3 Questions To… Daniela Galatova, a PhD researcher at the Faculty of Law of Pan-European university in Slovakia. Her research examines the international legal and ethical aspects of the COVID-19 pandemics and focuses mainly on the proportionality of measures taken with regard to human rights, particularly within the sphere of privacy, personal data and health. In addition to her PhD research, she keeps working as a legal assistant for the European Commission, where she has been holding legal positions for several years.
Disclaimer: the answers provided herein include information exclusively from Daniela Galatova's PhD research and do not represent any official stand stemming from her job as a civil servant.
Vaccine passports are currently a burning issue. Governments from all over the world, as well as airline companies, seriously consider implementing this pass which consists in documentation proving that one got vaccinated against Covid-19 or, in some cases, got tested negative. Do you think it is a good idea?
We are currently facing a difficult and unprecedented situation of a complex character. It does not only touch upon legal aspects concerning fundamental rights, health, privacy and data protection, but also economy and psychology. The motivation of going "back-to-normal" is very strong. We can already observe that Member States are willing to establish a system of "vaccination certificates", the European Commission envisages a legislative proposal on this matter and some countries (Iceland) have already put such a system in place.
"I believe that if the vaccination certificates system is put in place in line with fundamental rights provisions, it might serve its purpose."
It is difficult to explicitly answer whether system of vaccination certificates is a good idea. In my opinion, not every good idea is legally possible and not every good idea, if wrongly put in practice, might result in fruitful consequences. In this particular case, I believe that if the vaccination certificates system is put in place in line with fundamental rights provisions, it might serve its purpose.
I am currently working on a research on vaccination certificates system and despite the fact that the idea is understandable, it is already evident that many legal and ethical aspects will be challenged. It will be therefore of an utmost importance to define the system as clearly as possible, with a thought-through approach and try to address the potential risks and challenges, applying the lessons learnt from the mobile tracing applications, before putting such a system in place.
In the US, the Mayor candidate for New York, Andrew Yang, asserts that vaccine passports should not be used only for travels, but that they should be extended to all sorts of activities, such as accessing office building, going to restaurants or sports room. Such use of vaccine passports applications certainly challenges fundamental rights like right to privacy or freedom of movement. Therefore, our next question : what legal challenges did you identified?
At this stage, we may observe the Member States’ will to find a common solution demonstrated in the Guidelines on verifiable vaccination certificates - basic interoperability elements - issued by the e-Health Network on 21 January 2021. The Guidelines specify the medical and travel purpose of processing, leaving space for potential future purposes to be defined on the basis of a mutual agreement of Member States. It identifies interoperable elements and basic datasets dividing personal data into obligatory and optional upon the purpose of processing. Last but not least, the Guidelines include information on technical proposals of vaccination certificates composition. In addition, the Commission's Factsheets of 9 March 2021 further informed about the vision of legal solution in order to facilitate free movement within the EU and thus confirmed the travel purpose having already been determined in the Guidelines. It announced the preliminary timeline for putting "Digital Green Certificates" in practice. The first predisposition is to prepare a legal proposal until mid-March 2021 and establishment of a digital infrastructure by the summer 2021. The competence of issuance and verification of "Digital Green Certificates" shall lie with each Member State.
The functioning of “Digital Green Certificates” will depend on many variables which have not been identified so far.
Despite this information, it is yet not very clear, how the system would be established with regards to the controllership, lawfulness and some other detailed elements, such as the interlink of the already existing digital systems in some Member States with the "to-be-proposed" mechanism. The functioning of "Digital Green Certificates" will depend on many variables which have not been identified so far. Although we can see some similarities with the Mobile tracing applications system, and therefore could presume a certain vision, guessing would only lead us to endless discussions lacking basic elements. What is important to emphasize is that no matter how the pieces of the system will look like, the rule of law principle safeguarding fundamental rights needs to be strictly applied in order to create an efficient, proportionate and legally correct mechanism.
On the basis of available documentation, I would like to mention two main aspects which I find challenging. The first one concerns the personal data protection. On the EU level, the biggest challenge would be to characterize carefully the interoperability elements in order to set up a mechanism that would overcome the cross-border character of different national legal frameworks, because the heterogeneous national legal systems might cause such a gap that it would lead to inconsistencies causing inefficiency of the vaccination certificate system. The "Digital Green Certificates" system would become efficient only if used by all Member States and under the most unified conditions as possible.
"we are in an emergency situation, but in my opinion, we are on a very thin ice here. Once such a system is put in place [...], I would not exclude a will to use these data for other, yet not defined, purposes."
It would be key to identify the purpose in a solid way without any leeway for further purposes. Since we fall under a very large scale processing of personal data of special categories presumably by vast number of controllers and processors (we cannot exclude using the system also with regards to third countries in the future), the responsible authorities would have to establish the strongest possible technical safeguards (full anonymization, no transfer of personal data) in order to be in line with GDPR. Stemming from the available sources, the certificate might not hold only information about vaccination, but also the immunized status due to an infection or a negative test result in case of persons who cannot get vaccinated. However, a question stays unanswered whether a full anonymization is even possible in case of vaccination certificates system. On one hand, the character of vaccination certificate as such indicates a piece of information on health. On the other, when used for travelling, we can envisage that the passengers would be clearly identified by passport/ID cards thus the health data would be very easily linked to that particular person. It will be very interesting to see how this element will be addressed.
Another risk which could potentially lead to a more complex issue is the data retention and the prudence of not creating a permanent system. It is true that for this moment, we are in an emergency situation, but in my opinion, we are on a very thin ice here. Once such a system is put in place and let's presume it would be efficient, I would not exclude a will to use these data for other, yet not defined, purposes. Applying the system for other compatible purposes or emergency situations would not necessarily represent an issue, but I see the problem rather in temptation to shift the purposes or in attempts to tailor any similar, yet not compatible, situations in order to simply use the already collected data.
The second aspect concerns a more general perspective of fundamental rights. Vaccinations are considered to be an invasive tool into privacy. In order to be in line with proportionality, it is important to ask whether there are really no other, yet less intrusive, instruments in order to safeguard the exercise of citizen´s rights in such a situation. In addition, I see an issue also in the fact that the pure vaccination does not necessarily lead to a possibility of withdrawal of other restrictive measures. Like that, we could see the vaccination as another supplemental interference into privacy rather than a tool replacing those already existing ones.
"I am not convinced that a non-discriminatory and viable mechanism could be created when taking into consideration the heterogeneous system of national legal frameworks of Member States"
As a consequence, I am rather skeptical about the efficiency and proportionality of the system of vaccination certificates on the basis of information outlined so far. I am not convinced that a non-discriminatory and viable mechanism could be created when taking into consideration the heterogeneous system of national legal frameworks of Member States (some Member States use vaccines not approved by the European Health Agency) and lack of health data on the COVID-19 and the available vaccines (for instance, it is yet not confirmed whether the vaccines serve also against other mutations). In addition, I can hardly envisage how the vaccination certificate regime would not lead into discrimination of one or another group of people (vaccinated or not) from the more general fundamental rights perspective.
Media also raised ethical challenges, especially the question of the access to the vaccines in poorer countries. The WHO even advises against mandating vaccine passports to enter a country because 1 in 4 nations will not access vaccinations this year. Do you see any other ethical challenges ?
While working on my research, I came across various ethical aspects, however I will mention only two of those that struck me the most. Firstly, I find it questionable whether people are interested in vaccination from their own conviction or they are somewhat “indirectly obliged” to get vaccinated in order to have a more facilitated life. There is yet not much information how the system would look like after the vaccination, nor is the information on how would the reality look like for those who do not get vaccinated. The only thing that people are indirectly promised is a pass for going back-to-normal once they get vaccinated. In addition, a distinction of population into “pro-vaccination” and “anti-vaccination” could lead to a certain stigmatization and could even deepen the society which slowly becomes polarized already.
"On daily basis, I am faced with individuals posting on their social media accounts information about being or having been infected with COVID-19, providing with information on their symptoms or information about having been in contact with a positively tested person."
Another element is the easiness and care-free attitude of people when sharing their opinions on the health data. With full consideration of the difficult situation of an easy spread of disinformation, I do not find it appropriate how easily people disclose or are even encouraged to disclose the information on their status of COVID-19 test results, vaccination or possible infection. On daily basis, I am faced with individuals posting on their social media accounts information about being or having been infected with COVID-19, providing with information on their symptoms or information about having been in contact with a positively tested person. In addition, many entities, NGOs and activists encourage individuals to post information about pro or anti vaccination approaches. It is inevitable to continue with open and transparent debates, but the protection of personal data should be applied in every situation, particularly when it comes to health data in an emergency situation and in my opinion, individuals should be supported to learn to protect their personal data, otherwise the GDPR concept and rationale would lose its sense.
TO GO FURTHER: