Digital Green Certificates

Digital Green Certificates: the EDPB and EDPS release a joint opinion

Digital Green Certificates have been a topic of debate lately, and the EDPB & EDPS have released a joint opinion on this, regarding data protection and privacy.

Digital Green Certificates, which some refer to as “vaccine passports” are, contrary to popular belief, not specific to vaccines. In actuality, the digital green certificates or passes, as they would preferably be called, are proposed to be a QR code with information on a person’s status with regard to the COVID-19 virus. The specifics of the information may be pertaining to the vaccine and have details on which vaccine was taken and when it was administered, or it may contain information on a negative COVID-19 test and the date on which the last test was taken. This scannable code may also contain information on antibodies present in a person’s system, if they have developed antibodies from being infected with and recovering from this virus. Vaccines are not mandatory at this time, and the digital green certificates proposed by the European Commission are intended to make it easier to identify someone’s current status with regard to COVID-19, whether vaccinated or not, making travel throughout the EU more seamless, for anyone traveling during this global pandemic. 

The EDPB and EDPS released this joint statement specific to the aspects of the Proposal pertaining to personal data protection. 

The Commission first published the proposal for a Regulation of the European Parliament and of the Council on the issuance, verification and acceptance of certificates of vaccination, testing and recovery to third-country nationals who are legally staying or residing in any of the EU Member States during the COVID-19 pandemic on March 17th. The EDPB & EDPS note that the aim of this proposal is to facilitate the exercise of the right to free movement within the EU during the COVID-19 pandemic. Due to the particular importance of these proposals and their impact on individual rights and freedoms regarding the processing of personal data, the EDPB and EDPS released their joint opinion specific to the aspects of the proposal relating to personal data protection. The organisations highlight that it is essential that the proposal is consistent with, and does not in any way conflict with, the application of the GDPR.

Digital Green Certificates should be approached from a holistic and ethical standpoint, as asserted by the EDPB and EDPS in their joint opinion. 

The EDPB and EDPS suggest that the Commission take a holistic and ethical approach to the proposal in an effort to encompass all the issues related to privacy and data protection, and fundamental rights in general. They note that data protection is not an obstacle to fighting the current pandemic and that compliance with data protection law will only aid by helping citizens trust the frameworks provided in those efforts. The EDPB and EDPS advise that any measure adopted by Member States or EU institutions must be guided by the general principles of effectiveness, necessity and proportionality. In addition, they note that the World Health Organisation (WHO) in its ‘interim position paper: considerations regarding proof of COVID-19 vaccination for international travelers’ stated that “(…) national authorities and conveyance operators should not introduce requirements of proof of COVID-19 vaccination for international travel as a condition for departure or entry, given that there are still critical unknowns regarding the efficacy of vaccination in reducing transmission.”

The EDPB and EDPS, in their joint opinion, state that these green certificates must not lead to the creation of any central database of personal data at the EU level, under the pretext of the Digital Green Certificate framework. In addition, they made specific mention that these certificates should be made available in both digital and paper based formats, to ensure the inclusion of all citizens, regardless of their level of engagement with technology. The organisations also call for clarification on the proposal’s stance on the manner in which these certificates will be issued, whether automatically, or upon request of the data subject. Recital 14 and Articles 5(1) and 6(1) of the Proposal currently state “(…) Member States should issue the certificates making up the Digital Green Certificate automatically or upon request (…)”

The EDPB and EDPS are glad to note the considerations to the rights and freedoms of individuals, as well as compliance with data protection regulation, included in the Proposal. 

The organisations are pleased to note that the Proposal explicitly states that compliance with European data protection regulation is key to the cross border acceptance of vaccination, test and recovery certificates. Recital 38 of the proposal states that “[i]n line with the principle of minimisation of personal data, the certificates should only contain the personal data necessary for the purpose of facilitating the exercise of the right to free movement within the union during the COVID-19 pandemic”. The EDPB and EDPS recommend the inclusion of reference to the GDPR in the main text of the proposal, as it is the legal basis for the processing of personal data, for the issuance and verification of interoperable certificates, as acknowledged in Recital 37. 

Article 3(3) of the Proposal states that citizens can obtain these certificates free of charge, and may renew these certificates to bring the information up to date, or replace them as necessary. While the EDPB and EDPS commend this, the organisations also recommend clarifying that the original certificate, as well as any modifications, shall be issued upon request of the data subject. This is very important for maintaining accessibility for all persons.

The EDPB and EDPS call for attention to data minimisation, as well as clarification on the validity period of the data processed. 

There are naturally certain categories and data fields of personal data which would need to be processed within the framework of the Digital Green Certificates. As a result, the EDPB and EDPS consider that the justification for the need for personal data fields needs to be clearly defined in the Proposal. In addition, the organizations ask that further explanation be provided as to whether all of the categories of personal data provided for are necessary for inclusion in the QR code for both digital and paper certificates. They note that data minimisation can be achieved using an approach of differently comprehensive data sets or QR codes. In addition, the organizations note the lack of specificity with regard to an expiry date or validity period for each certificate in the draft Proposal. It is also important to note that the EDPB and EDPS clearly state that given the scope of the draft of the proposal, and the context of the global pandemic, the statement of the disease or agent from which the individual has recovered should only be limited to COVID-19 and its variants.

The EDPB & EDPS reiterate the importance of adequate technical and organizational privacy and security measures in the context of the proposal.

With regard to the Digital Green Certificate, the organizations suggest that privacy and security measures should be specially structured to ensure compliance by the controllers and processors of personal data required by this framework.  The opinion states that controllers and processors should take adequate technical and organizational measures to ensure a level of security that is appropriate to the level of risk of the processing of this personal data in line with Article 32 of the GDPR. These measures should include the establishment of processes for regular assessment of the effectiveness of the privacy and security measures which are adopted. 

While the EDPB and EDPS are pleased to note the clarification, within the Proposal, of the roles of data controllers and processors, the organisations suggest that the Proposal specify, through a comprehensive list, all entities foreseen to be acting as controllers or processors of the data in EU Member States, taking into account the use of these certificates in multiple member states by persons traveling throughout the EU. They also suggest that the Proposal should provide clarification on the role of the Commission with regard to data protection law in the context of the framework, guaranteeing interoperability between the certificates. In addition, the organisations call for attention to compliance with Article 5(1)(e) of the GDPR, with regard to the storage of personal data, as well as clarification on the storage period that Member States should not exceed, beyond the pandemic. Furthermore, the EDPB and the EDPS recommend that the Commission explicitly clarifies whether, and when any international transfers of personal data are expected, as well as safeguards within the legislation to ensure that third countries will only process the personal data for the specific purposes that this data is exchanged, according to the framework.

Does your company have all of the mandated safeguards in place to ensure compliance with the ePrivacy, GDPR and Data Protection Act 2018 in handling customer data? Aphaia provides ePrivacy, GDPR and Data Protection Act 2018 consultancy services, including data protection impact assessments, EU AI Ethics Assessments and Data Protection Officer outsourcing. We can help your company get on track towards full compliance.

Facebook case forwarded

German Facebook case forwarded to ECJ with questions pending

Facebook case forwarded to ECJ after Facebook appealed German competition authority’s order to halt data collection practices. 


In recent times, Facebook has come under fire for its data collection practices, which span several integrated platforms. The company has been accused of ‘superprofiling’, and has been in court with German authorities regarding a pro-privacy order, to stop combining user data across platforms without consent.  This order has been met with much resistance, and an appeal from Facebook has led German authorities to seek guidance from the European Court of Justice. 


Facebook was accused of abuse of power for collecting and sharing data across platforms without user consent. 


There has been major concern over Facebook sharing data between its platforms, including Instagram, WhatsApp, and Oculus, as well as third party apps. This, coupled with the volume of data Facebook collects freely without the need for user consent, has led to the tech giant being accused of abuse of power by German authorities. There has been some pushback on this, particularly from Düsseldorf’s Higher Regional Court Judge in preliminary hearings regarding the matter. Judge Jürgen Kühnen argued that Facebook’s data use did not result in an abuse of its dominant position in the market. The contention here is that Facebook’s ability to build a unique database for each individual gives the tech firm an unfair market advantage over other companies who do not have access to that much intricate data on users. The Bundeskartellamt (Federal Cartel Office, FCO) claims that this data collection is not lawful under the EU’s legal framework, as it essentially does not give users a choice.


German Competition Authority has attempted to place restrictions on Facebook’s collection of user data. 


Earlier this year, Germany’s competition authority placed restrictions on Facebook’s data-processing activities. Facebook was ordered to stop combining data collected from WhatsApp, Instagram and other third parties, until they had received voluntary user consent. This would have led to Facebook needing to considerably reduce its collection and combining of user data, until it receives consent from users. Under Facebook’s terms and conditions, users operate on the social networking platform under the precondition that their data would be collected. However, in February of this year, the competition authority came to a preliminary decision regarding this practice and ordered Facebook to stop combining and collecting user data across these platforms until it has received genuine consent from users. This decision, however, was not final and left room for appeal from Facebook. 


Facebook appealed the decision, arguing that its terms allowed users to fully benefit from their services, and as a result this case has been forwarded to the ECJ. 


Facebook appealed the decision made by the German Competition Authority in February of this year. At the time, Facebook said in a blog: “While we’ve cooperated with the Bundeskartellamt for nearly three years and will continue our discussions, we disagree with their conclusions and intend to appeal so that people in Germany continue to benefit fully from all our services.” The German authority maintains that the social media company is guilty of a level of exploitative abuse which violates EU regulation. As a result, questions regarding this case have been forwarded to the European Court of Justice in order to arrive at a final conclusion.



French court ruling provides greater context to the application of “Schrems II” under the GDPR

French court ruling provides further guidance as to the application of “Schrems II”, as data hosted by subsidiary of US company is found to be protected. 


France’s highest administrative court ruled earlier this month that the hosting of a booking platform for COVID-19 vaccinations on Amazon Web Service, also known as AWS, was indeed sufficiently protected under the EU GDPR. Initially there was some question as to whether using Amazon Web services as a hosting platform was compatible with the GDPR under the “Schrems II” ruling, due to the fact that the processor was a company bound by US law. The final ruling in this case was based on the fact that the court believes that enough legal and technical safeguards are in place in the event that US authorities ever request data access. This gives quite a bit of context and has big implications for many companies, underscoring the need for supplementary legal safeguards when data is entrusted to a subsidiary of a non-EU company. 


Health data hosted by a company bound by US law, while a cause of concern for many, was found to be sufficiently protected under the GDPR. 


The plaintiffs in this case worried that the hosting of health data by a company which is bound by US law presented various risks including not just the transfer of data to the US, but also access to that data being granted to US authorities if requested from the processor. Due to the level of perceived risk, the plaintiff deemed this a sensitive and urgent matter. However, what was thought to be a violation of the provisions of the GDPR under “Schrems II”, under further investigation and reflection, turned out to be sufficiently protected under the GDPR, due to the several legal and technical safeguards put in place by the defendant, Doctolib. The judge in this case ruled against the claim filed to have this service suspended. 


This French court ruling was the result of careful assessment of the technical and legal safeguards provided for in this agreement.


The French court ruling came after careful consideration and assessment of the legal and technical safeguards and other guarantees provided for between Doctolib and Amazon Web Services. The assessment found that distinct provisions had been made within the contract between the two, for a specific procedure in the event of access requests by a foreign authority. The legal guarantee in this case is that access requests from public authorities to the processor will be challenged. The judge also noted that the data would be encrypted, with the key being held by a trusted third party within France and not by Amazon Web Services. Furthermore, it was found that data transmitted to Doctolib through the vaccination campaign contained no sensitive health data specifying, for example, that a user is a priority candidate for vaccination due to a certain pre-existing condition. As an additional step, any data entered by users for the purpose of identification for scheduling a vaccination appointment is deleted at most within three months of their vaccination appointment.


“The ruling signals that there is room for the rule of reason in the application of Schrems II, and should generally be seen as good news for the online industry,” comments Dr Bostjan Makarovic, Aphaia’s Managing Partner.

“It is paramount that companies carry out an assessment covering their data flows, the countries involved and the safeguards that should be applied based on the risk identified, what is known as ‘Data Transfer Impact Assessment’”, states Cristina Contero Almagro, Aphaia’s Partner.

This ruling highlights the need for legal and technical safeguards, which are recommended even when data is not being transferred outside the EU.


A key part of complying with “Schrems II” rests on technical measures like pseudonymization and encryption, and ensuring that the processor has no way of accessing the re-identification key, particularly when the key may possibly be accessed by a public authority. Legal safeguards, like those taken by Doctolib are also essential. While the new draft standard contractual clauses recently published by the European Commission do make similar provisions, it is recommended, in anticipation of these new SCCs, that companies make provisions for this type of guarantee in a specific addendum, even in cases where there is no transfer of data outside the EU.

Do you make international data transfers to third countries? We can help you. Aphaia provides both GDPR and Data Protection Act 2018 consultancy services, including data protection impact assessments, transfer impact assessments and Data Protection Officer outsourcing.  Contact us today.

Data transfers to the UK

Data transfers to the UK: European Commission launches process for two adequacy decisions

Last month, the European Commission launched the process for two adequacy decisions for data transfers to the UK – one under the GDPR and one under the Law Enforcement Directive. 


The European Commission recently published two draft adequacy decisions for data transfers to the UK. One of those is under the GDPR and the other under the Law Enforcement Directive or LED. This is the first step in adopting those adequacy decisions. The next steps in this process would be to obtain an opinion from the EDPB and subsequently, get approval from a committee of representatives from the EU Member States. Once this is done these decisions can be adopted.


Under Article 45(3) of the GDPR and Article 36(3) of the Law Enforcement Directive, the Commission has the power to decide that a non-EU country fulfills the requirements for an adequate level of protection for personal data flows with the EU. If the European Commission has deemed a country “adequate”, personal data transfers can be made between EU Member States and that country without being subject to any further conditions. Currently personal data transfers in the UK are governed by the UK GDPR and the DPA, which are very similar to the EU GDPR & the LED. 


The Commission feels confident that data transfers to the UK will be adequately protected under their equivalent laws. 


The Commission spent several months, prior to drafting these decisions, studying the UK’s laws on data transfers. From this came the conclusion that the UK’s equivalent laws to the GDPR and LED give data transfers a similar level of protection. As a result, the Commission believes that data transfers to the UK from the EU will indeed be adequately protected under their equivalent laws. Didier Reynders, Commissioner for Justice, said in a statement, “EU citizens’ fundamental right to data protection must never be compromised when personal data travels across the Channel. The adequacy decisions, once adopted, would ensure just that.”


UK data protection regime has been heavily influenced by EU law for decades, making this a very easy adequacy process. 


In most adequacy decisions the systems in place are often divergent, making the adequacy process one that converges the two. However, in this case the UK has had a data protection regime modeled after that of the EU for decades now. Regardless, this process is essential now that the UK is no longer under EU data protection laws. Once the draft adequacy decisions have been adopted they will remain in place for four years. After this four year period, it will be possible to renew these decisions once the level of protection for data transfers between the EU and UK has proven to be, and is likely to continue to be, adequate.


Personal data transfers between the UK and the EU are currently protected during this interim period by the EU-UK Trade and Cooperation Agreement. 


On January 1, 2021 an interim period began during which the UK, while no longer under EU law, continues to enjoy lawful and seamless data transfers under the EU-UK Trade and Cooperation Agreement, until June 30, 2021. Now that these initial steps in adopting adequacy decisions for data transfers to the UK have been taken, the European Commission awaits the opinion of the EDPB regarding this draft decision. Once this opinion has been taken into account, the so-called comitology procedure will ensue, during which the Commission will request approval from representatives of the EU member states in order to finalize adequacy for personal data transfers to the UK.

