COVID-19 travel certificates questioned by Italian DPA
COVID-19 travel certificates launch in the EU soon, however the Italian DPA has pointed out some issues that need critical attention before the rollout.
This summer, COVID-19 travel certificates or “vaccine passports” will be rolled out throughout the EU, with the official launch of this scheduled for the end of June. The majority of EU countries should be technically prepared by the first week of June, according to this article from Euractiv. In order to avoid delays, the aim is to have the systems for the functioning of these certificates ready when the legislation is published. The passes are expected to be legally valid and operational all over Europe. These EU COVID-19 travel certificates, which we wrote about last month, will take the form of a QR code containing information related to a person’s status with regard to the COVID-19 vaccine, or virus (whether it be negative test results or the presence of antibodies). Due to the amount of data intended to be contained in these QR codes, and the nature of that data, data protection authorities around Europe are paying close attention to the rollout of these certificates to ensure the people’s rights and freedoms of natural persons. The Italian DPA has issued a statement pointing out certain key issues which will require special attention in ensuring that the rights and freedoms of natural persons remain protected.
Twenty countries, including Italy, are expected to be part of the first group to begin technical checks to interconnect the systems, from the second week of May.
EU member states have been divided into three groups and rated based on their preparedness to begin system testing. The first group which includes Italy, France, Spain and Germany are expected to start testing the interconnected systems from the second week of May. The third, and last group is expected to begin their phase of testing around the middle of June. This technical testing will include checking the entire setup, after checking that the system is validated, and changing the keys. For this reason, an EU official explained, the member states are divided into groups for testing and being tested in phases.
While the technical work is being done to lay the groundwork for COVID-19 travel certificates, the EU is working on the legal basis of the initiative.
On April 29th, European lawmakers adopted a negotiating decision on the proposal by the Commission for the COVID-19 travel certificates or digital green certificates. This set the stage for the inter-institutional negotiation, where the Council will represent the 27 member states. With the goal of having the certification system up and running for summer, in an effort to save the struggling European tourism sector. There may seem to be a bit of pressure for time, however data protection authorities appear to be keeping a watchful eye on the process.
The Italian DPA has released a statement pointing out some major critical issues for vaccination passes.
The COVID-19 travel certificates have been criticized by the Italian DPA. The EDPB reported that the supervisory authority has highlighted that this rollout is affected by several data protection shortcomings, including the lack of assessment of possible large scale risks affecting the rights and freedoms of individuals. Contrary to EU GDPR requirements, the decree called “Italy Reopens”, does not provide a suitable legal basis to introduce and regulate a nationwide green pass. Among the issues cited by the Italian DPA, the decree does not specify the purposes of the processing of health data, and paves the way to multifarious and unforeseeable future applications which potentially conflict with EU initiatives and go against the GDPR. The Italian SA has noted that the major critical issues that it has found are ones that could have easily and quickly been addressed beforehand, however the SA has offered its cooperation to the government in resolving those criticalities.