On 1 July, the EU Digital COVID Certificate was launched across all EU Member States. 

While many people naturally see this new measure as a ticket to freedom following over a year of stringent COVID-19 measures, digital rights advocates remain concerned about its possible impact on people’s human rights.

As EU countries rapidly adopt this new tool, we must remain alert to its potential for surveillance, exclusion and “function creep”.

The new digital COVID certificate was introduced in the EU on 1 July and aims to “facilitate free movement of citizens” during the pandemic. The digital certificate uses a unique QR code to identify individuals, and contains key information such as people’s full name and date of birth, as well as whether they’ve been vaccinated, recently tested, or recovered from COVID-19.

After over a year of lockdown measures, people are understandably itching to get away this summer. But this eagerness shouldn’t stop us taking a critical eye to this new tool, and asking key questions about what its impact will be for human rights in both the short and long-term.

…this eagerness shouldn’t stop us taking a critical eye to this new tool, and asking key questions about what its impact will be for human rights

The onus is on lawmakers to make the case for why the roll-out of a digital certificate is a necessary and proportionate response to the challenge at hand. This is something that many feel has yet to be adequately proved, especially given that previous “vaccination passports” – such as for yellow fever – have always used paper rather than digital systems. 

Vaccines – a new discriminator?

Many human rights organisations have voiced concerns about the certificate creating a two-tiered system and becoming a new discriminator. Despite the EU’s assurances to the contrary, worries abound that, in practice, a divide will materialise between those who have been vaccinated and those who have not. 

The COVID-19 vaccine is not yet accessible to all, whether due to age, legal status or the speed of a country’s inoculation campaign.

This cannot be allowed to happen. The COVID-19 vaccine is not yet accessible to all, whether due to age, legal status or the speed of a country’s inoculation campaign. The vaccine is also not mandatory in any EU country, and is unlikely to be so in the near future, meaning that people retain the right to opt out. 

At the same time, it’s cause for optimism that the EU has committed to boosting its member states’ testing capacity, suggesting that the option of not being vaccinated remains on the table. 

However, how the new certificate will affect non-EU citizens both when first entering an EU member state from a non-EU country and during their subsequent residence remains unclear. Almost 5% of people living in the EU aren’t actually citizens. Free testing facilities may not be easily accessible to all, which risks creating a class distinction and a two-tier society.

While a paper format of the new digital certificate is currently promised, it still remains to be seen just how accessible this is for those without an up-to-date smartphone, or without a smartphone at all.

The pitfalls of haste

The breakneck speed at which this certificate has been developed has sparked fears that necessary and rigorous impact assessments may have been bypassed. Are we satisfied that the lawmakers have done enough due diligence? What unprecedented shifts could this new tool lead to? How could it be repurposed in the future? Any legislation supporting the introduction of a digital certificate should ideally include clear and effective protections against function creep.

Are we satisfied that the lawmakers have done enough due diligence?

When it comes to digital tools, updates and revisions are often necessary and happen quickly, and this is all the more likely against the backdrop of this fast-paced pandemic. This has left some understandably alarmed about the possibility of “mission creep”. Time and time again throughout history, we’ve seen measures introduced in a crisis that have never been retracted. This could be addressed by ensuring that the use of any digital certificate is time-limited to the period of the pandemic.

The Institute for Technology in the Public Interest (TITiPI) has pointed out that the certificate will result in the digitisation of the public health system on a scale never previously seen in Europe. The tool will tie public health authorities with the regulation of people’s freedom of movement, creating a complex new power dynamic with potentially unforeseen, problematic consequences. 

The tool will tie public health authorities with the regulation of people’s freedom of movement, creating a complex new power dynamic with potentially unforeseen, problematic consequences

As well as this, the new certificate demands new forms of everyday policing. As TITiPI puts it: “By virtue of regulating which test and which brand of vaccine can allow the holder of the certificate to enter a space, participating [sic] in an activity, or cross a border, the EU Digital COVID Certificate will act as a powerful gatekeeper between private partners, governments and the public.”

While it is arguably not the certificate itself that establishes these rules, it will contribute to their effective enforcement. This means that in addition to the more fundamental question – whether it should be necessary, in principle, for individuals to evidence immunity when going about their daily business – the certificate also raises additional concerns about data protection, data security and fraud protection.

Data fears

As with any digital tool containing sensitive, personal information, this new certificate poses risks for our data that must be taken very seriously. 

…this development can’t be treated as yet another opportunity for a data grab by governments and other organisations

Right now, the EU is promising that data won’t be retained or stored when verified by another country. However, the possibility of this data being repurposed in the future, or of this data being breached, remains. The pandemic has already seen a worldwide explosion in health data collection: as Privacy International (PI) has put it, this development can’t be treated as yet another opportunity for a data grab by governments and other organisations.

It’s clear that this new tool could have immediate, practical benefits for millions of people across Europe. At the same time, its drawbacks can’t be underestimated – and as its use begins to spread through the continent, it’s crucial that digital rights organisations remain vigilant.