Today, the European Parliament votes on the interinstitutional compromise text on the regulation(s) on the EU Digital COVID Certificate (EU DCC, also known as the Digital Green Certificate and the European Green Pass). The proposed legislation regulates the “framework for the issuance, verification and acceptance of interoperable certificates on vaccination, testing and recovery” with aim of facilitating free movement during the COVID-19 pandemic.
Epicenter.works and its partner, Civil Liberties Union Liberties expects that the legislation will pass. The final compromise text, in line with the majority of our recommendations, is a clear victory for human rights and digital rights.
More accessible testing to be provided to avoid two-tier societies
- The text of the main regulation (hereafter ‘the text’) stresses the need for universal, timely and affordable access to COVID-19 vaccines and tests. To support Member States’ testing capacity, the Commission has mobilised 100 million Euros to purchase over 20 million rapid antigen tests. EUR 35 million were also mobilised through an agreement with Red Cross to increase testing capacity in Member States through mobile testing capacities.
Liberties has repeatedly expressed concerns about the risk of creating a two-tier society with those who are vaccinated enjoying their full set of rights, while those who have not been vaccinated face undue hindrances in enjoying similar rights. Liberties recommended that Member States should make testing easily accessible (both geographically and financially) for those who are not inoculated.
Paper-based certificates for those who do not own a smartphone
- According to the text, “to ensure interoperability and equal access, including for vulnerable persons such as persons with disabilities and for persons with limited access to digital technologies, Member States should issue the certificates making up the EU Digital COVID Certificate in a digital or paper-based format, or both. The prospective holders should be entitled to receive the certificate in the format of their choice” (Recital 14).
Liberties and epicenter.works were concerned that according to the Commission’s proposals, Member States given discretion over what form to issue the certificates in and were not obliged to issue them in a way that was most accessible to the end user. The digital format is meant to be displayed and stored on mobile devices. However, by issuing only digital certificates, Member States could have exacerbated inequalities and social exclusion. Liberties proposed that Member States should be required to issue the certificates in both formats, or, if they wish to issue the certificate in digital format only, to ensure that any person is provided with a device capable of storing and displaying them.
An end in sight
- The text contains a sunset clause. The regulations will apply for 12 months from the date of its entry into force. This is an important improvement, since any fundamental rights restriction with the aim to combat the Covid-19 crisis should not outlive this pandemic. We will closely monitor the implementation of this proposal in the member states, the reporting obligations of the European Commission and insist that the system is shut down after the sunset period is over.
Liberties and epicenter.works insisted that a clear set of conditions needed to be set out for discontinuing the use of certifications. The requirement to attest our health status when moving inside Europe cannot become a normal part of life.
Protecting medical history
- The certificates will only contain the personal data strictly necessary “for the purpose of facilitating the exercise of the right to free movement within the Union during the COVID-19 pandemic” (Recital 38). A separate certificate will be issued for each vaccination, test or recovery – so that no medical history will be collected on the holder for the purposes of the European Digital COVID Certificate.
Epicenter.works and Liberties were both concerned about the processing of sensitive health data in the scope of this proposal and the means by which this information is exposed to third parties. Particularly, recovery certificates could indicate a life-long disadvantage of a person (long covid). As Member States have no good-track record in being sufficiently mindful about the risks of introducing new technology to control the risks COVID-19 pandemic may pose, we were concerned about the lack of details on the protection of personal data in the Commission’s proposal.
- It will be ensured that “the verification of a certificate has to happen offline and without informing the issuer or any other third party about the verification. The trust framework should be based on a public-key infrastructure with a trust chain from Member States’ health authorities or other trusted authorities to the individual entities issuing the certificates” (Recital 15). In addition, verifiers will be prohibited from retaining personal data obtained from the certificate. This is as far as the European legislation can solve the problem. Member States going beyond the regulation by using this system to control access to shops and restaurants domestically, will have to adopt national legislation with equivalent safeguards.
Epicenter.works warned against a centralised architecture for the verification of certificates. Such online verification creates the potential for surveillance by the issuing authority, in effect creating data sets at the issuing authority about every time a citizen crosses a border. This problem is amplified when countries use this system also for regulating access to spaces or services for vaccinated, tested or recovered people – in effect creating the potential for the observability of all social life. Therefore, epicenter.works insisted that the regulations have to clarify that only an offline verification via a public key infrastructure adheres to the principles of privacy by design. When a certificate is verified, the issuer should not obtain knowledge about the verification process or its circumstances.
Whether the implementation of the Regulation will comply with the highest human rights standards of course remains to be seen. Epicenter.works and Liberties will continue to monitor developments in the coming months. But today we celebrate.
The Proposal for a Regulation: A Brief History
As early as in March 2020, EU Member States adopted various measures to limit the spread of the coronavirus and protect public health. Some of these measures affected the Union citizens’ right to move and reside freely within the territory of the Member States. In Summer 2020, when the incidence rates decreased in Europe, but vaccines were not even on the horizon, governments hoped to revive inter-European travel with interoperable contact tracing apps. This, for various reasons, has not happened: the contact tracing gateway started to function too late, and the download rate of the apps was too low in most countries for them to serve as an efficient means in fighting the pandemic.
In early 2021, as the vaccination campaigns started in Europe, it quickly became clear that a number of European leaders wanted to issue vaccination passes to be used both for domestic and for international purposes. This time the EU wanted to be early and didn’t leave the development of a technical standard to Tech Giants like Apple and Google. In March 2021, the Commission announced its plan to introduce a pass that could certify not only the holders’ vaccination status, but also their recent test results or recovery status too. In a policy brief dated 12 March 2021, Liberties put forward recommendations on what measures the EU would need to take to ensure that such a pass would not lead to unfair treatment, exacerbated inequalities and privacy violations.
On 17 March, the European Commission presented a proposal for a regulation on interoperable vaccinaton/test result/recovery certificates for European citizens and family members and a twin proposal regulating how third country nationals legally staying or residing in the EU could become holders of such certificates. Epicenter.works and Liberties were of the opinion that the Commission's proposals showed good intentions. However, because the proposals did not ensure that issuing authorities could not misuse the certificate for the purposes of surveillance, and did not go far enough to avoid social exclusion, Liberties issued a second policy brief with suggested amendments to the proposal.
On 26 April, epicenter.works, Liberties and 26 human rights and digital rights organisations sent an open letter to the Members of the European Parliament urging them to address our concerns with appropriate amendments and ensure that both regulations were in line with the values the Union is based on.
On 28 April, the European Parliament adopted its position, and the inter-institutional negotiations moved to the so-called trialogue phase. The versions adopted by the Parliament contained vital improvements to the original proposals, especially in their emphasis on avoiding discrimination against those who have not been vaccinated and in its emphasis on privacy-by-design. Informal political trialogues between the Parliament, the Commission and the Council (which had adopted its own version of the proposals on 12 April) were held on 3, 11, 18 and 20 May. In a final policy brief that aimed to provide input for the negotiators in the trialogue, epicenter.works and Liberties published analysis and recommendations on the different various amendments proposed by the Council and European Parliament.
At the fourth political trialogue on 20 May, a provisional agreement was reached on the text of both regulations. Today, the Parliament is expected to adopt the text agreed on the fourth trialogue. While some of our concerns are not fully met, Liberties and epicenter.works are of the opinion that the texts to be voted on today are a great improvement on the original proposal and can be considered a victory for human and digital rights.