On 21 March 2021, the European Commission published a proposal for a Regulation introducing a framework for the issuance, verification, and acceptance of interoperable certificates to citizens on vaccination, testing, and recovery to facilitate free movement during the COVID-19 pandemic. In addition, on 17 March 2021, the European Commission published a second proposal for a Regulation on a framework for the issuance, verification and acceptance of interoperable certificates on vaccination, testing and recovery to third-country nationals legally staying or residing in the territories of Member States during the COVID-19 pandemic.

On 6 April 2021, the European Data Protection Board (EDPB) and the European Data Protection Supervisor (EDPS) adopted a joint opinion on these Proposals for a Digital Green Certificate, looking at the aspects of the proposals relating to the protection of personal data. The EDPB and EDPS underline the importance of being consistent with the General Data Protection Regulation (GDPR) and complying with the principles of necessity and proportionality. While the EDPB and EDPS acknowledge the need for a comprehensive legal framework to remove restrictions on the right to free movement, which was adopted to fight the COVID-19 pandemic, they underline the need to mitigate the (unintended) risks that may result from use of the framework, e.g., any use of personal data exceeding the intended purpose of facilitating free movement between the EU Member States.

The EDPB and EDPS recommend better defining the purpose of the Green Digital Certificate and providing a mechanism to monitor the use of the certificate by Member States. Furthermore, the proposed Regulation should expressly stipulate that access and subsequent use of the data by Member States is not permitted once the pandemic is over and define the end of the pandemic. Its scope should be limited to the current COVID-19 pandemic as well as to the purpose of facilitating the free movement of persons in the current situation.