The European Union is currently working towards establishing vaccine passports. The commission emphasized today that a unified strategy for the mutual acceptance of vaccination records is of “paramount importance,” and aims to have “a suitable trust framework” in place by the end of January – “to enable member states’ certificates to be swiftly utilized within healthcare systems throughout the EU and internationally.”

“Vaccination records provide a definitive account of an individual’s immunization history, supporting appropriate medical care and the monitoring of any potential adverse reactions,” the commission stated, further explaining that: “A standardized EU approach to trusted, reliable, and verifiable certificates would allow individuals to employ their records in other member states. While it is currently too early to consider using vaccine certificates for purposes beyond health protection, a unified EU strategy could facilitate other cross-border applications of these certificates in the future.”

The precise format – or formats – of these EU-wide coronavirus vaccine certificates remains undefined at this time, though it is anticipated that both physical and digital versions will be available to ensure broad accessibility.

The specifics regarding the protection of EU citizens’ identity and medical information during vaccination status verification are also yet to be determined. Similarly, the identities of the reliable organizations responsible for storing and managing this sensitive health data are still to be established. These details are forthcoming and may differ between member states, contingent upon the implementation of immunity certification verification systems.

Last week, several technology companies, including Microsoft, Oracle, and Salesforce, announced their participation in a separate, industry-wide initiative to create a universal standard for vaccination status, building upon existing standards like the SMART Health Cards specification, which aligns with HL7 FHIR (Fast Healthcare Interoperability Resources).

This technology-driven effort is advocating for “an encrypted digital copy of [an individual’s] immunization credentials to be stored in a digital wallet of their choosing,” with a printed QR code backup – incorporating W3C-standards verifiable credentials – available for those without or unable to use a smartphone. The announcement also highlighted a “privacy-preserving health status verification” solution that is, at least partially, “blockchain-enabled.”

Currently, no such specific proposals are being put forward for the common EU approach. It appears likely that multiple vaccine credential standards will emerge globally, potentially vying to become a universal standard. (The commission is also promoting its upcoming framework in this regard.)

Any system developed within the EU must adhere to the region’s data protection regulations, which inherently require security and privacy considerations to be integrated from the outset when processing personal information. This could potentially offer greater privacy safeguards than initiatives led by the private sector.

The EU’s eHealth Network – comprising representatives from relevant member state authorities, supported by the broader European Joint Action body, eHAction – will be tasked with defining the minimum data requirements for vaccination certificates used at the EU level, according to the commission.

This must include “a unique identifier and a robust trust framework guaranteeing privacy and security.”

Input from key stakeholders, such as Europe’s Data Protection Supervisor and Data Protection Board, is anticipated, mirroring their involvement last year with coronavirus contact tracing applications.

“The commission will continue to collaborate with member states on vaccination certificates that can be recognized and utilized in health systems across the EU, fully complying with EU data protection laws – and expanded globally through the certification systems of the World Health Organization,” EU officials added, noting that the forthcoming framework will be presented to the WHO “as a potential universal standard.”

Lukasz Olejnik, a Europe-based independent cybersecurity and privacy researcher and consultant, commented to TechCrunch on the challenges of developing privacy-focused vaccination verification, stating: “It is challenging to prioritize privacy by design for this specific [application]. It is uncertain whether there will be interest in exploring innovative privacy-preserving frameworks, such as anonymous cryptographic credentials.”

“Ultimately, we may arrive at an approach utilizing verifiable credentials, but establishing trust will remain a significant hurdle. What will serve as the foundation of trust? Is it feasible to demonstrate a particular status without revealing the user’s identity? These are the central questions.”

“I hope this proposal will be made public and transparent,” he further added regarding the EU framework.

It is important to note that this entire undertaking is somewhat “putting the cart before the horse,” as it remains unconfirmed whether the currently available COVID-19 vaccinations, primarily designed to protect recipients from severe illness, also prevent disease transmission.

Nevertheless, systems for verifying proof of immunization status are being rapidly developed, potentially leading to “vaccine passport” checks for travelers within the EU in the future. It is also conceivable that businesses may request COVID-19 vaccination certification before granting access to premises or services, aiming to reassure customers about their safety – assuming such documentation exists and can be verified in a standardized manner.

Standardized frameworks for vaccination credentials could have substantial implications for personal liberties in the near future, as well as significant ramifications for privacy – depending on how these systems are designed, managed, and operated.

Europe’s privacy and security research community was highly engaged last year as the pandemic prompted initial proposals for coronavirus contact tracing apps, contributing to a push for decentralized exposure notification apps to safeguard individual privacy. However, efforts towards establishing vaccination certification systems have not yet garnered the same level of academic involvement.

In an analysis of the implications of immunity certificates published last month, Privacy International cautioned that any systems requiring proof of vaccination for access to services would be inequitable “until everyone has access to an effective vaccine” – a goal that remains distant.

European countries, among the global leaders in COVID-19 vaccination rollouts, have thus far immunized only a small fraction of their populations. (Despite the commission today urging member states to set targets to vaccinate a minimum of 80% of health and social care professionals and individuals over 80 by March 2021, and at least 70% of the total adult population by summer – targets that appear highly ambitious at this time.)

“Governments must explore alternatives to vaccination schemes that do not perpetuate and reinforce exclusionary and discriminatory practices,” the rights group further urged, also warning that COVID-19 immunity should not be used as a justification for expanding or implementing digital identity schemes.