Italy’s data protection authority Garante has warned that the European Commission’s digital “green certificates” have privacy problems serious enough to render them invalid in their current form.

The certificates are intended to make travel between the 27 member states easier and safer during the Covid-19 pandemic by showing that the holder has either been vaccinated against the disease, has recovered from it or received a negative test result.

In its formal warning to Italy’s government, Garante says there is no suitable regulatory basis for the introduction and use of green certificates on a national scale.

“[It] is seriously incomplete in terms of data protection, without an assessment of possible risks on a large scale for personal rights and freedoms,” the authority added.

The certificate scheme does not define the purposes for processing data on the health of Italians, leaving room for multiple and unpredictable future uses, it contends. 

“It is not specified who the data controller is, in violation of the principle of transparency, thus making it difficult, if not impossible, to exercise the rights of the data subjects: for example, in the case of incorrect information contained in the green certificates,” Garante said.

Other flaws, as perceived by the DPA, include an excessive use of data on the certificates in violation of the principle of minimisation; the risk that the certificate will contain inaccurate or outdated data with serious effects on an individual’s freedom of movement; no data retention times; and inadequate measures to guarantee integrity and confidentiality.

“Urgent action is therefore needed to protect people’s rights and freedoms,” said Garante.
