While some researchers see the certificate as an opportunity to develop an EU-wide standard in digital health, others have raised concerns about fundamental rights, including non-discrimination and privacy, as well as the underlying technical infrastructure of the certificate. We discussed the issue with Henrique Martins, from ISCTE-IUL, Lisbon where he teaches management and digital health. and with Sara Wilford, Senior Lecturer at the Centre for Computing and Social Responsibility at De Montfort University.
The regulatory basis of the EU Digital COVID Certificate was agreed by the Commission, Parliament and the Council in a fast-track procedure in mid-May 2021 and was signed on 14 June 2021. It promises to facilitate the lifting of travel restrictions in EU/EEA Member States for EU citizens and legal residents. In fact, the certificate has the political backing of all the EU institutions, as it promises to establish a way to gradually lift various travel restrictions imposed by Member States, such as entry bans and quarantine periods, which are currently restricting freedom of movement in the EU.
The certificate, which will be available in paper format or on a smartphone with a QR code, provides proof that a person has either been vaccinated against COVID-19, received a negative test result or recovered from the virus. However, the certificate should not be used as a precondition to the right of free movement and will not be considered as an official travel document. The EU COVID-19 certification scheme will be in place for 12 months.
Could the EU Digital COVID Certificate become the first step towards a health union?
Henrique Martins, from ISCTE-IUL, Lisbon where he teaches management and digital health, sees the certificate as one of two paths towards a central approach to EU healthcare – a national infrastructure that feeds into an EU-wide, interoperable system. As a former healthcare practitioner, Martins thinks the certificate will create numerous opportunities:
Henrique Martins, the past president of SPMS, Portugal’s Digital Health Agency, where he led eHealth efforts for about 7 years: “From a practitioner’s perspective, I think the certificate is well thought through. If successful, people may see the value in building an EU-wide standard in digital health. It would allow the scaling up of cross-border exchanges such as images, laboratory results or digital care, and would make the case for an EU healthcare system by building a single market for health. But in order to get there, we need to invest in the same way we did in the digital single market. The certificate is a first promising step in that direction, but to really harmonise patient-centred healthcare across the EU, more political and legal efforts are needed.” – Read the full interview
Privacy, platform infrastructure and interoperability
The collection of personal data, including sensitive health data, is strictly regulated by EU law. This is why data protection and security safeguards related to the certificate infrastructure are key issues in the legislative text, as the law does not permit destination Member States to collect personal and medical data from the certificate. Furthermore, the text states that a central database will not be established at EU level, and that data processing entities should be public, which would enable citizens to exercise their data protection rights under the General Data Protection Regulation.
Sara Wilford, Senior Lecturer at the Centre for Computing and Social Responsibility at De Montfort University, acknowledges the importance of legal safeguards and points to the enormous responsibility borne by the technical infrastructure provider. In her view, the unprecedented case of establishing a digital infrastructure where national authorities bear the main responsibility leaves too many security and data protection loopholes. These could be abused not only by private stakeholders with commercial interests or malicious cyber-actors, but also by governments seeking to increase state power.
Sara Wilford, Senior Lecturer at the Centre for Computing and Social Responsibility at De Montfort University: “Since the certificate will gather enormous amounts of data, it will essentially create a network of networks between all user data – and that data will need to be stored and owned by an entity. The statement from the European Commission indicating that SAP and T-Systems are the developers and operators still fails to provide sufficient detail about how permissions will be approved, and how to decide what is allowed and how to keep the system secure. Who else will have access to the back-end infrastructure (outsourcing, additional partners etc) and who will ultimately be the gatekeeper of the public key beyond the initial 12 months? These questions are essential to protecting our fundamental rights, but currently remain only partially answered. The EU institutions have good intentions, and I am sure that the partners have provided some assurances, but it is the unforeseen consequences of the further development of the network of networks that concern me.“ – Read the full interview
In fact, European Data Protection Supervisor Wojciech Wiewiórowski has emphasised that the scope of the certificate should be limited: ‘access to and subsequent use of individuals’ data by EU Member States, once the pandemic has ended, is not permitted and […] the application of the proposed Regulation must be strictly limited to the current COVID-19 crisis.’ This point is called into question by proponents of a common EU health care system. Should the use of the digital infrastructure, the interoperable systems and registered patients’ data be restricted to the pandemic, or could it mark the beginning of an EU-wide healthcare infrastructure?
Sara Wilford: “Overall, the EU Digital COVID Certificate is a great idea, but we have to be careful. I’m not in any way unenthusiastic about the idea. The provisions on equality cover many concerns about technophobia, people without access to technology, underprivileged persons and people living with disabilities, so to a large extent, the EU has anticipated potential problems. However, I believe the real issues could stem from what actually happens under the hood.”
• More information from the European Parliamentary Research Service
• More info from the European Commission
• More info on the technical foundation of the EU Digital COVID Certificate
• Q&A on the EU Digital COVID Certificate