The key to Austria’s grand reopening on May 19, the so-called “Green Pass” is designed to simplify access to facilities and businesses previously off limits due to the risk of infection by providing evidence of a negative COVID test, full immunization, or recovery via a simple smartphone app or a physical ID.
Inspired by a similar system implemented by Israel, Chancellor Sebastian Kurz championed the notion of an EU-wide digital COVID certificate during an EU summit in February alongside states like Greece and Portugal. And while Brussels aims to have the system go live by July, Austria has resolved to introduce their version early, positioning itself as a “pioneer” on the international stage.
The national Green Pass rollout will occur in three phases:
From May 19 until the introduction of digital certificates, previous documents such as a negative COVID test, proof of recent recovery from an infection, or a completed vaccine record will be sufficient for entering cultural institutions, eateries, and sports facilities. Antigen tests (valid for 48 hours), PCR tests (valid for 72 hours), or self-tests (valid for 24 hours) are permitted. Children can use tests carried out at their school. Results are typically sent via e-mail and text; you can also print them out directly at testing sites. Proof of vaccination – valid 22 days after the first jab and up to nine months after the second – can be downloaded directly from the electronic vaccine portal. Alternatively, general practitioners or municipal offices can also issue printed certificates. Evidence of recovery can be requested via e-mail or post.
Beginning in June, the Green Pass will transition to a QR code either as an app or a paper ID – however, it will be valid only within Austria. The certificate will be downloadable from gesundheit.gv.at with mobile phone signature or Bürgerkarte (citizen card). While the exact details of the QR code are still being hashed out, the federal government has promised it will be compliant with European data protection laws.
The final phase is set to start at the end of June, with the European Union projected to introduce a digital certificate valid for the entire bloc as well as in the EEA area and Switzerland, with each country deciding for themselves what simplifications that will bring.
A Rocky Road to Greenlighting
Data privacy activists, however, were initially skeptical. The government’s original plan relied on everyone from hairdressers to concert organizers scanning the 20-digit code, name, and date of birth printed on the back of e-cards to verify a person’s status. They would then run the information through the so-called “Green Check” app, which would have lit up either green or red to signal admission.
However, the NGO epicenter.works warned that this would pose significant security risks: As the first ten code digits printed on e-cards are always the same, hackers could simply try combinations for the remaining numbers via brute force attack, potentially gaining access to the private medical data of millions of Austrians. In addition, attackers could take photos during entry checks, opening the door to stalking and blackmail.
Furthermore, experts argued that the plan to utilize a central server essentially amounted to people tracking. During entry checks, operators would have logged who, when and where someone was requesting admission, making it easy to create movement profiles of users. The Austrian Medical Association and the Chamber of Commerce voiced similar concerns and this concept has since been scrapped.
In general, most experts approve of the QR code concept that replaced proposal to use e-cards, but some criticize its temporary nature. With the EU introducing its own system just a few weeks later, epicenter.works has called the Austrian version an “obvious PR effect” for Kurz.
However, the EU has assured that mutual interfaces between national systems will be created. Thus, the Austrian QR code will eventually be readable at every border, enabling free travel across Europe.