The present article examines the suggested issuance of a "Digital Green Certificate" by the European Community and addresses certain data protection concerns regarding the issuance of such certificates.
The introduction of a "Digital Green Certificate" and the use/storage of sensitive personal data in the context of the free movement of citizens, has been a topic of discussion amongst the European Community these past few months.
What is Green Digital Certificate?
The European Commission recently consulted the European Data Protection Council (IACS), of which the Cyprus Commissioner of Personal Data Protection is a member and the European Data Protection Supervisor on the draft Regulation for the creation of the "Green Digital Certificate" (the Certificate). This Regulation is intended to facilitate the safe free movement of citizens within the EU during the COVID-19 pandemic by providing information through the Certificate that will verify if a person has either been vaccinated against COVID-19, received a negative test result or recovered from COVID-19.
Therefore, the Certificate will cover vaccination certificates, test certificates (NAAT/RT-PCR test or a rapid antigen test), and certificates for persons who have recovered from COVID-19.
Member States which accept proof of vaccination to avoid quarantine or testing restrictions for visitors, are required to accept vaccination certifications issued under the Certificate. This obligation would be limited to vaccines that have received EU-wide marketing authorisation, but Member States can decide to accept other vaccines as well.
Where will the Certificate be valid?
The Certificate will be valid in all EU Member States and open for Iceland, Liechtenstein, Norway as well as Switzerland. Such Certificates will be issued to EU citizens and their family members (regardless of nationality) in any Member States as well as to non-EU nationals who reside in the EU and to visitors who have the right to travel to other Member States.
How will the Certificate be issued?
The Certificate should be in electronic or paper form and must guarantee the authenticity, validity and integrity of certificates by electronic stamps or similar means. The information contained in the Certificate should also appear in a human-readable format, the layout should be easy to understand and ensure simplicity and user-friendliness. Issuance of Certificates should be free of charge and obtaining them should be easy. The Certificate will have information in both the national language of the Member State issuing it and in English.
The Commission revealed that the agreed technical specifications of the Certificates cover data structure and encoding mechanisms, including a QR code that will ensure that all Certificates, whether on paper or in digital form, can be verified across the EU. The European Commission will also help Member States to develop a software that authorities can use to check the QR codes.
The goal of the European Commission is for this Digital Green Certificate to be accepted in all EU Member States and help to ensure that restrictions currently in place can be lifted in a coordinated manner.
This Certificate system is viewed by the European Community as a temporary measure. The intention is for the Certificate will be suspended once the World Health Organization declares the end of the COVID-19 international health emergency.
Issues related to the protection of personal data will be discussed in an upcoming teleconference of the IACS as a Digital Green Certificate will include personal data such as name, date of birth, date of issuance, relevant information about vaccine or the test or the recovery and the above-mentioned unique identifier.
The European Commission has stated that such Certificates will only include a limited set of information that is absolutely necessary and that such information will not be transported to or retained by visited countries. For verification purposes, only the validity and authenticity of the Certificate is checked by verifying who issued and signed it. All health data remains with the Member State that issued a Digital Green Certificate.