European Green Certificate: freedom of movement in Europe during the pandemic

It's called the European "Green Certificate," but actually you can read it as "Covid-19 Pass". It purports to make movement of citizens within the European Union easier, as well as to contribute to the containment of the spread of the Sars-CoV-2 virus.

Let's try to understand what are the features of the green certificate, who will issue it and what guarantees it will have in place for the protection of personal data, including sensitive data.

1. Premise

On 17 March 2021, the European Commission proposed the introduction of a European "Green Certificate", which aims to allow the exercise of the right of free movement of citizens – as provided under Article 21 of the Treaty on the Functioning of the EU (TFEU) – during the Covid-19 pandemic. This certificate would be issued by each Member State, in digital and/or paper format and would have the same legal value throughout the EU.

However, to speak of just one "Green Certificate" is not correct. Indeed, as explained in the Proposal for a European Regulation published by the EU Commission[1], there are three different types of certificates that may be issued:

i. “Vaccination certificate": namely an attestation certifying that a person has received an anti Covid-19 vaccine authorized for marketing in the EU;

ii. "Test certificate": a certification that an individual has tested for Covid-19, via an antigenic or molecular test (as long as it is not self-diagnostic) which has returned a negative result;

iii. "Certificate of recovery": a document proving that a person who had been diagnosed with Covid-19 has subsequently recovered from it.

Each certificate will be in the official language of the relevant Member State and in English, it will be free of charge and will be issued by duly authorized institutions/authorities (e.g., hospitals, diagnostic/testing centres or the health authority itself).

2. How does the certificate work?

The certificate has a "QR (Quick Response) code" containing essential information about its holder, a digital signature that prevents forgery and a seal that guarantees its authenticity.

When a European citizen enters a Member State of which he or she is not a native, the institutions and/or competent authorities of that State will scan the QR code on the certificate and verify the digital signature contained therein. This verification of the digital signature will take place by comparing it with the signature keys held by the institutions/authorities of the State of destination, which will be stored in a secure database of each State.

In addition, a single "gateway" managed by the EU Commission will be made available at an EU level, via which the digital signatures of green certificates may be verified throughout the EU.

3. Processing of personal data contained in the certificate

Each certificate - whether related to vaccination, test or recovery - will contain a series of information relating to the person to whom it refers such as, for example: name, surname, date of birth, date of vaccination, result of the antigenic/molecular test, diseases which he/she has recovered from. This is information that falls under the definition of "personal data" pursuant to art. 4 of Regulation 679/2016 ("GDPR") insofar as it relates to an identified natural person and, for this reason, must be processed in accordance with the principles and guarantees provided by that Regulation.

In this regard, it is appropriate to summarise the most important contents of the opinion dated 31 March 2021 that the European Data Protection Board ("EDPB") and the European Data Protection Supervisor ("EDPS") provided to the EU Commission regarding the green certificate.

a) The processing of personal data contained in the certificates should be carried out only for the purpose of proving and verifying the vaccination, negativity or recovery status of the holder of the certificate and, consequently, to facilitate the exercise of the right of free movement within the EU during the pandemic.

b) In order to facilitate the exercise of privacy rights by the data subjects, it would be advisable for each country to draw up and publish a list of the persons authorized to process such data as data controllers or data processors and of those who will receive the personal data (in addition to the authorities/institutions of each Member State competent to issue certificates, already identified as "data controllers" by the proposal for a Regulation at issue).

c) The legal basis for the processing of personal data in the certificates should be the fulfilment of a legal obligation (art. 6, para. 1, lett. c of GDPR) and "reasons of substantial public interest" (art. 9, para. 2, lett. g of GDPR).

d) In accordance with the GDPR principle of "storage limitation" of personal data, retention of data should be limited to what is necessary for the purposes of the processing (i.e. facilitation of the exercise of the right to free movement within the EU during the Covid-19 pandemic) and, in any case, to the duration of the pandemic itself, which will have to be declared ended by the WHO (World Health Organization).

e) The creation of EU-wide databases will be absolutely forbidden.

4. Critical remarks and conclusions

In addition to the innovative implications of the proposed Regulation, there are certain aspects which deserve further study or, at least, clarification by the European legislator in order to ensure the correct application of the new European legislation.

a. Issuing and delivery of certificates

The proposal for a Regulation provides that certificates are "issued automatically or at the request of the interested parties" (see Recital 14 as well as articles 5 and 6). Therefore, as also pointed out by the EDPB and the EDPS, the question is whether a certificate:

i. will be created and then delivered to the individual only if expressly requested by the latter;
or if, on the contrary
ii. such certificate will be created automatically by the competent authorities (e.g., as a result of vaccination) but delivered to the individual only upon his/her express request.

b. Possession of a certificate does not prevent member states from imposing any entry restrictions

The proposed Regulation provides that a Member State may still decide to impose on the holder of a certificate certain restrictive measures (such as, for example, the obligation to undergo a quarantine regime and/or self-isolation measures) despite the presentation of the certificate itself, as long as the State indicates the reasons, scope and period of application of the restrictions, including the relevant epidemiological data to support them.

However, one may wonder if these restrictions and their enforcement conditions will be defined at European level, or whether their identification will be left to each State; in the latter case, this would involve accepting the risk of frustrating the attempt of legal harmonisation pursued by the proposed Regulation.

c. The duration of the certificate

The proposed Regulation provides that only the "Certificate of recovery" must also contain an indication of the validity period. Therefore, once again we may wonder what will be the duration of the other two certificates ("vaccination" and "test") and how it will be possible to ensure the accuracy of what is attested by a certificate after a certain period of time from the date of issuance (for example, let us think about the various cases of positivity found after the administration of a vaccine or the so-called "false negative / positive" cases).

d. The obligations of the certificate holder

What are the obligations of the certificate holder? For example, if a certificate has been issued attesting a Covid-19 negative result and, after a few months, the holder finds out that in fact he or she is positive, would the holder be obliged to apply to the competent authorities/institutions of his/her country in order to have the certificate revoked? Furthermore: in the event that the holder tries to use a false certificate for entry in another Member State, what sanctions would he/she have to face?

e. The protection of personal data

The new proposal for a Regulation tasks the Commission with adopting, by means of implementing acts, specific provisions aimed at guaranteeing the security of the personal data contained in the certificates.

However, given the extremely sensitive nature of the data in question, will the EU Commission also ask for a prior opinion from the Data Protection Authorities of the Member States? Perhaps it would be useful to ensure, also in this context and with specific reference to the privacy documentation to be provided to the data subjects prior to the issuance of certificates, a quasi-unanimous European approach in order to prevent the possible dilution of the guarantees provided under Regulation 679/2016 ("GDPR").

In conclusion, this is a proposal which, if implemented with due care, could contribute greatly to the return to a somewhat normal life; however, it is feared that without a particularly detailed regulation on this matter, a high risk of making cross-border movements even more complex would ensue, also considering that each State would most likely adopt further measures regarding the regulation of this certificate.


Contact tracing and COVID-19: the GDPR as a balance between the protection of health and the privacy right

The use of contact tracing technology is necessary and essential in order to deal with the Covid-19 emergency and protect the public health of our country. However, mapping the movement of individuals can have serious consequences for the protection of our privacy. So how can the right balance be found between the two fundamental rights of health and privacy of each individual?

“Contact tracing” is the expression of the moment. It is a digital system used for tracing physical contact between individuals and in that sense it represents an important technological measure aimed at containing and preventing the spread of the Covid-19 virus in our country (and elsewhere).

This tracking system should be implemented via the application called “Immuni”, designed and developed by the Milan-based software house Bending Spoons, which will (probably) be launched in Italy by the end of May 2020.

However, the tracking of contacts between individuals and the consequent use of their common and sensitive personal data (including health data) for purposes related to the protection of public health also has an impact on their privacy.

While, on the one hand, the protection of health is a right guaranteed by the Italian Constitution – wherein “health” is understood both as a fundamental right of the individuals and an interest of the community, pursuant to article 32 of the Italian Constitution - on the other hand, the protection of personal data (or the privacy right) is a fundamental right expressly provided for by the Charter of Nice and recognized by the Italian Constitution.

Furthermore, we should ask ourselves what could be the practical consequences of using contact tracing technology in our daily lives; how the relationship between the right to health and the right to protection of personal data has been dealt with at a regulatory level; and whether it is possible to rely on the use of this new technology without fear of violation of our right to privacy.

1. What is "Immuni" and how does it work?

Immuni is an application that can be downloaded on each mobile device and that generates - for each device - a temporary, anonymous and variable identification code (ID) which interacts, via “Bluetooth Low Energy” technology, with other nearby mobile devices, thereby collecting and storing the ID code and related metadata of those devices (for example, how long the connection with the other device lasted, the distance in meters, etc.). The data controller of the personal data collected by Immuni is the Italian Ministry of Health.

Immuni checks whether the nearby ID codes include so-called “positive IDs”, i.e. ID codes associated with mobile devices owned by people who are already infected (or rather, whose infection has already been ascertained by a healthcare facility); to perform this operation, Immuni downloads positive IDs from a publicly managed server at regular intervals and cross-checks them with the ID of the device on which the application is installed. Subsequently, Immuni processes the metadata collected through a special algorithm and determines whether a “potential risk of Covid-19 contagion” (which may be more or less high) may be established.

If the outcome of the above checks is positive and Immuni believes that there is a reasonable risk of contagion, the user receives a notice on his / her device indicating that he / she was in contact with an infected person and therefore invites him / her to follow certain instructions (including, for example, staying at home and/or carrying out diagnostic tests).

A practical example on how this works: Carlo and Giulia meet for a few minutes at a short distance from each other; they both downloaded Immuni and their mobile devices have captured each other’s ID codes. After a few days, Carlo discovers that he has Coronavirus and decides spontaneously (remember that there is no obligation in this regard) to upload this sensitive data to Immuni. Meanwhile, the app installed on Giulia’s smartphone examines the IDs she has collected and stored in its memory and cross-checks them with those downloaded from the public server, detecting the presence of Carlo’s ID. Subsequently, Giulia is informed through a notice sent by her Immuni app that she was in contact with a person that tested positive to the Coronavirus (without, however, indicating who that person is) and she is thereby invited to take certain cautionary measures.

2. The opinions of the European Data Protection Board and the Italian Data Protection Authority

The European Data Protection Board (see the “Guidelines 04/2020 on the use of location data and contact tracing tools in the context of the COVID-19 outbreak”) and the Italian Data Protection Authority (see “Parere sulla proposta normativa per la previsione di una applicazione volta al tracciamento dei contagi da COVID-19”) have already issued their opinions on the use of geo-localisation of individuals and contact tracing tools during the Covid-19 emergency and have identified which measures should be taken in order to ensure that the data subjects’ personal data is processed without causing prejudice to their fundamental rights and freedoms.

In this regard, according to the Italian Data Protection Authority the contact tracing carried out through the Immuni app is in line with the criteria identified by the European Data Protection Board and is compliant with the data protection principles inasmuch as such contact tracing:

a) is regulated by a law that provides a sufficiently detailed description of the processing of personal data, the type of data collected, the guarantees given to the data subjects, the provisional duration of the measure (reference should be made to art. 6 of Italian Legislative Decree of 30 April 2020, no. 28);

b) is based on the voluntary participation of the data subject, excluding any form of conditioning of individual choice and, therefore, any possibile unequal treatment for those who decide not to consent to the tracking;

c) is designed to pursue a public interest purpose indicated with sufficient precision and excludes that the personal data collected is being processed for other different purposes, it being understood that there is the possibility (within the general terms provided for by the GDPR) of using the personal data, either anonymously or in aggregate form, for statistical or scientific research purposes;

d) appears to comply with the principles of minimisation as well as with the criteria of privacy by design and by default (set out in art. 25 of the GDPR), insofar as it provides for the collection of just the data that concerns the proximity or closeness of the devices and for their treatment in pseudonymous form, provided such collection may not occur in a completely anonymous form. Such collection must occur in such a way as to exclude the use of geo-localisation data and limit the storage of data to the time strictly necessary to reach the indicated purpose, with the automatic deletion at the expiry date.

In this regard, it should be noted that, pursuant to art. 6 of Italian Legislative Decree no. 28/2020, the use of Immuni and any related processing of personal data will have to cease at the end of the state of emergency and in any case within 31 December 2020, and all personal data processed must be permanently deleted or anonymized;

e) complies with the principle of transparency with respect to the data subjects, thus guaranteeing that before activating the app the users receive an information notice in accordance with the GDPR.

Consequently, the Italian Data Protection Authority supports the use of Immuni, however, it always maintains special attention towards the data subjects: indeed, in its opinion, the Authority clarifies that, on the one hand, the characteristics of the processing of personal data carried out by Immuni can be better identified and, on the other hand, adequate measures to protect the rights, freedoms and legitimate interests of the data subcjects can be adopted (in accordance with art. 2-quinquiesdecies of the Privacy Code and art. 36, para 5, of the GDPR).

3. GDPR as a balance between the protection of health and personal data

There is unfortunately a widely held opinion, especially among non-professionals, that privacy regulations are often a mere “bureaucratic complication” that act as an obstacle to the achievement of all those goals which involve a processing of personal data.

This is an erroneous and misleading opinion, often generated by a lack of knowledge about the law, which may also be dangerous in light of the consequences which it could lead to - let us just think, for example, about the remote possibility of completely forfeiting the use of a valid and efficient contact tracing system to deal with the health Covid-19 emergency inasmuch as such system allegedly may be “incompatible” with the protection of personal data.

This writer believes that the current scenario represents the perfect context to demonstrate that, on the contrary, privacy regulations may (and must) represent the “balance” which allows for the achievement of some of the most ambitious purposes – which certainly include the protection of public health - without giving up privacy.

First of all, it should be recalled that the European Data Protection Board had the opportunity to clarify that “the data and technologies used to contribute to the fight against COVID-19 must serve to give people more tools, rather than to control, stigmatise or repress their behavior”.

A careful analysis of Regulation no. 679/2016 (so-called “GDPR”) also shows that, with reference to health emergency situations, the European legislator does not place any obstacle in the way of pursuing important interests in the public health sector by means of the processing of personal data (see recitals 52 and 54 and art. 9, paragraph 1, letter g and i), where such interests also include “monitoring and alert purposes, the prevention or control of communicable diseases and other serious threats to health”.

On the same basis, the Italian Privacy Code - updated lastly by Italian Legislative Decree no. 101/2018 - also refers to the provisions of the GDPR and indeed expressly considers “relevant” the interest of those who process personal data for the performance of public interest tasks (or tasks related to the exercise of public authority) in the health sector and for the health and safety of the population.

Consequently, it may be said that data protection rules support the adoption of measures and solutions aimed at curbing the spread of the Covid-19 without, however, forfeiting protection of individual privacy.

However, these solutions - and this is where the “balance” can be found - must always be based on laws that regulate them and that expressly establish appropriate and specific measures to protect the fundamental rights and freedoms of the data subjects, including the types of data that can be processed, the processing operations that can be carried out and the reason of the relevant public interest (see art. 9, paragraph 1, letter i of the GDPR and art. 2-sexies of the Privacy Code).

4. Conclusions and considerations

So can we “trust” Immuni? The answer must be affirmative.

As already said, the use of this app is left to the conscientiousness of each of us, since the key principle that inspires this app is the principle of willingness: each user, in other words, will be free to download it, to enter their personal data in the app, even related to their state of health (i.e Covid-19 positivity) and to comply or not with the instructions received from the app following a potential contact with an infected person.

However, experts tell us that at least 70% of the population should download it so that the app can contribute to a significant containment of the pandemic. This is certainly an ambitious objective, which, in order to be achieved, requires first of all a public awareness campaign aimed at making the app easy to understand, especially for those who are not experts in the field, and clarifying what are the guarantees identified by the Italian Government to protect our privacy.

Briefly, the guarantees that Immuni offers for the protection of our personal data, and that everyone has the duty to be aware of, are: transparency towards the data subjects (we will know before registering with the app, for example, for which purposes our personal data will be processed, for how long and to whom it will be communicated), the exclusivity of the purpose of the processing (our data will be used only for the containment of infections, excluding different purposes) and the minimisation of processing (only the data necessary to trace our contacts will be collected and reliable anonymisation and pseudonymisation techniques will be adopted).

But that’s not all. Indeed, spreading accurate knowledge of data protection rules, their real meaning, their function and their value is even more important, if not indispensable and essential, towards contributing to a widespread “legal culture” and pursuing an ambitious goal that we are all called upon to realize in this delicate historical moment.

The President of the European Data Protection Board, Andrea Jelinek, has expressly reiterated this concept to the European Commission by stating: “the voluntary adoption of a contact tracing system is associated with individual trust, thus further illustrating the importance of data protection principles”.

Awareness and trust. And vice versa.