It’s called the European “Green Certificate,” but actually you can read it as “Covid-19 Pass”. It purports to make movement of citizens within the European Union easier, as well as to contribute to the containment of the spread of the Sars-CoV-2 virus.

Let’s try to understand what the features of the green certificate are, who will issue it and what guarantees it will have in place for the protection of personal data, including sensitive data.

1. Premise

On 17 March 2021, the European Commission proposed the introduction of a European “Green Certificate”, which aims to allow the exercise of the right of free movement of citizens – as provided under Article 21 of the Treaty on the Functioning of the EU (TFEU) – during the Covid-19 pandemic. This certificate would be issued by each Member State, in digital and/or paper format and would have the same legal value throughout the EU.

However, to speak of just one “Green Certificate” is not correct. Indeed, as explained in the Proposal for a European Regulation published by the EU Commission[1], there are three different types of certificates that may be issued:

i. “Vaccination certificate”: namely an attestation certifying that a person has received an anti-Covid-19 vaccine authorized for marketing in the EU;

ii. “Test certificate”: a certification that an individual has been tested for Covid-19, via an antigenic or molecular test (as long as it is not self-diagnostic) which has returned a negative result;

iii. “Certificate of recovery”: a document proving that a person who had been diagnosed with Covid-19 has subsequently recovered from it.

Each certificate will be in the official language of the relevant Member State and in English, it will be free of charge and will be issued by duly authorized institutions/authorities (e.g., hospitals, diagnostic/testing centres or the health authority itself).

2. How does the certificate work?

The certificate has a “QR (Quick Response) code” containing essential information about its holder, a digital signature that prevents forgery and a seal that guarantees its authenticity.

When a European citizen enters a Member State of which he or she is not a native, the institutions and/or competent authorities of that State will scan the QR code on the certificate and verify the digital signature contained therein. This verification of the digital signature will take place by comparing it with the signature keys held by the institutions/authorities of the State of destination, which will be stored in a secure database of each State.

In addition, a single “gateway” managed by the EU Commission will be made available at an EU level, via which the digital signatures of green certificates may be verified throughout the EU.
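The verification model described above (issuer signs the holder data; the destination State checks the signature against the issuer keys in its own key database, populated via the EU gateway) can be illustrated in code. This is an added example, not code from the proposal or any Member State's implementation: the certificate layout, the Ed25519 signature scheme, the country code "IT" and the holder data are constructed assumptions, chosen to show why an altered or unsigned certificate fails verification.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/json"
	"errors"
	"fmt"
)
// Certificate models the QR code's holder data (constructed layout, not the EU
// wire format); Issuer is the Member State whose authority signed it.
type Certificate struct {
	Issuer, Type, Name, Surname, DOB, Detail string // Type: vaccination/test/recovery
}
// SignedCertificate is what the QR code would encode: payload plus signature.
type SignedCertificate struct{ Payload, Signature []byte }
// TrustList models a State's secure key database, filled via the EU gateway:
// issuer country -> that authority's public signing key.
type TrustList map[string]ed25519.PublicKey

// Issue is the issuing authority's step: serialise the holder data and sign it.
func Issue(priv ed25519.PrivateKey, c Certificate) (SignedCertificate, error) {
	payload, err := json.Marshal(c)
	if err != nil {
		return SignedCertificate{}, err
	}
	return SignedCertificate{payload, ed25519.Sign(priv, payload)}, nil
}

// Verify is the border authority's step. Issuer is read from the unverified
// payload only to pick a key; nothing is trusted until the signature checks.
func Verify(tl TrustList, sc SignedCertificate) (Certificate, error) {
	var c Certificate
	if err := json.Unmarshal(sc.Payload, &c); err != nil {
		return Certificate{}, err
	}
	pub, ok := tl[c.Issuer] // unknown issuer: no key, so nothing can verify
	if !ok || !ed25519.Verify(pub, sc.Payload, sc.Signature) {
		return Certificate{}, errors.New("untrusted issuer or invalid signature")
	}
	return c, nil
}

func main() {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	sc, _ := Issue(priv, Certificate{"IT", "test", "Mario", "Rossi", "1980-01-01", "negative"})
	sc.Payload[len(sc.Payload)-3] ^= 1 // alter one byte of the holder data
	_, err := Verify(TrustList{"IT": pub}, sc)
	fmt.Println(err) // untrusted issuer or invalid signature
}
```

The verifier never needs the issuer's private key, which is why a gateway that distributes only public keys is enough for EU-wide verification.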

3. Processing of personal data contained in the certificate

Each certificate – whether related to vaccination, test or recovery – will contain a set of information relating to the person to whom it refers such as, for example: name, surname, date of birth, date of vaccination, result of the antigenic/molecular test, diseases from which he/she has recovered. This is information that falls under the definition of “personal data” pursuant to art. 4 of Regulation 679/2016 (“GDPR”) insofar as it relates to an identified natural person and, for this reason, must be processed in accordance with the principles and guarantees provided by that Regulation.

In this regard, it is appropriate to summarise the most important contents of the opinion dated 31 March 2021 that the European Data Protection Board (“EDPB”) and the European Data Protection Supervisor (“EDPS”) provided to the EU Commission regarding the green certificate.

a) The processing of personal data contained in the certificates should be carried out only for the purpose of proving and verifying the vaccination, negativity or recovery status of the holder of the certificate and, consequently, to facilitate the exercise of the right of free movement within the EU during the pandemic.

b) In order to facilitate the exercise of privacy rights by the data subjects, it would be advisable for each country to draw up and publish a list of the persons authorized to process such data as data controllers or data processors and of those who will receive the personal data (in addition to the authorities/institutions of each Member State competent to issue certificates, already identified as “data controllers” by the proposal for a Regulation at issue).

c) The legal basis for the processing of personal data in the certificates should be the fulfilment of a legal obligation (art. 6, para. 1, lett. c of GDPR) and “reasons of substantial public interest” (art. 9, para. 2, lett. g of GDPR).

d) In accordance with the GDPR principle of “storage limitation” of personal data, retention of data should be limited to what is necessary for the purposes of the processing (i.e. facilitation of the exercise of the right to free movement within the EU during the Covid-19 pandemic) and, in any case, to the duration of the pandemic itself, which will have to be declared ended by the WHO (World Health Organization).

e) The creation of EU-wide databases will be absolutely forbidden.

4. Critical remarks and conclusions

In addition to the innovative implications of the proposed Regulation, there are certain aspects which deserve further study or, at least, clarification by the European legislator in order to ensure the correct application of the new European legislation.

a. Issuing and delivery of certificates

The proposal for a Regulation provides that certificates are “issued automatically or at the request of the interested parties” (see Recital 14 as well as articles 5 and 6). Therefore, as also pointed out by the EDPB and the EDPS, the question is whether a certificate:

i. will be created and then delivered to the individual only if expressly requested by the latter;
or if, on the contrary
ii. such certificate will be created automatically by the competent authorities (e.g., as a result of vaccination) but delivered to the individual only upon his/her express request.

b. Possession of a certificate does not prevent member states from imposing any entry restrictions

The proposed Regulation provides that a Member State may still decide to impose on the holder of a certificate certain restrictive measures (such as, for example, the obligation to undergo a quarantine regime and/or self-isolation measures) despite the presentation of the certificate itself, as long as the State indicates the reasons, scope and period of application of the restrictions, including the relevant epidemiological data to support them.

However, one may wonder if these restrictions and their enforcement conditions will be defined at European level, or whether their identification will be left to each State; in the latter case, this would involve accepting the risk of frustrating the attempt of legal harmonisation pursued by the proposed Regulation.

c. The duration of the certificate

The proposed Regulation provides that only the “Certificate of recovery” must also contain an indication of the validity period. Therefore, once again we may wonder what will be the duration of the other two certificates (“vaccination” and “test”) and how it will be possible to ensure the accuracy of what is attested by a certificate after a certain period of time from the date of issuance (for example, let us think about the various cases of positivity found after the administration of a vaccine or the so-called “false negative / positive” cases).

d. The obligations of the certificate holder

What are the obligations of the certificate holder? For example, if a certificate has been issued attesting a Covid-19 negative result and, after a few months, the holder finds out that in fact he or she is positive, would the holder be obliged to apply to the competent authorities/institutions of his/her country in order to have the certificate revoked? Furthermore: in the event that the holder tries to use a false certificate for entry into another Member State, what sanctions would he/she have to face?

e. The protection of personal data

The new proposal for a Regulation tasks the Commission with adopting, by means of implementing acts, specific provisions aimed at guaranteeing the security of the personal data contained in the certificates.

However, given the extremely sensitive nature of the data in question, will the EU Commission also ask for a prior opinion from the Data Protection Authorities of the Member States? Perhaps it would be useful to ensure, also in this context and with specific reference to the privacy documentation to be provided to the data subjects prior to the issuance of certificates, a quasi-unanimous European approach in order to prevent the possible dilution of the guarantees provided under Regulation 679/2016 (“GDPR”).

In conclusion, this is a proposal which, if implemented with due care, could contribute greatly to the return to a somewhat normal life; however, it is feared that without a particularly detailed regulation on this matter, a high risk of making cross-border movements even more complex would ensue, also considering that each State would most likely adopt further measures regarding the regulation of this certificate.

[1] https://eur-lex.europa.eu/resource.html?uri=cellar:38de66f4-8807-11eb-ac4c-01aa75ed71a1.0024.02/DOC_1&format=PDF.