Presentation to LIBE Committee: EDPB–EDPS Joint Opinion on the Digital Green Certificate by European Data Protection Supervisor, Wojciech Wiewiórowski
Dear Members of the LIBE Committee, dear Chair, It is my great honour to be here with you today.
The EDPS and the EDPB have been called upon to issue a Joint Opinion. This time, a Joint Opinion on the Commission’s Proposal for a Digital Green Certificate.
Given the high sensitivity of the legislative proposal at stake, the role of our institutions as independent advisors has been even more important.
Despite the short deadline (two weeks since its publication and request for the Joint Opinion by the Commission), full cooperation between the EDPB and the EDPS has been successfully achieved, once again.
Personally, I have long considered immunity passports as being highly problematic due to the lack of scientific evidence and high risks of stigmatisation, discrimination and exclusion. We strongly believe that the introduction of ‘immunity passports’ could also create a direct incentive to self–infection, thus being harmful while also putting at risk vulnerable groups.
We welcome the fact that the notion of ‘immunity’ was not used in this proposal and we agree that vaccination certificates are different by nature, as they simply attest whether an individual has been vaccinated. Vaccination passports have existed for a very long time and used for entirely legitimate purposes. However,this does not mean that we should not think carefully about when and how vaccination certifications shall be used in the context of the current health crisis.
From the start, I have advocated for due caution when reflecting on the specific use cases in which vaccination certificates should be (allowed to be) used.The situations in which a vaccination certificate would need to be provided (e.g., travelling vs. social life activities vs. returning to the workplace),need to be identified, particularly since, at present; vaccination against COVID–19 is carried out on a voluntary basis in EU Member States. Moreover, at present,the extent to which the vaccine is widely available may also impact the extent to which the use of certificates as a precondition may be fair. Finally, some individuals, due to circumstances beyond their control (such as health conditions, serious allergies, age etc.)may not be eligible for a COVID–19 vaccination.
When looking at the Commission’s proposal, we must remain mindful of the nature of the data being processed, which provides information concerning a person’s health, which is a special category of data in itself.
In our Joint Opinion, the EDPB and the EDPS have acknowledged the legitimate objective of the Proposal on harmonising the documentation relating to the issuance, verification and acceptance of the Digital Green Certificate within the EU, with the aim to allow the free movement of citizens between EU Member States.
When discussing this proposal–as supervisory authorities in the field of data protection –we had to respect our remit and provide advice on privacy and data protection issues, and to not deviate towards political and social dispute on the expectations of Europeans and on managing these expectations.
Nevertheless,we have to say that even if from a data protection point of view a system is safe, its operation should not lead to creating false expectations. We cannot spread fake safety assurances which are not founded on solid scientific proof and knowledge.
Despite the current emergency situation caused by the COVID–19 pandemic and the fact that the Proposal provides for three types of certificates (the testing certificate, the recovery certificate and the vaccination certificate), we, the EDPB and the EDPS, have clearly insisted on the observance of the principles of effectiveness, necessity, proportionality and non–discrimination. We also reiterate that, at present, there seems to be little scientific evidence supporting the fact that having received a COVID–19 vaccine (or having recovered from COVID–19) grants immunity and, as a consequence, how long such immunity lasts. Moreover, there are still critical unknowns regarding the efficacy of vaccination in reducing transmission.
In any event, we have underlined that the Proposal should lay down clear and precise rules governing the scope and application of the Digital Green Certificates and impose the necessary safeguards, so that individuals,whose personal data is affected,have sufficient guarantees that their data will be effectively protected against the risk of discrimination.
While we acknowledge that any possible further use of the framework and the Digital Green Certificate other than the one of facilitating the right to free movement between EU Member States falls outside the Proposal’s scope and, consequently,of the Joint Opinion. We underline that such further use of the framework, and the personal data related to it at EU Member State level must respect Articles 7 and 8 of the Charter and must be in compliance with the GDPR(including Article 6(4)).
We have called for the Proposal to expressly provide that access and subsequent use of the data by EU Member States once the pandemic has ended is not permitted under the Proposal and to provide clear indications in this regard. At the same time, we also highlight that the application of the proposed Regulation must be strictly limited to the current COVID–19 crisis, and that the restrictions imposed shall not apply to other future emergencies other than the ongoing COVID–19 pandemic.
Last but not least, the Joint Opinion provides for specific data protection–related recommendations dealing with various issues, such as the need for clarification on the categories of personal data involved in the processing; the adoption of adequate technical and organisational privacy and security measures in the context of the Proposal;specific identification of controllers and processors; data storage and international data transfers.
Overall, the Joint Opinion acknowledges the need to enhance the right to free movement within the EU Member States,and positively assesses the efforts of the Commission to propose the framework that respects privacy and data protection. At the same time,the Joint Opinion adequately reflects the doubts and concerns about the respect for the fundamental rights of citizens when the system, which has been created to allow free movement of people inside the Union, would be used for other purposes. We call for the respect of the principles of necessity, proportionality and effectiveness wherever and however the certificates are used. In this regard, we hope that you may also agree with our recommendations and ensure that these are fully reflected in the final text of the Regulation.
One of the many lessons learnt from the COVID–19 crisis is that respect for fundamental rights must be our guiding light.
Europeans have the right to move and travel. They have a right to use their data to prove their commitment to make Europe a healthy and safe continent. But,they also have the right to know what is really certified by the certificate they get, and the right to trust not only the right to be “mutually accepted”.
Only by doing so will we be able to find a way forward in the COVID–19 crisis,while maintaining the trust of citizens.
I thank you for your attention and look forward to answering any questions you may have.