Privacy First position on the draft COVID-19 test evidence bill
It was with great concern that Privacy First took note of the draft bill on COVID-19 test evidence. Under this bill, a negative corona test certificate will become mandatory for access to public places, including catering, events, sports and youth activities, cultural institutions and probably also part of (higher) education, all under penalty of high fines. This puts pressure on everyone's right to privacy.
Severe violation of fundamental rights
The draft bill severely infringes numerous fundamental and human rights, including the right to protection of privacy, physical integrity and freedom of movement in conjunction with other relevant human rights such as the right to participate in cultural life, the right to education and various children's rights such as the right to recreation. Any curtailment of these rights must be strictly necessary, proportionate and effective. However, the current draft bill fails to demonstrate this and simply assumes the required necessity in the public interest. Privacy-friendly alternatives to re-open and normalise society do not seem to have been considered. For these reasons alone, the proposal cannot pass the human rights test and should therefore be withdrawn.
In addition, the proposal violates the general prohibition of discrimination as it introduces a broad social distinction based on medical status. This puts pressure on social life and could lead to large-scale inequality, stigmatisation, social segregation and even possible tensions, as large groups in society will not (or not systematically) want or be able to get tested (for various reasons). The recent National Privacy Conference by Privacy First and ECP also showed that the introduction of a mandatory "corona passport" could be socially disruptive. See also this fragment at the National Privacy Conference, 28 January 2021.
On that occasion, the Personal Data Authority, among others, therefore took an explicit stand against it. Such social risks apply all the more strongly to the indirect vaccination obligation that follows on from the corona test evidence. In this context, Privacy First would like to recall that recently both the Lower House (on 28 Oct 2020 and 5 Jan 2021) and the Parliamentary Assembly of the Council of Europe have spoken out against a direct or indirect vaccination requirement. In addition, the present draft bill has the potential to set precedents for other medical conditions and other sectors of society, putting pressure on a much wider range of socio-economic human rights. For all these reasons, Privacy First strongly advises the government to withdraw this draft bill.
Multiple privacy violations
Moreover, from the perspective of the right to privacy, a number of specific objections and questions apply. First, the draft bill introduces a mandatory "health proof" for participation in a large part of social life, in flagrant violation of the right to privacy and the protection of personal data. Also, the draft bill introduces an identification requirement "at the front door" in public places, in violation of the right to anonymity in public spaces. In addition, the draft bill results in inconsistent application of existing legislation to the same act, namely testing, with far-reaching consequences on the one hand for an important asset like medical secrecy and citizens' trust in that secrecy, and on the other hand for the practical implementation of retention periods while the processing does not change. After all, it should not be the result of the test that determines whether the file falls under the Wgbo (with medical secrecy and a 20-year retention period) or rather under the Public Health Act (with a 5-year retention period), but the act of testing itself. Moreover, the question is why the current draft bill seeks a connection with the Wpg and/or Wgbo if this is only about obtaining a test certificate for the purpose of participation in society (and thus involves neither medical treatment nor a public health task). Here, the only possible basis for processing and for breaking medical secrecy would be consent. In this case, however, the legally required freely given consent cannot exist, since testing will be a mandatory requirement for participation in society.
Privacy requires clarity
Many other issues are still unclear: what data will be stored, where, by whom, and what can be exchanged? To what extent will there be personal localisation and identification, or only occasional verification and authentication? Why could test results be stored for an unnecessarily long time (5 or even 20 years)? What are the risks of hacking, data breaches, fraud and forgery? To what extent will decentralised, privacy-friendly technology and privacy by design, open source software, data minimisation and anonymisation be used? Will test proofs remain free of charge, and to what extent will privacy-friendly diversity and choice in test applications be possible? Is work already underway to introduce an "alternative digital carrier" instead of the CoronaCheck app, namely a chip, with all its risks? How will function creep and profiling be prevented, and how is privacy monitoring regulated? Will non-digital, paper-based alternatives always be available? What happens to the test material taken, or everyone's DNA? And when will corona test certificates be abolished again?
As long as such concerns and questions remain unanswered, tabling this bill makes no sense at all and corona test evidence will only lead to the destruction of social capital. Privacy First therefore again requests you to withdraw the current proposal and not submit it to Parliament. Failing that, Privacy First reserves the right to have it tested in court and declared unlawful.