Today, the European Parliament votes on the interinstitutional compromise text on the regulation(s) on the EU Digital COVID Certificate (EU DCC, also known as the Digital Green Certificate and the European Green Pass). The proposed legislation regulates the “framework for the issuance, verification and acceptance of interoperable certificates on vaccination, testing and recovery” with aim of facilitating free movement during the COVID-19 pandemic.
Liberties and its partner, epicenter.works, expect that the legislation will pass. The final compromise text, in line with the majority of our recommendations, is a clear victory for human rights and digital rights.
1. More accessible testing to be provided to avoid two-tier societies
The text of the main regulation (hereafter ‘the text’) stresses the need for universal, timely and affordable access to COVID-19 vaccines and tests. To support Member States’ testing capacity, the Commission has mobilised 100 million Euros to purchase over 20 million rapid antigen tests. 35 million Euros was also mobilised through an agreement with the Red Cross to increase testing capacity in Member States through mobile testing capacities.
Stay in the loop.
2. Paper-based certificates for those who do not own a smartphone
According to the text, “to ensure interoperability and equal access, including for vulnerable persons such as persons with disabilities and for persons with limited access to digital technologies, Member States should issue the certificates making up the EU Digital COVID Certificate in a digital or paper-based format, or both. The prospective holders should be entitled to receive the certificate in the format of their choice” (Recital 14).
Liberties and epicenter.works were concerned that according to the Commission’s proposals, Member States were given discretion over what form to issue the certificates in and were not obliged to issue them in a way that was most accessible to the end user. The digital format is meant to be displayed and stored on mobile devices. However, by issuing only digital certificates, Member States could have exacerbated inequalities and social exclusion. Liberties proposed that Member States should be required to issue the certificates in both formats, or, if they wish to issue the certificate in digital format only, to ensure that any person is provided with a device capable of storing and displaying them.
3. An end in sight
The text contains a sunset clause. The regulations will apply for 12 months from the date of its entry into force. This is an important improvement, since any fundamental rights restriction with the aim to combat the COVID-19 crisis should not outlive this pandemic. We will closely monitor the implementation of this proposal in the Member States, the reporting obligations of the European Commission and insist that the system is shut down after the sunset period is over.
Liberties and epicenter.works insisted that a clear set of conditions needed to be set out for discontinuing the use of certifications. The requirement to attest our health status when moving inside Europe cannot become a normal part of life.
4. Protecting medical history
The certificates will only contain the personal data strictly necessary “for the purpose of facilitating the exercise of the right to free movement within the Union during the COVID-19 pandemic” (Recital 38). A separate certificate will be issued for each vaccination, test or recovery – so that no medical history will be collected on the holder for the purposes of the European Digital COVID Certificate.
Epicenter.works and Liberties were both concerned about the processing of sensitive health data in the scope of this proposal and the means by which this information is exposed to third parties. Particularly, recovery certificates could indicate a life-long disadvantage of a person (long COVID). As Member States do not have a good track record in being sufficiently mindful about the risks of introducing new technology to control the risks COVID-19 pandemic may pose, we were concerned about the lack of details on the protection of personal data in the Commission’s proposal.
5. Preventing surveillance
It will be ensured that “the verification of a certificate has to happen offline and without informing the issuer or any other third party about the verification. The trust framework should be based on a public-key infrastructure with a trust chain from Member States’ health authorities or other trusted authorities to the individual entities issuing the certificates” (Recital 15). In addition, verifiers will be prohibited from retaining personal data obtained from the certificate. This is as far as the European legislation can solve the problem. Member States going beyond the regulation by using this system to control access to shops and restaurants domestically, will have to adopt national legislation with equivalent safeguards.
Epicenter.works warned against a centralised architecture for the verification of certificates. Such online verification creates the potential for surveillance by the issuing authority, in effect creating data sets at the issuing authority about every time a citizen crosses a border. This problem is amplified when countries use this system also for regulating access to spaces or services for vaccinated, tested or recovered people – in effect creating the potential for the observability of all social life. Therefore, epicenter.works insisted that the regulations have to clarify that only an offline verification via a public-key infrastructure adheres to the principles of privacy by design. When a certificate is verified, the issuer should not obtain knowledge about the verification process or its circumstances.
But today we celebrate.
The Proposal for a Regulation: A Brief History
As early as March 2020, EU Member States adopted various measures to limit the spread of the coronavirus and protect public health. Some of these measures affected the Union’s citizens’ right to move and reside freely within the territory of the Member States. In Summer 2020, when the incidence rates decreased in Europe, but vaccines were not even on the horizon, interoperable contact tracing apps were hoped to revive inter-European travel. This, for various reasons, has not happened: the contact tracing gateway started to function too late, and the download rate of the apps was too low in most countries for them to serve as an efficient means in fighting the pandemic.
In early 2021, as the vaccination campaigns started in Europe, it quickly became clear that a number of European leaders will want to issue vaccination passes to be used both for domestic and for international purposes. In March 2021, the Commission announced its plan to introduce a pass that could certify not only the holders’ vaccination status, but also their recent test results or recovery status too. In a policy brief dated 12 March 2021, Liberties has put forward recommendations on how such a pass should be deployed so that it does not lead to unfair treatment, exacerbated inequalities and privacy violations.
On 17 March, the European Commission presented a proposal for a regulation on interoperable vaccination/test result/recovery certificates for European citizens and family members and a twin proposal regulating how third country nationals legally staying or residing in the EU could become holders of such certificates. Liberties believed that the Commission's proposals showed good intentions, but as the proposals did not ensure that issuing authorities cannot misuse the certificate for the purposes of surveillance, and it did not go far enough to avoid social exclusion, Liberties in a second policy brief proposed that legislators amend the text.
On 26 April, Liberties, epicenter.works and 26 other human rights and digital rights organisations sent an open letter to the Members of the European Parliament urging them to address our above-described concerns with appropriate amendments and ensure that both regulations are in line with the values the Union is based on.
On 28 April, the European Parliament adopted its position, and the inter-institutional negotiations moved to the so-called trilogue phase. The versions adopted by the Parliament contained vital improvements to the original proposals, especially in their emphasis on the non-discrimination of the unvaccinated and in its emphasis on privacy-by-design. Informal political trilogues between the Parliament, the Commission and the Council (which adopted its own version of the proposals on 12 April) were held on 3, 11, 18 and 20 May. In a policy brief that aimed to provide input for the negotiators in the trilogue, Liberties (and epicenter.works) analysed the different proposed amendments and explained which of them is worthy of the human and digital rights community’s support and why.
Stay in the loop.
Today, the Parliament is expected to adopt the text agreed on at the fourth trilogue. While some of our concerns are not fully met, Liberties and epicenter.works believe that the texts to be decided about today show a great improvement to the original proposal and represent a victory for human and digital rights to be celebrated.
Thomas Lohninger is Executive Director of the digital rights NGO epicenter.works in Vienna, Austria. Liberties and epicenter.works are working together to ensure that COVID-19 certificates in Europe are not used for surveillance and do not lead to discrimination.