issued if the personal data is no longer accurate.
- Storage limitation — The expiry date for each certificate should be specified and the data held only for as long as is necessary. Specific storage periods should be defined, or the criteria used to determine storage periods should be specified. The storage period in member states should not go beyond the end of the COVID-19 pandemic.
- Integrity and confidentiality — The proposal should state that controllers and processors shall take adequate technical and organizational measures to ensure a level of security appropriate to the risk of the processing, including processes for regular testing, assessment and evaluation of the effectiveness of the measures adopted.
- Data protection by default — Verification techniques not requiring transmission of personal data must be employed by default, whenever technically possible.
- International data transfers — Transfers may be necessary to confirm and verify the holder’s vaccination, testing or recovery status and for international interoperability reasons. The commission should clarify whether any international transfers of personal data are expected and include safeguards in the legislation to ensure that third countries will only process the personal data exchanged for the purposes specified by the proposal.
The EDPB/EDPS opinion provides a practical road map for the commission to ensure that privacy and data protection requirements are met in the Digital Green Certificate Proposal. For those who are interested, I wrote a deeper analysis of the proposal.