European Green Certificate: freedom of movement in Europe during the pandemic

It's called the European "Green Certificate," but actually you can read it as "Covid-19 Pass". It purports to make movement of citizens within the European Union easier, as well as to contribute to the containment of the spread of the Sars-CoV-2 virus.

Let's try to understand what are the features of the green certificate, who will issue it and what guarantees it will have in place for the protection of personal data, including sensitive data.

1. Premise

On 17 March 2021, the European Commission proposed the introduction of a European "Green Certificate", which aims to allow the exercise of the right of free movement of citizens – as provided under Article 21 of the Treaty on the Functioning of the EU (TFEU) – during the Covid-19 pandemic. This certificate would be issued by each Member State, in digital and/or paper format and would have the same legal value throughout the EU.

However, to speak of just one "Green Certificate" is not correct. Indeed, as explained in the Proposal for a European Regulation published by the EU Commission[1], there are three different types of certificates that may be issued:

i. “Vaccination certificate": namely an attestation certifying that a person has received an anti Covid-19 vaccine authorized for marketing in the EU;

ii. "Test certificate": a certification that an individual has tested for Covid-19, via an antigenic or molecular test (as long as it is not self-diagnostic) which has returned a negative result;

iii. "Certificate of recovery": a document proving that a person who had been diagnosed with Covid-19 has subsequently recovered from it.

Each certificate will be in the official language of the relevant Member State and in English, it will be free of charge and will be issued by duly authorized institutions/authorities (e.g., hospitals, diagnostic/testing centres or the health authority itself).

2. How does the certificate work?

The certificate has a "QR (Quick Response) code" containing essential information about its holder, a digital signature that prevents forgery and a seal that guarantees its authenticity.

When a European citizen enters a Member State of which he or she is not a native, the institutions and/or competent authorities of that State will scan the QR code on the certificate and verify the digital signature contained therein. This verification of the digital signature will take place by comparing it with the signature keys held by the institutions/authorities of the State of destination, which will be stored in a secure database of each State.

In addition, a single "gateway" managed by the EU Commission will be made available at an EU level, via which the digital signatures of green certificates may be verified throughout the EU.

3. Processing of personal data contained in the certificate

Each certificate - whether related to vaccination, test or recovery - will contain a series of information relating to the person to whom it refers such as, for example: name, surname, date of birth, date of vaccination, result of the antigenic/molecular test, diseases which he/she has recovered from. This is information that falls under the definition of "personal data" pursuant to art. 4 of Regulation 679/2016 ("GDPR") insofar as it relates to an identified natural person and, for this reason, must be processed in accordance with the principles and guarantees provided by that Regulation.

In this regard, it is appropriate to summarise the most important contents of the opinion dated 31 March 2021 that the European Data Protection Board ("EDPB") and the European Data Protection Supervisor ("EDPS") provided to the EU Commission regarding the green certificate.

a) The processing of personal data contained in the certificates should be carried out only for the purpose of proving and verifying the vaccination, negativity or recovery status of the holder of the certificate and, consequently, to facilitate the exercise of the right of free movement within the EU during the pandemic.

b) In order to facilitate the exercise of privacy rights by the data subjects, it would be advisable for each country to draw up and publish a list of the persons authorized to process such data as data controllers or data processors and of those who will receive the personal data (in addition to the authorities/institutions of each Member State competent to issue certificates, already identified as "data controllers" by the proposal for a Regulation at issue).

c) The legal basis for the processing of personal data in the certificates should be the fulfilment of a legal obligation (art. 6, para. 1, lett. c of GDPR) and "reasons of substantial public interest" (art. 9, para. 2, lett. g of GDPR).

d) In accordance with the GDPR principle of "storage limitation" of personal data, retention of data should be limited to what is necessary for the purposes of the processing (i.e. facilitation of the exercise of the right to free movement within the EU during the Covid-19 pandemic) and, in any case, to the duration of the pandemic itself, which will have to be declared ended by the WHO (World Health Organization).

e) The creation of EU-wide databases will be absolutely forbidden.

4. Critical remarks and conclusions

In addition to the innovative implications of the proposed Regulation, there are certain aspects which deserve further study or, at least, clarification by the European legislator in order to ensure the correct application of the new European legislation.

a. Issuing and delivery of certificates

The proposal for a Regulation provides that certificates are "issued automatically or at the request of the interested parties" (see Recital 14 as well as articles 5 and 6). Therefore, as also pointed out by the EDPB and the EDPS, the question is whether a certificate:

i. will be created and then delivered to the individual only if expressly requested by the latter;
or if, on the contrary
ii. such certificate will be created automatically by the competent authorities (e.g., as a result of vaccination) but delivered to the individual only upon his/her express request.

b. Possession of a certificate does not prevent member states from imposing any entry restrictions

The proposed Regulation provides that a Member State may still decide to impose on the holder of a certificate certain restrictive measures (such as, for example, the obligation to undergo a quarantine regime and/or self-isolation measures) despite the presentation of the certificate itself, as long as the State indicates the reasons, scope and period of application of the restrictions, including the relevant epidemiological data to support them.

However, one may wonder if these restrictions and their enforcement conditions will be defined at European level, or whether their identification will be left to each State; in the latter case, this would involve accepting the risk of frustrating the attempt of legal harmonisation pursued by the proposed Regulation.

c. The duration of the certificate

The proposed Regulation provides that only the "Certificate of recovery" must also contain an indication of the validity period. Therefore, once again we may wonder what will be the duration of the other two certificates ("vaccination" and "test") and how it will be possible to ensure the accuracy of what is attested by a certificate after a certain period of time from the date of issuance (for example, let us think about the various cases of positivity found after the administration of a vaccine or the so-called "false negative / positive" cases).

d. The obligations of the certificate holder

What are the obligations of the certificate holder? For example, if a certificate has been issued attesting a Covid-19 negative result and, after a few months, the holder finds out that in fact he or she is positive, would the holder be obliged to apply to the competent authorities/institutions of his/her country in order to have the certificate revoked? Furthermore: in the event that the holder tries to use a false certificate for entry in another Member State, what sanctions would he/she have to face?

e. The protection of personal data

The new proposal for a Regulation tasks the Commission with adopting, by means of implementing acts, specific provisions aimed at guaranteeing the security of the personal data contained in the certificates.

However, given the extremely sensitive nature of the data in question, will the EU Commission also ask for a prior opinion from the Data Protection Authorities of the Member States? Perhaps it would be useful to ensure, also in this context and with specific reference to the privacy documentation to be provided to the data subjects prior to the issuance of certificates, a quasi-unanimous European approach in order to prevent the possible dilution of the guarantees provided under Regulation 679/2016 ("GDPR").

In conclusion, this is a proposal which, if implemented with due care, could contribute greatly to the return to a somewhat normal life; however, it is feared that without a particularly detailed regulation on this matter, a high risk of making cross-border movements even more complex would ensue, also considering that each State would most likely adopt further measures regarding the regulation of this certificate.

[1] https://eur-lex.europa.eu/resource.html?uri=cellar:38de66f4-8807-11eb-ac4c-01aa75ed71a1.0024.02/DOC_1&format=PDF.


EU - UK agreement (so-called “Brexit”): the birth of the “comparable trademark”

It is well known by now that on 24 December 2020 the European Union and the United Kingdom reached an agreement for regulating their future commercial relations following “Brexit”.

This agreement seals the definitive separation between the British and European legal systems and, starting from the date of its enactment (i.e., 1 January 2021, namely the end of the transition period), the rules of European Union law will no longer apply to the United Kingdom, including those concerning intellectual and industrial property rights.

With a view to ensuring an orderly transition towards the new legal regime, the European Commission published a series of “Notices of Withdrawal” (related to the main sectors of European economy) which set out the main practical consequences that will affect the owners of intellectual and industrial property rights.

In particular, the Notice concerning trademarks specifies that, among other things, the owner of an EU trademark registered before 1 January 2021 will automatically become the owner of a “comparable trademark” in the United Kingdom, resulting as registered and subject to opposition in the United Kingdom, in accordance with the laws of that country.

This notion of a “comparable trademark” appears to be new within the field of IP rights, in so far as it was specifically introduced for the purpose of protecting those who – before the definitive withdrawal of the United Kingdom from the European Union – had obtained protection for their EU trademark which, at the time, produced effects also with respect to British territory.

The European Commission – evidently aware of the novelty of this legal concept – in the same Notice clarified that such “comparable trademark”:

      1. consists of the same sign that forms the object of EU registration;
      2. enjoys the date of filing or the date of priority of the EU trademark and, where appropriate, the seniority of a trademark of the United Kingdom claimed by its owner;
      3. allows the owner of an EU trademark that has acquired a reputation before 1 January 2021 to exercise equivalent rights in the United Kingdom;
      4. cannot be liable to revocation on the ground that the corresponding EU trademark had not been put into genuine use in the territory of the United Kingdom before the end of the transition period;
      5. may be declared invalid or revoked or cancelled if the corresponding EU trademark is the object of a decision to that effect as a result of an administrative or judicial procedure which was ongoing before 1 January 2021 (on a date following the “cloning”).

The British Government has confirmed that it will fall to the competent office of the United Kingdom to proceed without cost with the “cloning” of EU trademarks in the United Kingdom, where they will become “comparable trademarks”. It is not required of the owners of EU trademarks to file any request, nor to commence any administrative procedure in the United Kingdom, nor is it necessary for them to have a postal address in the United Kingdom for the three years following the end of the transition period.

Despite the precise description of the main features of the new “comparable trademarks”, there are – inevitably – uncertainties surrounding the practical application of this legal concept.

In particular, it is puzzling to find that the “comparable trademark” continues to be influenced by European administrative and judicial occurrences (see point e) above), which conflicts with the alleged independence of the United Kingdom from European laws and regulations.

Such inconsistencies evidently have already been noted, in so far as the Notice specifies (in a footnote) that the parties have acknowledged that the United Kingdom “is not obliged to declare invalid or to revoke the corresponding right in the United Kingdom where the grounds for the invalidity or revocation of the European Union trade mark … do[es] not apply in the United Kingdom”. It would seem therefore that the United Kingdom is invested with the power to not conform itself to European decisions.

However, it is not clear what should prevail in this “contest”: the invalidating decision of the European proceedings or British power to deny the effects of such European decision?

Furthermore, if the European proceedings – albeit commenced before the end of the transition period – should last for several years, how should the owner of the “cloned” trademark in the United Kingdom behave? Again, how are we to reconcile the existence of a “comparable trademark” – contemporaneously subject to European and British jurisdiction – with the known principle of territoriality applicable to the world of trademarks?

The situation appears somewhat uncertain and, in our opinion, it cannot be excluded that other issues concerning this new “comparable trademark” may arise in the future and form the object of open debate by those operating in the IP industry.

This is a key point that concerns not just acquired rights (which the British Government has undertaken to protect), but also the future political relations between the EU and the United Kingdom; indeed, it is interesting to note in this regard how such a seemingly innocent subject, namely trademark law, may in fact reveal the frailty of an agreement which is formally commercial but in reality turns out to be predominantly of a political nature.

In light of all the above, it would seem that the EU and the United Kingdom have chosen to follow the easiest path for protecting owners of EU trademarks in the midst of an orderly transition towards a new legal regime imposed by Brexit; on the other hand, this decision raises several legal questions, some of which have been anticipated above, which introduce a measure of uncertainty concerning the new “British hybrid” trademark.

Finally, we cannot fail to note how this new legal concept may represent an interesting precedent in the event that other Member States may decide in the future to leave the European Union. In that regard, we find ourselves before a new concept that certainly seems interesting from a legal standpoint, but potentially may also be “dangerous” from a political point of view and, as such, deserving of close attention in the coming years.