The introduction of some form of “Covid passport” for international travel is inevitable and regardless of whether the UK Government chooses to legislate for their introduction. Other countries are already developing their own certification systems, such as the “Digital Green Certificate” in the EU. Moreover, some businesses are already asking customers for proof of Covid status before they are able to travel. In the light of this inevitability, we look at the current position regarding Covid passports and the legal issues which travel companies need to be aware of.
What is the UK Government’s current position on Covid passports?
On 5 April 2021, the UK Government published an update on its current thinking on Covid passports or, as it prefers to call them, Covid-status certification. Whilst the Government is still consulting and making up its mind on the issue, the following key themes emerge from the update:
- It is likely that the requirement to have a test before entering the UK will remain, although the Government is looking at the implications of vaccination to this policy.
- The Government does not appear minded to legislate for when businesses may or may not require Covid-status certification except for in certain settings where no certification should ever be required. This is to ensure access for all to essential facilities, with public transport mentioned as one example of this.
- As vaccination is not suitable for everyone, the Government is looking at other ways in which individuals may acquire Covid-status certification because of their reduced risk of transmission. In particular, the Government appears eager to permit certification to be demonstrated by those in possession of a negative Covid test result, or those having natural immunity as a result of having previously contracted the coronavirus.
What is the position on UK residents travelling to the EU?
The EU appears to be taking a similar approach to the UK. It does not intend to legislate for when Covid-status certification may or may not be required for entry. This decision is left to individual Member States. Rather, the EU is looking to standardise the way in which individuals prove that they have either been vaccinated, have received a negative test, or have a natural immunity from having previously contracted the coronavirus. This will involve Member States issuing a “Digital Green Certificate”, which will largely be standardised across the EU so that there is consistency in the way in which they are issued, verified and accepted. This should allow a traveller with a Spanish-issued certificate to use this in Germany if there is a requirement to show a form of certification to enter Germany or to avoid quarantine or testing requirements.
This EU scheme will not immediately assist UK citizens wishing to travel into the EU and which hold UK-issued Covid-status certificates. Over time, the EU has said that it may issue an “adequacy decision” in relation to a third country such as the UK, which would mean that all Member States have to accept certificates produced in the UK as proof of vaccination, testing or recovery from Covid. However, until then, the EU suggests that UK citizens travelling to the EU may request a Digital Green Certificate from the country they are travelling to, but this will be left to the discretion of the Member State to decide whether the information provided (e.g. proof of vaccination in the UK) is sufficient.
Can travel companies require customers to produce Covid-status certification?
There are complicated legal issues involved in travel companies requiring customers to produce Covid-status certification before agreeing to supply them with a holiday. The main issue involves potential breaches of the Equality Act 2010 (“EA 2010”), which applies to all travel companies, including tour operators and travel agents, albeit there are certain exemptions for flights and cruises (which are governed by separate EU laws now incorporated into UK law).
The EA 2010 prohibits travel companies from discriminating against individuals on the basis of certain protected characteristics such as age, disability, race, sex, and religion or belief. Importantly, this prohibition extends to indirect discrimination, which can happen when a travel company applies the same policy to everyone, but it disadvantages a group of people who share a protected characteristic. For instance, if a holiday company were to refuse to take a customer’s booking unless the customer produced proof of vaccination, this might disadvantage customers advised not to take the vaccine because of a certain disability. Such a policy has the potential to amount to indirect disability discrimination if certain conditions are met.
However, a policy which appears to amount to indirect discrimination can still be lawful if it can be objectively justified by showing that it is a “proportionate means of achieving a legitimate aim”. On the face of it, a legitimate aim of a policy requiring proof of vaccination could be to manage/reduce the risk of transmitting coronavirus to other travellers. However, the question as to whether requiring proof of vaccination is a “proportionate means” of achieving that legitimate aim is much more complicated and dependent on the circumstances. Vaccination does not guarantee immunity or non-transmissibility to other travellers. Moreover, other measures might also be possible to manage the risk of transmission to other travellers – for instance, asking the traveller to take a test before travel. It might therefore not be proportionate to insist on proof of vaccination when, for example, a negative test result or evidence of having previously contracted the coronavirus in a certain timeframe might be an effective alternative. This is likely to be why the UK and the EU are both looking at a form of Covid-status certification which extends beyond mere vaccination.
If showing proof of having had a vaccine becomes a legal requirement in the UK to utilise a particular travel service or a legal requirement of a foreign country being travelled to, the legal analysis would become more straightforward because the requirement would be one imposed by a government rather than one that a company has chosen to impose. It remains to be seen whether the government will legislate in this way.
What are the data privacy implications?
There are a multitude of issues for travel companies to consider from a privacy perspective when operating or participating in a Covid-status certification scheme. Crucially, the success of any scheme will be contingent on people’s trust. Consumers will need to feel confident that their data is secure and only used for legitimate and lawful purposes. Getting this wrong could have serious consequences for a travel company including reputational damage, a loss of business and customer goodwill, compensation claims and monetary penalties imposed by regulators.
Principally, any scheme would need to comply with the GDPR. The GDPR regulates the use of personal data and, importantly, contains higher standards where the data is considered particularly sensitive such as health data. Whether or not someone is vaccinated, and Covid test results, are health data.
The GDPR requires that data be used in accordance with certain core data protection principles. In particular, this means that data needs to be processed:
- Fairly– as noted above, use of Covid passports could result in some sections of society being unfairly discriminated against;
- Lawfully– there are various legal grounds that apply to the use of data and at least one of them needs to be met. One option would be to have individuals consent to the use of Covid passports but that will not work if their use is a condition of travel. If it is a condition of travel, an appropriate term could be included in the contract with consumers which assists demonstrating lawfulness although this could be quite inflexible;
- Transparently– consumers need to be very clear about what data is being collected and how it will be used. Travel companies will need to update their privacy notices to reflect their Covid-status certification scheme;
- Securely–it is absolutely crucial that the data is kept secure especially as databases would be a prime target for hackers. The highest standards of security would be expected given the nature of the data. Consideration should be given to strong levels of encryption, access and a decentralised model where data is stored on a consumer’s device and not on a central server;
- Minimally– only the minimal amount of data should be collected for the purposes of operating the scheme and use should be restricted to the purposes of the scheme. Safeguards should be put in place to prevent any scope creep and the data being used for additional purposes such as tracking users’ movements and to ensure that the data is deleted as soon as it is not required.
In addition, there are further significant compliance challenges where data is shared with third parties especially on a cross border basis, and in meeting some of the more stringent requirements of the GDPR that apply to the use of health data.
Lastly, depending on the nature of the scheme, there may be a legal obligation to carry out a Data Protection Impact Assessment (DPIA) before the scheme is launched. A DPIA is a process to help you identify and minimise the data protection risks of a project. Even if a DPIA is not legally required, it is good practice to do a DPIA for any other major project which requires the processing of personal data. The implementation of a Covid-status certification scheme would likely fall into that category.