Legal Update

Apr 26, 2021

Overview of Technology and Data Privacy Issues Arising from COVID Passports

Click for PDF

As the world progresses with COVID vaccinations, the scenario where you have to show a COVID passport before crossing a border, taking a public mode of transportation, or entering a public space like a cinema no longer seems like a scene out of a dystopian sci-fi movie. Colloquially dubbed the “COVID passport,” the concept refers to various forms of a  certificate of COVID vaccination and/or negative test status recognized on a national or inter-state basis, the use of which remains a controversial topic at this juncture, giving rise to technical, legal and ethical concerns.

Having said that, some countries have already adopted or proposed adopting various versions of COVID passports on a national or inter-member states basis, such as the “Green Pass” for visiting certain premises or events within Israel[1], the “Green Health Code” for domestic travel and entry into certain premises within mainland China[2], and the proposed “Digital Green Certificate” for travelling between member countries of EU and abroad[3].  The decentralized initial approach and the practical challenges of implementing an universally recognized COVID passport remains as the world grapples with the COVID-19 pandemic.

The Technology Issues

Initially, it is crucial to verify the authenticity of COVID passports, which requires reliability and security of the technology used.  Connecting the data pool of medical institutions, pharmaceutical companies, regulatory authorities across different jurisdictions, or even within the same jurisdiction, will be a challenging task. Already there have been reports of hundreds of fake CDC vaccination cards being sold on e-Bay in the United States.[4]

Fundamentally, how can technology protect information safety and data privacy? During last year, many countries have used or developed contact tracking Apps on different platforms. Whether it is mandatory to use these Apps, whether the data management and information process system are centralized all give rise to concerns. However, the information contained in COVID passports is somewhat different from, and more limited than, contact tracking Apps. The protection of data privacy may be enhanced by limiting the scope of information collected and using a de-centralized platform.

The Legal Issues

Among the heated debate over the EU Digital Green Certificate, on 31 March 2021, The European Data Protection Board and the European Data Protection Supervisor adopted a Joint Opinion on the Proposals for a Digital Green Certificate, which aims to facilitate the exercise of the right to free movement within the EU during the COVID-19 pandemic by establishing a common framework for the issuance, verification and acceptance of interoperable COVID-19 vaccination, testing and recovery certificates[5] (“Joint Opinion”).

The key messages from this Joint Opinion include:

  • the Digital Green Certificate shall be fully in line with EU personal data protection legislation to mitigate the risks to fundamental rights of EU citizens and residents, including its possible unintended secondary uses.
  • the use of the Digital Green Certificate may not, in any way, result in direct or indirect discrimination of individuals, and must be fully in line with the fundamental principles of necessity, proportionality and effectiveness.
  • the introduction of the Digital Green Certificate should be accompanied by a comprehensive legal framework.

The recommendations in the Joint Opinion are helpful. However, even if a comprehensive legal framework is established in each jurisdiction, the next question will be how to coordinate and/or integrate different national laws to make COVID passports interoperable globally. Limiting the type of information collected, stored or transferred may simplify the mutual recognition process.

Before the current pandemic, some countries had already been requiring foreign visitors to provide proof of vaccination status to foreign visitors in order to obtain a visa. COVID passports could be viewed as a similar concept, especially considering that the EU’s proposal provides that the Digital Green Certificate can be issued in paper form with a printed QR code, which could amount to a yellow vaccination card submitted for a visa application.  

Besides the use of COVID passports for international travel, its use in domestic settings, such as for entering restaurants or the workplace, could create further legal issues, such as triggering discrimination laws. In any event, exceptions should be made to accommodate people who are unable to receive the vaccine due to disability or religious reasons.

The COVID passports in the workplace

In the absence of any clear guidance from the government regarding the domestic use of COVID passports, the common questions from employers in a domestic workplace setting may include:

  • Can the employer ask for the vaccination status of the employee?
  • Can the employer require the employee to be vaccinated or show a COVID passport?

Answers to the first question are different across jurisdictions. Mostly yes, but with limitations. In some jurisdictions, an employee’s express consent is required. In other jurisdictions, only the medical provider authorized by the company can ask the question.

Answers to the second question are negative in most jurisdictions, except in limited circumstances where the risk of infection is high, such as emergency medical care. Other than in the US, employers can still offer the opportunity to employees to get vaccinated or actively promote the vaccine for safety and health purposes.

It is strongly recommended that employers, especially those in industries with higher risk of infection, consider reviewing their employment manuals and contracts to see whether any consent is required from employees under specific circumstances and, if so, obtaining such consent in advance. Internal guidance should be put in place in respect of the collection of information on vaccine status. For instance, employees must be notified what information is collected, on voluntary or mandatory basis, the purpose of use, etc. Keep an eye out for the next installment in this series, which we expect to post within a couple of weeks. And please do not hesitate to reach out to the authors or your favorite Seyfarth counselors to discuss these issues in a more personalized manner.

 

[1] https://corona.health.gov.il/en/directives/green-pass-info

[2] http://cs.mfa.gov.cn/gyls/lsgz/fwxx/t1859289.shtml

[3] https://ec.europa.eu/commission/presscorner/detail/en/qanda_21_1187

[4] https://www.nytimes.com/2021/04/08/technology/vaccine-card-scam.html

[5] https://edpb.europa.eu/sites/edpb/files/files/file1/edpb_edps_joint_opinion_dgc_en.pdf

Related Trends