The European Commission is currently working out a Digital Green Certificate mechanism with the eHealth Network. The setting-up of this framework may be considered a trial for wider reform in the EU e-ID framework.
On 17 March 2021, the European Commission presented a proposal to create a Digital Green Certificate to facilitate the safe free movement of citizens within the EU during the COVID-19 pandemic and support the recovery of the travel and tourism sectors (DGC I and DGC II). The Digital Green Certificate is to be a form of commonly recognized digital proof that a person has either (i) been vaccinated against COVID-19, (ii) received a negative test result, or (iii) recovered from COVID-19.
Over the last few weeks, the Commission has been working with the Member States in the eHealth Network (a voluntary network established by Directive 2011/24/EU on the application of patients’ rights in cross-border healthcare, which connects the national authorities responsible for eHealth) on preparing the interoperability of vaccination certificates.
Background
With the various different approaches taken to the COVID-19 pandemic by the EU Member States, the European Council adopted recommendations on 13 and 30 October 2020 to take a coordinated approach to imposing restrictions on free movement within the EU and the Schengen area.
Aside from the introduction of common thresholds and color mapping by the European Centre for Disease Prevention and Control (ECDC) in view of considering restrictions of free movement for public health reasons (green zones have no restrictions to free movement), it was agreed by the Council that Member States could require people travelling from risk areas in another Member State to undergo quarantine/self-isolation and/or to undergo a test for SARS-CoV-2 infection before and/or after arrival. Travellers arriving from areas marked in dark red should, according to point 17 of the Council Recommendation, be subject to reinforced public health measures.
To show compliance with the different requirements, travellers have been asked to provide various types of documentary evidence, such as medical certificates, test results, or declarations. Confronted with various reports regarding the sale of illicit false negative COVID-19 test reports (see Europol Report), the European Council agreed in the conferences of 25 and 26 February 2021 to call for a common approach to the certification of vaccinations.
The proposed Digital Green Certificate (DGC) in a nutshell
The proposed DGC framework allows for three types of certificates to be issued, verified and accepted:
- a “vaccination certificate” confirming that the holder has received a COVID-19 vaccine in the Member State which issues the certificate;
- a “test certificate” indicating the result and date of a NAAT test or a rapid antigen test; and
- a “certificate of recovery” confirming that the holder has recovered from a SARS-CoV-2 infection following a positive NAAT test or a positive rapid antigen test.
The three different certificates would permit Member States to adopt appropriate legislation to have as many people as possible benefitting from the certificate scheme when travelling, avoiding undue discrimination.
If the conditions for a vaccination, test or recovery are met, each Member State must put in place the required infrastructure to be able to provide a DGC certificate either automatically or upon request.
These certificates are to be issued free of charge to EU citizens and can be in digital, paper-based or hybrid format. In all cases they must display an interoperable QR code enabling the competent authorities to verify their authenticity, validity and integrity. The information contained in the certificates must also be shown in human-readable form and shall be, at least, in the official language or languages of the issuing Member State and English.
The certificates are to include a limited set of information, such as name, date of birth, date of issuance, relevant information about vaccine/test/recovery and a unique identifier, which may only be processed by authorities of visited countries for the strict purpose of confirming and verifying the holder’s vaccination, testing or recovery status, and cannot be retained. All health data is to remain with the Member State that issued a Digital Green Certificate, whereby the issuing authorities of a Member State shall act as the data controllers under the GDPR.
National authorities are in charge of issuing the certificates. Each issuing body (eg a hospital, a test center, a health authority) will have its own digital signature key. All of these are stored in a secure database in each country. All certificate signatures are to be verified on the basis of a secure EU trust framework (“gateway”) to be constructed by the European Commission. The personal data encoded in the certificate does not pass through the gateway, as this is not necessary to verify the digital signature. The Commission will also help Member States to develop software that authorities can use to check the QR codes.
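The trust model described above can be sketched in a few lines. This is an added illustration, not code from the proposal or from the Commission's software: the Ed25519 keys, the JSON payload, the key-id scheme and all function names are assumptions chosen to show why only public keys need to be shared for a verifier to check a certificate.

```javascript
// Simplified model for illustration; not the DGC wire format or gateway API.
const crypto = require('crypto');

// Each issuing body (hospital, test centre, ...) holds its own signing key.
function createIssuer(country) {
  const { publicKey, privateKey } = crypto.generateKeyPairSync('ed25519');
  const der = publicKey.export({ type: 'spki', format: 'der' });
  // Key id = truncated SHA-256 of the public key (an assumption of this sketch).
  const kid = crypto.createHash('sha256').update(der).digest('hex').slice(0, 16);
  return { country, kid, publicKey, privateKey };
}

// The holder's data is signed locally by the issuer.
function issueCertificate(issuer, payload) {
  const body = Buffer.from(JSON.stringify(payload), 'utf8');
  const sig = crypto.sign(null, body, issuer.privateKey);
  return { kid: issuer.kid, body: body.toString('base64'), sig: sig.toString('base64') };
}

// What is shared through the gateway: public keys only, no holder data.
function publishTrustList(issuers) {
  return issuers.map(({ country, kid, publicKey }) => ({
    country, kid, publicKeyPem: publicKey.export({ type: 'spki', format: 'pem' }),
  }));
}

// Verifier: offline check against its downloaded copy of the trust list.
function verifyCertificate(cert, trustList) {
  const entry = trustList.find((e) => e.kid === cert.kid);
  if (!entry) return { status: 'unknown-issuer' };
  const body = Buffer.from(cert.body, 'base64');
  const key = crypto.createPublicKey(entry.publicKeyPem);
  const ok = crypto.verify(null, body, key, Buffer.from(cert.sig, 'base64'));
  if (!ok) return { status: 'bad-signature' };
  return { status: 'valid', country: entry.country, payload: JSON.parse(body.toString('utf8')) };
}

// Constructed sample data (not real certificates or keys).
const listed = createIssuer('BE');
const unlisted = createIssuer('XX');
const trustList = publishTrustList([listed]);
const holder = { name: 'Jane Doe', type: 'vaccination', issued: '2021-04-01' };
const cert = issueCertificate(listed, holder);
const edited = Buffer.from(JSON.stringify({ ...holder, name: 'John Roe' })).toString('base64');
const tampered = { ...cert, body: edited };
const foreign = issueCertificate(unlisted, holder);

for (const c of [cert, tampered, foreign]) console.log(verifyCertificate(c, trustList).status);
```

The verifier accepts the untouched certificate, rejects the one whose content was edited after signing, and rejects the one signed by a key that is not on the trust list; the trust list itself contains no holder data.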
The Digital Green Certificate must be accepted in all EU Member States (and open to EEA countries, but not yet to the UK). When travelling, every EU citizen or third-country national legally staying or residing in the EU, who holds a Digital Green Certificate, should be exempted from free movement restrictions in the same way as citizens from the visited Member State. If a Member State continues to require holders of a Digital Green Certificate to quarantine or test (or deny entry), it must notify the Commission and all other Member States and justify this decision.
It is important to note that the Digital Green Certificate system is a temporary measure, and it will be suspended once the World Health Organization (WHO) declares the end of the COVID-19 international health emergency.
The need for trusted attribute providers within the identification network
While the DGC framework continues to be debated (see eg here, here or here), the proposal highlights a broader need for the recognition of attributes, credentials and attestations issued in electronic form within a trusted framework in the EU.
The existing regulatory framework concerning electronic identification in the EU, the 2014 eIDAS Regulation, has not been constructed to permit the sharing of selective subsets of personal data linked to a digital identity which are commonly recognized. For instance, it is not possible to leverage the pan-European identity framework to share electronic attestations of academic credentials or for a bank to issue verifiable attestations linked to costly KYC procedures in a form which is commonly recognized within the EU. The lack of such a secure, trusted harmonized framework under eIDAS – particularly in view of the COVID-19 pandemic – is part of the reason why the eIDAS framework is today no longer deemed fit for purpose by stakeholders and the European Commission, and why a specific DGC framework must now be enacted.
The proposed DGC Regulation must undoubtedly be read together with the upcoming review of the eIDAS Regulation as announced by the European Commission on 23 July 2020. At the date of this blogpost, the European Commission has not yet published the final impact assessment or circulated any draft working paper – with deliberations on the possible policy options still pending. Nevertheless, it should be noted that the Inception Impact Assessment of the Commission (see here) includes a proposal to "extend the scope of eID regulation under eIDAS to the private sector, notably introducing new trust services for identification, authentication and for the provision of attributes, credentials and attestations" and states that "The possibility for the user to actively manage attributes, credentials and attestations (eg gender, age, professional qualification etc) would empower user control of digital identity and enable personalized online services in a trusted environment where online privacy can be ensured and data is protected." The execution of the DGC Regulation may be considered a first trial case of a potential extension of eIDAS as foreseen by the European Commission.
Aided by our close proximity to the EU institutions in Brussels, we will continue to actively monitor the discussions regarding this key legal act and the relevant electronic identification framework for the EU digital market. With a large majority of MEPs recently supporting a swift creation of the DGC via the emergency procedure of the European Parliament and the European Council already planning a vote by the end of April 2021, we may already see this ambitious project go live by the summer of 2021.
See here for the full Proposal for a Regulation on interoperable certificates on vaccination, testing and recovery (Digital Green Certificate) and here for the Proposal for a Regulation on Digital Green Certificates for third-country nationals legally staying or residing in the EU.