EU Parliament adopts the Covid Pass: risks for data protection and new forms of discrimination

On April 28, 2021, the European Parliament adopted its position on the Covid Pass (the "Digital Green Certificate" or "Green Passport"). The legislative proposal has been designed to make travel within the EU possible again. The proposal aims to provide EU countries with a common framework which would allow certificates detailing test results, recovered Covid infections or vaccinations to be issued and verified.

At first glance, this may sound interesting, but upon further reflection, it quickly becomes clear that the proposed system has the potential to divide society and expose certificate holders to far-reaching surveillance by the authorities that issue the documents. Even worse, it exacerbates inequalities and increases social exclusion.

No two-tier society

In order to allow people to travel again, the EU proposes to recognise test results as an acceptable alternative to vaccination certificates. Considering that it will still take time before everyone who wants a vaccine can actually get one, this would seem to be a positive step. But there is a catch: for this to work at all, it is necessary that member states make the tests accessible both financially and geographically. In many countries, tests are not readily available or are simply not affordable. For the people in these member states, the advertised alternative is just an empty shell without any real benefit. The European Parliament has taken a very important step in this regard by obliging member states to guarantee the availability of free antigen tests. Socio-economically weaker groups need this easy access if they are not to become second-class citizens who would be excluded from many areas of social life for not holding a Covid passport.

Furthermore, the Covid Pass must be available in both paper and digital format. Otherwise, people without a smartphone or people who do not want to use their mobile phone for this purpose would be excluded. Moreover, not every person owns a printer at home. If rights are to be granted through the Covid Pass, then this must also apply to everyone without exception and free of charge. This is another issue that has meanwhile been clarified by the European Parliament; those who need the document can now choose whether the Covid Pass is issued on paper or electronically, and here too, this must also be possible for everyone.

Big Brother is lurking?

Another issue that we find concerning is the uncertainty of the technology behind the certificate. It exposes individuals to the risk that extensive data records will be created on them. And this does not just concern vaccination and recovery status or past test results, as one might expect. Without the safeguards that the European Parliament has decided on, it would be technically easy to collect and store in a centralized location profiles of people's movements, religious affiliation or even information about what they do in their free time.

Some EU member states, such as Denmark, Austria or Hungary, have already announced that they intend to also use this system to allow admission to restaurants, religious sites or sports facilities. This is where a potentially incendiary control infrastructure can be set up, allowing authorities to not only to track people's access to social events, but also giving them the potential to monitor the entire population's every move.

What we want: Offline verification & rock-solid application limits

It is now essential that the EU Covid Pass regulation clearly states that only offline verifications with pre-downloaded digital signature keys would be allowed, in compliance with the principles of Privacy by Design. These measures would guarantee that issuers cannot obtain any information on passport holders through the verification process or on the circumstances of a verification, and thus that there is no central record of who was where, and when.

It is also important that the regulation clarifies that any further use of this certificate system is at best outright banned, or must at least be authorised by national legislation and must under all circumstances be accompanied by a data protection impact assessment. Otherwise, in countries such as Denmark or Austria, private restaurateurs or stadium security agencies might be able to do as they please with the data on vaccinations or recoveries of their customers.

So where do we go from here with the Covid Pass at EU level?

Fortunately, we are not alone with the fears described above. For this reason, on April 26, 2021, together with 28 human rights and internet policy organisations, we wrote an open letter to the MEPs of the EU Parliament to point out the shortcomings of the draft before the parliamentary vote on April 28, 2021, and to inform them about the issues that could potentially arise.

Now that the member states in the Council of the EU have already decided on their negotiating mandate, the trialogue will get underway.  This means that the European Parliament, represented by the negotiating team around rapporteur Lopez-Aguilar (Spain, Social Democrat), from the Canary Islands, is negotiating the final regulation with the Portuguese Council Presidency, which represents all 27 member states. We expect a final law in May and will do all we can to make our voice heard in the negotiations.

Since you're here

… we have a small favour to ask. For articles like this, we analyse legal texts, assess official documents and read T&Cs (really!). We make sure that as many people as possible concern themselves with complicated legal and technical content and understand the enormous effects it has on their lives. We do this with the firm conviction that together we are stronger than all lobbyists, powerful decision makers and corporations. For all of this we need your support. Help us be a strong voice for civil society!

Become a supporter now!