The European Union is preparing the ground for vaccine passports. A common approach for mutual recognition of vaccination documentation is of the “utmost importance”, the Commission said today, adding that it wants “an appropriate trust framework” to be agreed upon by the end of January — “to allow Member States’ certificates to be rapidly useable in health systems across the EU and beyond”.
“Vaccination certificates allow for a clear record of each individual’s vaccination history, to ensure the right medical follow-up as well as the monitoring of possible adverse effects,” it writes, adding that: “A common EU approach to trusted, reliable and verifiable certificates would allow people to use their records in other Member States. Though it is premature to envisage the use of vaccine certificates for other purposes than health protection, an EU approach may facilitate other cross-border applications of such certificates in the future.”
It’s not clear what form (or forms) these pan-EU coronavirus vaccine certificates will take as yet — but presumably there will be both paper-based and digital formats, to ensure accessibility.
Nor is it clear exactly how EU citizens’ identity and medical data will be protected as checks on vaccination status take place. Or, indeed, who the trusted entities storing and managing sensitive health data will be. All that detail is to come — and may well vary by Member State, depending on how immunity certification verification systems get implemented.
Last week a number of tech companies, including Microsoft, Oracle and Salesforce, announced involvement in a separate, cross-industry effort to establish a universal standard for vaccination status that they said would build on existing standards, such as the SMART Health Cards specification which adheres to HL7 FHIR (Fast Healthcare Interoperability Resources).
That tech-backed effort is pushing for an “encrypted digital copy of [a person’s] immunization credentials to store in a digital wallet of their choice,” with a backup available as a printed QR code that includes W3C-standards verifiable credentials for those not wanting or able to use a smartphone. The PR also talked about a “privacy-preserving health status verification” solution that is at least in part “blockchain-enabled.”
Nothing so specific is being proposed for the common EU approach as yet. And it looks clear that a number of vaccine credential standards will be put forward globally — as a potential universal standard. (The Commission is touting its forthcoming framework on that front too.)
Whatever is devised in the EU must ensure compliance with the region’s data protection framework (which bakes in requirements for security and privacy by design and default when processing people’s information). So it could offer better privacy protection than a private sector-led effort, for example.
The EU’s eHealth Network — a body which includes representatives from relevant Member States’ authorities who are supported by a wider European Joint Action body, called eHAction — will be responsible for defining the minimum dataset needed for vaccination certificates used at the EU level, per the Commission.
It says this must include “a unique identifier and an appropriate trust framework ensuring privacy and security”.
Expect relevant stakeholders such as Europe’s Data Protection Supervisor and Data Protection Board to weigh in with expert advice, as happened last year with coronavirus contacts tracing apps.
“The Commission will continue to work with Member States on vaccination certificates which can be recognised and used in health systems across the EU in full compliance with EU data protection law — and scaled up globally through the certification systems of the World Health Organisation,” EU lawmakers add, saying the forthcoming framework will be presented in the WHO “as a possible universal standard”.
Commenting in the challenges ahead for developing privacy-safe vaccination verification, Lukasz Olejnik, a Europe-based independent cybersecurity and privacy researcher and consultant, told TechCrunch: “It is tricky to follow privacy by design for this particular [use-case]. It is unclear if anyone will be interested in identifying possible innovative privacy-preserving frameworks such as anonymous cryptographic credentials.
“In the end perhaps we will end up with some approach using verifiable credentials, but establishing trust will remain a challenge. What will be the source of trust? Is it possible to prove a particular status without the need to disclose the user identity? These are the core questions.”
“I hope this proposal will be public and transparent,” he added of the EU framework.
It’s worth emphasizing that all this effort is a bit ‘cart before the horse’ at this stage — being as it’s still not confirmed whether any of the currently available COVID-19 vaccinations, which have been developed primarily to protect the recipient from serious illness, also prevent transmission of the disease or not.
Nonetheless, systems for verifying proof of immunization status are fast being spun up — ushering in the possibility of ‘vaccine passport’ checks for travellers within the EU down the road, for example. It’s also not hard to envisage businesses requesting COVID-19 vaccination certification before granting access to a physical facility or service, in a bid to reassure customers they can spend money safety — i.e. once such documentation exists and can be verified in a standardized way.
Standardized frameworks for vaccination credentials could certainly have very broad implications for personal freedoms in the near future, as well as wide ramifications for privacy — depending on how these systems are architected, managed and operated.
Europe’s privacy and security research community mobilized heavily last year as the pandemic triggered early proposals to develop coronavirus contacts tracing apps — contributing to a push for exposure notification apps to be decentralized to ensure privacy of individuals’ social graph. However efforts toward establishing vaccination certification systems don’t appear to have generated the same level of academic engagement as yet.
In an analysis of the implications of immunity certificates, published last month, Privacy International warned that any systems that require proof of vaccination for entry or a service would be unfair “until everyone has access to an effective vaccine” — a bar that remains far off indeed.
European countries, which are among the global leaders on COVID-19 vaccination rollouts, have still only immunized tiny minorities of their national populations so far. (Even as the Commission today urged Member States to set targets to vaccinate a minimum of 80% of health and social care professionals and people over 80 by March 2021; and at least 70% of the total adult population by summer — targets which look like fantastical wishful thinking right now.)
“Governments must find alternatives to delivering vaccination schemes which do not perpetuate and reinforce exclusionary and discriminatory practices,” the rights group further urged, also warning that COVID-19 immunity should not be used as a justification for expanding or instating digital identity schemes.