In a bid to make progress ahead of the summer travel season, Members of the European Parliament adopted a mandate on 28 April to begin negotiations with the Council on a proposal for an “EU COVID-19 certificate” (“the Certificate”), which they envisage being in place for a maximum of 12 months.

To recall, on 17 March, the Commission had tabled a proposal for what was then called a “Digital Green Certificate”, which would make it easier for people to travel within the EU during the COVID-19 pandemic. This certificate is due to provide proof either that someone is vaccinated, has tested negative or has recovered from COVID-19. It will be issued by national authorities, mainly in a digital format, with the option of a paper version, and will be valid in all EU Member States. Each issuing body is expected to have its own digital signature key, which will be stored in a secure database in each country.

Restoring free movement

Following the plenary vote, MEP Juan Fernando López Aguilar (S&D, Spain), rapporteur and chair of the Civil Liberties Committee, noted that the Certificate was needed in order “to re-establish people’s confidence in the Schengen zone while we continue to fight against the pandemic.” During a European Parliament debate on 26 April, shadow rapporteur Sophia in ‘t Veld (Renew, The Netherlands) noted that the fundamental right to free movement had become an essentially theoretical right during the pandemic, due to the fragmentation of restrictions across the EU. She noted that the aim of the Certificate, and related proposals, was to ensure that free movement could once again become a practical reality for citizens. MEPs have also underlined the need to avoid discrimination between those who are already eligible for a vaccine and those who will need to wait longer, highlighting that no distinction will be made between the three uses of the Certificate (vaccine, negative test or recovery).

Interoperability

Shadow rapporteur Jeroen Lenaers (EPP/The Netherlands) highlighted the need for the Certificate to be of “added value” rather than being “another piece of paper that you need to have for your administration.” He noted that if the cost of testing was not controlled, it would contradict the practical aim of the proposal, as those of lesser means would be discriminated against. The need to make the Certificate interoperable with any existing schemes at national level was also highlighted, to avoid a situation where we see 27 different systems, as well as one EU system.

In the same vein, MEPs were keen to eliminate the possibility for Member States to impose additional travel restrictions, alongside the Certificate, that would again undermine its efficacy in facilitating free movement. However, this is likely to be the source of considerable conflict in negotiations with the Council, as Member States have shown throughout the pandemic that they wish to retain their autonomy in this regard.

Another area where the co-legislators may clash is on the exact vaccines which will be covered by the Certificate. While Council’s position to date leaves it open for EU Member States to accept certificates for other vaccines (such as the Russian Sputnik and Chinese Sinopharm vaccines used in Hungary), the position of Parliament is that only those approved by the European Medicines Agency should be included in the scheme.

Data protection issues

As the certificate will necessarily include personal and health data, including name, date of birth, vaccine or test result received, along with a unique identifier, concerns have been raised regarding the data protection safeguards contained in the proposals. The European Data Protection Board (EDPB) and the European Data Protection Supervisor (EDPS) have already adopted a joint opinion on the proposals, inviting the co-legislators to ensure that the Certificate is fully in line with EU personal data protection legislation.

Andrea Jelinek, Chair of the EDPB emphasised the need to consider secondary uses of the Certificate, noting that any further use of the Certificate by Member States “must have an appropriate legal basis and all the necessary safeguards must be in place.” This was echoed by the EDPS, Wojciech Wiewiórowski, who underlined that subsequent use of individuals’ data by Member States after the pandemic should not be permitted.

Data protection issues were also on the radar of the European Parliament, with the Chair of the Civil Liberties committee, Mr López Aguilar, noting that “citizen’s data must be safe and only necessary data should be included in the certificate.” MEPs also agreed that no central database would be established at EU level to store personal data obtained from the certificates. Furthermore, the list of entities at national level that will process and receive data will be public, so that citizens can exercise their data protection rights under the General Data Protection Regime (GDPR). However, it was acknowledged that gaps might remain on a national level if Member States do not enforce such safeguards.

Next steps

Once agreement is reached between the European Parliament and Council, the European Commission will set up a digital infrastructure to facilitate the authentication of the Certificate. At the same time, Member States will need to ensure the necessary changes have been made to their national health records systems so that the system can be functional by the summer.