Privacy First call to House of Representatives to block coronapas

Severe violation of fundamental rights

The corona ticket ("coronapas") is a severe violation of numerous fundamental and human rights, including the right to protection of privacy, physical self-determination, physical integrity and freedom of movement in conjunction with other classic human rights such as the right to participate in cultural life and various children's rights such as the right to recreation. Any curtailment of these rights must be strictly necessary, proportionate and effective. With coronapas, however, this has so far not been demonstrated and the required necessity in the public interest is simply assumed. Privacy-friendly alternatives to re-open and normalise society never seem to have been seriously considered.

For these reasons alone, the coronapas cannot pass the human rights test and should therefore be withdrawn. In this context, Privacy First would also like to remind you of countries such as England, Belgium and Denmark where a similar pass was deliberately not introduced or has since been abolished. In the Netherlands, a great lack of public support for the coronapas has emerged in recent days and many thousands of business owners have already let it be known that they will not cooperate. Privacy First therefore expects the introduction of the coronapas to lead to massive civil disobedience and promising lawsuits against the State.

Social exclusion

Moreover, the introduction of the coronapas violates the general prohibition of discrimination, as it introduces broad social distinctions based on medical status. This puts pressure on social life and could lead to large-scale inequality, stigmatisation, social segregation and even possible tensions, as large groups in society will (for various reasons) not want or be able (or not systematically) to get tested or vaccinated, or obtain a digital test or vaccination certificate. Already at our National Privacy Conference in early 2021, Privacy First took the position that the introduction of a mandatory "corona passport" would be socially disruptive. See also this fragment at the National Privacy Conference, 28 January 2021.

See also this fragment on The National Privacy Conference, 28 January 2021.

On that occasion, the Personal Data Authority, among others, took an emphatic stand against the introduction of a corona pass. The aforementioned social risks apply all the more strongly to the vaccination compulsion implied by the corona pass. In this context, Privacy First would like to remind MPs that both the Lower House (on 28 Oct 2020, and 5 Jan 2021) as the Parliamentary Assembly of the Council of Europe have spoken out against a direct or indirect vaccination requirement. In addition, the coronapas will have the potential to set precedents for other medical conditions and other sectors of society, putting pressure on a much wider range of socio-economic human rights. For these reasons, Privacy First calls on you to block the introduction of the coronapas.

Multiple privacy violation

From the perspective of the right to privacy, a number of specific objections and questions also apply. First, the corona pass introduces a mandatory "health proof" for participation in a large part of social life, in flagrant violation of the right to privacy and the protection of personal data. Through the mandatory display of ID proof alongside the coronapas, a whole new identification requirement is created in public places. It removes the existing anonymity in public places, with all the dangers and risks that this entails. Moreover, this new identification requirement raises questions about the authority of an operator to establish a person's identity and assess health status through the coronapas.

In addition, the underlying legislation results in inconsistent application of existing legislation to the same act, namely testing, with far-reaching consequences on the one hand for an important asset like medical secrecy and citizens' trust in that secrecy, and on the other hand for the practical implementation of retention periods while the processing does not change. After all, it should not be the result of the test that determines whether the recording of the testing falls under the Medical Treatment Agreement Act (Wgbo) (with medical secrecy and a 20-year retention period on it) or, on the contrary, under the Public Health Act (with a 5-year retention period), but the act of testing itself. Moreover, the question is why precisely connection to Wpg and/or Wgbo was sought now that it concerns obtaining proof of participation in society and does not involve medical treatment (Wgbo) nor public health task for that purpose. Here, the only possibility for processing personal data for the purpose of obtaining corona proof and for breaking medical secrecy would be the basis permission should be. In this case, however, there cannot be the legally required freely given consent, now that testing and vaccination will be an imperative condition for participation in society.

Privacy requires clarity

Many other issues are and will remain constantly unclear: what data will be stored, where, by whom and in which systems, to what extent will international and European data exchange take place, which parties with which purposes will have access or copy data or put it in huge new, national databases containing our health data? To what extent will personal localisation and identification be possible, or only occasional verification and authentication? Why can test results be kept unnecessarily long? What are the risks of hacking, data breaches, fraud and falsification? To what extent has decentralised, privacy-friendly technologies and privacy by design, open source software, data minimisation and anonymisation? How long will test certificates remain free of charge? Is work already underway to introduce an "alternative digital carrier" besides the CoronaCheck app, namely a chip (card), with all its concerns and risks? Why has there been no independent Privacy Impact Assessment (PIA)? How many times does the country have to accept emergency and emergency laws to plug leaky privacy gaps, when our overstretched and understaffed Personal Data Authority already notes that there is no legal basis for processing? How will adventitious use and abuse, purpose-shifting (function creep) and profiling are prevented, and how is privacy monitoring regulated? Will non-digital, paper-based alternatives always remain available? Why is the "yellow booklet" not accepted as a privacy-friendly alternative, as it is in other countries? What happens at the various testing sites with the test material taken, or everyone's DNA? And when will the coronapas be abolished again? In other words, to what extent is this actually "temporary"?

In Privacy First's view, introduction of the coronapas will only lead to unworkable burdens on entrepreneurs, numerous abuses and major social capital destruction. Privacy First therefore requests you to block introduction of the coronapas. Failing this, Privacy First reserves the right to have the legislation introducing the coronapas tested under international and European law and set aside by the courts. Preparations for such a court case are already being made by us and many others.

An earlier, similar version of this commentary appeared as early as March 2021.