Austria's winding road to a lawful Digital Green Certificate

What is a Digital Green Certificate and how does it work?

The Digital Green Certificate is intended to prove COVID-19 vaccination, a negative test result or recovery (i.e. "epidemiological harmlessness") wherever such proof is required (e.g. vis-à-vis controlling authorities such as the Border Police, event organisers, accommodation facilities, airlines, restaurants, sports venues, recreational facilities, etc.). Following a proposal of the European Commission, the Europe-wide green certificate is designed to standardise the use of the digital certificates of all EU Member States.¹

The certificate works by the controlling authority scanning a QR code containing a unique digital signature. Every certificate-issuing body (e.g. a testing centre, hospital, health authority, etc.) has its own digital signature key, with which it stores information about vaccination, test results or recovery from COVID-19 in a certificate which in turn can be analysed by the controlling authority. By presenting this certificate, it will be possible for the owner to travel, visit recreational facilities, go to restaurants, etc.

Austria's plans: widespread criticism, lawful solution?

Austria intends to implement the Digital Green Certificate even before the other EU Member States and to exceed the intended scope of application. The EU regulation is expected to enter into force on 1 July 2021, enabling mutual recognition of certificates throughout Europe. Austria aims to start using the national green certificate as early as the beginning of June. In addition to the intended European use to enable Intereuropean freedom of travel, the Austrian government also plans to use this certificate to replace the national vaccination card and as evidence for entry and exit tests from high-risk regions. In the first proposal for the certificate's domestic legal basis, the Minister of Health was to be authorised to link and process data related to health, social status, employment and education (e.g. frequency and duration of sick leave, highest completed education, graduation year, time of unemployment, income, work location, etc.) of vaccinated or recovered people living in Austria for the purpose of epidemiological surveillance and monitoring the effectiveness of the measures against COVID-19.² Moreover, data from the national vaccination register and from the register of notifiable diseases should have been combined and processed for the purpose of "outbreak and crisis management" by order of the Minister of Health. According to the proposal, an online verification process of certificates was to be implemented, making it possible to create movement profiles of people by simply analysing the IP addresses of the controlling bodies. This has naturally drawn massive criticism from domestic data protection activists.³ From a constitutional law point of view, critics also note that the equal treatment of tested, vaccinated and recovered persons is not objectively (i.e. scientifically) justified, and therefore not sufficiently substantiated, and may be subject to repeal by the Austrian Supreme Court.⁴ In addition, critics stated that the planned numerous authorisations for requesting data for the Minister of Health are only vaguely determined and may therefore not be constitutional.⁵ Moreover, it remains unclear whether there is sufficient justification to implement an Austrian digital certificate, i.e. if it is the most suitable and lenient remedy, because a national vaccination card (in which all a person's vaccinations are registered) already exists and no such certificate is required for travel within Austria.

After widespread criticism from various stakeholders during the legislative review process (in which people and entities are invited to issue formal notes of criticism to the legislator, of which a total of more than 16,000 were submitted⁶), the government decided to change the proposed text and to refrain from the online verification of certificates and from linking data from different databases, only allowing the combination of data from the vaccination register and the register of notifiable diseases. A few vague authorisations for the Austrian Minister of Health to request data at will have also been eliminated. On 26 May, the Austrian Parliament agreed on the renewed version of the governmental proposal.

The Austrian Digital Green Certificate has thus obtained a legal basis, but it remains to be seen whether the concerns about its vagueness and constitutionality will lead to a review or even to its annulment by the Constitutional Court of Austria. Most critics agree that it would probably have been better to wait for the legal framework from the EU and to implement the certificate along with the other Member States to the extent envisaged.

¹ https://eur-lex.europa.eu/resource.html?uri=cellar:38de66f4-8807-11eb-ac4c-01aa75ed71a1.0024.02/DOC_1&format=PDF (accessed on 18 May 2021).
² Ministerialentwurf vom 12 May 2021 - 122/ME XXVII. GP.
³ Cf https://epicenter.works/sites/default/files/epicenter.works_-_epig2021.pdf; https://www.bmj.gv.at/themen/datenschutz/datenschutzrat/stellungnahmen/stellungnahmen-des-datenschutzrates-2021.html.
⁴ Die Presse-rechtspezial 26 May 2021, 5.
⁵ https://epicenter.works/sites/default/files/epicenter.works_-_epig2021.pdf, 5 et seq. (accessed on 21 May 2021).
⁶ https://www.parlament.gv.at/PAKT/VHG/XXVII/SNME/SNME_109265/index.shtml (accessed on 19.05.2021).

author: Florian Terharen