Part I – Digital Health Passports in Europe: Facilitating a Return to the “New Normal” or an Intrusion of Privacy?
With the roll-out of the COVID-19 vaccine and the start of easing of social distancing measures, the latest initiative being considered at a national as well as an international level is the introduction of so-called “digital health passports” or “immunity passports,” i.e., a tool to record and share the immune status of an individual whether by virtue of a COVID-19 test result or vaccination record – indeed, it is estimated there are currently more than 70 digital health passports and 14 vaccine passport apps in operation globally. However, the privacy concerns (and indeed the broader ethical implications) of introducing such measures, without the implementation of appropriate safeguards are significant and a current topic of intense debate.
Why are digital health passports being considered?
A digital health passport is intended to confirm that a particular individual is at a low risk of acquiring or transmitting COVID-19. In turn, digital health passports are being considered as a means of, for example, facilitating international travel and entry to mass gatherings such as, football matches and music concerts – with the ultimate aim being to speed up the return to “normality” and promote the re-opening of the economy.
Who is considering digital health passports in the EU?
EU-Level:
On 17 March 2021, the European Commission (EC) presented a proposal to create a “Digital Green Certificate” which will be valid across the EU and will serve as digital proof that the individual has either (1) been vaccinated against COVID-19, (2) received a negative COVID-19 test result, or (3) recently recovered from COVID-19.
According to the EC, the Certificate will contain a QR code (i.e., a machine-readable graphic code) with a digital signature (i.e., to prevent falsification). Each national issuing body (e.g. a hospital, a test centre, a health authority) will have its own specific digital signature. When the certificate is checked, the QR code is scanned and the signature verified. The EC will in turn, build a gateway through which all Certificate signatures can be verified across the EU. However, according to the EC, the personal data encoded in the Certificate (e.g., name, date of birth, date of issuance, relevant information about vaccine/ test/ recovery and a unique identifier) will not pass through the gateway – only the validity and authenticity of the Certificate is checked.
The EC plans to roll-out the Certificate by Summer 2021 (subject to approval from the EU Parliament and EU Member States). The EC is also working with the World Health Organisation to ensure the Certificate is recognised beyond the EU.
The European Data Protection Board and the European Data Protection Supervisor published a joint Opinion on the Certificate on 6 April 2021. The Opinion recommends restricting the use of the Certificate to cross-border travel within the EU i.e., as opposed to any broader purposes such as facilitating entry to restaurants and concerts, and prohibiting access to the data by Member States following the end of the pandemic. The Opinion also addresses the need for both a digital and paper-based version of the Certificate, requests clarification as to the justification for inclusion of all proposed categories of personal data in the QR code, and stresses the need for governments to adhere to the principles of “effectiveness, necessity and proportionality” and include “strong and specific safeguards” – to be implemented following an impact assessment.
National Level:
Several other countries have already introduced, or are developing, digital health passports. For example:
- the Danish government plans to implement a digital health passport domestically starting May 2021. Individuals in Denmark will be required to present the passport in order to access services such as hairdressers, concerts and restaurants;
- in Estonia the plan is to launch digital certificates in the form of a QR code (i.e., showing proof of vaccination) by the end of April 2021;
- in Israel, a vaccine passport was launched in February permitting those who have received the vaccine to visit various locations such as hotels and gyms;
- an app-based passport is being issued to those who have received the vaccine in Saudi Arabia;
- the UK government (in consultation with the UK’s Information Commissioner’s Office) is now also considering incorporating a vaccine certificate into the existing general NHS application and is expected to provide a high level report on these considerations shortly; and
- Switzerland is currently evaluating new technical solutions to put in place an internationally recognized vaccine certificate, available both in paper and digital form. In comparison to other solutions, Switzerland will not have a centralized record.
Separately, the private sector uptake of digital health passports is increasing, in particular in the aviation industry with a number of airlines having implemented (or piloting) a range of platforms.
Interestingly, it does not seem the US will be adopting a similar approach, with the White House press secretary recently confirming that the US government “is not now, nor will we be supporting a system that requires Americans to carry a credential. There will be no federal vaccinations database and no federal mandate requiring everyone to obtain a single vaccination credential”. The White House explained its “interest is very simple …, which is American’s privacy and rights should be protected so that these systems are not used against people unfairly,” and also indicated that the federal government will be providing guidance about privacy related to the coronavirus vaccines.
What are the potential EU privacy concerns?
As with all measures implemented in response to COVID-19, the introduction of digital health passports is not without challenge and much of this stems from the associated privacy concerns. These include, for example:
- Information Security: given the sensitive nature of the information being collected (i.e., health data), the need for effective information security is paramount. However, with the speed at which these solutions are being implemented and their inherently high profile nature, the digital health passports are likely targets for bad actors. Indeed, it is believed experts have already identified a number of security vulnerabilities with the applications rolled-out in Israel and Switzerland. For example, in Switzerland a digital vaccine record platform “meineimpfungen.ch” was launched last autumn and subsequently suspended due to security concerns raised by the Federal Data Protection and Information Commissioner, which opened investigations against the owner of the platform.
One proposed solution to address the security risks, is the use of blockchain technology (i.e., as a mechanism to enhance security for certain digital health passports). However, such technologies are typically not aligned with the principles of EU data protection which inter alia require adherence to the principle of data minimization and accountability.
- Purpose Limitation: under EU data protection laws, personal data must be collected for specified and legitimate purposes and not further processed in a manner incompatible with those purposes. Steps will need to be taken by developers and operators of the apps to avoid function creep – in particular, to avoid issues such as, that which purportedly transpired in Singapore earlier this year, when law enforcement were allegedly granted access to the TraceTogether app in spite of statements in the privacy policy indicating this would not happen.
- Data Minimization and Retention: under EU data protection laws, only the minimum amount of personal data should be collected as necessary to achieve the intended purpose. The EC in its proposal for the Digital Green Certificate states that it will collect only a limited set of information which cannot be retained by visited countries. Consideration should also be given to the retention periods for the personal data in particular, as the accuracy of this information is subject (in certain cases) to rapid change. In turn, these limitations should be built into the design of the certificates (i.e., as default settings) to ensure the collection of, access to and retention of personal data are strictly limited to what is necessary.
- Transparency: ensuring end-users have been provided with clear and easily understandable information about how their health data will be used and shared, will be a priority. This is particularly important to the extent novel technologies such as, blockchain and/or artificial intelligence (AI) – e.g., to automatically prevent entry to a location based on the certificate – are leveraged.
What other risks are associated with digital health passports?
The introduction of digital health passports also raises a number of broader ethical concerns. For instance, many opponents of the passports assert that their implementation could further exacerbate existing inequalities. Indeed, the World Health Organisation commented that “[the digital health passports] […] create a new distinction between individuals based on their health status, which can then be used to determine the degree of freedoms and rights individuals may enjoy.” However, the EC asserts that the three-pronged approach to its Digital Green Certificate would prevent discrimination.
Separately, and linked to the information security concerns highlighted above, apps (and similar technologies) are vulnerable to fraud – as as demonstrated by recent research highlighting the existence of forged negative COVID-19 test results and fake vaccine certificates being offered on the Darknet.
Conclusion
There are clearly a number of privacy-related obstacles posed by the implementation of digital health certificates. However, these are not insurmountable – indeed, EU data protection laws are not intended to avert innovation in particular, where this is intended to ensure the health and safety of individuals and promote economic growth. Nevertheless, it does require that processing is necessary and proportionate i.e., to the risks presented.
This post is as of the posting date stated above. Sidley Austin LLP assumes no duty to update this post or post about any subsequent developments having a bearing on this post.