Digital Green Certificates

Digital Green Certificates: the EDPB and EDPS release a joint opinion

Digital Green Certificates have been a topic of debate lately, and the EDPB & EDPS have released a joint opinion on this, regarding data protection and privacy.

Digital Green Certificates, which some refer to as “vaccine passports”, are, contrary to popular belief, not specific to vaccines. In actuality, the digital green certificates, or passes, as they would preferably be called, are proposed to be a QR code carrying information on a person’s status with regard to the COVID-19 virus. That information may pertain to vaccination, with details on which vaccine was taken and when it was administered, or it may record a negative COVID-19 test and the date on which the last test was taken. The scannable code may also contain information on antibodies present in a person’s system, where they have developed antibodies after being infected with and recovering from the virus. Vaccines are not mandatory at this time, and the digital green certificates proposed by the European Commission are intended to make it easier to identify someone’s current status with regard to COVID-19, whether vaccinated or not, making travel throughout the EU more seamless for anyone travelling during this global pandemic.

The EDPB and EDPS released this joint statement specifically on the aspects of the Proposal pertaining to personal data protection.

The Commission first published, on March 17th, the proposal for a Regulation of the European Parliament and of the Council on the issuance, verification and acceptance of certificates of vaccination, testing and recovery to third-country nationals who are legally staying or residing in any of the EU Member States during the COVID-19 pandemic. The EDPB & EDPS note that the aim of this proposal is to facilitate the exercise of the right to free movement within the EU during the COVID-19 pandemic. Given the particular importance of these proposals and their impact on individual rights and freedoms regarding the processing of personal data, the EDPB and EDPS released their joint opinion specifically on the aspects of the proposal relating to personal data protection. The organisations highlight that it is essential that the proposal is consistent with, and does not in any way conflict with, the application of the GDPR.

Digital Green Certificates should be approached from a holistic and ethical standpoint, as asserted by the EDPB and EDPS in their joint opinion. 

The EDPB and EDPS suggest that the Commission take a holistic and ethical approach to the proposal in an effort to encompass all the issues related to privacy and data protection, and fundamental rights in general. They note that data protection is not an obstacle to fighting the current pandemic and that compliance with data protection law will only help, by building citizens’ trust in the frameworks provided in those efforts. The EDPB and EDPS advise that any measure adopted by Member States or EU institutions must be guided by the general principles of effectiveness, necessity and proportionality. In addition, they note that the World Health Organisation (WHO), in its ‘interim position paper: considerations regarding proof of COVID-19 vaccination for international travelers’, stated that “(…) national authorities and conveyance operators should not introduce requirements of proof of COVID-19 vaccination for international travel as a condition for departure or entry, given that there are still critical unknowns regarding the efficacy of vaccination in reducing transmission.”

The EDPB and EDPS, in their joint opinion, state that these green certificates must not lead to the creation of any central database of personal data at the EU level under the pretext of the Digital Green Certificate framework. In addition, they made specific mention that these certificates should be made available in both digital and paper-based formats, to ensure the inclusion of all citizens regardless of their level of engagement with technology. The organisations also call for clarification of the proposal’s stance on the manner in which these certificates will be issued, whether automatically or upon request of the data subject. Recital 14 and Articles 5(1) and 6(1) of the Proposal currently state “(…) Member States should issue the certificates making up the Digital Green Certificate automatically or upon request (…)”.

The EDPB and EDPS are glad to note the considerations to the rights and freedoms of individuals, as well as compliance with data protection regulation, included in the Proposal. 

The organisations are pleased to note that the Proposal explicitly states that compliance with European data protection regulation is key to the cross-border acceptance of vaccination, test and recovery certificates. Recital 38 of the proposal states that “[i]n line with the principle of minimisation of personal data, the certificates should only contain the personal data necessary for the purpose of facilitating the exercise of the right to free movement within the union during the COVID-19 pandemic”. The EDPB and EDPS recommend including a reference to the GDPR in the main text of the proposal, as it is the legal basis for the processing of personal data for the issuance and verification of interoperable certificates, as acknowledged in Recital 37.

Article 3(3) of the Proposal states that citizens can obtain these certificates free of charge, and may renew these certificates to bring the information up to date, or replace them as necessary. While the EDPB and EDPS commend this, the organisations also recommend clarifying that the original certificate, as well as any modifications, shall be issued upon request of the data subject. This is very important for maintaining accessibility for all persons.

The EDPB and EDPS call for attention to data minimisation, as well as clarification on the validity period of the data processed. 

There are naturally certain categories and data fields of personal data which would need to be processed within the framework of the Digital Green Certificates. As a result, the EDPB and EDPS consider that the justification for the need for each personal data field needs to be clearly defined in the Proposal. In addition, the organisations ask that further explanation be provided as to whether all of the categories of personal data provided for are necessary for inclusion in the QR code for both digital and paper certificates. They note that data minimisation could be achieved by using data sets or QR codes of differing comprehensiveness. The organisations also note the lack of specificity with regard to an expiry date or validity period for each certificate in the draft Proposal. It is also important to note that the EDPB and EDPS clearly state that, given the scope of the draft proposal and the context of the global pandemic, the statement of the disease or agent from which the individual has recovered should be limited to COVID-19 and its variants.

The EDPB & EDPS reiterate the importance of adequate technical and organisational privacy and security measures in the context of the proposal.

With regard to the Digital Green Certificate, the organisations suggest that privacy and security measures should be specifically structured to ensure compliance by the controllers and processors of the personal data required by this framework. The opinion states that controllers and processors should take adequate technical and organisational measures to ensure a level of security appropriate to the risk of the processing of this personal data, in line with Article 32 of the GDPR. These measures should include the establishment of processes for regular assessment of the effectiveness of the privacy and security measures adopted.

While the EDPB and EDPS are pleased to note the clarification, within the Proposal, of the roles of data controllers and processors, the organisations suggest that the Proposal specify, through a comprehensive list, all entities foreseen to be acting as controllers or processors of the data in EU Member States, taking into account the use of these certificates in multiple Member States by persons travelling throughout the EU. They also suggest that the Proposal should clarify the role of the Commission with regard to data protection law in the context of the framework, guaranteeing interoperability between the certificates. In addition, the organisations call for attention to compliance with Article 5(1)(e) of the GDPR with regard to the storage of personal data, as well as clarification of the storage period that Member States should not exceed beyond the pandemic. Furthermore, the EDPB and the EDPS recommend that the Commission explicitly clarify whether, and when, any international transfers of personal data are expected, as well as the safeguards within the legislation to ensure that third countries will only process the personal data for the specific purposes for which this data is exchanged according to the framework.

Does your company have all of the mandated safeguards in place to ensure compliance with the ePrivacy, GDPR and Data Protection Act 2018 in handling customer data? Aphaia provides ePrivacy, GDPR and Data Protection Act 2018 consultancy services, including data protection impact assessments, EU AI Ethics Assessments and Data Protection Officer outsourcing. We can help your company get on track towards full compliance.

The EDPB and the EDPS

The EDPB and the EDPS have released a joint opinion on SCCs for international data transfers and SCCs between controllers and processors

The EDPB and the EDPS have released joint opinions on standard contractual clauses for the transfer of data within the EEA and internationally. 

Last month, the EDPB and the EDPS released joint statements on standard contractual clauses between controllers and processors and on standard contractual clauses for the transfer of personal data to third countries. Both are referred to as ‘SCCs’, but it should be noted that they are two separate documents. This update is intended to bring the SCCs in line with the new GDPR requirements, better reflect the use of more complex processing operations, and provide specific safeguards addressing the laws of third countries and their effect on the data importer’s compliance. The Draft SCCs cover, on the one hand, controller-processor relationships within the EEA and, on the other, international data transfers. The EDPB and EDPS are pleased to note that the specific provisions include many recommendations made by the EDPB, as well as several which address some of the main issues raised by the Schrems II ruling.

The EDPB and EDPS expressed overall satisfaction with both the Draft Decision and Draft SCCs for international data transfers. 

The EDPB and EDPS are both generally satisfied with the reinforced level of protection that the updated Draft Decision and Draft SCCs provide for data subjects. This update sought to bring the SCCs in line with the new GDPR while making special provision for addressing the effect of third-country destination laws on compliance with the Draft SCCs. The organisations noted that the Draft SCCs cover several of the supplementary measures recommended by the EDPB, while for some others they would like to see more consistency. Specific recommendations were made regarding the transfer of data at an international level. Many organisations will need to rely on these standard contractual clauses for international data transfers, particularly following the invalidation of the EU-US Privacy Shield.

In analysing the Draft Decision and Draft SCCs between controllers and processors, the EDPB and EDPS made a few key suggestions.

While the EDPB and EDPS were generally pleased with the Draft SCCs presented, they requested that the European Commission clarify some specific clauses, with the aim of further clarifying the text and ensuring it is practical and useful in the day-to-day operations of controllers and processors.

The EDPB and EDPS also suggested that the Annexes to the SCCs clarify as much as possible the roles and responsibilities of each of the parties with regard to each processing activity, as any ambiguity in this regard could make it more difficult for controllers or processors to fully meet their obligations under the accountability principle. The annexes are intended to provide a very technical explanation of how the SCCs will apply in specific situations.

Andrea Jelinek, Chair of the EDPB, was quoted as saying: “The EDPB and EDPS welcome the controller-processor SCCs as a single, strong and EU-wide accountability tool that will facilitate compliance with the provisions under both the GDPR and the EUDPR. Among others, the EDPB and the EDPS request that sufficient clarity has to be provided to the parties as to the situations where they can rely on these SCCs, and emphasise that situations involving transfers outside the EU should not be excluded.”

The opinions presented by the EDPB and EDPS will be considered by the Commission, together with the numerous other responses to its consultation on the SCCs. The European Commission will then formally adopt a decision incorporating the finalised SCCs and provide details for their adoption by organisations. Once finalised, the SCCs for international data transfers to third countries will replace the existing sets of SCCs for transfers of personal data from within the EEA to non-EEA countries that have not been recognised as providing an adequate level of data protection. As for the SCCs between controllers and processors, they will provide a standard for the parties, but their use will not be mandatory, as controllers and processors will still be able to use their own clauses.

Does your company have all of the mandated safeguards in place to ensure compliance with the GDPR and Data Protection Act 2018 in handling customer data? Aphaia provides both GDPR and Data Protection Act 2018 consultancy services, including data protection impact assessments, and Data Protection Officer outsourcing. We can help your company get on track towards full compliance.

EDPS guidance on temperature checks

EDPS guidance on temperature checks during the COVID-19 pandemic

Temperature checks have become a routine part of keeping day-to-day affairs running during the COVID-19 global health crisis. The EDPS has released guidance to help institutions navigate this area while keeping the privacy of the individual at the forefront.

Due to the COVID-19 situation, many EU Member States have implemented safeguards and protocols to prevent outbreaks during the pandemic. Many EU institutions have found it necessary to introduce key safety measures in workplaces and other important administrative centres, one of which is mandatory temperature checks. However, from the perspective of data protection, privacy and the rights of citizens under the EU Charter, it is quite possible that these safety mechanisms could infringe on the right of individuals to a private life without interruption.

The EDPS has set out mandatory guidelines to ensure the safety and privacy of individuals in the EU.

There are a few guidelines that the EDPS has made mandatory for these European institutions, which promise to ensure that both safety and privacy protection remain paramount during the pandemic. One of the key measures is that no recording or processing of personal data is allowed when temperature is being measured. In other words, where manual testing is done with a hand-held thermometer, the staff member operating it must not record the results or add them to any filing system. Where an automated system such as a thermal camera is used, it is paramount that the cameras are not set up or integrated with any cloud or filing system that would add the temperature information of individuals, be they visitors or otherwise, to the site’s database, as set out in the EDPS guidelines.

On site personnel must be trained to not only monitor the machine, but verify the validity of the initial reading, and recalibrate temperature measuring devices when necessary.

In addition, there must be trained personnel who can monitor the machine in real time, since recording information is not allowed, and who can also explain to individuals the reason for the thermal testing. The testing must be repeatable and reliable, as persons have the right to have multiple readings of their temperature taken to verify the validity of the initial reading. The personnel present must be able to explain how the machine works, and those entrusted with the task must also be trained to calibrate the sensor. Again, adding this temperature information to any form of filing system or personnel file is a complete violation, as it could lead to a direct breach of the EU Charter of rights for its citizens and of the EDPS guidelines.

Institutions must meet additional requirements to satisfy the minimum standard for institutions navigating the pandemic.

However, one of the key factors in the Charter is also that workplaces and public spaces must meet the minimum standard required by workplace health protocols, and during the COVID-19 outbreak, masks, disinfecting gels/sanitisers and temperature checks all fall within the scope of minimum health protocols. Therefore this is mainly about striking a balance between safety protocols and privacy at these EUI sites. The key concern for the EDPS is maintaining the balance between legality and safety for citizens, so there are many clauses and subsections that relate to the COVID-19 situation as far as lawfulness goes.

Individuals entering these sites must be kept informed and given full disclosure.

In addition to this, it is also very important that the persons entering the sites are aware of the reason for the screenings and are given full disclosure. This information should be readily available at any point in time. In the event that a person has taken multiple readings and has surpassed the temperature threshold for entering one of these sites, they should also be given assistance in the form of directions to find a doctor, a nurse or a COVID-19 testing centre nearby. They should be provided with some form of written confirmation of denial of entry, to support any bureaucratic or official need to verify the reason they were unable to enter the site.

Employees should all be given alternatives for continuing to work amid the health crisis.

In the case of employees, it is paramount that alternative working methods, such as remote work, be considered, given the disruption to one’s personal and private life caused by this test, whether it is automated, carried out by machine, or performed by on-site personnel. These protocols allow persons to have minimal disruption in their lives while taking full advantage of health screenings and temperature checks without any privacy issues.

It is imperative that devices used for temperature checks be maintained and recalibrated on a regular basis.

It is also important to note that, because the COVID-19 temperature threshold lies within a 1 degree C margin of error, recalibration and maintenance of these automated or more complex temperature-reading devices must be carried out regularly and by qualified personnel. Again, these technologies must not be connected to any cloud storage or filing system, and all readings must be taken in real time with the aid of a person who is not simply viewing the data but is qualified to understand and scrutinise any error the machine may make, since it is unconstitutional under the Charter freedoms of the European Union to let an automated machine make decisions of that level without human input. Therefore, it is paramount that someone is there to verify and clarify the results gathered by these machines.

Does your company have all of the mandated safeguards in place to ensure compliance with the GDPR and Data Protection Act 2018 during the COVID-19 pandemic? Aphaia provides both GDPR and Data Protection Act 2018 consultancy services, including data protection impact assessments, and Data Protection Officer outsourcing. We can help your company get on track towards full compliance. Contact us today.

EDPB on Health Data

EDPB adopts Guidelines on the Processing of Health Data for Scientific Research Purposes during COVID-19

In the middle of the COVID-19 outbreak, the EDPB adopted Guidelines on the processing of health data for scientific research purposes to clarify some legal questions.

Considering that life may not return to normal until a COVID-19 vaccine becomes widely available, researchers from across the globe are focusing their efforts on producing results as soon as possible. In this context, questions regarding the application of the GDPR keep arising, and therefore the European Data Protection Board (EDPB) has released guidelines on the processing of health data for scientific research purposes with the aim of providing basic guidance.

What is “health data”?

Article 4 (15) GDPR defines “data concerning health” as “personal data related to the physical or mental health of a natural person, including the provision of health care services, which reveal information about his or her health status”. This meaning also covers the following:

  • Information that becomes health data by cross-referencing with other data, thus revealing the state of health or health risks, such as the assumption that a person is at high risk of severe illness from COVID-19 because of his medical conditions.
  • Information that becomes health data because of its usage in a specific context, such as information regarding a recent trip to a region affected by COVID-19.

The EDPB points out that “processing for the purpose of scientific research” should be interpreted in a broad manner in line with Recital 159 GDPR.

What is the legal basis for the processing?

According to the GDPR, processing of special categories of personal data is only allowed in some scenarios. The ones that may be most relevant when it comes to the processing of health data for scientific research purposes during the COVID-19 pandemic are the following:

  • The data subject has given explicit consent.
  • Processing relates to personal data which are manifestly made public by the data subject.
  • Processing is necessary for the purposes of preventive or occupational medicine.
  • Processing is necessary for reasons of public interest in the area of public health.
  • Processing is necessary for archiving purposes in the public interest, scientific or historical research purposes based on Union or Member State law.

It should be noted also that “further processing for […] scientific research purposes […] shall, in accordance with Article 89 (1), not be considered to be incompatible with the initial purposes”, subject to appropriate safeguards.

Should the data subject be informed?

Pursuant to Articles 13 and 14 GDPR, the data subjects should be informed at the time when personal data is gathered, or “within a reasonable period after obtaining the personal data, but at the latest within one month” where it is not collected from the data subject.

However, considering that it is often not possible to fully identify the purpose of personal data processing for scientific research purposes at the time of data collection, the EDPB recommends delivering the information to the data subject within a reasonable period of time before the implementation of the new research project.

There are, however, four exemptions from the information obligation:

  • The data subject already has the information.
  • The provision of such information proves impossible, would involve a disproportionate effort or is likely to render impossible or seriously impair the achievement of the objectives of that processing. A controller seeking to rely on this exemption should demonstrate the factors that actually prevent it from providing the information to the data subjects or carry out a balancing exercise to assess the effort involved against the potential impact and effects of not providing the information.
  • Obtaining or disclosure is expressly laid down by Union or Member State law. This exemption is conditional upon the law in question providing “appropriate measures to protect the data subject’s legitimate interests”.
  • The personal data must remain confidential subject to an obligation of professional secrecy.

What other measures should be taken?

In light of the data minimisation principle, the EDPB deems it essential to specify the research questions and assess the type and amount of data necessary to properly answer them before proceeding. Additionally, the data should be anonymised where possible.

Proportionate storage periods shall be set as well, taking into account criteria such as the length and the purpose of the research.

As for the security measures that should be implemented, together with pseudonymisation, encryption, non-disclosure agreements and strict access role distribution, the EDPS stresses that a data protection impact assessment should be carried out when such processing is “likely to result in a high risk to the rights and freedoms of natural persons”, and highlights the importance of data protection officers as a key role that should be involved in the process.

What about the exercise of data subjects’ rights?

Together with the information obligation exemptions addressed above, Article 17 (3) (d) states that the right to erasure “shall not apply to the extent that processing is necessary for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes in accordance with Article 89(1) in so far as the right referred to in paragraph 1 is likely to render impossible or seriously impair the achievement of the objectives of that processing”.

It has to be noted that, in the light of the jurisprudence of the CJEU, all restrictions of the rights of data subjects must apply only in so far as it is strictly necessary.

Are international data transfers allowed?

In the absence of an adequacy decision pursuant to Article 45 (3) GDPR or appropriate safeguards pursuant to Article 46 GDPR, Article 49 GDPR envisages certain specific situations under which transfers of personal data can take place as an exception, such as:

  • The data subject has explicitly consented to the proposed transfer.
  • The transfer is necessary for important reasons of public interest. 

It should be noted, however, that repetitive transfers of data to third countries as part of a long-lasting research project would need to be framed with appropriate safeguards in accordance with Article 46 GDPR.

Do you have questions about how to navigate data protection laws during this global coronavirus pandemic in your company? We can help you. Aphaia provides both GDPR and Data Protection Act 2018 consultancy services, including Data Protection Impact Assessments, AI Ethics Assessments and Data Protection Officer outsourcing. We can help your company get on track towards full compliance. Contact us today.

And if you want to be updated about COVID-19 and AI, don’t forget to subscribe to our YouTube channel.