The EU and the Italian green certificates - striking a balance between health and data protection during the Covid-19 pandemic

Wednesday 26 May 2021

Laura Liguori

Portolano Cavallo, Milan

lliguori@portolano.it

Elisa Stefanini

Portolano Cavallo, Milan

estefanini@portolano.it

Last month the European Commission presented a proposal to create a digital green certificate to facilitate free movement within the EU during the Covid-19 pandemic while ensuring public health safety.

The EU green certificate will not be a precondition for travel or discriminate against those who have not yet been vaccinated, but it will instead allow movement to take place more easily, avoiding possible restrictions such as quarantine or testing for Covid-19 that each Member State may impose. In the EU Commission proposal, the certificate will confirm whether the holder has been vaccinated, has tested negative or has recovered from Covid-19.

One of the most hotly debated issues regarding the green certificate, informally referred to as a Vaccination Passport, concerns the protection of personal data.

The Italian vaccination pass and the need for harmonisation at EU-level

Like the EU Commission, the Italian government is also working on the implementation of a green certificate that would facilitate movement of people between regions identified as red zones or orange zones (within which – under the system adopted in Italy – certain limitations on the individual’s freedom of movement apply) or would allow them to attend events or other activities. Indeed, the Italian Government has adopted Law Decree 52/2021 which – among other provisions – regulates the functioning of the Italian certificates. The certificates will attest whether the holder has been vaccinated or has recovered from Covid-19 (in which cases the certification would last six months) or whether he/she tested negative for the virus (in which case the certification would last 48 hours). These rules would apply in Italy, while waiting for the final approval of the EU green certificates.

In light of the above, it is clear that both the EU Commission and the Italian government deemed this solution practicable while striking a balance between the principle of free movement of persons between Member States, the protection of public health and the right to protection of personal data recognised by Regulation (EU) 2016/679 (GDPR). However, in order for the project to be implemented effectively, Member States will have to come to unanimous agreement (on such items as, for example, the proposal’s respect for the principles on the protection of personal data) and operational and IT capacity must exist to guarantee the issuance of Certificates under the minimum requirements at the European level requested from each Member State. In addition, the European Data Protection Board (EDPB) and the European Data Protection Supervisor (EDPS) have adopted a joint opinion on the EU Proposal for the Digital Green Certificate. With this opinion, they provided recommendations and suggestions for the implementation of the Certificate in accordance with EU personal data protection legislation[1].

The Garante’s position on the Italian vaccination pass

Before the proposed EU regulation and Legislative Decree 52/2021, the Italian Supervisory Authority (the ‘Garante’) expressed its opinion on vaccination passes, ie, a digital-format solution that public or private service providers might require as a necessary condition to access certain places or to use services.

On that occasion, the Garante outlined the risk that similar solutions discriminate against those who have not yet had access to the vaccination campaign and those who choose not to vaccinate. Therefore, such tools – if implemented improperly – could harm the fundamental freedoms granted to individuals and, for example, lead to vaccination against Covid-19 being perceived as a compulsory health treatment. In addition, the Garante highlighted critical issues in connection with confidentiality of data and compliance with all the GDPR principles (including proportionality, purpose limitation and data minimisation). In a press release dated 1 March 2021, the Garante reiterated that any appropriate measures to introduce vaccine passports in national territories must be adopted by the state legislature, in compliance with existing legislation and while striking an appropriate balance between public interest, health protection and protection of personal data.

After the adoption of Law Decree 52/2021, therefore, the Garante exercised its powers to issue warnings to a controller or processor whose intended processing operations are likely to infringe the GDPR[2]. By issuing its Resolution of 23 April 2021, the Garante warned the various ministries and public institutions involved in the processing about the possible violations that might be triggered by the implementation of the Italian certificates.

In particular, the Garante has challenged the following aspects:

  • First, in approving Law Decree 52/2021 (adopted as a matter of urgency) the Italian government did not consult the Garante, as specifically required by article 36, paragraph 4 GDPR, under which Member States shall consult the supervisory authority when preparing a legislative or regulatory measure that relates to the processing of personal data. This was done last year in Italy, for example, when the Italian Government issued the decree implementing the national alert system to fight the spread of the virus (the contact tracing app Immuni).
  • Second, Law Decree 52/2021 cannot be considered a valid legal basis for the implementation of the Italian certificate, as it does not specify the purposes of the data processing triggered by the certification.
  • Third, the certification does not comply with the principle of minimisation as it includes data which is not necessary for the declared (generic) purposes of the certification (for example, details on the vaccine, etc). Certifications should only contain identification data, a unique certificate identifier and the validity of the certificate.
  • Fourth, the Law Decree violates the principle of accuracy as it allows the use of the data contained in other certificates issued before the adoption of the same decree to issue the certificate itself.
  • Fifth, the Law Decree violates the principle of transparency, as the purposes of the certifications are not sufficiently clarified and the entities/persons who will be processing the related data are not indicated, nor are those who will control the validity and authenticity of the certifications themselves.
  • Finally, the Law Decree does not specify the retention periods of the personal data processed or the security measures adopted to ensure safety of the data.

Raising attention against potential breaches of constitutional rights

A few days after this resolution, the Garante also announced the opening of an investigation against the Autonomous Province of Bolzano, which implemented the ‘CoronaPass Alto Adige’, a ‘local certification’ allowing holders to access certain accommodations, recreational places or attend certain public events.

All the above actions by the Garante must be read as due attention to the many data protection matters connected to the implementation of green certificates and not as blind opposition to the adoption of similar solutions. The Garante merely takes a stance (by exercising its powers as provided directly by the GDPR) against the inconsistent adoption of tools potentially capable of damaging constitutionally guaranteed rights.


[1] EDPB press release available at the following page.

[2] Art. 58, paragraph 2, letter (a) GDPR.