First published on March 31st 2021.
Since the beginning of the COVID-19 pandemic crisis, the discussion about certificates for vaccines, immunity and negative test results, has been a slowly burning topic. In April 2020, the World Health Organization (WHO) already warned against immunity certificates, at the time because of scientific uncertainty surrounding actual immunity.[1] More recently, the Emergency Committee regarding the coronavirus disease pandemic of the WHO advised against vaccine or other kinds of certificates in relation to international traffic,[2] as was recently repeated by Dr. Michael Ryan as executive director of the WHO’s Health Emergency Program.[3]
Even though the WHO has its hands full in handling the public health and geopolitical consequences of the COVID-19 pandemic, the reluctance of the WHO to proactively set standards for such passports or certificates has not stopped nations from developing them.
Notably, the European Union (27 European countries) has widely announced its plans to introduce a ‘Digital Green Certificate’.[4] In concrete terms, the European Commission has, on March 17th 2021, presented its proposal for a regulation to introduce such a certificate.[5] The EU stated at the same time it remains in contact with the WHO during the development of the Digital Green Certificate.[6] This initiative runs parallel and supranational to (local) initiatives across Europe, such as the one that some cities in Germany have developed using blockchain technology, or the Hungarian ”immunity certificate”.[7]
“The WHO needs to be in the driver’s seat for this intrinsically global reaching issue.”
Meanwhile, Israel is issuing COVID-19 vaccine certificates to Israeli citizens, and private businesses are already relying on those to grant access to events a.o.[8] The United States of America is also considering federal certificates or passports, for travel and other purposes.[9]
The WHO cannot fall behind and needs to set minimum standards.
We would like to follow up on the proposal of Eskild Petersen and others to extend the use of the WHO International Certificate of Vaccination or Prophylaxis (‘Yellow Card’) to include COVID-19 vaccinations, and argue for streamlining the use for international travel and other purposes.[10] The World Health Assembly of May 2021 would, according to the authors, be the proper time to reach a global compromise on the matter.[11] Said otherwise, the WHO needs to be in the driver’s seat for this intrinsically global reaching issue and update its International Health Regulations to include COVID-19 vaccine certification standards.
The WHO has stated in a position paper in the beginning of 2021 it wants to make use of the Yellow Card to include the COVID-19 vaccination status, but that it is “premature” to introduce it.[12] In the meanwhile, the WHO has put into place a “Smart Vaccination Certificate Working Group” to ascertain its global overview, as well as interoperability support, by means of a consortium.[13] While finishing this blogpost, a document that contains “interim guidance for developing a smart vaccination certificate” was published by the WHO – likely as a direct response to several initiatives in this regard by its members (i.a. EU countries).[14] Even though this document already clarifies a lot of issues (mainly technical ones), we are convinced the content of this blogpost remains relevant to bring global issues under further scrutiny.
The WHO mustn’t wait any longer to put its own standards out there.
Digitalisation, counterfeit and data storage. What are the cyber security & data protection challenges?
Authorities and academics have already pointed out the counterfeit and fraud problems with COVID-19 test and vaccine certificates.[15] Likewise, there are potential issues with fake medicines and devices circulating, linked to the vaccination campaign.[16] Digitalization will be a condition for effective and practically usable certification standards. Our belief is that the mere extension of the use of the paper Yellow Card as a condition for international travel won’t be acceptable for many countries. We are well aware that digitally linking certifications will be an issue for countries still facing challenges in digital development (infra, discrimination issues).
It seems the WHO is already convinced of digital vaccination certificates, if we may believe its webpage of the Smart Vaccination Certificate Working Group. [17]
“Digitalization will be a condition for effective and practically usable certification standards.”
Whereas the use of paper-only COVID-19 certificates would be a dream in terms of cyber security and data protection, digitally linked Yellow Cards would bring major challenges in these areas. In this regard, we feel comfortable referring to the European Commission’s current proposal with regard to the Digital Green Certificate, which excludes central (ergo: on an EU level) storage of health data – including the vaccination status – for the purpose of the Digital Green Certificate while reaffirming the European principle of data minimisation.[18]
This type of decentralization and local data storage brings other issues, such as the need for reciprocal trust amongst countries to properly store and update the personal data for the purpose of a COVID-19 vaccine certificate. Here, also, the WHO needs to issue guidelines to nations with regard to what data can be stored (compare: Annex 1 Digital Green Certificate Proposal), which cybersecurity measures and quality control measures (such as external audits) should be taken, what the purpose of the personal data is limited to etc.
For the sake of simplicity, we will call the set of standards and digital measures issued by the WHO for COVID-19 vaccine certificates: the Digital Yellow Card.
Documents carrying the vaccination data: Could there be a role for ID cards or passports?
At present, vaccination certificates are (being) put in place for yellow fever and COVID-19. However, it is not inconceivable that in the near future we will be faced with another pandemic against which a vaccine is the main way out. In this scenario, it is likely that some kind of vaccination certificate will be introduced again, in order to allow free travel and movement as much as possible. The most accessible solution in this case may be the integration of the vaccination status for different preconditions into one single document linked to the individual human being.
At first sight, an ideal application for this seems to be the electronic identity card. As an example of international harmonization efforts in this regard, the eIDAS Regulation can be mentioned. This regulation provides a legal basis for using national electronic identity cards across national borders within Europe, and a framework for a secure and efficient way to prove one’s identity in the European Union.[19] Nevertheless, significant practical difficulties remain before it will be possible to include the vaccination status in this document. While the regulation imposes an obligation on Member States to recognize other Member States’ eID’s, there is no current obligation in the opposite direction – Member States are therefore still free to continue to use a paper-based identity card.
In addition, the regulation is primarily aimed at the public sector. Private companies have the option of voluntarily joining the European regulation for identification purposes, but this is not an obligation. [20] Finally, the regulation is European in scope, whilst this system can only work optimally if electronic identity cards become a global feature. As indicated through this paper, there are still many problems concerning the interoperability of paper and electronic vaccination passports and their respective reading devices at the moment – this is no different for identity cards.
“The fact that there are currently too many national differences in the use of (electronic) identity cards and (electronic) health cards makes it, in our opinion, not (yet) suitable to include the vaccination status.”
In addition to the identity card, several countries also have health cards,[21] a document that collects health information from citizens. Although this document seems to be more suitable in terms of content to reflect a vaccination status, the difference with an identity card is that this is not a universally known document. In Belgium, for example, the so called SIS-card has been repealed and integrated in the eID, or replaced by the ISI+-card for people who do not possess an eID.[22] As long as not universally known, the health card does not offer enough added value for the display of a vaccination status.
The fact that there are currently too many national differences in the use of (electronic) identity cards and (electronic) health cards makes it, in our opinion, not (yet) suitable to include the vaccination status. The Digital Green Card and/or Yellow Card are indeed only valid for one type of vaccine, but show fewer problems in terms of interoperability at present. A mixed system, where the vaccination status is displayed on the document available to the person concerned (ISI+, eID or other) seems to be a good interim solution.
What about equity? Discriminatory issues at a glance
The introduction of a digital certificate, such as proposed by the EU, raises many problems in terms of non-discrimination, both from a micro and a macro perspective. It is not the intention of this brief discussion to review all of them, but we will limit ourselves to listing the most obvious.
Notably, one of the main problems is recognising a special status for people who, despite being vaccinated, do not develop immunity. This group of people can be divided into two sub-categories: individuals who, due to a personal medical condition, do not respond to the vaccine despite having any contraindications for it (non-responders), and those who do not develop antibodies due to the inherently limited effectiveness of the vaccine. For the second category of people, it would be unfair to not provide them with the Digital Green Certificate because of a detected non-immunity that is certainly not dependent on the person. On the other hand, the doubts about the non-responders’ status are manifold and of a nuanced ethical-legal nature. The choice here is between allowing these people to be vaccinated, foreseeing the vaccine’s ineffectiveness, and providing them with the relevant certificate, putting them on a par with other potentially non-immune people. The other option is to let these people fall into a wider grey area, including all those who, by choice or not, must undergo quarantine and testing. Whatever the choice made, the protection to be granted to them should avoid inequalities based either on a privileged status and therefore unequal treatment of others (a kind of reverse discrimination) or an excessive burden of proof regarding their health status. The recognition to conferred should circumvent foreseeable discriminations and give them a status from which they can benefit anywhere, without restricting their free travel and movement.
“Opting for an utterly paper-based certification would not appear to be without problems linked to the principle of non-discrimination either.”
Another problem in terms of non-discrimination stems from the digital nature of the Digital Green Certificate. If a simple scan of a QR code seems to open the door to public events and much-needed travel, in reality, these opportunities would remain a privilege granted to a few. According to estimates, about 30% of the population in Europe[23] does not have a smartphone, thus disadvantaging non-users from accessing the benefits granted to holders of the digital certificate. However, the debate is already raging about the proposal of alternative or additional methods[24] to compensate for the lack of devices connected to the internet, suggesting the use of tools based on facial recognition to track vaccinated people or those tested negative or otherwise immune. There is no need to dwell on the fact that such a strategy does not solve the problem but shifts the spotlight to other important criticisms from the point of view of non-discrimination arising from facial recognition[25]. On the other hand, opting for an utterly paper-based certification would not appear to be without problems linked to the principle of non-discrimination either. Such a decision would, in any case, require private individuals to have devices connected to the Internet and capable of printing the certificate (raising issues relating to counterfeiting) or further administrative efforts to distribute it on paper.
As already mentioned, issues concerning non-discrimination can also be analysed from a macro perspective. In addition to the problems posed by the digital divide between individuals, similar concerns also fall upon individual countries. Indeed, it is clear that even countries themselves may find it difficult to enforce restrictions based on a fully digitalised system. This first point only exacerbates and deepens a gap that is already sufficiently and dangerously marked between developed and developing countries. The discrepancy that is deepening between countries is also and primarily identifiable in terms of the allocation of vaccines. A commendable initiative that underlines the importance of organisations, such as the WHO, in harmonising non-convergent and individualistic national and international initiatives is COVAX. COVAX scope is to ensure access to COVID-19 vaccination to people in all corners of the world, providing donor-funded vaccines to lower-income countries. Similar initiatives should be taken at the global level to mitigate the large differences, such as the digital divide, between developing and rich countries, and thus be able to tackle this struggle on their own. The COVAX should be seen as an inspiring initiative, demonstrating how winning the battle at Covid means concerting the efforts, leaving no-one behind.
The mutual recognition challenges
The blossoming of regulatory initiatives for vaccination certificates by international bodies, as the EU proposal, poses considerable harmonisation problems. While creating agreed areas in which to return to the full enjoyment of everyone’s rights, these sectorial efforts need to be concerted to have consistent and easily knowable regulations. It seems desirable to harmonise vaccination certificates structural requirements, safety standards, and access requirements (i.e. recognised vaccines).
To keep things simple, it would be desirable the International Health Regulations of the WHO foresee a framework in which the WHO has the final say in the recognition of a vaccine for certification in the Digital Yellow Card scheme. The WHO could perhaps foresee an exception scheme for countries that want to do their own analysis of the vaccine. But as a rule, the WHO analysis would be authoritative and binding, and countries should only be able to deviate from that analysis if they have divergent scientific evidence. Ergo, refusal of the recognition of certification of certain vaccines should not be accepted on geopolitical grounds.
Practical issues with the Digital Yellow Card
The Digital Green Certificate Regulation proposal does not specify in which cases the Digital Green Certificate can be used, but only imposes equal treatment for all EU citizens. If a Member State accepts a negative test or proof of antibodies for its own citizens, it must also do so for citizens of other Member States.[26]
“Measures will have to be taken in any case, in order to ascertain only authorized persons can check the necessary and up to date vaccination – or other relevant – status.”
This has several consequences of importance for the integration of the Yellow Card. Firstly, while the Digital Green Certificate can also be used for private purposes (such as access to a hotel or mass event), Yellow Cards however are at the moment only used at border control. A second important difference in this area is the ways in which a negative result can be proven. While the Yellow Card only shows a vaccination status,[27] the Digital Green Certificate can also show a negative test result or proof of immunity through antibodies. Finally, the renewability of the certificate should also be taken into account: while a vaccination against yellow fever is valid for life, the immunity obtained after a COVID-19 vaccine will fade after some time, so it is likely that a new vaccine will have to be obtained after this period.
As a result, if a Digital Yellow Card would be introduced, measures will have to be taken in any case, in order to ascertain only authorized persons (public or private) can check the necessary and up to date vaccination – or other relevant – status. This makes the case for an electronic form all the more compelling.
Conclusion
The WHO mustn’t wait any longer to put forward its own standards.
The risk is that many countries will have introduced certificates that wouldn’t live up to the WHO’s standards. Even if vaccine certificates could be currently useless for international travel in certain countries that follow WHO guidance, because the organization believes it’s unfair and discriminatory to already introduce the certificates, there is no reason to linger. If the WHO is in the driver’s seat, it can aim to avoid (the most excessive) discriminatory effects and geopolitical tensions resulting from issues surrounding reciprocity. It can also set the standards in terms of data protection and cyber security, and issue guidance in terms of what documents (ID’s, passports) could be usable for the practical side of a ‘Digital Yellow Card’.
“The certificates will come in any case, in fact, they’re already here.”
Academic scholars arguing against certificates, citing i.a. major discrimination and data protection concerns, are absolutely making valuable points, such as the limited access to vaccines at this point (March 2021) and the dominant buy-up of those vaccines by developed countries. However, the existing initiatives and proposals have shown that the political pressure – mainly originating from economic interests, but also the public opinion wanting to break free from quarantine measures and travel restrictions – is very high.
The certificates will come in any case, in fact, they’re already here. It’s in the interest of every citizen of the globe to streamline this via the WHO – and avoid major discriminatory and other excesses. A Digital Yellow Card should be the way to go.
[This blogpost does not seek to offer a conclusive answer to the issue of global COVID-19 certification. It does however pitch some ideas in a simple, accessible and readable text at this point of the pandemic.]
Authors: Pieter De Smet, Sofia Palmieri and Paulien Walraet, PhD researchers in Health Law and Health Privacy Law at Ghent University and members of Metamedica.
Key words: World Health Organization, Digital Green Certificate, European Union, global health, discrimination, mutual recognition of certificates, private use of certificates, data protection, cyber security, digitalization.
References
[1] WHO communication, April 24th 2020, available at: https://www.who.int/news-room/commentaries/detail/immunity-passports-in-the-context-of-covid-19.
[2] WHO Statement, January 15th 2021, available at: https://www.who.int/news/item/15-01-2021-statement-on-the-sixth-meeting-of-the-international-health-regulations-(2005)-emergency-committee-regarding-the-coronavirus-disease-(covid-19)-pandemic.
[3] Youtube clip by CNBC, March 17th 2021, available at: WHO warns against developing vaccine passports, fears it will create inequities.
[4] Politico EU report, March 1st 2021, available at: https://www.politico.eu/article/commission-to-propose-digital-green-pass-for-travel-this-month/;
The New York Times report, March 1st 2021, https://www.nytimes.com/2021/03/01/world/eu-vaccine-passport.html.
[5] European Commission, Proposal for a Regulation of the European Parliament and of the Council on a framework for the issuance, verification and acceptance of interoperable certificates on vaccination, testing and recovery to facilitate free movement during the COVID-19 pandemic (Digital Green Certificate), COM(2020)130 final, March 17th 2021 (hereafter: Digital Green Certificate Proposal), available at: https://ec.europa.eu/info/live-work-travel-eu/coronavirus-response/safe-covid-19-vaccines-europeans/covid-19-digital-green-certificates_en; The European Association of Health Law has organised a webinar on this proposal shortly after its release – the presentations are available at: https://eahl.eu/reports/webinar-covid.
[6] On the European Commission website this is written as follows: “the Commission is working with the World Health Organization to ensure that certificates issued in the EU can be recognised elsewhere in the world as well.”
Note that the proposal also includes recitals and provisions linking the EU’s legislative policies to the WHO policies, but this is not the theme of this blogpost; the proposal, along with the guiding communication, available at: https://ec.europa.eu/info/live-work-travel-eu/coronavirus-response/safe-covid-19-vaccines-europeans/covid-19-digital-green-certificates_en (accessed on March 18th 2021).
[7] M. BECKER, S. BECKER, P. BEUTH, J. FRIEDMANN, M. ROSENBACH, C. SCHMERGAL, Tinte statt blockchain, Der Spiegel, March 6th 2021, ed. 10, 32-33; Hungary Today report, March 12th 2021, available at: https://hungarytoday.hu/hungary-issue-coronavirus-immunity-certificate-vaccination-infected-govt-jab/.
[8] Government website Israel: https://corona.health.gov.il/en/directives/vaccination-certificate/ ; The New York Times Podcast reporting on the situation in Israel mid-March, referring to concert access via vaccine certificates, March 15th 2021, available at: https://www.nytimes.com/2021/03/15/podcasts/the-daily/israel-vaccinations-coronavirus.html.
[9] Politico USA report, March 17th 2021, available at: https://www.politico.com/news/2021/03/17/vaccine-passports-ethics-biden-administration-476384.
[10] E. PETERSEN et al., “COVID-19 vaccines under the International Health Regulations – We must use the WHO International Certificate of Vaccination or Prophylaxis, March 1st 2021, available at: https://www.ijidonline.com/article/S1201-9712(21)00050-3/abstract.
[11] Ibidem.
[12] WHO Interim Position Paper, Considerations regarding proof of COVID-19 vaccination for international travellers, February 5th 2021, available at: https://www.who.int/news-room/articles-detail/interim-position-paper-considerations-regarding-proof-of-covid-19-vaccination-for-international-travellers.
[13] WHO informative webpage on the Smart Vaccination Certificate Working Group, available at: https://www.who.int/groups/smart-vaccination-certificate-working-group/about.
[14] WHO Interim guidance for developing a Smart Vaccination Certificate, March 19th 2021, available at: https://www.who.int/publications/m/item/interim-guidance-for-developing-a-smart-vaccination-certificate.
[15] Europol communication on the illicit sales of false negative COVID-19 test certificates, February 2021, available at https://www.europol.europa.eu/early-warning-notification-illicit-sales-of-false-negative-covid-19-test-certificates: S. BRENT et al., “International travel between global urban centres vulnerable to yellow fever transmission”, Bulletin of the World Health Organization, April 11th 2018, available at: https://www.who.int/bulletin/volumes/96/5/17-205658/en/; general overview of issues in S. VANDERSLOTT and T. MARKS, “Travel restrictions as a disease control measure: Lessons from yellow fever”, Global Public Health Journal, August 10th 2020, available at: https://www.tandfonline.com/doi/full/10.1080/17441692.2020.1805786?scroll=top&needAccess=true.
[16] For example, the United Kingdom has established a central notification point for “counterfeit or fake medicines or medical devices, including coronavirus testing kits” through a government website: https://coronavirus-yellowcard.mhra.gov.uk/.
[17] WHO informative webpage on the Smart Vaccination Certificate Working Group, mentioning it is exploring “standards for digital vaccination certificates, architected to linkage to national and cross-border digital systems”(own underlining) available at: https://www.who.int/groups/smart-vaccination-certificate-working-group/about.
[18] Specifically article 9, recitals 37 to 40 and annex 1 of the Digital Green Certificate Proposal. See also explanatory memorandum Digital Green Certificate Proposal, medio p. 3.
[19] Regulation 910/2014 Of the European Parliament and of the Council of 23 July 2014 on electronic identification and trust services for electronic transactions in the internal market and repealing Directive 1999/93/EC, O.J. L. August 28th 2014, 73-114, available at https://eur-lex.europa.eu/legal-content/NL/TXT/?uri=CELEX%3A32014R0910.
[20]European Commission webpage on eID, available at: https://ec.europa.eu/cefdigital/wiki/display/CEFDIGITAL/eID ;
H., GRAUX, Verordening elektronische en vertrouwensdiensten eIDAS gepubliceerd, October 12th 2014, available at: https://www.timelex.eu/nl/blog/verordening-elektronische-identificatie-en-vertrouwensdiensten-eidas-gepubliceerd.
[21] This should not be mistaken with the European Health Insurance Card (EHIC), see the informative webpage, available at: https://ec.europa.eu/social/main.jsp?catId=559.
[22] BALES, S., “The introduction of the electronic health card in Germany”, Bundesgesundheitsblatt Gesundheitsforschung Gesundheidsschutz 2005, 48 (7). 727-731; SENBRITZKI, J., “Use and Development of Health Cards in Europe”, available at: https://library.ahima.org/doc?oid=59461#.YFi8rp1KiUk; Belgian administration webpage on the disappearance of the so called ‘SIS-kaart’, available at: https://www.riziv.fgov.be/nl/themas/kost-terugbetaling/verzekerbaarheid/Paginas/SIS-kaart-zal-geleidelijk-verdwijnen.aspx#Vaarwel_SIS-kaart.
[23] New Zoo Trend Report, available at: https://newzoo.com/insights/trend-reports/newzoo-global-mobile-market-report-2019-light-version/.
[24] Related links: “https://www.techrepublic.com/article/facial-recognition-executive-talks-vaccine-passports-data-privacy-and-surveillance/”https://www.techrepublic.com/article/facial-recognition-executive-talks-vaccine-passports-data-privacy-and-surveillance/
https://www.computerweekly.com/opinion/Vaccine-passports-highlight-social-impact-of-systems-design
https://www.openaccessgovernment.org/preventing-fraud-in-vaccine-passports/106342/
[25] Criticisms expressed in January 2021 by the Council of Europe, available at https://www.coe.int/it/web/portal/full-news/-/asset_publisher/y5xQt7QdunzT/content/facial-recognition-strict-regulation-is-needed-to-prevent-human-rights-violations-?_101_INSTANCE_y5xQt7QdunzT_languageId=en_GB.
[26] Arts. 5(5), 6(5), 7(5) Digital Green Certificate Proposal.
[27] Amendment of 11 July 2016 on the International Health Regulations (2005), Annex 7.