Smart Vaccination Certificate

As COVID-19 vaccination programmes are carried out in many countries, governments worldwide are moving towards issuing smart vaccination certificates (SVCs), which are interoperable and include information on individuals’ vaccination status. Governments facilitate the re-opening of their economies by easing some restrictions on the free movement and travel of individuals who have been vaccinated against COVID-19 and can demonstrate this with a vaccination certificate.

The European Union adopted its Regulation on the EU Digital COVID Certificate (EU DGC) to enable free movement during the pandemic. When travelling across EU Member States, the EU Digital COVID Certificate holder should, in principle, be exempt from restrictions relating to their freedom of movement. EU Member States should refrain from imposing additional travel restrictions on the holders of an EU Digital COVID Certificate, unless they are necessary and proportionate to safeguard public health. 

Currently, many European countries, such as France, Greece and Italy, already request or are starting to request SVCs from individuals as proof of their vaccination status or immunity if they wish to enter indoor hospitality venues like cafés and restaurants, workplaces and a range of other venues. This measure has proven necessary following the spread of new variants across the EU.

SVCs use machine-readable images, such as barcodes, with digital signatures. They were considered early on in the pandemic because of their higher security against forgery and their greater convenience for both the carrier and the verifier. The World Health Organisation (WHO) tasked a global working group of experts in early 2021 to provide recommendations for secure and interoperable SVCs. These recommendations include an examination of situations with no printer, internet or smartphone. In May 2021, WHO updated the scope and direction of the working group’s recommendations, which now refer to Digital Documentation of COVID-19 Certificates (DDCC); like the EU’s DGC, this also encompasses certificates on COVID tests and individuals’ recovery status. The EU’s use of interoperable SVCs provides for a sunset clause to retire the SVCs, but some experts expect that societies will rely on them to also fight future pandemics.

Amongst other countries, Israel is issuing COVID-19 certificates to Israeli citizens, and private businesses are already relying on these certificates to grant access to private spaces, e.g. restaurants, shopping malls and events. The USA is now also considering federal certificates or passports for travelling and other purposes, such as authorising entry to specific public and private places.


Positive foreseen impacts on data protection:

  • Easier and more secure access to personal data concerning health: certificate bearers have easier access to their own health data. Because of the verification of digital signatures, their health data offers a high degree of integrity and is, as such, more trustworthy. SVCs are convenient, because they may be verified partially or entirely automatically. 
  • Improved interoperability based on trust: the interoperability design scheme of SVCs may enable the bearer to securely verify their health status across borders. For this interoperability between countries, authorities exchange cryptographic country keys, as is already the case for the verification of electronic passports. Such a system relies on reciprocal trust amongst countries and the capacity of each country to accurately issue and manage COVID-19 vaccine certificates and the personal data included in these certificates.
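
The country-key verification described in the last bullet, as an added example (not part of the original page or of any real certificate system): a verifier holds a trust list of public keys exchanged between countries and accepts a certificate only if the named issuer's key validates the signature. Ed25519, the country code "AA", the payload and the certificate layout are assumptions made for illustration.

```go
package main

import (
	"crypto/ed25519"
	"errors"
	"fmt"
)

// TrustList maps an issuing country's code to the public key it exchanged.
type TrustList map[string]ed25519.PublicKey

// Certificate is a constructed, simplified SVC (hypothetical layout).
type Certificate struct {
	Issuer             string
	Payload, Signature []byte
}
var ErrUnknownIssuer = errors.New("issuer not in trust list")
var ErrBadSignature = errors.New("signature does not match certificate")
// NewIssuerKey creates a country key pair (nil reader selects crypto/rand).
func NewIssuerKey() (ed25519.PublicKey, ed25519.PrivateKey) {
	pub, priv, _ := ed25519.GenerateKey(nil)
	return pub, priv
}

// signedBytes binds the issuer code to the payload so neither can be swapped.
func signedBytes(issuer string, payload []byte) []byte {
	return append([]byte(issuer+"\n"), payload...)
}

// Issue signs the payload with the issuing country's private key.
func Issue(issuer string, priv ed25519.PrivateKey, payload []byte) Certificate {
	return Certificate{issuer, payload, ed25519.Sign(priv, signedBytes(issuer, payload))}
}

// Verify works offline: it needs only the exchanged public keys.
func Verify(tl TrustList, c Certificate) error {
	pub, ok := tl[c.Issuer]
	if !ok {
		return ErrUnknownIssuer
	}
	if !ed25519.Verify(pub, signedBytes(c.Issuer, c.Payload), c.Signature) {
		return ErrBadSignature
	}
	return nil
}

func main() {
	pub, priv := NewIssuerKey() // constructed key and sample payload below
	fmt.Println(Verify(TrustList{"AA": pub}, Issue("AA", priv, []byte(`{"dose":2}`))))
}
```

A certificate altered after issuance, signed by a key other than the one on the trust list, or naming an issuer the verifier has no key for is rejected, which is why the scheme depends on each country managing its signing key correctly.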


Negative foreseen impacts on data protection:

  • High risk of repurposing bearers’ personal data: SVCs must contain personal data allowing verifiers to link the health data to the carrier. However, this data may be repurposed to use SVCs as identity documents, enabling the tracking of bearers. This opens doors to discrimination or infringement of the fundamental rights and freedoms of the bearers. For instance, event organisers or shops could recognise first-time and frequent guests and treat them differently.  
  • Several risks from the software solution: depending on the deployment of the software for bearers to manage and display their certificates, bearers may be nudged to use certain software solutions that do not fully comply with data protection rules. If health data is stored on blockchains, risks for individual rights, such as the right to correction or deletion of personal data, may emerge. The potential centralisation of health data in backend IT infrastructure increases incentives for malicious actors to obtain this data.


Tech Champions: Dina Kampouraki; Robert Riemann