This 1st of July saw the adoption of the EU Digital Green Certificate, introducing Europe-wide rules relating to the freedom of movement of both EU and non-EU citizens in the European area during the current pandemic crisis.
The EU Digital COVID-19 Certificate Framework legislation consists specifically of Regulation EU 2021/953 and Regulation EU 2021/954. Regulation EU 2021/953 lays down rules on EU citizens’ freedom of movement, whereas Regulation EU 2021/954 concerns third-country nationals (non-EU citizens) legally staying or residing in the territories of EU Member States. Essentially, Regulation EU 2021/953 and Regulation EU 2021/954 form a framework for the issuance, verification, and acceptance of interoperable COVID-19 vaccination, test, and recovery certificates (EU Digital COVID Certificate) to facilitate free movement during the COVID-19 pandemic.
Furthermore, the two EU Digital Covid-19 Certificate regulations offer definitions concerning the concept of the EU Green Certificate, stating that it “means interoperable certificates containing information about the vaccination, testing and/or recovery status of the holder issued in the context of the COVID-19 pandemic”. Each Member State has implemented the EU Digital Green Certificate, passing national legislation that is adapted to the territorial organization of the country, existing rules governing, for instance, public health, or even the available technological tools and current COVID-19 spread situation for the country of concern.
Clearly, the lack of guidelines for EU countries relating to the EU Digital Green Certificate’s implementation is creating major discrepancies in the certificate’s use at the national level.
Concerning the Italian context, it should be remarked, then, that the EU Digital Green Certificate in Italy is not viewed as merely a cross-border interoperable certificate containing information about the vaccination, test result, or recovery of the holder issued in the context of the COVID-19 pandemic as provided in articles 2.3 and 3 of the Regulation EU 2021/953 and Regulation EU 2021/954. Instead, the Italian legislation implementing the EU Digital COVID Certificate framework outlines an extensive use of this tool. Indeed, the EU Digital COVID Certificate (also called “Green Pass”) is currently required in Italy for access to indoor restaurants, cultural events, concerts, or for traveling when using long-distance trains.
With wide use of the EU Digital COVID-19 Certificate comes the risk of massive personal data processing. It should be noted that the data processed in the case of the EU Digital Covid-19 Certificate are mainly “health data”, falling within the scope of Article 9 of the GDPR. Therefore, the EU Digital COVID-19 Certificate could create some privacy concerns, considering the very nature of the data being processed or even assuming a potential data breach. The deputy chairman of the Italian Data Protection Authority, Prof. Ginevra Cerrina Ferroni, recently underlined, in the Videobacklight e-meeting with the Italian Data Protection Authority, that it is mandatory to have a legal basis for processing the EU Digital Covid-19 Certificate data, and that the fairness and non-discrimination principle must be respected.
Italian Green Pass: Certification Data
The Digital Green Certificate legislation in Italy is constituted by the Decree of the Presidency of the Council of Ministers n. 52 of April 22nd, 2021, and its implementing Decree dated July 22nd 2021. According to article 3 of Decree n. 52, the Green Pass includes several types of data. Such information as the holder’s name and surname, date of birth, COVID-19 disease reference, the entity which issued the certification, and the EU Digital Green Certificate unique identification number are present in all Italian EU Digital Green Certificates, including the Vaccination Certificate, the Certificate of Recovery, or even the Test Certificate.
Vaccination Certificates feature information on the type of vaccine, the name of the vaccine itself, the vaccine manufacturer, and the dose number. The Certificate of COVID-19 Recovery indicates that the holder has recovered from a SARS-CoV-2 infection, the name of the Member State in which the NAAT test with a positive result was carried out, as well as the start and expiration dates of the certificate. Finally, the COVID-19 Test Certificate provides information about the NAAT test or rapid antigen test to which the holder was subject and, where applicable, the test manufacturer.
Italian Green Pass and the Verification Process
Article 13 of the Decree of July 22nd, 2021 states that verification of the Digital Green Certificate is carried out by reading the barcode included in the certificate itself. VerificaC19 is the official Italian app that allows the verification of the authenticity and validity of the Italian Green Pass. Moreover, the same article 13 stipulates that certain subjects, such as public officials or restaurant owners, are authorized to verify the holder’s green pass when he/she is accessing indoor facilities or is attending cultural events or concerts.
Nevertheless, there is an aspect of the Green Pass Verification process that would seem unclear, as it is uncertain whether the Green Pass Verification subjects should check the Digital Green Certificate holder’s identity card.
According to the Italian Data Protection Authority, Green Pass Verification subjects should check the identity card of the Digital Green Certificate holders. Contradicting this statement, the Ministry of the Interior has recently stated that the Green Pass Verification subjects must not check the Digital Green Certificate holder’s identity card.
Italian Green Pass: Final Considerations
The Italian Digital Green Certificate implementation legislation has proven to be quite complex in its interpretation. In addition, its implementation in practice has been chaotic and often contradictory, as the opposing guidelines of the Italian Data Protection Authority and the Ministry of the Interior make evident. The privacy concerns arising from this extensive implementation are unfortunately a reality, as has been noted in the case of the Lazio region data breach. In the Lazio region data breach, the regional vaccination web page was hacked. As many users suffered the leaking of their sensitive data, said data could be used illicitly in the future.
Finally, it has led to the first region-state conflict of power case relating to the Digital Green Certificate application. Effectively, the Governor of Sicily Nello Musumeci has stopped the Digital Green Certificate application from entering into public offices. However, the Italian Data Protection Authority, a few days ago, sent a request for information relating to the new rules of public office access. The Italian Data Protection Authority, then, has invited the region of Sicily to suspend such measures, complying with the Digital Green Certificate legislation.
In conclusion, Green Pass implementation in Italy is proving to be difficult, considering its territorial organization and the extensive use of this tool. It will probably also be necessary to pass further legislative measures to complete the implementation of regulatory mechanisms for issues such as the balance between state and regional power. In Europe, the EU Digital Green Certificate’s implementation would seem complicated as well: Germany has opted for a moderate and varying use across its Länder that is causing great confusion in the country. Lastly, several Spanish regional Supreme Courts are reversing the effects of the EU Digital Green Certificate implementation, consequently creating a legal conflict between Spain and the European Union.
Edited by Amedeo de Pretto