EU Commission: Proposal for a “Digital Green Certificate” - the gateway to freedom?

Current steps in the digitization of healthcare in the face of the COVID-19 pandemic.

The digitization of the healthcare system has been progressing non-stop ever since long before the COVID-19 pandemic. Following milestones such as the E-Health Act, the Digital Health Care Act (DVG) and the Digital Health Applications Ordinance (DiGAV), the introduction of the electronic patient file (ePA) has now made it possible to collect and store medical findings and information on examinations and treatments in one central location, while ensuring the patient's data sovereignty. Theoretically, it would therefore be possible to use the electronic patient record for COVID-19-related information (CO-VID-19 vaccinations received, negative test results, infections survived, etc.) as well. However, since the electronic patient file is not yet in widespread use and a fast, uncomplicated and, above all, uniform solution throughout Europe is needed, the European Commission has now addressed the question of how a person's COVID-19-related information can be stored and proven if necessary.

For this purpose the Commission published a proposal for a “Regulation establishing a framework for the issuance, verification and acceptance of interoperable certificates for vaccination, testing and recovery to facilitate freedom of movement during the COVID 19 pandemic (Digital Green Certificate)” (COM/2021/130 final) on March 17, 2021.

Content of the “Digital Green Certificate”

According to Art. 2 No. 2 of the "Digital Green Certificate" Regulation (DGC-E), the “Digital Green Certificate” is an interoperable attestation of the holder's vaccination, testing or recovery status in connection with COVID-19. Each EU member state can decide for itself whether to issue the certificate in paper and/or digital form.  However, the certificate must always be accompanied by a machine-readable 2D code that can be used to verify the authenticity, integrity and validity of the certificate. In terms of content, the “Digital Green Certificate” is intended to enable the issuance and cross-border verification and recognition of various individual certificates in accordance with Art. 3 Par. 1 DGC-E:

• a certificate attesting that the holder has received COVID-19 vaccination in the member state issuing the certificate (“vaccination certificate”)
• A certificate listing the result and date of a qualified NAAT test or CO-VID-19 rapid antigen test performed by the holder (“Test Certificate”).
• A certificate indicating that the holder has recovered from SARS-CoV-2 infection following a qualifying positive NAAT test or positive rapid antigen test (“Recovery Certificate”).

The specific personal data to be stored is defined conclusively in the regulation for each type of certificate. All certificates contain the name and date of birth of the holder and are provided with a unique identifier. Vaccination and testing certificates also contain information about the vaccine used or the type, time, place and result of a test. Recovery certificates, on the other hand, show the date of the first positive test result.

Permitted processing purposes

Personal health data requires special protection. For this reason, the permissible processing purposes of the “Digital Green Certificate” are kept very restrictive. According to Article 9 (1) and (2) DGC-E, the personal data contained in the certificates may only be processed for the purposes of retrieving and verifying the information contained in the respective certificate (= confirmation of the vaccination, testing or recovery status of the holder) “in order to facilitate the exercise of the right of free movement within the Union during the CO-VID-19 pandemic”. Only the competent authorities of the Member State of entry and the operators of cross-border passenger transport services, which are required by national law to implement certain public health measures during the COVID 19 pandemic, are authorized to do so. Personal data will only be stored in the respective certificate itself, which will be protected by a digital signature. The public key required for an audit is to be made available in a central, publicly accessible database.

Other uses of the „Digital Green Certificate“?

It is questionable whether the “Digital Green Certificate” can also be used for other purposes in the future, for example as an “admission ticket” for visiting restaurants or cultural events. Technically, this would be possible without further ado, since the 2D code to be added to each certificate could easily be read and checked. The EU Commission has not (yet) taken a position on such a further-reaching possible use of the “Digital Green Certificate”, which is in any case ultimately relevant only in Germany. Since the reading and verification of the 2D code constitutes processing under data protection law within the meaning of the General Data Protection Regulation (GDPR), the verifying body - for example the operator of the restaurant or the concert promoter - would have to ensure in any case that the processing can be based on a permission standard of the GDPR. In this regard, only the consent of the data subject can be considered at present, which would also have to be expressly declared rather than tacitly or implied - since particularly sensitive health data is involved. The requirements for proof of such consent by the examining body are therefore high. The situation would only be different if the German legislature were to create a statutory permission standard that would expressly permit the use of the “Digital Green Certificate” for other purposes not mentioned in the DGC-E (for example, with reference to the existence of a public interest in the area of public health, such as protection against serious cross-border health risks).

Practical tip:

The EU Commission's proposal for the introduction of a “Digital Green Certificate” brings movement into the public discussion on how a person's vaccination, test or recovery status can be checked and proven. However, it is not a low-threshold offer such as apps like “luca” provide. In addition, the intended use of the “Digital Green Certificate” is currently still very restrictive. On the other hand, the “Digital Green Certificate” could develop - especially in cross-border travel - into an “official” proof of vaccination that can claim increased trust. For this reason, the further development, especially the possible opening for further purposes, should be closely monitored. Before using the “Digital Green Certificate” as an “admission ticket” for public places such as restaurants or hotels or for events, it is always advisable to check the data protection laws.