Covid-19 vaccination passport and European Digital Green Certificate: a French and European law perspective on how fundamental rights are challenged

Tuesday 25 May 2021

Cécile Théard-Jallu

De Gaulle Fleurance & Associés, Paris

Adèle Binnié

De Gaulle Fleurance & Associés, Paris

The introduction of the Digital Green Certificate

Since Order No 2020-1257 of 14 October 2020 declaring the state of health emergency, the French Government has issued many orders meant to restrict the circulation of French citizens both within the national territory and outside its borders. Today, Order No 2021-99 of 30 January 2021[1] specifically prevents French citizens from travelling outside the European Union, unless they can justify a compelling personal or family reason. Within the territory, mobility is also restricted. This will hopefully evolve in the coming weeks, but travel restrictions will probably remain for a long time in some format or another due to Covid-19 still spreading in a lot of regions, and its variants that challenge authorities' action plans to get rid of the pandemic.

As for domestic circulation, many national initiatives have been launched across the EU, including France, to create a vaccination certificate that enables citizens to resume their 'normal lives', for instance, by starting to go to restaurants or museums, or attend sporting events. That being said, travel within the EU and abroad falls within the scope of European institutions.

Despite the World Health Organization's (WHO's) initial recommendation of January 2021 that countries should not introduce requirements of proof of vaccination or immunity for international travel, the European Commission is now working on a so-called 'vaccination passport'. Hence, the European Commission has presented a fairly mature proposal[2] to create a 'Digital Green Certificate' to facilitate safe free movement inside the EU during the pandemic.

One of the praiseworthy aims of the EU is to create an interoperable and harmonised framework for the vaccination passport that will avoid discrepancies between Member States, while complying with European laws, such as the Charter of Fundamental Rights of the EU or the General Data Protection Regulation (GDPR).

The Digital Green Certificate's aim is to allow the demonstration that a person has either been vaccinated against Covid-19 or received a negative test result, or recovered from Covid-19. The Digital Green Certificate would contain an interoperable QR code with a digital signature. European citizens would obtain the certificate through their competent national authorities (hospitals, test centres, health authorities etc). Each issuing body would have its own digital signature key. All of this data would be stored in a secure database in each country. A gateway would be created to enable every EU Member State to check the Digital Green Certificate of a person without the data circulating through the gateway.

A difficult balance among fundamental rights

There is no official European or French definition of the notion of a 'vaccination passport'. Some say that the two words should not even be associated because the passport is, legally speaking, meant to establish the identity of a person without any sanitary link, while vaccination is intrinsically linked to the health status of the person.[3] To give it a pragmatic chance to become real, it could simply be defined as a document proving the individual's vaccination status required for certain activities. In other words, the passport would be a way to subject certain activities to the proof of vaccination, that is, an indirect way for vaccination to become compulsory. In any event, it sparks a debate.

It is worth recalling that, under European law, the administration of medical treatment without the consent of the patient falls within the scope of Article 8 of the European Convention on Human Rights and was considered a violation of the individual's physical integrity in the Pretty v United Kingdom case (European Court of Human Rights (ECHR), 29 April 2002, No 2346/02).

In that context, the introduction of the Digital Green Certificate raises many challenges, including the requirement of maintaining a balance among diverse European fundamental rights. An example is that the EU shall combine, on the one hand, the right of freedom of movement and residence protected by Article 45 of the Charter of Fundamental Rights of the EU, and on the other hand, the respect of private life and the right to the protection of personal data protected by Articles 7 and 8 of the charter.

Given the protests, the French President, Emmanuel Macron, has claimed that vaccination against Covid-19 would not be mandatory in France.

Under French law, the principle of a compulsory vaccination passport already exists for certain zones in the national territory and certain diseases. For instance, Article L 3111-6 of the French Public Health Code provides that 'vaccination against yellow fever is mandatory, unless medically contraindicated, for any person over one year old and residing or staying in French Guiana'. Article R 3115-63 of the French Public Health Code also states that 'any entry into parts of French territory where vaccination against yellow fever is mandatory is subject to the presentation of a vaccination certificate or a certificate of medical contraindication to this vaccination' and this should be verified by transport service operators under Article R 322-7 of the French Aviation Code. However, in the yellow fever case, compulsory vaccination is deemed to be justified and well accepted by travellers because it is limited to a specific territory and specific disease.

This should be read in light of the ECHR's recent decision of 8 April 2021, under which compulsory vaccination for children could be considered 'necessary in a democratic society'.[4] This is justified by the legitimate interest 'to protect the population against diseases which may pose a serious risk to health'. In France, such compulsory immunisations for children already exist for 11 serious diseases, including diphtheria or tetanus (Article L3111-2 of the French Public Health Code).

What differs in the current context is the worldwide, historic and unprecedented nature of the Covid-19 crisis.

For now, the European Commission seems to have found a balance between the population's health and its freedoms because its contemplated certificate would allegedly offer a tool that enables vaccinated people to prove their vaccination easily. It would not prevent unvaccinated people (for medical reasons, because they are not part of the target group for which the vaccine is currently recommended, or because they have not yet had the opportunity or do not wish to be vaccinated) from travelling as, indeed, people could still provide a negative test result or prove that they have recovered from Covid-19. Hence, the European Commission clearly mentioned that 'this Regulation cannot be interpreted as establishing an obligation or right to be vaccinated' and that 'people without such a certificate must still be able to travel and that being in possession of a certificate is not a prerequisite of exercising the right to free movement or other fundamental rights'.

The European Commission even insisted on choosing the name 'certificate' instead of 'passport', the latter suggesting that it would be mandatory.

This position seems reasonable at this stage of the pandemic because access to vaccination remains unequal and we are uncertain as to whether vaccines will achieve their intended goal.

Issues and concerns raised on the data protection and privacy side

The creation of a vaccination passport raises technical challenges, especially from an interoperability standpoint. It also raises real risks from a data protection and privacy perspective. On the basis of the GDPR and the French Data Protection Act, the French Data Protection Authority (Commission nationale de l'informatique et des libertés or CNIL) already spotted those risks in an article that it published through its digital innovation laboratory (Laboratoire d'innovation numérique de la CNIL or LINC).[5] The latter provides that institutions and private companies could abusively require immunity certificates, and that implementing that tool would therefore require a comprehensive framework. Among other aspects, the CNIL insists that there is probably a need to adjust the current health data protection rules, and regulate systems governance and related guarantees.

Other European governments and populations are also concerned about these risks in view of the GDPR's requirements on the protection of data and their own national legislations.

Among the risks identified, the Digital Green Certificate, as well as any other vaccination passport, would contain health data, which is highly sensitive data whose processing is prohibited by Article 9 of the GDPR, except under a strict number of scenarios and legal bases. Article 9.2 (1) seems to adequately fit the purpose of the contemplated certificate, but will also need to match the possible legal specificities and complementary conditions of each Member State's national legislation.

Issuing and controlling Covid-19 certificates or vaccination passports would also most probably be considered as processing on a large scale. Beyond health data, they would include other personal data of the holder, such as name, date of birth or nationality. Overall, a security breach would therefore have serious consequences and a high degree of risk should be considered.

Together, this data represents a significant volume of data that is potentially vulnerable to attackers, especially if the data is stored on a central database in each country as envisaged.

When combined with other information, the data collected for the purpose of the vaccination passport or certificate may reveal the identity and location of the person. In the most extreme cases, unauthorised access to this data could lead to unauthorised surveillance and constitute a serious risk to privacy.

Hackers could also try to create false proofs of vaccination and thereby undermine health protection.

Another major concern is the possibility that the people who have access to the data, including passenger transport service operators and authorities, reuse it for purposes other than those for which it was initially intended. For example, Member States may consider reusing the Digital Green Certificate for other internal purposes, such as access to certain places (restaurants, cultural places, sports halls etc).

Strong technical and organisational measures and warranties from all stakeholders will therefore be required in order for this passport or certificate to win the population's trust.

Analysis of the measures considered to protect personal data and individuals' privacy

As in many foreign countries, European bodies are currently considering measures to strengthen security and the protection of personal data collected through vaccination certificates or passports.

On 6 April 2021, the European Data Protection Board (EDPB) and European Data Protection Supervisor (EDPS) issued a joint opinion regarding the European Commission's proposal for a Digital Green Certificate.[6]

Among other observations, the EDPB and EDPS underlined that it 'must be fully in line with the fundamental principles of necessity, proportionality and effectiveness'. They insisted that the vaccination certificate fully comply with the core principles of the GDPR, including transparency, data minimisation, purpose limitation and data storage limitation. They highlighted the need for the European Commission to justify the necessity for certain data to be included in the certificates (eg, the vaccine product used for the person's vaccination and its marketing authorisation holder), as well as the requirement to determine data controllers and data processors for the processing of personal data.

However, concrete measures have not yet been identified, and many technical solutions have been suggested to guarantee data protection, such as blockchain and encryption technology (which is used in New York for the Excelsior Pass).[7] Surprisingly, the EDPB and EDPS, as well as the European Commission in its proposal, do not mention the necessity to carry out a privacy impact assessment. This assessment would be appropriate to identify security and other risks, and determine whether suitable safeguards have been implemented.

In line with the European Commission, the EDPB and EDPS have also stressed that the European Commission's proposal must not lead to the creation of any sort of central database of personal data at the EU level.

Finally, they have insisted on the fact that the collection and use of data collected for the purpose of the Digital Green Certificate and other similar tools shall be temporary and not permitted once the pandemic is over. However, the certificate could be 'temporary' for a long time because the pandemic has been going on for a year already and we are uncertain of when and how it will end.

As always in the current sanitary crisis, this is a matter of urgency, but urgency cannot justify rushed decisions that may have a serious impact on fundamental rights. The aforementioned guarantees will therefore need to be established and made available by the European Commission by 15 June 2021, which is the announced date for the Digital Green Certificate launch.[8]



[1] Order No 2021-99 of 30 January 2021, amending Order Nos 2020-1262 of 16 October 2020 and 2020-1310 of 29 October 2020, prescribing the general measures necessary to deal with the Covid-19 pandemic under the state of health emergency

[2] See accessed 21 April 2021.

[3] See accessed 21 April 2021.

[5] See accessed 21 April 2021.

[8] See accessed 21 April 2021.