This brief paper builds on related work by the author and others on health data research and data protection, legal safeguards for emergency COVID-19 measures, and a presentation by the author on this topic. The following analysis also responds to a previous paper published in this e-conference on ‘Data Protection Issues and Covid-19: Comparative Perspectives’. Three main issues are addressed below: the concept of ‘immunity passports’; data protection implications; and future use and governance of COVID-19 vaccination certification.
‘Immunity passports’ – an inaccurate and misleading term
As others have rightly highlighted, serious doubts surround use of the concept of ‘immunity passport’ in the COVID-19 context. Both the WHO and the scientific research community warned in April and July that there is ‘not yet a clear, measurable marker in the body that correlates with long-term immunity’. This of course could change following future research developments, but for now, crucially, there is still no evidence of any test or treatment that would ensure long-term immunity.
Based on the lack of any such evidence to date, it is deeply inappropriate from an ethical, legal, and scientific standpoint to use such a term. Its use may mislead the public, which could result in unnecessary risks being taken, such as unnecessary travel and gathering at workplaces, thereby endangering the health and lives of many. Development of a vaccine, however, is taking place at an unprecedented pace worldwide, and it has been reported that, following the necessary clinical trials, a collaboration between the University of Oxford and AstraZeneca could deliver a vaccine that works by 2021.
Thus, it is argued that any such future public health identity system for COVID-19 immunity is a medium-term measure and much more testing is required before long-term immunity can be established. It is therefore suggested that a more appropriate and accurate term to be adopted following the delivery of a vaccine proven to be effective would be a ‘certification of vaccination’.
As the European Data Protection Board has stated, given the tremendous level of risk to fundamental rights that such highly sensitive data collection would entail, any such legal assessment of necessity and proportionality measures should also ‘be based on scientific evidence’.
COVID-19 vaccination certificates and legal implications
The following two sections briefly address the currently hypothetical situation raised by Iñigo de Miguel Beriain where future scientific developments could verify a person’s immunity to COVID-19 (over a specific period).
As the European Commission and the academic community have stated, any public health monitoring systems are high risk measures that must be shown to be lawful and necessary in a democratic society. These should be adopted with legal safeguards put in place by design and default in order to counter or mitigate such risks.
These conflicts with human rights particularly include high levels of interference with the rights to private life, data protection, and non-discrimination which are protected by Articles 8 and 14 of the European Convention on Human Rights, the EU Charter of Fundamental Rights, and the EU General Data Protection Regulation (GDPR).
The relevant proportionality test for policymakers is whether there is ‘a pressing social need’ to introduce legislation that would specifically permit the introduction and scope of use of COVID vaccination certificates. This threshold is based on well-established Article 8 ECHR case law concerning State surveillance. It also reflects the high risk such an identity system would pose for an individual’s right to non-discrimination, their freedom to work and travel, and the privacy and security of their health data, which is especially sensitive and warrants a higher threshold of safeguards under the EU GDPR.
In line with EU GDPR requirements regarding the collection of health data at such scale, a Data Protection Impact Assessment would have to be undertaken by any EU Member State prior to the development of any such health monitoring. This would have to address:
- What legal basis would permit the adoption of such health monitoring and what safeguards does it provide for?
- How would these safeguards counter/reduce the harms to privacy, data security, and equality?
- What types of personal data would be collected under such a certification scheme?
- In addition to the person’s health data, how will other data be used (e.g. biometric data used to verify and authenticate an individual with their antibody test result for them to enter a building)?
- What authorities will be given the power to collect and request access to this certificate, and for what purpose?
- Will this data be shared with other bodies, and for what purposes?
- What independent oversight body will be responsible for the monitoring and review of this health monitoring? And what powers of oversight and enforcement will be allocated to such an organisation?
- On what grounds is the use of this system necessary and proportionate in a democratic society? Are there any less intrusive alternative methods available?
WHO vaccination certification: existing governance and purpose limitation
It is worth considering the scope and purpose of existing governance frameworks for vaccination certificates before we reinvent the governance wheel.
For instance, the WHO already uses an established and trustworthy international system of such certification for diseases such as Yellow Fever. Provided that the WHO could be given adequate resources, it is proposed that an international certification regime could be established with respect to countries where such certification is necessary based on the available evidence of health risk to travellers.
Such a certification scheme would require COVID-19 vaccination certificates to be permitted solely for the purpose of travel, in order to counter transmission of the virus between countries. In line with the current framework adopted by the WHO, which enables the protection of health and not identity monitoring, this certificate would be a standalone document and thereby separate from an individual’s passport. Lessons on how to implement such an international certification scheme could also draw and build on existing relevant accreditation training courses, such as that provided by the US CDC.
Dr Nóra Ní Loideáin PhD (Cantab) is Director and Lecturer in Law of the Information Law and Policy Centre at the Institute of Advanced Legal Studies (IALS), University of London. Nóra is an academic lawyer by qualification and experience and her research interests and publications focus on governance, human rights law, and technology. She also holds the posts of: Associate Fellow, Leverhulme Centre for the Future of Intelligence, University of Cambridge; CIPIL Research Associate, Faculty of Law, University of Cambridge; and Senior Research Fellow, Faculty of Humanities, University of Johannesburg. In 2019, Nóra was appointed as legal advisor to the UK Home Office, as part of the Biometrics and Forensics Ethics Group which provides independent advice on the ethical impact of using biometrics within the contexts of criminal justice and national security. Nóra is also an editor of the peer-review law journal International Data Privacy Law published by Oxford University Press. Prior to her academic career, Nóra was a Legal and Policy Officer for the Office of the Director of Public Prosecutions of Ireland and clerked for the Irish Supreme Court.