Abstract
The technological solutions adopted during the current pandemic will have a lasting impact on our societies. Currently, COVID-19 health status certificates are being deployed around the world, including in Europe, the United States and China. When combined with identity verification, these digital and paper-based certificates allow individuals to prove their health status by showing recent COVID-19 test results, full vaccination records or evidence of recovery from COVID-19. Most countries in the Global South, where vaccination rates are low, have not yet fully implemented such certificates, although several initiatives are currently underway. That is, for instance, the case in the African Union. Yet, it is not sufficient to develop technical solutions for the verification of COVID-19 health status. Because technologies do not evolve in a legal vacuum, the existing laws and regulations must be respected. The risks of implementing such technologies must be anticipated and mitigated as much as possible before any large-scale deployment. Risk mitigation should also underpin strategies throughout the deployment of these certificates. This article evaluates the key legal implications of COVID-19 health status certificates for data privacy and human rights. In doing so, it contributes to the current debates, thus informing policymakers in this area of vital national and international interest.
Introduction
The technological solutions adopted during the current pandemic will have a lasting impact on our societies. They will shape how we respond to the trade-offs between data privacy, human rights and public health interests in the future. Amongst these technologies, those aiming to verify individuals’ COVID-19 health status have attracted considerable attention in the past months.
A variety of terms have been used to describe them, notably in the media. These include ‘immunity passports’, ‘Covid-19 health status certificates’, ‘vaccine passports’, ‘digital green certificates’ or ‘Covid-19 status certificates.’ While these terms have been used interchangeably, it is essential to clarify that they do not refer to passports in the sense of official documents issued by governments as proof of nationality or citizenship. The term ‘vaccine passport’ is also misleading as it suggests that only vaccine records are concerned.
In this article, COVID-19 health status certificates (COVID-19 certificates) are understood as an all-encompassing term, defined as the digital and paper-based certificates that, combined with identity verification, allow individuals to prove their health status by showing recent COVID-19 test results, full vaccination records and evidence of recovery from COVID-19.
Presently, COVID-19 certificates are being deployed in several European countries, the United States and China (Ada Lovelace Institute, 2021a). Most countries in the Global South, where vaccination rates are low (Mathieu et al., 2021), have not yet fully implemented such certificates, although several initiatives are currently underway. There is, for instance, a continent-wide scheme promoted by the African Union, and another national initiative in South Africa (Ada Lovelace Institute, 2021a). Private sector initiatives also aimed to develop technological solutions for these certificates (CommonPass, 2021; Good Health Pass, 2021; IATA, 2021).
The World Health Organization (WHO) and the World Tourism Organization (UNWTO) also reviewed COVID-19 certificates (UNWTO, 2021; WHO, 2021). In June 2021, the WHO announced that it was expanding the scope of its Smart Vaccination Certificate initiative and using instead the term Digital Documentation of COVID-19 certificates (WHO, 2021). Such change was necessary to include COVID-19-related vaccination records, test results and recovery status.
As more countries require COVID-19 certificates for international travel, a variety of concerns remain. These are particularly significant regarding the lack of equitable access to vaccines by populations worldwide (Padma, 2021), the costs of COVID-19 tests (Skytrax, 2021) and the lack of global standards for the mutual recognition of certificates.
The domestic uses of these certificates are also not always straightforward. Some countries such as France (Law No. 2021-1040) and Italy (Decree of the President of the Council of Ministers, 2021) have adopted legislation imposing their use for access to most private and public venues and services. Other countries such as England have partially imposed their use domestically (HM Government, 2021). While these initiatives respond to the urgent need of easing lockdown measures and reopening economies, they also raise a variety of legal, scientific and ethical issues (Ada Lovelace Institute, 2021b; Beduschi, 2020; Kofler and Baylis, 2020; Mills and Dye, 2021; Phelan, 2020).
COVID-19 certificates used in both international and domestic contexts pose essential legal questions for the protection of data privacy and human rights given that: (1) they use sensitive personal health information; (2) create a new distinction between individuals based on their health status; and (3) can be used to determine the degree of freedoms and rights individuals may enjoy (Beduschi, 2020).
This article builds on this premise to evaluate COVID-19 certificates’ legal implications for data privacy and human rights. It places the analysis within the legal frameworks of international human rights law (IHRL) and the European Union's General Data Protection Regulation (GDPR). While acknowledging that the GDPR is a European regulation, the article draws on this legal framework to analyse the data protection implications of COVID-19 certificates. The GDPR has a direct relevance beyond Europe (Article 3 GDPR) and has served as a model for similar regulations in other parts of the world. Accordingly, the article aims to contribute to the current debates, thus informing policymakers in this area of vital national and international interest.
Protection of health data under the GDPR
COVID-19 certificates draw on personal health information. Within the scope of the GDPR, ‘data concerning health’ means ‘personal data related to the physical or mental health of a natural person, including the provision of health care services, which reveal information about his or her health status’ (Article 4-15 GDPR). COVID-19 test results and vaccination records relate to a natural person's physical health and reveal information about their health status – thus, they are considered health data under the GDPR.
This type of personal data attracts a reinforced level of protection (Article 9 GDPR). For instance, even when pursuing public health interests, domestic laws must provide suitable and specific measures to safeguard individuals’ rights and freedoms (Article 9-2(i) GDPR).
Consent is undoubtedly a legal basis that can be used for the processing of health data (Article 9-2(a) GDPR). However, that does not exempt data processors from the fundamental principles and obligations put forward by the GDPR. Significantly, COVID-19 certificate providers will still have to comply with the principles laid down in Article 5 of the GDPR, including data minimisation and purpose limitation.
Although individuals may consent to have their health data collected, stored and processed to use such a digital or paper-based certificate, providers would still need to build data protection into their design by default (Article 25-1 GDPR). COVID-19 certificates are also likely to result in a high risk to natural persons’ rights and freedoms. Accordingly, providers should carry out data protection impact assessments before any large-scale deployment of these certificates (Article 35-1 GDPR).
In this regard, the legislation providing the legal basis for the deployment of these certificates must clarify the key questions concerning data access, purpose limitation and data storage conditions. For instance, in Singapore, data from the contact-tracing applications were reportedly shared with the police even though the government had initially claimed that the data would only be used for the limited purpose of managing the pandemic (Illmer, 2021). Similarly, experts and activists have highlighted the risk of having COVID-19 certificates re-purposed for further uses, such as gradually becoming a de facto digital identity system (Edwards, 2021; Pietropaoli, 2021; Privacy International, 2020).
Maintaining the confidentiality of health data should also be paramount. Health data must be processed in a manner that complies with the requirements of security and confidentiality, preventing any unauthorised access, accidental loss, damage or destruction of the data (Article 5-1 (f) GDPR). That is particularly significant when health data is stored and/or shared by private providers. For instance, data from COVID-19 tests of seven hundred thousand individuals have reportedly been leaked in France, due to a flaw in the private software of the French test platform (European Parliament, 2021). If such breaches were to become widespread, they would likely undermine societal trust in these certificates, notably regarding the management of health data.
Protection of data privacy under international human rights law
COVID-19 certificates interfere with the right to respect for one's private life (Article 12 of the Universal Declaration of Human Rights (UDHR); Article 17 of the International Covenant on Civil and Political Rights (ICCPR); Article 8 of the European Convention on Human Rights (ECHR); Article 11 of the American Convention on Human Rights (ACHR)). The concept of private life includes the protection of personal information in a digital format (S. and Marper v. UK, 2008; Gaughran v. UK, 2020). The mere storing of such data suffices to constitute an interference with the right to privacy (S. and Marper v. UK, 2008, para. 67).
However, the fact that a measure interferes with the right to privacy does not mean that such a measure is automatically unlawful. The protection afforded by this right is not absolute. Consequently, the right to privacy may be restricted, so long as such a restriction is not arbitrary. Public authorities may, therefore, be able to justify an interference with this right under specific conditions.
Within the ECHR framework, these conditions entail that public authorities’ measures must safeguard one of the legitimate aims enumerated in the second paragraph of Article 8 of the Convention. These include, for example, ‘the protection of health’ and ‘the economic well-being of the country’, both of which could be relied on in the management of the current health crisis. In addition, any interference with this right must satisfy the cumulative tests of legality, necessity and proportionality.
The legality test requires that measures interfering with the right to privacy must have a basis in domestic law, be compatible with the rule of law and protect against arbitrary interferences by public authorities (S. and Marper v. UK, 2008, para. 95; Malone v. UK, 1984, para. 67). Therefore, domestic laws providing the legal basis for the deployment of COVID-19 certificates must be adequately accessible and foreseeable and afford adequate legal protection against arbitrariness.
The necessity test demands that the measures adopted address a pressing social need (S. and Marper v. UK, 2008, para. 101). Arguably, in the context of COVID-19 certificates, the need to tackle the social and economic impact of the pandemic and lift lockdown measures that significantly restrict freedom of movement may satisfy the necessity test. Still, public authorities will need to clear the proportionality hurdle.
The proportionality test requires that the measures taken by public authorities are proportionate to the legitimate aims pursued and entail the least restrictive viable solution (Kennedy v. UK, 2010, para. 155; Roman Zakharov v. Russia, 2015, para. 260). Yet, in striking a fair balance between the interests of the community as a whole and private individuals’ rights, states have a certain margin of appreciation (Letsas, 2006).
In this regard, it is possible to argue that, in the context of COVID-19 health status certificates, this hurdle could be cleared only if a fair balance is struck between the competing interests at stake. Such a balancing exercise would need to consider elements such as the degree, nature and duration of any restrictions on the right to privacy motivated by public interests.
For instance, the uses of COVID-19 certificates could be limited via sunset clauses inserted in relevant legislation. These clauses are normally used to set a clear expiry date for the rules provided for in a given legislative act, unless specific exceptions apply – for example, the extension of the statute by law after re-examination of the matter by Parliament. In the context of COVID-19 certificates, legislation should make it clear that they are to be used only during the current pandemic and not extended beyond.
Such limitations are important to prevent the normalisation of the current level of interference with individuals’ privacy, notably as the technical infrastructure used for COVID-19 certificates could be repurposed for broader uses after the pandemic. Limiting the duration of the usage of COVID-19 certificates also clarifies that measures adopted during the pandemic are only justified within the exceptional circumstances of the present health crisis. Such an approach would set a clear precedent in favour of safeguarding individuals’ right to privacy in the event of a future pandemic.
Equality and non-discrimination
COVID-19 certificates create a clear distinction between individuals based on their health status, and on that basis, determine the extent to which they can exercise their rights and freedoms. Yet, under IHRL, all persons are equal in dignity and rights (Article 1 UDHR) and are entitled without any discrimination to the equal protection of the law (Article 7 UDHR; Article 26 ICCPR; Article 14 ECHR; Article 24 ACHR; Article 3 of the African Charter on Human and Peoples’ Rights (ACHPR)).
While the international community shares a collective responsibility to fight the current pandemic (Machingaidze and Wiysonge, 2021), in democratic societies, public authorities must act within the limits of the rule of law and respect for human rights. Mandating COVID-19 certificates may contribute to the management of the pandemic. However, depending on how they are implemented, these certificates may lead to the exclusion of parts of the population based on their health status. That could be, for instance, the case of individuals in the Global South who do not yet have access to vaccines, or that of individuals in the Global North who cannot be vaccinated for medical reasons and also cannot afford COVID-19 tests (Council of Europe, 2021).
Accordingly, vaccines should be accessible to all before any global deployment of these certificates. Vaccine equity is of particular concern regarding populations not in priority groups, such as young people. Vaccination registrations and identity verification may also deter migrants in an irregular situation from being vaccinated, which may not only exclude them from access to COVID-19 certificates, but also jeopardise broader public health goals (UN Committee on Migrant Workers, 2021; UN Network on Migration, 2021).
Moreover, if COVID-19 tests are offered as alternatives to vaccines, they should be free of charge or at least affordable to everyone to avoid unlawful discrimination. If non-vaccinated individuals, for example, those who have medical reasons not to get vaccinated, cannot afford to pay for private COVID-19 tests repeatedly, they may be de facto excluded from exercising their basic rights. Unless policymakers tackle the affordability of COVID-19 tests, the deployment of these certificates risks creating a system in which only the vaccinated and the wealthy can have access to travel, culture and the enjoyment of life in society.
Conclusion
As vaccination campaigns progress in developed countries, so does the idea of implementing swift technology-powered solutions to ease our way out of lockdowns and manage the negative effects of the pandemic. However, as argued in this article, technical solutions for the verification of COVID-19 health status do not suffice on their own. Because technologies do not evolve in a legal vacuum, the existing laws and regulations must be respected. The risks of implementing such technologies must be anticipated and mitigated as much as possible before their deployment on a global scale. This article has offered an analysis of the legal consequences of COVID-19 certificates for data privacy and human rights, thus informing the debates about the lasting impact that such technological developments may have on our societies.
Acknowledgements
The author would like to thank Dr Kubo Mačák and Prof Hitoshi Nasu for their constructive feedback on an earlier version of this article and the Journal's editors and anonymous reviewers for their valuable insights and instructive comments.
Declaration of conflicting interests
The author declared no potential conflicts of interest with respect to the research, authorship, and/or publication of this article.
Funding
The author(s) disclosed receipt of the following financial support for the research, authorship, and/or publication of this article: This work was supported by the Economic and Social Research Council (grant number ES/V004980/1).
