Italian DPA signals critical privacy issues for vaccination pass

According to the Italian Data protection authority (Garante per la protezione dei dati personali), the decree that was recently adopted by the Italian government introducing the so-called ‘green pass’, or vaccination pass, is fraught with major criticalities such as to undermine – in the absence of the required amendments – the soundness and operation of the arrangements to lift travelling bans during the pandemic. Urgent measures are accordingly required to protect rights and freedoms of natural persons. The Italian DPA highlights that the so-called ‘Italy Reopens’ decree does not provide a suitable legal basis to introduce and regulate a nationwide green pass and it is affected additionally by several data protection shortcomings including the lack of any assessment of possible large-scale risks for the rights and freedoms of individuals. Contrary to the requirements laid down in the EU General Data Protection Regulation, the decree does not specify the purposes of the processing of health data and paves the way in this manner to multifarious, utterly unforeseeable future applications that are potentially in conflict with similar EU-wide initiatives. No mention is made of the controller of the processing at issue, which is in breach of the transparency principle and hampers or downright prevents exercise of data subjects’ rights – for instance, in case inaccurate information is contained in a green pass.