green, red, and yellow qr codes on phones.

The Promise and Pitfalls of China’s QR Codes as Health Certificates

This article is adapted from a longer paper published in the Harvard Journal of Law and Technology (JOLT)’s Digest section. To access the original paper, please visit JOLT.

By April Xiaoyi Xu

At this point in the COVID-19 pandemic, China has successfully managed to contain the spread of the virus, due in large part to its technological strategy, which uses QR codes as a kind of health certificate.

These color-coded QR codes are automatically generated using cell phone data. Green indicates that an individual is healthy and can move freely, yellow signals that the user must quarantine for up to seven days, and red for fourteen days. The basis for these determinations, as well as the extent of the data collected in order to make them, remains opaque.

Characterized broadly, the QR health codes operate as “mini apps” embedded in two ubiquitous apps in China: the social media app WeChat and the payment app Alipay. Virtually all public venues in China — shopping malls, office buildings, parks, and even hutongs: narrow alleyway neighborhoods — require visitors to check in with their QR code; failure to comply results in denial of entry. This helps expedite later contact tracing efforts.

Promptly after the QR health code debut in Hangzhou only weeks after the Wuhan outbreak, other provinces launched similar QR health codes; along with the launch of a national health code system, various jurisdictions have worked on increasing the level of compatibility and mutual recognition. Countries including Singapore and Australia also introduced similar technologies. In November 2020, President Xi Jinping openly recommended that other countries also implement this technology and pushed for mutual recognition of each other’s QR codes internationally.

Despite valid skepticisms regarding China’s ulterior motives, given this technology’s overall effectiveness thus far, it is worth evaluating whether more countries should seriously consider incorporating similar technologies as part of their broader strategies in combating COVID-19. Politics aside, a key concern that many experts share is individuals’ privacy, due to the amount of personal information involved in the digital process as part of the QR health code framework.

Pursuant to most international human rights laws (IHRL), measures that interfere with fundamental rights must satisfy a three-part test: legality, necessity, and proportionality. The legality principle does not necessarily require a specific law authorizing the interference in question. China, for instance, has yet to adopt comprehensive legislation regulating privacy and data protection, although there are relevant civil, criminal, and cybersecurity laws, and national guidelines. Specific to the QR health code context, China “released a series of national guidelines for personal health information codes” specifying “requirements for the collection, processing, and use of personal health information.” However, recommended guidelines lack the force of law.

But other examples exist of a legislative approach to QR health codes that some consider compliant with the legality principle: for South Australia’s QR-based COVIDSafe app, for example, the government made specific amendments to the 1998 Privacy Act in ensuring “stronger statutory privacy protections for users and their collected data.”

The other two key IHRL principles, necessity and proportionality, both involve much subjectivity. Is the QR health code necessary? Some may argue that QR health codes are not necessary, but are merely one of several, if not many, ways to keep COVID-19 cases under control. China has announced that “elements of its QR-code tracking system are likely to remain in place after the pandemic ends,” which is concerning from a privacy analysis based on necessity. By contrast, South Australia has “committed to holding the data for no more than 28 days and only releasing it to SA Health for official contact tracing purposes,” demonstrating that may be possible for QR health codes to comply with the necessity principle.

The next question to consider is whether the use of QR codes as a form of COVID-era health certificates is proportionate to the aim pursued. One might perform an inevitably subjective balancing test typical in judicial decision-making. While some have suggested than in a pandemic context, it is reasonable to prioritize public health over individuals’ data privacy, others disagree.

China’s QR health code heavily relies on data on national IDs in identifying and verifying app users; although the U.S. federal “Real ID” law similarly centralizes government control over individuals’ identities, mandating that the entire population share ID/SSN information could raise substantial privacy concerns. Further, from a fairness standpoint, many in the world, especially the elderly, children, and the rural population, do not have smartphones, and can be left out of public health benefits that the QR tracing system provides. Lastly, the techno-solutionism critique is valid in the QR context as well.

As prevailing IHRL principles as criteria are insufficient due to ambiguity and subjectivity, we also evaluate Xi’s proposal using other metrics: accuracy, transparency, privacy safeguards, and transferability. First, accuracy is crucial in QR health code application. While the QR health code successes so far cast little doubt on the system’s accuracy, a critical drawback is that the QR health code system partially relies on self-reported information, such as whether one has visited an area with a coronavirus outbreak in the past fourteen days or has been in close contact with an infected person. Although the threat of criminal penalties for false self-reports can deter misinformation, accuracy remains an important consideration.

Second, transparency — clearly communicating details about QR technology to citizens, including how QR health code works, who has access to the data, and for how long — is crucial to increasing public trust and cooperation. Although China de facto mandated the use of QR health codes, Western democracies can less likely legally mandate these and would have to rely greatly on trust.

Third, privacy safeguards should be in place, especially as QR codes are vulnerable to security attacks, fraud, and malicious actors, who can either replace the entire QR code or modify individual QR code modules. While the countries with existing QR health codes generally secure and encrypt the data collected, and public venue posters containing QR codes are not readily replaceable by malignant actors,  anonymized data can still be traced back to users via a few identifiers linked to other publicly available databases. There is always room for more caution and privacy-by-design.

Ultimately, transferability determines whether China’s QR health code can be exported to other nations. Although China is singular in several respects, as the world’s biggest smartphone market with a powerful one-party state and a lack of mandatory privacy laws, Australia, Singapore, and the U.K. have illustrated that the QR health code model can thrive abroad as a powerful tool to combat COVID-19.

Overall, the QR health code has the potential to satisfy the legality, necessity, proportionality, accuracy, transparency, privacy, and transferability criteria. Although imperfect in the original form launched in China, the QR health code system offers a promising option for health certificates that may help the world return to pre-COVID-19 normalcy. As computer science and legal experts collaborate to explore further ways to enhance existing QR health codes for potentially broader international application, there is reason to hope that a version 2.0 of the QR health code system may better incorporate key criteria.


April Xiaoyi Xu is a Juris Doctor candidate at Harvard Law School.

The Petrie-Flom Center Staff

The Petrie-Flom Center staff often posts updates, announcements, and guests posts on behalf of others.

Leave a Reply

This site uses Akismet to reduce spam. Learn how your comment data is processed.