Digital Green Certificate – EDPB-EDPS Joint Opinion

Author: Sarah Cannataci, Associate

Further to the European Commission’s unveiling of its proposal to facilitate safe free movement of people during the pandemic (read more here), the European Data Protection Board (EDPB) and the European Data Protection Supervisor (EDPS) issued a joint opinion  on the aspects relating to protection of personal data tied to the creation of a Digital Green Certificate (‘DGC’).

Whilst acknowledging the legitimate objective of the proposal, the two authorities stressed on the importance of observance of the principles of effectiveness, necessity, proportionality and non-discrimination, whilst highlighting that since at present, there is little scientific evidence to show the possibility of having Covid-19 immunity, and if so, how long such immunity lasts, the DCG should not be deemed to be an ‘immunity certificate’, but rather, a “verifiable proof of a timestamped factual medical application or history”. The EDPB and the EDPS further enunciated the need for the proposal to have  clear and precise rules governing the scope and application of the DCG, particularly on the issue of prohibited access and use of any of the personal data processed under the DCG by EU Member States once the state of pandemic ceases.

The Joint Opinion also includes guidance on points tied to data transfers, data storage, transparency obligations and identification of controllers and processors for the processing of any personal data under the DGC. Interestingly, the authorities also stressed that the proposal should apply solely to the Covid-19 pandemic and should not apply to other future emergencies. With this Joint Opinion, the EDPB and the EDPS invite the co-legislators to ensure that the DGC is fully compliant with data privacy law.