Expert Interview with Mag. Dr. Oskar J. Gstrein, LL.M.
Q: After a couple of Nordic states presented their plans to introduce vaccine passports in February, the European Commission proposed what is now called the EU Digital Covid Certificate on 17 March 2021. Now, many Member States already brought some form of legislation on the way to privilege those who are already vaccinated, have recovered from a COVID-19 infection, or recently tested negative. What does an EU Regulation add to this mix? Is it not too late?
A: I understand that the public perceives this topic as relatively new, but actually discussions about the (digital) certification of vaccination against COVID-19 have been there from the beginning of the pandemic. Last year the politicians and the governments focused on data-driven programs to see whether people stay at home or how to facilitate contact tracing. Now we see the third wave of COVID-related programs designed to mitigate the impact of the pandemic. Unfortunately, I believe that this generation will remain to be a topic for several years, especially in the context of international travel. What all of these initiatives have in common is that there is too little consideration of how these technology-driven systems integrate in established organizational processes and societal practices. That is why they tend to fail or being picked up by the actors needed to make them work. Essentially, there is a lack of consideration of the role of trust when developing these measures. To answer your question in one sentence: It is too late in the sense that it is too rushed.
Q: Does the EU even have the competence under EU Law to introduce such a comprehensive “certificate”? Does the reference to Art. 21 (2) TFEU suffice?
A: From the perspective of EU Law the proposed regulatory framework only aims at the facilitation of free movement in the internal market. The EU Commission takes the stance that EU regulation is necessary to protect free movement, while the use of the certificates is not mandatory to move between Member States. The Commission believes it can protect EU citizens from discrimination since it harmonizes the national efforts. I understand this motivation from a political perspective, but I have also criticized that the resulting regulatory framework misses the point of what should be regulated here. I actually believe the proposed framework can be dangerous since it is not addressing the actual issue at stake – which is how to enable citizens to show that they are vaccinated, have recovered, or are tested whenever that provides them a benefit – and rather facilitates the creation of a large-scale digital identity infrastructure that can be abused for surveillance.
Q: Especially in the German discussion advocates of rules, which give special privileges to people who are COVID-19 vaccinated or have recovered, see this as a constitutional necessity: The proportionality principle determines that people who are of no risk for others anymore have to be excluded from the general restrictions. However, digital COVID certificates can be a double-edged sword, as they inevitably lead to differentiation. Even the Committee on Bioethics set up by the Committee of Ministers of the Council of Europe recently raised concerns about vaccination certificates or passes.
What and especially whose human rights are affected negatively by such certificates?
A: Quite frankly, a very narrow interpretation of necessity and proportionality can be problematic here. The problem is that current human rights frameworks are too focused on individual rights and therefore often miss the collective dimension. We should not forget that the introduction of these certificates adds another layer of complexity to our lives which are easier to navigate for people with a higher socio-economic status and access to technology. This is not only a question of resources, it is also a question of digital literacy. At the same time, the pandemic has shown us that our society is also vulnerable if people who have to live and work in precarious conditions (e.g. think of the workers in the meat factories in Lower Saxony) will continue to give the virus space even if the more privileged feel safe. In that sense it is clearly a social question that needs to include ethical concerns, which are not easy to address. I think the German Ethics Council has mapped this dilemma well. My own research on this topic is mostly driven by understanding how digital identity infrastructures shape personality and human dignity in the digital age. This is why I am mostly concerned about privacy and the establishment of large databases that will exist on national levels as a consequence of the certificates and which will keep storing the data from the certificates once the pandemic is over, whenever it will be officially over.
Q: In contrast to other states, which seem to go with traditional passes in paper form (e.g. the first German regulation relies on the traditional “Yellow Booklet”), the Commission proposed a digital form for its certificate. What advantages does a digital pass give and what problems especially from a data protection point of view can occur in this field?
A: Initially many information security experts were concerned about the rush in which the national digital systems have been developed. In fact, in many countries such as Germany we see delays of the introduction of the digital certificates (at least of certain promised features). Therefore, the initial reaction was to suggest the use of paper and avoid potentially unsecure digital infrastructures. However, the problem is that the circulation of forged paper-based certificates is a real issue in Germany and other countries. Here digital certificates could actually make a difference, if there would be sufficient time to carefully develop the systems. Personally, I will use my paper-based booklet to register vaccination and hope it will not be necessary to prove it in a year since a high number of people choose to get vaccinated in the EU. However, that will often not solve the problem if I would like to do international travel and need to prove my status to an airline or an airport.
Q: In general, digital means, such as digital contact tracing or constant monitoring of self-isolation, can be an effective way out of the pandemic. How are vaccine passports linked to those instruments? From a data protection point of view, is it desirable or even possible to have an EU-wide certificate or application that combines information about inoculation with, for instance, contact tracing?
A: In general, I think it would be desirable to have a uniform approach in the EU. If the EU Parliament, Council and Commission take enough time and there is open collaboration with civil society and technical expertise I would be confident that an effective solution could be developed which also respects human rights such as privacy. However, the reality is that the EU is dependent on the will of Member States on the one hand, as well as the grace of large technology companies such as Google and Apple to access their digital infrastructure on the other hand. All the EU Commission can do in such a situation is to rush to the fore and propose a standardization of efforts, which is exactly what it did. As a European citizen I would have wished that the EU took a bolder stance, considering viable options earlier and presenting a more holistic and independent vision for how this could work.
 Mag. Dr. Oskar J. Gstrein, LL.M. is an Assistant Professor at the University of Groningen, Campus Fryslân Data Research Centre.
 REGULATION OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL on a framework for the issuance, verification and acceptance of interoperable certificates on vaccination, testing and recovery to facilitate free movement during the COVID-19 pandemic (Digital Green Certificate), https://eur-lex.europa.eu/legal-content/EN/TXT/HTML/?uri=CELEX:52021PC0130&from=EN ; last accessed 10/06/2021. In this first proposal the EC used the term “Digital Green Certificate”; during the negotiation rounds the name was changed to EU Digital Covid Certificate (EUDCC).
 https://rm.coe.int/dh-bio-2021-7-final-statemfient-vaccines-e/1680a259dd ; last accessed 10/06/2021.
 With regard to the upcoming EU regulation, the German Federal Government announced the gradual introduction of a digital certificate called “CovPass” on June 10, 2021. See: https://www.zeit.de/politik/deutschland/2021-06/covpass-app-digitaler-impfnachweis-jens-spahn-corona-pandemie-rki ; last accessed 10/06/2021.