EU Parliament adopts the Covid Pass: risks for data protection and new forms of discrimination

On March 28, 2021, the European Parliament adopted its position on the Covid Pass (the “Digital Green Certificate” or “Green Passport”). The legislative proposal has been designed to make travel within the EU possible again. The proposal aims to provide EU countries with a common framework which would allow certificates detailing test results, recovered Covid infections or vaccinations to be issued and verified.

At first glance, this may sound interesting, but upon further reflection, it quickly becomes clear that the proposed system has the potential to divide society and expose certificate holders to far-reaching surveillance by the authorities that issue the documents. Even worse, it exacerbates inequalities and increases social exclusion.

No two-tier society

In order to allow people to travel again, the EU proposes to recognise test results as an acceptable alternative to vaccination certificates. Considering that it will still take time before everyone who wants a vaccine can actually get one, this would seem to be a positive step. But there is a catch: for this to work at all, it is necessary that member states make the tests accessible both financially and geographically. In many countries, tests are not readily available or are simply not affordable. For the people in these member states, the advertised alternative is just an empty shell without any real benefit. The European Parliament has taken a very important step in this regard by obliging member states to guarantee the availability of free antigen tests. Socio-economically weaker groups need this easy access if they are not to become second-class citizens who would be excluded from many areas of social life for not holding a Covid passport.

Furthermore, the Covid Pass must be available in both paper and digital format. Otherwise, people without a smartphone or people who do not want to use their mobile phone for this purpose would be excluded. Moreover, not every person owns a printer at home. If rights are to be granted through the Covid Pass, then this must also apply to everyone without exception and free of charge. This is another issue that has meanwhile been clarified by the European Parliament; those who need the document can now choose whether the Covid Pass is issued on paper or electronically, and here too, this must also be possible for everyone.

Big Brother is lurking?

Another issue that we find concerning is the uncertainty of the technology behind the certificate. It exposes individuals to the risk that extensive data records will be created about them. And this does not just concern vaccination and recovery status or past test results, as one might expect. Without the safeguards that the European Parliament has decided on, it would be technically easy to collect profiles of people’s movements, religious affiliation or even information about what they do in their free time and store these in a centralised location.

Some EU member states, such as Denmark, Austria or Hungary, have already announced that they intend to also use this system to allow admission to restaurants, religious sites or sports facilities. This is where a potentially incendiary control infrastructure can be set up, allowing authorities to not only to track people’s access to social events, but also giving them the potential to monitor the entire population’s every move.

What we want: Offline verification & rock-solid application limits

It is now essential that the EU Covid Pass regulation clearly states that only offline verification with pre-downloaded digital signature keys would be allowed, in compliance with the principles of Privacy by Design. These measures would guarantee that issuers cannot obtain any information on passport holders through the verification process or on the circumstances of a verification, and thus that there is no central record of who was where, and when.

It is also important that the regulation clarifies that any further use of this certificate system is at best outright banned, or must at least be authorised by national legislation and must under all circumstances be accompanied by a data protection impact assessment. Otherwise, in countries such as Denmark or Austria, private restaurateurs or stadium security agencies might be able to do as they please with the data on vaccinations or recoveries of their customers.

So where do we go from here with the Covid Pass at EU level?

Fortunately, epicenter.works is not alone with the fears described above. For this reason, on April 26, 2021, together with 28 human rights and internet policy organisations, they wrote an open letter to the MEPs of the EU Parliament to point out the shortcomings of the draft before the parliamentary vote on April 28, 2021, and to inform them about the issues that could potentially arise.

Now that the member states in the Council of the EU have already decided on their negotiating mandate, the trialogue will get underway. This means that the European Parliament, represented by the negotiating team around rapporteur Lopez-Aguilar (Spain, Social Democrat), is negotiating the final regulation with the Portuguese Council Presidency, which represents all 27 member states. Epicenter.works expects a final law in May and will do all they can to make their voice heard in the negotiations.

The article was first published here.

(Image credit: Claudio Schwarz | @purzlbaum)

(Contribution by: EDRi’s member Epicenter.works)