Vaccination Certificates and Algorithmic Vulnerability

KHK Senior Research Fellow Janet Xue has published a new article in the European Journal of Risk and Regulation (Cambridge University Press) titled ‘Algorithmic Vulnerability in Deploying Vaccination Certificates in the European Union and China’. The article examines the often-imperceptible risks faced by vulnerable populations in the EU and China through algorithmic data processing related to the COVID-19 pandemic and its associated medical and administrative countermeasures.

The article describes algorithms as ‘mathematical optimisation techniques used to perform one or more tasks such as gathering, combining, cleaning, sorting, classifying and inferring data, as well as selection, prioritisation, the making of recommendations and decision making’ (335). These automated processes suffer from an inability to factor in the actual, nuanced human dimension of data sets and can therefore lead to inequal prioritization and exclusion of particular populations when applied to real-world scenarios. Dr. Xue’s paper focusses on the deployment of vaccination certificates, a delicate subject that has been handled differently around the world and has manifold consequences, affecting both national jurisdictions and cross-border travel for the purposes of employment and trade.


‘Algorithms trigger the linking of data systems of vaccination records, COVID-19 test results, personal IDs and contact information that may enable micro-targeting of individuals for a variety of exclusionary purposes, including job rejection’ (333).

The EU and China face similar problems with certification deployment, the most obvious of which is regional variation in policy and data collection methods. For example, one brand of vaccine may be ratified for use in a particular region and could entitle the vaccinated to free movement and activity locally, but at the same time may be rejected in another region. The discrepancies are amplified when the focus is place on vulnerable populations. ‘The profound ever-present risk, writes Xue, ‘is that classifying, profiling, and grouping individuals based on nationality now linked to COVID-19 status will risk further social stratification of people through systematic vulnerability’ (333). This systemic vulnerability, she warns, is at risk of being entrenched at the level of policymaking. Leaving this kind of database management to algorithmic administration may ‘disadvantage individuals in accessing employment, study, and business opportunities, as well as in processing medical insurance claims’ (333).

‘Algorithmic vulnerability’, then, entails unfair treatment of individuals and can affect limitations on socioeconomic wellbeing, autonomy, free movement, and independent decision making. Unless the structure of data sets involves information representative of certain racial, ethnic, and social strata, there exists the risk of indiscriminately disadvantaging one group and prioritising another. Xue seems to infer that there is a certain trust in algorithmic data administration that needs to be questioned. Whether used as a means to expediate data processing, or even in a misguided effort to eliminate human error, algorithms suffer from the fatal flaw that they cannot – and are not designed to – address the complex of real human experience, including the vested interests of certain groups and the full spectrum of individual consideration.

Xue identifies three major challenges that are being faced both in China and in the EU: finding a balance between rapid rollout and minimising algorithmic vulnerability; how to roll out vaccine certificates quickly both inside and outside the space(s) they cover; and, how to accomplish interoperability in order to ensure the same standards of accuracy and authentication between regions.


‘The worst-case scenario is that automated profiling (e.g., the vaccinated, non-vaccinated and COVID-19 free, non-vaccinated but COVID-19 infected) may be triggered by an algorithm that makes certain groups subject to more vulnerable positions, who would then be absent from the database and thus unrecognised by the digitised vaccination certificate system’ (334).

Overcoming this risk of automated profiling requires additional oversight in the vaccine certification process. ‘Automatically generated reports fail to identify and prioritise risk groups among those who really need to be vaccinated first such as cross-border workers in essential services if these workers are unregistered with the database where the algorithm applies’ (337). In China, as in the EU, many of the same challenges persist: ‘sustaining trust between the general public and governments; using a transparent approach to ensure the fair design of the algorithm and data use; and initiating a plan to ensure data security during the COVID-19 pandemic and an exit plan to prevent the repurposing of data collected for vaccination certificates’ (339).

In both regions, data retention also remains a central concern. To varying degrees, each region has claimed that individuals’ data will be retain ‘until the pandemic ends’, but the question of a later implementation of similar measures for a future medical crisis remains open. Data privacy is also under threat of algorithmic administration, and, as of yet, there seem to be only preliminary sketches of how this will influence policy making down the road.

In the end, Xue asks, ‘Should we accept the normalisation of these kinds of emergency plans as part of the social-technological infrastructure in our future society?’ (340). If so, we risk the development of a systemic bias toward certain groups that, at first, does not seem to inhere in the algorithm itself. In conclusion, three suggestions are offered: data collection should be minimized to limited purposes and disclosure scenarios; usability of certificates should be defined for both cross-border travel and local purposes; verification authorities need to be advised as to how much information is available at given checkpoints.


‘Despite differing national and regional policy responses to the pandemic, reducing vulnerability should be a shared value among human beings. The artificial boundaries created by vaccination certificates, which now delimit both nationality and COVID-19 status, risk creating further exclusion rather than remedying vulnerability. Rather, regional cooperation and sharing of lessons and practices to reduce vulnerability should be the starting points in reconnecting the world’ (342).

Dr Janet Hui Xue joined the research group 'Global Cooperation and Polycentric Governance' in October 2020 and will be a Senior Research Fellow at the Centre until the end of September 2021. Her project at the Centre is titled  ‘Governing Personal Data in the Digital Economy: A Comparative Study of the EU and China and Implications for Future Regulation’ and critically analyses the regulatory tools and governance models that have been tried in either the EU or China in attempts to strike a balance between business innovation and the protection of consumer rights in the context of personal data.


Read the full article here.