Abstract

On 20 May 2021, the European Commission, Council and Parliament announced a breakthrough in the trialogue negotiations to establish the European Union (EU) Digital COVID Certificate. Originally, this standardisation effort was labelled as “Digital Green Certificate” and – “[i]n view of the urgency” – presented without a data protection impact assessment. It should allow citizens and residents of Member States to prove that they are either vaccinated against COVID-19, have recently tested negative or are currently immune against the virus. This article considers the proposal from a privacy perspective, taking into account the opinion of EU data protection authorities, ongoing negotiations in the EU institutions and relevant developments on the national and international level. While the European Parliament and others tried to improve the original Commission proposal, questions around the appropriateness and effectiveness of the framework remain. The technological and organisational implementation is essentially left to Member States, who already have started to develop their own tracing and identification systems.

Highlights

  • On 17 March 2021, the Commission of the European Union (EU) published a “Proposal for a Regulation of the European Parliament and of the Council on a framework for the issuance, verification and acceptance of interoperable certificates on vaccination, testing and recovery to facilitate free movement during the COVID-19 pandemic” (Draft Regulation).[1]

  • It seems that the final compromise is scheduled for adoption by the European Parliament in the session from 7 to 10 June 2021.4 During the negotiation process the name was changed to “EU Digital COVID Certificate” (EUDCC), which could be interpreted as an attempt to leave the mixed reception of the original Commission proposal behind

  • As acknowledged in recital 8 of the original proposal, the publication of the Draft Regulation might even seem urgent from the Commission’s perspective, since many Member States have or are planning to launch national initiatives to issue certificates.[5]. These are a priority for those countries with large tourism and transport sectors, who fear losing a significant portion of their economic activity for the second year in a row since the World Health Organization (WHO) declared the COVID-19 pandemic on 11 March 2020.6 At the time of writing, Austria, Bulgaria, Croatia, Cyprus, Denmark, France, Germany, Greece, Italy, Malta, Portugal, Slovenia and Spain seem to actively promote the EUDCC

Read more

Summary

INTRODUCTION

On 17 March 2021, the Commission of the European Union (EU) published a “Proposal for a Regulation of the European Parliament and of the Council on a framework for the issuance, verification and acceptance of interoperable certificates on vaccination, testing and recovery to facilitate free movement during the COVID-19 pandemic” (Draft Regulation).[1]. Becoming operational nationwide on 21 February 2021, while the UK is in the runner-up position: its first pilot schemes took place from April 2021 and the nationwide rollout started on May 2021.11 Many other countries such as Australia, China and some US states are in the process of developing and rolling out their own programmes.[12] The idea has failed to gain traction at the federal level in the USA so far, but it remains to be seen what will happen if the inoculation rate remains too low to achieve “herd immunity”, which is required for an effective vaccine-based deterrence of SARS-CoV-2 and its variants.[13] In addition, there are corporate initiatives such as IBM’s “Digital Health Pass”, as well as sector-specific initiatives such as that of the International Air Transport Association (IATA).[14] While there is much to write about the ethical, social, political and legal aspects associated with the idea behind the EUDCC,[15] this article analyses the original Draft Regulation and the current discussion through the lens of European privacy and data protection law. Seems necessary since “[i]n view of the urgency, the Commission did not carry out an impact assessment”.16

CONTEXT AND FOCUS
Necessity and benefits
Inappropriateness of the governance framework
Lack of detailed provisions and safeguards
Unclear exit strategy
EMERGENCIES AND INFRASTRUCTURES

Talk to us

Join us for a 30 min session where you can share your feedback and ask us any queries you have

Schedule a call

Disclaimer: All third-party content on this website/platform is and will remain the property of their respective owners and is provided on "as is" basis without any warranties, express or implied. Use of third-party content does not indicate any affiliation, sponsorship with or endorsement by them. Any references to third-party content is to identify the corresponding services and shall be considered fair use under The CopyrightLaw.