Coronavirus travel pass plans must prioritize data privacy, says European Data Protection Board

European privacy regulators warn Covid-status passports can only be temporary and must be introduced without discrimination

European privacy regulators have accepted the need for the EU’s proposed ‘digital green certificate’ while warning that plans need to be compliant with data protection legislation.

The European Data Protection Board (EDPB) and European Data Protection Supervisor (EDPS) gave a cautious thumbs-up to the European Commission’s plan through a joint statement released on Tuesday (April 6).

The digital green certificate is designed to facilitate free movement within the EU during the ongoing Covid-19 pandemic by “establishing a common framework for the issuance, verification, and acceptance of interoperable Covid-19 vaccination, testing, and recovery certificates”.

Legal warning

In a joint statement, the EDPB and EDPS argue that any rollout should be based on the foundation of a solid legal framework before directly warning of the discriminatory potential of the proposed technology.

“The EDPB and the EDPS underline that the use of the Digital Green Certificate may not, in any way, result in direct or indirect discrimination of individuals, and must be fully in line with the fundamental principles of necessity, proportionality, and effectiveness,” they contend.

There are concerns both in Europe and the UK that the proposals could discriminate against those who are unable to get vaccinated, a population including pregnant women and those whose medical condition renders the vaccine a health risk.

Privacy advocates and others also worry about mission creep – the possibility that health data collected for the so-called Covid-19 passport could be used for other purposes.


Any measures introduced ought to be temporary and limited to the duration of the pandemic, according to the regulators.

Wojciech Wiewiórowski of the EDPS said: “It must be made clear that the proposal does not allow for – and must not lead to – the creation of any sort of central database of personal data at EU level.

“In addition, it must be ensured that personal data is not processed any longer than what is strictly necessary and that access to and use of this data is not permitted once the pandemic has ended.”

Security experts reserved judgment on the EU's proposals and similar plans to introduce a ‘Covid status passport’ in the UK.

“Much depends on how it is implemented, where data is held, how identifiable it is and who can access the data,” Professor Alan Woodward, a computer scientist at the University of Surrey, told The Daily Swig. “Personally would prefer a privacy preserving technique such as used for” the government's Covid-19 contact tracing app.

