On 17 March 2021 the European Commission issued a draft regulation on a framework for the 'Digital Green Certificate', which is designed to prove the health status of its holder as regards COVID-19, showing either vaccination, a negative test result or recovery from the disease (ie, a "low epidemiological risk"). As such, it must be able to store certain (health) data of the holder and display it to controlling authorities. With this functionality, difficulties arise regarding:
- the technical implementation and mutual recognition of the certificates in different EU member states;
- data protection issues;
- discrimination of non-vaccinated people; and
- different handling or functionality of the certificates in EU member states.
Digital Green Certificate in Austria
Austria intends to implement the Digital Green Certificate before the other EU member states and exceed the intended scope of application. The EU regulation is expected to take effect on 1 July 2021 and aims to enable mutual recognition, define the technical requirements for the use of certificates throughout the European Union and ensure the same scope of application. Austria initially aimed to start using the national Digital Green Certificate as early as the beginning of June. However, due to technical issues, it became clear that the launch would be postponed for at least one week, to mid-June. After further difficulties, the Austrian Digital Green Certificate was launched on 20 June and all its features can now be used to their full extent. In addition to the intended use to enable inter-EU freedom of travel, the Austrian legislature planned to use the certificate to partially replace the national vaccination card and as evidence for entry and exit tests from high-risk regions.
Technical implementation in Austria
The certificate works by the controlling authority scanning a QR code which contains a unique digital signature. Every certificate-issuing body (eg, testing centres, hospitals and health authorities) has its own digital signature key, with which it stores information about vaccination, test results or recovery from COVID-19 in a certificate that, in turn, can be analysed by the controlling authority. By presenting such a certificate, it will be possible for the holder to partake in activities such as travelling, visiting recreational facilities and going to restaurants. Various options are available to analyse digital certificates, which differ regarding their impact on the protection of user data.
Offline authentication works by only checking the validity of the certificate without contacting a central server online for confirmation. This method works because the underlying key, based on which the certificates are created, is secret and known only to the issuing bodies. Another alternative is online verification (the method originally intended by the Austrian government), in which authentication is ensured by contacting a central server that confirms the validity of the certificate.
From a privacy point of view, offline authentication is the preferred method, because the validation of certificates is decentralised and leaves no online digital trace that could be processed, analysed or retained.
In the first governmental proposal for the certificate's domestic legal basis, the minister of health was to be authorised to link and process data relating to health, social status, employment and education (eg, frequency and duration of sick leave, highest completed education, graduation year, time of unemployment, income and work location) of vaccinated or recovered citizens or other people residing in Austria. The purpose of the processing of this data was epidemiological surveillance and monitoring the effectiveness of the implemented measures. Even though the data should have been pseudonymised, because of the linking of diverse and differing data, a personal reference could have been easily established, rendering the pseudonymisation useless.
Further, data from the national vaccination register was to have been duplicated, combined with data from the register of notifiable diseases and processed for the purpose of "outbreak and crisis management" on an order of the minister. Considering the EU General Data Protection Regulation's (GDPR's) principle of data minimisation, it is doubtful that this duplication of (health) data would have been "limited to what is necessary" to reach the intended goal. An authorisation to compare both registers would arguably have been sufficient. Further, Article 1(2) of the Austrian Data Protection Act stipulates that any interference with the fundamental right to data protection must be carried out only in the most lenient manner that leads to the intended goal.
The provision that should govern the deletion of data from the certificates database "as soon as it is no longer necessary" for the intended purpose was also insufficiently determined. This weighed even more heavily, because the data would also consist of special categories of personal data pursuant to Article 9 of the GDPR (ie, health data). A deletion obligation already arises directly from the GDPR, meaning that either a specific retention period would have had to have been set or the circumstances under which to delete the data would have had to have been precisely substantiated.
According to the proposal, an online verification process of certificates was to be implemented, which would have allowed the creation of movement profiles of people by simply analysing the internet protocol addresses of the controlling bodies. Further, the assessment of personal preferences (ie, bars, restaurants or recreational facilities) through internet protocol addresses would have been possible.
Because the planned features of the digital certificate could result in a high risk to the rights and freedoms of natural people, the government carried out a data protection impact assessment (DPIA) of the envisaged processing operations according to Article 35 of the GDPR. However, for most of those who took a closer look at the DPIA, it was incomprehensible that, even though referring to it, the structure of the guidelines on DPIAs, as provided by Article 29 Data Protection Working Party, was not followed (ie, data subjects' rights to access, rectification, erasure, restriction of processing were not discussed) and the overall risk assessment concluded only a low or medium risk for data subjects. In line with this view, no prior consultation of the Austrian Data Protection Authority (DPA), as stated under Article 36 GPDR, would have been necessary before implementing the national green certificate.
All of these issues have drawn criticism from domestic data protection activists. From a constitutional law perspective, critics note that the equal treatment of tested, vaccinated and recovered people is not objectively (ie, scientifically) justified, not sufficiently substantiated and therefore unconstitutional, and may be subject to repeal by the Constitutional Court. Further, critics state that the planned numerous authorisations (eg, for requesting data) for the minister of health are only vaguely determined and may therefore not be constitutional either. Moreover, it remains unclear whether there is sufficient justification to implement an Austrian digital certificate – that is, whether this is the most suitable and lenient remedy for the intended purpose – because a national vaccination card (in which all of a person's vaccinations are registered) already exists and no such certificate is required for travel within Austria.
After widespread criticism from various stakeholders during the legislative review process (in which people and entities were invited to issue formal notes of criticism to the legislature, of which more than 16,000 were submitted), the government decided to change the proposed text. It refrained from the online verification of certificates and linking data from different databases, allowing only the combination of data from the vaccination register and the register of notifiable diseases. Some vague authorisations for the minister of health to request data at will have also been eliminated. Other parts of the proposal remained unchanged and the associated criticism did not lead to an adjustment thereto (eg, regarding DPA consultation, the DPIA, the data retention period, the constitutionality, or determination or substantiation). On 26 May 2021 Parliament agreed the renewed version of the government proposal.
The national Digital Green Certificate has thus obtained a legal basis and was launched in the second half of June, earlier than the EU Digital Green Certificate. However, it remains to be seen whether the legal concerns will lead to a review or even its annulment by the Constitutional Court. Most critics agree that it would probably have been better to wait for the legal framework from the European Union and to implement the certificate along with the other member states to the extent envisaged.
