The Covid pandemic has forced a difficult exercise in striking new balances between fundamental rights and freedoms. Some of these rights are synergistic, such as public and private health and the protection of personal data; for others, such as freedom of movement, association, individual choice and economic initiative, there has been more evidence of a step backwards in favour of containing and treating the pandemic.
As was the case with contact tracing apps, the current green pass is an emblematic example of this delicate balance, which is pursued, inevitably, through an articulated system of checks and balances. The current regulatory obligation in Italy to possess and show the individual green certificate as a condition for access, among other things, to public and private workplaces makes this tool very widely used, and prompts some reflections on where the two disciplines intersect: the application of the green pass and the related processing of personal data.
Green pass EU
The global nature of the pandemic and its consequent impact on the free movement of persons within the EU and the EEA raised the need for EU regulatory intervention to harmonise this tool and make it interoperable among Member States.
Regulation (EU) 2021/953 of 14 June 2021 established a common framework for the issuance, verification and acceptance of interoperable certificates of vaccination, testing and recovery in relation to Covid-19, the so-called EU digital Covid certificate. The subsequent Regulation (EU) 2021/954, of the same date, extended the framework to third-country nationals legally staying or residing in the “Schengen area.”
In applying the fair balance of rights, Regulation 2021/953 specifies, however, that the certificate is not a precondition for exercising the right to free movement and is not to be considered a travel document (art. 5.5 and 5.6, Regulation 2021/953). It is therefore an instrument that facilitates movement within the Union, as indicated in the title of the Regulation: “to facilitate the free movement of persons during the COVID-19 pandemic”.
The European framework on the “EU digital COVID certificate” applies for the period July 1, 2021-June 30, 2022.
The above-mentioned Regulation 2021/953 sets out requirements for the related processing of personal data that may be considered general in scope, i.e. extendable to green passes issued by individual Member States and to their consequent use. These requirements are summarised below.
- The unique identifier of the certificate primarily satisfies the need to minimise personal data, as it avoids the direct identification of the holder and the need to process other personal data in order to identify individual certificates [Recital (19)]; the certificate must contain only the data strictly necessary for the purpose pursued, and the law establishes the categories of personal data to be included in green passes [Recital (50) and art. 10.3].
- The issuance of green passes must not “give rise to discrimination on the basis of possession of a specific category of certificate” [Recital (20) and art. 5.7].
- Compliance of green passes “with EU data protection law (is) essential” [Recital (22)].
- The legal basis for the processing of personal data necessary for the issuance and verification of certificates is found in the fulfilment of a legal obligation to which the controller is subject [Art. 6.1(c) GDPR], and, with regard to special categories of data, in the necessity of processing for reasons of substantial public interest on the basis of EU or Member State law [Art. 9.2(g) GDPR] [Recital (48) and Art. 1, Regulation 2021/953].
- The aforementioned legal basis relates exclusively to the purposes of issuing and verifying certificates, and not to other purposes such as pharmacovigilance or the storage of individual medical records. Any use of the certificate for other purposes must be provided for in national legislation, “which must be in accordance with Union data protection law and the principles of effectiveness, necessity and proportionality, and should contain provisions clearly defining the scope and extent of the processing, the specific purpose in question, the categories of persons who may verify the certificate as well as the relevant safeguards to prevent discrimination and abuse, taking into account the risks to the rights and freedoms of data subjects. Where the certificate is used for non-medical purposes, personal data accessed during the verification process shall not be retained” [Recital (48) and Article 10.3, Regulation 2021/953].
- “(The) data controllers and data processors are required to take technical and organizational measures to ensure a level of security appropriate to the risk of the processing” [Recital (53)].
- “This Regulation (2021/953, ed.) respects the fundamental rights and observes the principles recognized in particular by the Charter of Fundamental Rights of the European Union (“Charter”), including the right to respect for private and family life, the right to the protection of personal data, the right to equality before the law and non-discrimination, freedom of movement and the right to an effective remedy. In implementing this Regulation, Member States must respect the Charter.” [Recital (62)].