Once the campaign of vaccination of the public in Belgium gets under way next week, the names of all of those who have been vaccinated will be entered into a database held by the government, a proposed new law has revealed.
The storage of data of anyone who has been vaccinated is being described as a service for the public, to allow them to present a certificate of vaccination to anyone who may demand it. Examples include the authorities of other countries who require visitors to show a certificate to enter the territory and escape quarantine.
“This system already exists in Flanders and will be available in Brussels and Wallonia in a few weeks. It is under development,” Caroline Leys, spokesperson for the corona commission of the federal government told news agency Belga.
“The tool will be personal and individualised, and personal data will be protected,” she said.
However the Data Protection Authority (DPA), formerly known as the Privacy Commission, has other ideas.
In an opinion published on 18 December, shortly before the authority closed down until the new year, the authority immediately raises a red flag:
“The creation/extension of a centralised vaccination database, which is a large-scale
processing of, among other things, special categories of sensitive personal data (in this case
health data) […] undoubtedly constitutes considerable interference in the right to protection of personal data,” the DPA states.
“The Authority recalls in this regard that each interference in the right to respect for the protection of personal data, and certainly where significant interference is involved, is permitted only if necessary and in is proportionate to the goal (or goals) pursued.”
The opinion goes on to criticise the lack of any specific purpose outlined for the collection of personal data on those vaccinated. If people’s personal information is to be taken and stored, the law states, there has to be a valid purpose, and people need to be informed in advance as to what that purpose is.
The opinion takes up 19 pages, but the gist is contained in one paragraph:
“The Authority notes that the draft does not sufficiently meet the requirements of clarity and foreseeability of the standard in terms of content,” meaning the legal protections of data already laid down are not being respected by the draft law presented by the government.
“The web platform will provide access to a small digital card of their vaccines, on a personal basis, and then print their vaccination certificate if necessary. Everything will be recorded in this system, along with all the other vaccines. Thus, this will provide a direct overview of a person’s vaccination situation,” explained Caroline Leys of the corona commission.
The very fact that ‘everything’ is being recorded, without the need for the overview being adequately explained, is the core of the DPA’s objections.
The opinion will be considered when business resumes in the new year. While the opinion is not binding on the government, unless the objections are taken into account, the problems could form the basis of legal challenges in the future – in the first instance before the Council of State, which has the power to demand, rather than advise, that changes be made.