September 25, 2023

Digital health passports: The challenges

Christel Cao-Delebarre, Global Head of Privacy and Group DPO, CWT, believes balancing innovation and regulation is key in the race to introduce digital health passports

In tandem with the pharmaceutical industry competing in the race to produce better and faster Covid vaccines, the travel industry is working at pace to launch Digital Health Passports (DHPs) to get tested and vaccinated people travelling again and the industry back on its feet.

There are a number of players, such as The Common Project, VeriFly and IATA, which are working at breakneck speed to produce an app that enables the storage and processing of certified Covid test results and vaccination status.

IATA is about to launch its Travel Pass. Last month, Emirates became one of the first airlines to announce its partnership with IATA Travel Pass, and other airlines such as American Airlines and British Airways have announced the expansion of health passes available through a partnership with VeriFly.

The sweet spot would be a combination of proof of a negative test and vaccination, with the user’s government-issued ID or “Digital Passport” and biometric liveness verification (facial recognition technology) feeding into health institutions (i.e. those performing the tests and administering the vaccines) to provide irrefutable proof of eligibility to travel to airlines, airports, border control and governmental authorities – and potentially to hospitality and entertainment venues. However, the successful assimilation of each component is complex.

Looking at DHP products specifically, they promise immediate benefits for travellers: the streamlining and facilitation of booking and check-in processes, the end of paperwork shuffling at airports and border controls, the prevention of forgery and ultimately the re-opening of borders and a return to travel. However, in the race to introduce DHPs, there are a number of challenges from a privacy and data protection perspective:

Privacy. DHPs aren’t new. In fact, vaccination certificates for yellow fever, for example, are already regulated as a condition of entry in some countries. However, DHPs will convey sensitive personal health data automatically “tagging” a person as immune or not immune, to lead to a decision as to whether to allow or restrict movement. All of these elements are both sensitive and regulated topics under GDPR and other legal frameworks.

Vaccine effectiveness. We’re at the beginning of the vaccine roll-out and there is no scientific evidence, as yet, that Covid vaccines prevent transmission. Furthermore, most policymakers are yet to adopt a clear position on mandating Covid vaccines and digital certificates, or indeed partnering with stakeholders to define interoperable standards globally.

Data issues. Individual consent isn’t a catch-all solution. Individual consent is often brandished as the ultimate path to granting “total control” to the user over one’s data. However, in the business travel world, traveller consent can rarely act as the legal basis. Post-GDPR, consent has proven to be the weaker or impracticable choice of legal basis, owing to the complexities of new technologies, supply chains and data sharing models.

An impact assessment should be carried out early on. Many data protection laws prescribe that a Data Protection Impact Assessment (DPIA) be carried out at the onset of the development of any new product that poses a high risk to the rights and freedoms of individuals. Any DHP product should therefore ensure that a DPIA is performed in consultation with relevant stakeholders, including regulators and policymakers.

‘Sandboxing’ is an innovative idea that some regulators offer, which consists of accessing regulatory expertise and advice during product development in a safe environment. DHP ‘sandboxing’ is certainly a positive way forward to mitigate a product’s privacy risks, thus contributing to its viability and sustainability, for example when using new technology like blockchain and handling sensitive data on a large scale.

Prototyping and testing DHP products among a small population, being open and transparent during product development and collaborating with relevant stakeholders, are all key ingredients to mitigate privacy risk and to garner social uptake.

In my view, there is no better time to apply the ‘Privacy by Design’ principle to adequately balance innovation versus regulation, because privacy should never be an afterthought.

While DHPs clearly have the potential to benefit travellers and support economic recovery, the products that have integrated privacy-preserving solutions with the upfront endorsement of stakeholders will not only make the cut, but will survive for the long term.