With more than a million Europeans already holding digital COVID-19 certificates, the debate on so-called “vaccine passports” continues to rage.
But for aviation, the questions are different to, say, those around accessing gyms, indoor sports arenas or restaurants as countries reopen at different levels. By and large, public acceptance of some sort of COVID travel certification — including both vaccination and test status so as not to discriminate based on health status — is relatively high, and certainly high in comparison.
It will not, however, be plain sailing for airlines and other key players within the aviation ecosystem when it comes to implementing this certification for travel. Consider the question of how, for example, an American traveller to France proves their vaccination status, given that the US has no national system for certification beyond the flimsy cards scribbled on by vaccination providers. And what about that perennial bogeyman of airline datasharing and digitalisation, data privacy?
To learn more about the challenges and potential pitfalls, we sat down with independent academic and data regulation analyst Chiara Rustici— and, indeed, in this fast-moving context she notes that her statements about laws and regulations are correct as of 6th June 2021.
“Currently, we have no single universal legal standard or IT architecture” when it comes to global vaccine or testing certification, Rustici explains. In essence, it is left up to individual states, which in some cases — like in the European Union — pool their sovereignty to develop common frameworks.
“The World Health Organisation has now backed away from supporting an IT architecture Global Health Trust Framework,” she says, “recognising that Member States are still expected to decide how they want to implement these systems in their national digital architecture.”
Instead, the WHO has committed only to the Digital Documentation of COVID-19 Certificates (DDCC) specification, which documents either vaccination status, test results, or recent recovery from COVID-19 that gives antibody immunity.
This specification will be in three documents, which appear to correspond to the tripartite approach already used by pathfinder member states and, indeed, the EU. Says the WHO: “These guidance documents will include critical components such as the minimum datasets, expected functionality of digital systems, and preferred terminology code systems. They will also include a section on national digital architecture, recognizing that Member States are still expected to decide how they want to implement these systems. The DDCC specifications will include an HL7 FHIR Implementation Guide (IG), including example software implementations.”
Rustici notes that “the WHO has abstained so far — and will continue to abstain in the future — from specifying potential domestic use cases of their Smart Vaccination Certificate. In practice, however, airlines would do well to study carefully any COVID status certificate standards and how the public encryption keys of the EU Gateway works.
Indeed, and while there is no single universal legal standard or architecture, Rustici says, some actors “aspire to lead the way globally. One such standard is the EU Regulation for Digital COVID Certificates, which combines three possible attestations of your health status in order to facilitate cross border travel.”
Three-part attestations go some way to mitigating equity and public concerns
One of the key questions around the implementation of any kind of certification is that of equity, particularly in terms of age. It is inequitable, for example, to suggest that older age groups — vaccinated first — should have more freedoms than younger age groups. This is a matter of much discussion in various countries, with a recent report from the Tony Blair Institute for Global Change entitled Less Risk, More Freedom generating some controversy in the UK, for example.
Understanding this inequity, Rustici explains, “both the EU and the UK have agreed parallel regulatory efforts establishing a certificate that is a three-part attestation: either that you have had COVID and recovered from it in the last 6 months, or that you have been vaccinated or that you tested negative for the virus in the last 24 hours (rapid test) or 72 hours (molecular test).”
In France, this certification is referred to as the pass sanitaire (in French; English Google translation) and is, from 9 June, both used at the border and for “activities: in other words, to attend an event of more than 1000 people. French people can either load their documentation onto the wallet function of the national TousAntiCovid app, which displays QR codes for scanning at events, or present paper versions of test and vaccination certificates.
In the US, however, Rustici summarises, “the Biden administration rejected early on a federal-level scheme to certify vaccination. The more recent conversation in the US is about domestic use rather than international travel.” This lack of US national-level certification standard is already causing some uncertainty and confusion at borders.
Presentational risks remain high, though, and missteps in the process so far offer many lessons to learn for aviation and the travel industry more widely.
“It was a politicians’ mistake to call it ‘passport’ right from the start, and that name stuck,” Rustici suggests. “Now. many conflate COVID certificates with a form of mandatory digital identity card, and presume that this scheme is centralising their sensitive health data in a large database. An associated fear is that it’s only a matter of time before further, perhaps commercial use of that data is made.”
Decoupling the concerns around big data, and being specific about how data will be used, will be vital for public acceptance, as examples from Australia’s MyHealthRecord in 2018 through to this week’s #GPdatagrab in the UK show.
Aviation needs to mitigate the risk that any key part of the technology stack it uses is seen or can be portrayed — in good faith or bad — as this kind of data grab.
Mitigating this data creep risk and being clear about how data is used will be critical for airlines. To an extent, the work to do so is made somewhat easier by existing data protection regulations, particularly the EU GDPR.
Data protection regulation compliance is vital — but also helpful
“Most initial data protection – and also discrimination – concerns have, in fairness, been addressed by the latest incarnation of the EU Digital COVID Certificate,” Rustici notes.
“We have a sunset clause to allay fears of the scheme morphing into a permanent surveillance structure,” she explains. “The COVID Certificate will automatically be void the moment the WHO declares this pandemic over or after a year from go live date, July 1st, whichever is the earliest.”
Fundamentally, the state-by-state architecture mitigates allegations of any kind of Brussels power grab as well.
“We have a decentralised architecture so no central EU database with health data will be created. Any data ‘remains’ on the certificate and is stored by the Member State that issued an EU Digital COVID Certificate. It will not be stored or retained by the destination country verifying validity and authenticity of the certificate,” Rustici notes.
Equity issues around access to smartphones can also be mitigated by the QR code-based certificate being available via paper, as they are in the EU.
In summary, Rustici advises, “airlines will be in a good position if they follow the EU scheme and act as verifying authorities: it is important they do not request to see additional health data beyond what is covered by the scheme, otherwise they will enter a legal minefield of data collection and retention.”
Chiara Rustici’s views are her own and do not reflect the views of any institution with which she is associated.
Author: John Walton
Published: 17th June 2021
;
