Covid-19 Vaccine Passports and Their Impact on Privacy and Autonomy

COVID-19 Vaccination Passport. Photo by @lukassfr/Unsplash -

Share this Post

Authors: Oskar J. Gstrein and Dimitry Vladimirovich Kochenov


While most regions of the world are still struggling to get their hands on vaccines to protect themselves from the persistent threat of COVID-19, some countries such as Israel and the United Kingdom seem to make remarkable progress in their inoculation efforts. As of March 2021, a relatively large part of the population in these two countries has either been vaccinated or already suffered through the disease. This changed situation evokes the question whether this group of seemingly protected people should be allowed to go back to ‘normal’.

Since 21st of February the ‘green pass’ allows the vaccinated and recovered in Israel access to gyms, hotels, swimming pools, concerts, and places of worship. In the meanwhile, countries such as the United KingdomAustraliaDenmarkGermanyGreeceSweden and others have announced to consider the use of such immunity certifications, or vaccine passports. On March 1st, the President of the European Commission, Ursula von der Leyen announced that the bloc will consider the introduction of a ‘Digital Green Certificate’ to provide proof of inoculation, test results of those not yet jabbed, and information on the holder’s recovery. An initial assessment of the proposal presented on 17 March comes to the conclusion that this standardization effort has no direct connection to health safety and includes many gaps when it comes to concrete technical implementation. It remains to be seen how this attempt to restore free movement will mature in the European Parliament before summer, when it is supposed to be applied in practice.

The introduction of digital vaccine passports is the next wave of technology to fight the pandemic. It follows digital contact tracing apps, remote self-evaluation of symptoms, use of telecommunication and internet usage data for real-time surveillance and many others. Equally, it raises ethical, legal and social questions that we describe and discuss in more detail here. In this short commentary we focus on the introduction of vaccine passports from the perspectives of surveillance, data protection and privacy, as well as autonomy.

Potential Pitfalls for Democratic Values

Encroaching Surveillance Patterns

Starting with surveillance, the increased desire of governments across the world to collect (personal) data to better understand the development of the pandemic is well documented. While some developers promise that vaccine passports will ‘die’ with the decline of the virus, lessons from recent history point in a different direction. For example, the 9/11 attacks in New York came with the introduction of bulk surveillance capabilities, and a seemingly never ending ‘war on terror’, that ultimately provided the ground for the Snowden revelations in 2013. This is only one instance showing that once a large scale ‘surveillance assembly’ is in place, it is very difficult to effectively regulate the use of it, and avoid mission creep. It is concerning that countries such as China and Israel had little public and transparent discussion on their comprehensive use of data to tackle the pandemic prior to the introduction of intrusive surveillance regimes. More concretely, China has rolled out one of the most invasive tracking systems (Health Code or ‘jiankangma’) that requires users in many provinces to constantly share their location via smartphone and log their movements in central public and private places by scanning a QR code. While Israel also carried out invasive surveillance during the pandemic, the question looms whether the quick access to vaccines was enabled by sharing data with the supplier. Both parties acknowledge the sharing of data, but deny privileged access. In conclusion, considering the shaky track record of these and other nations in using data to mitigate the pandemic, the question is: What will happen with these practices once the pandemic is over, if it is ever officially over?

Protecting Sensitive Personal Health Data

Turning to data protection and privacy, the very elaborate and broad discussion on the rapid adoption of digital contact tracing apps and similar technologies has led to the development of a set of several useful principles which include voluntary use, purpose limitation, data minimization, the development of an exit strategy, transparency, as well as privacy and data protection by design and by default. Several of these data protection related principles overlap with what has been stated in the previous paragraph. Hence, before deploying vaccine passports, governments should carry out comprehensive impact assessments in order to be able to scrutinize whether these principles are being respected and protected, which in turn could make the technology more trustworthy. The importance of carefully considering issues of privacy and security was recently demonstrated by a case in Switzerland, where vaccination data of up to 400.000 people became accessible to hackers before the platform was taken offline.

Autonomy: the individual and the collective

When it comes to autonomy there are two perspectives which require attention. First, from a collective perspective many governments are highly dependent on the cooperation of large technology companies when rapidly rolling out new technologies such as digital contact tracing apps (see here p. 34-40). In Europe in particular, where the question of ‘digital sovereignty’ gains increased attention, the European Data Protection Supervisor has already raised concerns about data from vaccine passports leaving the bloc.

From an individual perspective, it remains to be seen how the introduction of vaccine passports by different sectors such as the aviation industry will indirectly influence the autonomy of individuals. Even if some governments – such as the Dutch – guarantee that the introduction of vaccine passports will not result in discrimination by state authorities, it is unclear how private parties such as restaurants, bars, concert venues or football clubs behave as they struggle to get back to business. A related question is how the owners of businesses – who can only offer services to carriers of a vaccine passport – treat employees when they refuse to get vaccinated. As we have discussed in our paper in more depth, governance frameworks need to be in place with detailed guidance on how such horizontal discrimination and stigmatization will be addressed and prevented. That is, if the owners of those establishments insist on checking their valued customers in the first place. This type of inconsistent enforcement and segregation affects people in their daily lives much more than their interaction with the government, which in many countries might be comparatively well checked by judicial and other oversight mechanisms.

Adding to the Toolbox

The introduction of vaccine passports might be attractive in scenarios where it cannot be expected that a vast majority of the population will have access to vaccines for a relatively long time period. There might also be concerns on how to behave towards parts of the population that do not want to join the inoculation effort due to medical conditions, religious reasons, or general skepticism against inoculation campaigns. At the same time, there is the real danger that the rushed introduction of vaccine passports adds yet another tool to the already concerning big box with surveillance systems, exacerbating the division of society in the process.


The Israel Public Policy Institute (IPPI) serves as a platform for exchange of ideas, knowledge and research among policy experts, researchers, and scholars. The opinions expressed in the publications on the IPPI website are solely that of the authors and do not necessarily reflect the views of IPPI.

Spread the word

Share this Post

Read More