Covid-19 has led to the appearance of a multitude of changes, going far beyond the purely health aspect. We have been witnessing the implementation of numerous initiatives aimed at alleviating the harmful effects of this health pandemic. In this way, the development of technological tools based on the processing of specially protected personal data, such as health, raises important questions from the perspective of privacy and the right to freedom of movement.
One of these tools, available in all EU Member States as of July 1, 2021, is the Digital Covid Certificate. This tool seeks to ease the freedom of movement of citizens within the European Union during this Covid-19 pandemic. When traveling, the holder of the EU Digital Covid Certificate should be exempted from the restrictions on freedom of movement aiming at curbing the pandemic established by the countries belonging to the EU, including mandatory quarantines or additional tests.
COVID certificate: freedom of movement and personal data
In regards to the right to freedom of movement in member countries, the Digital Covid Certificate does not act as a passport or a travel document that conditions or restricts it itself, but rather as an instrument that facilitates mobility between countries, thus guaranteeing health protection of its citizens. People who do not own a Covid certificate may still travel, although the admission process is much slower and the destination countries may choose to apply additional measures and controls. Thus, Art. 3.6. of REGULATION (EU) 2021/953 OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL of June 14, 2021 establishes that “the possession of certificates mentioned in paragraph 1 will not be a precondition for exercising the right to freedom of movement”.
Moreover, when it comes to the right to the protection of personal data, both the European Data Protection Committee and the different European Control Authorities have made public statements in which they establish that the regulations on data protection do not prevent taking measures in the fight against the COVID pandemic, but do warn that even in these exceptional circumstances those who process personal data must ensure its protection. In this same line, this shall be done thoroughly, mainly if we take into account that we are dealing with especially sensitive data, including health related data. Health authorities are therefore obliged to be extremely careful when adopting measures that affect fundamental rights and that can be guided only by urgency or fear. For this reason, public health and data protection must go hand in hand.
Moreover, health authorities as well as the rest of agents dealing with Covid Certificates, i.e airport staff, etc., are both obliged to guarantee this protection of personal data. As a result, in the Resolution of June 21, 2021, of the Directorate of the State Agency for Air Safety, which updates the Operational Guidelines for the management of passengers and aviation personnel in relation to the Covid-19 pandemic, published in the BOE on July 2, 2020, which establishes mandatory rules for airport managers and specifically, on passenger management, in section 2 VIII, establishes that airlines, when it comes to checking the corresponding certificate held by passengers, under no circumstance will they have access to the health information contained therein.
To sum up, in such an emergency scenario we are currently immersed in, guaranteeing a certain degree of public health without safeguarding high standards of protection of personal data becomes unachievable. Such right constitutes the main foundation for full effectiveness and guarantee of the set of constitutionally recognized fundamental rights.
Palmira Cañete
Business Departament