Friday, May 3, 2024

Vogon Today

Selected News from the Galaxy

StartMag

Because the Privacy Guarantor criticizes the government and Parliament on the green pass

2 years ago babelfish

Because the Privacy Guarantor criticizes the government and Parliament on the green pass

Privacy Guarantor: the amendment to Law Decree 127/21 is in contrast with the EU Regulation on the Green Pass, which provides for the non-retention of data. Here is the full text of the letter sent to the government and Parliament

+++

To the President of the Chamber of Deputies
Hon. Roberto Fico

To the Minister of Health
Hon. Roberto Speranza

To the Minister of Relations with Parliament
Hon. Federico D'Incà

Distinguished President,

distinguished Ministers,

I am writing to you in relation to some amendments approved, in the Senate, to the bill converting the decree-law n. 127 of 2021 (AS 2394), in relation to the possibility of delivery, by workers in the public and private sectors, of a copy of the green certification, to the employer, with the consequent exemption, from controls, for the entire duration of validity of the certificate (amendments 1.400 and 3.0.4, Commission file). As a result of the postponement, to article 9-quinquies, paragraph 5, legislative decree 52 of 2021, contained in paragraph 5 of article 9-sexies of the same decree-law, the same faculty is foreseen for magistrates.

The provision introduced presents some critical issues, on which further study is desirable, also in view of the examination of the provision at second reading.

In the first place, the envisaged exemption from controls – while the green certification is valid – risks substantially circumventing the overall public health purposes underlying the “green pass” system. It is, in fact, effective for epidemiological purposes to the extent that the certificate is subject to periodic checks on its persistent validity; this is made possible by the constant updating, through the national DGC platform, of the certificates based on any diagnostic results that may have occurred.

The absence of verifications during the period of validity of the certificate would not allow, on the other hand, to detect any positive condition occurred in the holder of the certificate, in contrast, however, with the principle of accuracy which must be informed of the treatment of personal data (Article 5, paragraph 1, letter d) EU Reg. 2016/679). The dynamism and potential variability of the health condition of the subject is therefore difficult to "crystallize" in a presumption of validity of the certification, insensitive to any eventual occurrence and, on the other hand, requires constant updating with corresponding checks.

The new provision, to the extent that it risks precluding the full realization of the health needs underlying the green pass system, therefore also makes the processing of the related data not entirely proportionate (because it is not fully functional with respect to) the purposes pursued.

Furthermore, the envisaged legitimation of the conservation (of copies) of green certifications contrasts with Recital 48 of Regulation (EU) 2021/953 which, in establishing a framework of homogeneous guarantees, also in terms of data protection, for the use of green certifications in Europe, states that "Where the certificate is used for non-medical purposes, the personal data accessed during the verification process must not be stored, according to the provisions of this regulation".

This prohibition is essentially functional to guaranteeing the confidentiality not only of the data on the clinical condition of the subject (in relation to the certifications of successful recovery), but also of the choices made by each one regarding vaccination prophylaxis. In fact, from the data relating to the expiry of the certification it is also possible to easily deduce the assumption of its issue, each of which (swab, recovery, vaccination) determines a different period of validity of the green pass. In this way, therefore, a choice such as that on vaccination – so strongly linked to the intimate convictions of the person – would be deprived of the necessary guarantees of confidentiality, with potentially prejudicial effects in relation to individual self-determination (in relation to the need to avoid possible discrimination due to the choice of vaccines, see also Resolution 2361 (2021) of the Council of Europe).

This potential prejudice is then aggravated by the working context in which it would mature. The expected display (and delivery) of the green certificate to a subject, such as the employer, who should be precluded from knowing the specific subjective conditions of workers such as the clinical situation and personal beliefs, seems in fact not very compatible with the guarantees established both by the data protection regulations, and by the labor law legislation (articles 88 of EU Reg. 2016/679; 113 of Legislative Decree 196 of 2003; 5 and 8 of Law 300 of 1970; 10 of Legislative Decree No. 276 of 2003).

Also in virtue of these requirements, art. 13, paragraph 5, Prime Ministerial Decree of 17 June 2021 and subsequent amendments, expressly provides that "the activity of verifying the certifications does not, in any case, involve the collection of the data of the holder in any form", without prejudice to, with exclusive reference to 'working environment, the processing "strictly necessary for the application of the measures provided for in articles 9-ter, paragraphs 2 and 5, 9-quinquies, paragraphs 6 and following, and 9-septies, paragraphs 6 and following".

In this perspective, the Guarantor also appreciated the provision of the explicit prohibition of conservation of the two-dimensional barcode (QR code) of the COVID-19 green certifications subjected to verification, as well as processing (in the most varied forms), for further purposes, of the information detected by reading the codes and the outcome of the checks.

Nor, moreover, the envisaged right of conservation of the green pass can be considered legitimate on the basis of an alleged implicit consent of the worker who delivers it, considering the underlying right fully available. From the point of view of the protection of personal data (and, therefore, for the purposes of the legitimacy of the related processing), consent in the workplace cannot, in fact, be considered a suitable prerequisite of lawfulness, due to the asymmetry that characterizes the employment relationship. itself (C 43 EU Reg. 2016/679).

Naturally, then, the conservation of the certificates would require the adoption, by the employer, of technical and organizational measures adequate to the degree of risk associated with the processing, with a not negligible increase in the costs (also for public finance, in relation to the public sector) .

Overall, these are profiles worthy of further study which I point out, pursuant to article 57, paragraph 1, lett. c), of Regulation (EU) 2016/679, grateful, also on behalf of the Board of the Guarantor, for the attention that will reserve you, with the widest availability of the Authority, which I represent you from now on, for every collaboration possibly deemed useful.

Pasquale Stanzione

This is a machine translation from Italian language of a post published on Start Magazine at the URL https://www.startmag.it/innovazione/perche-il-garante-privacy-critica-governo-e-parlamento-sul-green-pass/ on Fri, 12 Nov 2021 14:59:02 +0000.