27 April 2021
The EU's proposed 'Digital Green Certificate' is intended to allow people to prove that they have been vaccinated, recently recovered from COVID-19, or received a negative test result. The aim is to facilitate the return of free movement within the EU. However, 28 human rights organisations, including Statewatch, have written to the European Parliament to warn that they must fix problems with the proposals that mean the certificates could facilitate surveillance, exacerbate discrimination and potentially become a permanent fixture of everyday life.
Support our work: become a Friend of Statewatch from as little as £1/€1 per month.
UPDATE, 7 May 2021: Many of the demands made by NGOs were adopted by the Parliament in its position. However, it remains to be seen what will happen in negotiations with the Council, which are expected to be resolved quickly. See here for an overview.
The proposals were published by the European Commission in mid-March. The Council got to work fast, in secret, and has now reached its negotiating position. The Parliament also supports an "urgency procedure", but bad laws are made in haste. The letter to MEPs, coordinated by Liberties and epicenter.works, raises a number of concerns that must be taken into consideration.
The letter underscores that the proposed text does not include guarantees that the certificates would only be used in line with scientific guidance regarding the duration of immunity of vaccined and recovered persons - meaning they might be used to demonstrate someone does not pose a transmission risk, when this is not the case.
The letter also warns that the Commission's proposal suffers from a "lack of protection for personal data", as it foresees a certificate based on an online verification process that has "no safeguards against surveillance by the issuing authority". Without such safeguards in place, the issuing authority could know when and where the certificate has been scanned and validated.
This is particularly dangerous given that a number of member states have expressed their intention to use the certificate to regulate entry to locations such as businesses, sports venues or places of worship. The letter calls on MEPs to ensure that further uses of the system "are either prohibited" or "provided for by national law, which in turn has to be based on a data protection impact assessment."
The proposals would also exacerbate discrimination, warns the letter. Testing must be made easily accessible (geographically and financially) for those who have not yet been, or cannot be, vaccinated, to ensure that the certificate does not become a "vaccination pass".
The proposals also only concern citizens of the EU, their family members, and people legally residing in the EU. The exclusion of the EU's significant undocumented population means that "undocumented migrants will face undue problems in trying to partake in social life. Certificates need to be issued (upon request) to everyone residing in the Union," says the letter.
The possibility for member states only to issue digital certificates, which are intended to be held and displayed on mobile devices, would also exclude those who do not have such a device. The letter calls on MEPs to include provisions that would require member states "to issue the certificates in both formats [paper and digital] automatically, or, if they wish to issue the certificate in digital format only, to ensure that all have the necessary device needed to store and display them."
No sunset clause
There is also an urgent need for revocation of the certificates once the situation allows, warns the letter. The proposals merely allow for suspension of the certification once there is no "public health emergency of international concern."
The signatories call for "a clear set of conditions, focusing on the European situation," that would set out when the certificates can be discontinued altogether. "A need for attesting our health status when moving inside Europe cannot become a normal part of life," warns the letter.
The full text of the letter is below; it is also available as a PDF.
Dear Members of the European Parliament,
On 17 March 2021, the European Commission presented a proposal for a Regulation on a Digital Green Certificate to facilitate free movement in the EU - 2021/0068 (COD) and an accompanying proposal on third country nationals legally staying or residing in the EU (2021/0071 (COD). During the plenary debate on 24 March 2021, a large majority of MEPs supported an urgency procedure for a rapid creation of the Digital Green Certificate (Covid Pass), which establishes a common framework for the issuance, verification and acceptance of interoperable certificates on COVID-19 vaccination, testing and recovery.
The undersigned organisations warn the European Parliament against hastily accepting these proposals and urge the Members of the European Parliament to address the concerns described below. While the undersigned agree that lifting the measures restricting free movement on grounds of public health in the context of the pandemic in a coordinated manner is desirable, we are concerned about the scientific uncertainties pertaining to the duration and type of immunity of vaccinated and recovered persons. While the regulation allows for the possibility to ask the Health Security Committee to issue scientific guidance to inform the further use of the certificates, we do not see any guarantees built into the regulations ensuring that certificates will be used only in line with said scientific guidance.
The undersigned organisations are alarmed about the lack of protection for personal data in the Commission’s proposal. The verification of the authenticity and validity of Digital Green Certificates currently contains no safeguards against surveillance by the issuing authority (online verification). The regulations have to clarify that only an offline verification via a public key infrastructure adheres to the principles of privacy by design. When a certificate is verified, the issuer shall not obtain knowledge about the verification process or its circumstances. If the regulation is not amended, the EU risks exporting a very low privacy standard to the rest of the world.
Similarly, the regulation should do the utmost to reduce the data protection risk that will emerge once Member States extend the application of the Digital Green Certificate for other purposes. Several countries have already announced that they will use it for regulating entry to places of business and worship, sports venues and similar gatherings. Therefore, uncertainty with regards to the architecture allows for the surveillance of the verification system, which risks creating extensive data records about the movement of people, their religious affiliations and private life. Furthermore, the recitals should clarify that any further use-cases of this system are either prohibited or need to be provided for by national law, which in turn has to be based on a data protection impact assessment. Finally, the recitals should stipulate the obligation of Member States to lay down prohibitions to retain or further process data from the verification process, similar to the provisions of Article 9(2). Without such safeguards the trust in the whole system can easily be undermined by very few bad actors.
In addition, while we appreciate that the Commission wants to avoid discrimination and is of the firm opinion that vaccination cannot be a precondition of free movement, in our understanding the proposals lack the appropriate guarantees ensuring the non-discriminative and inclusive use of certificates.
First, even if the certificate is not a “vaccination pass” and the Commission foresees that test results will also be accepted by the competent authorities, a simple acceptance of said results is insufficient in ensuring that the certificate will not lead to a two-tier society with the vaccinated enjoying their full set of rights, while the non-vaccinated face undue hindrances in enjoying similar rights. This is ensured only if Member States make testing easily accessible (both geographically and financially) for those who are not inoculated.
Second, according to the proposals, certificates will be issued to “Union citizens and their family members” and people legally residing in the EU. If certificates become (legally or practically) a condition for travelling or for having access to services, people with no residence status such as undocumented migrants will face undue problems in trying to partake in social life. Certificates need to be issued (upon request) to everyone residing in the Union.
Third, according to the proposal 2021/0068 (COD), Member States may issue the “certificates making up the Digital Green Certificate in a digital or paper-based format, or both”. The digital format is meant to be displayed and stored on mobile devices. However, Member States issuing only digital certificates may exacerbate inequalities and social exclusion. Thus, Member States should be required to issue the certificates in both formats automatically, or, if they wish to issue the certificate in digital format only, to ensure that all have the necessary device needed to store and display them.
The undersigned are also concerned about the unlimited nature of the proposed certificates. On paper, the proposals intend to facilitate “the exercise of the right to free movement within the Union during the COVID-19 pandemic” and not to introduce an identification or travel document that citizens will have to keep with them for the rest of their lives. The Digital Green Certificate, however, will never be revoked. It will simply be suspended, once and to the extent there is no “public health emergency of international concern”. We believe, however, that a clear set of conditions, focusing on the European situation, needs to be set out for discontinuing the use of certifications. A need for attesting our health status when moving inside Europe cannot become a normal part of life.
To reiterate, the proposals raise a number of concerns regarding compliance with the Charter of Fundamental Rights of the European Union and regarding its accordance with the European Union’s fundamental values. We call on the European Parliament to address the above-described concerns with appropriate amendments and ensure that both regulations are in line with the values the Union is based on.
• Access Now, International
• Aktive Arbeitslose, Austria
• Begegnungszentrum für aktive Gewaltlosigkeit, Austria
• Bulgarian Helsinki Committee
• Citizen D, Slovenia
• Civil Liberties Union for Europe (Liberties), International
• Civil Rights Defenders, Norway
• Defend Democracy, International
• Dutch section of the International
Commission of Jurists
• Elektronisk Forpost Norge, Norway
• epicenter.works – for digital rights, International
• European Digital Rights (EDRi)
• Homo Digitalis, Greece
• Human Rights Monitoring Institute, Lithuania
• Hungarian Civil Liberties Union
• IT-Pol Denmark
• Legal-Informational Centre for NGOs, Slovenia
• Panoptykon Foundation, Poland
• Peace Institute, Slovenia
• Privacy International
• Rights International Spain
• Solidarisches Salzburg, Austria
• Statewatch, International
• The Irish Council for Civil Liberties
• Verband Freier Rundfunk Österreich, Austria
• Verein Gegen Tierfabriken, Austria
• Verein Respekt.net, Austria
• Vrijschrift, The Netherlands
Image: Jernej Furman, CC BY 2.0
Spotted an error? If you've spotted a problem with this page, just click once to let us know.
Statewatch does not have a corporate view, nor does it seek to create one, the views expressed are those of the author. Statewatch is not responsible for the content of external websites and inclusion of a link does not constitute an endorsement. Registered UK charity number: 1154784. Registered UK company number: 08480724. Registered company name: The Libertarian Research & Education Trust. Registered office: MayDay Rooms, 88 Fleet Street, London EC4Y 1DH. © Statewatch ISSN 1756-851X. Personal usage as private individuals "fair dealing" is allowed. We also welcome links to material on our site. Usage by those working for organisations is allowed only if the organisation holds an appropriate licence from the relevant reprographic rights organisation (eg: Copyright Licensing Agency in the UK) with such usage being subject to the terms and conditions of that licence and to local copyright law.