What you need to know about the European Digital Identity Wallet
Today's blog post is about the forthcoming eIDAS (electronic identification, authentication, and trust services) 2.0 Regulation, a subject that piqued my interest as I was scrolling through LinkedIn here at my new home in Riyadh, Saudi Arabia (thanks to this post, btw).
In June 2021, the EU Commission adopted a proposal for a regulation of the European Parliament and the Council that aims to amend Regulation (EU) No 910/2014 (eIDAS 1.0), establishing a framework for a European Digital Identity.
The eIDAS 1.0 Regulation represented the only cross-border framework within the EU for trusted electronic identities (eIDs). However, according to the Commission, it became apparent that the regulation fell short of addressing current societal demands and the market circumstances that have evolved since its adoption. Its usage remained limited, especially in the public sector, and private providers had difficulty connecting to the system. Concerns also arose regarding identity solutions offered by private entities, such as financial institutions, which fell outside the scope of the eIDAS Regulation. But perhaps it is also that Europe is lagging somewhat behind other countries around the globe when it comes to implementing the digital ID.
The new proposal aims to provide harmonised, secure, cross-border public electronic identification, including interoperable digital signatures, all within our ‘own control’. In the words of Ursula von der Leyen: “Every time an App or website asks us to create a new digital identity or to easily log on via a big platform, we have no idea what happens to our data in reality. That is why the Commission will propose a secure European e-identity. One that we trust and that any citizen can use anywhere in Europe to do anything from paying your taxes to renting a bicycle. A technology where we can control ourselves what data is used and how.”
The ambition is thus to replace the reliance on national identity solutions with a framework for a European Digital Identity. A framework that we can ‘trust’, according to Von der Leyen.
Some of the ambitions the new rules should achieve are:
Member States must issue European Digital Identity Wallets within 12 months after the Regulation takes effect.
These wallets should be certified by designated public or private bodies in Member States.
Union citizens and other residents, as defined by national law, can obtain a European Digital Identity.
Users of the European Digital Identity Wallet can request, store, select, combine, and share data in a traceable manner.
The use of European Digital Wallets should be free for natural persons.
These wallets should be usable for both public and private services, including transport, energy, banking, and financial services.
Large online platforms are required to accept the use of European Identity Wallets upon voluntary user requests.
Identification is possible both online and offline for all wallet users.
The wallets should offer the possibility of qualified electronic signatures and seals.
Issuing parties must implement security measures.
There will also be security rules for website authentication services.
Joint sandboxes will be set up by Member States to test innovative solutions.
Where necessary, a mandatory minimum data set and the use of a unique and persistent electronic identifier will be required.
It all sounds very promising indeed: the world at our doorstep, or rather on our mobile.
Surely, there is ‘no need to fear’ for our privacy or fundamental rights? After all, the proposed regulation assures us that we are in ‘full control’. The Regulation is (of course) GDPR-proof (the EU data privacy rules). In addition, the proposed article 6a sub 7 intends to reassure us that the issuer of wallets shall, among other things, not collect information about the use of the wallet which is not necessary for the provision of the wallet services, and that personal data should be kept physically and logically separate from any other data that is held. With reference to the proposed article 45f, this also applies if the EU digital identity wallet is provided by private parties.
But how fool-proof is it?
While the Regulation should ensure convenience and security at the same time, the question of whether individuals can effectively control their data remains. According to Von der Leyen: “… Every time an App or website asks us to create a new digital identity or to easily log on via a big platform, we have no idea what happens to our data in reality.”
But I wonder whether we will have any more of a clue when we use the EU digital identity wallet. Governments may be more in control, but the average, ordinary user?
The technology behind the EU digital identity wallet, and the current digital economy in general, is so complex that it is doubtful we will ever be in control. Looking at myself, most of the time I’m rather clueless when it comes to the dangers of the services I use online, or offline for that matter. For most people it is all but impossible to find out how it all really works. Thus, the question remains how much control we really have in a digital economy, and how much choice we actually have not to use digital services.
Furthermore, one’s privacy and personal data will basically be concentrated in a ‘virtual one-stop shop’. Access to one’s whole life seems just a ‘hack away’. Thus, the concentration of our personal data in a single digital wallet seems to present a tempting target for hackers. While cybersecurity measures are in place, no system is, in essence, hack-proof.
I am not the only one with such concerns. Biometricupdate.com warned of privacy and discrimination risks. Here are the red flags they have raised:
the danger of ‘over-identification’ and a ‘real name internet’;
allowing Big Tech actors to track our behaviour by way of the introduction of a unique and persistent identifier;
susceptibility to system failures and cyber attacks;
and perhaps the worst of all is the lack of redress for those who are excluded from the system.
Digital systems like these are all-encompassing, with limited alternatives. The fear is that we might eventually end up in a position where we have to be ‘in’ the system to be able to use basic services. And for those who are ‘out’ of the system, well, that is just not an option. In the worst-case doom scenario, one just ‘ceases to exist’ for the system (much like being a ‘stateless person’, having no rights and no access to crucial basic services). So, as to whether we can really fully ‘trust’ digital identities, I’d say the proof of the pudding is in the eating.
In this increasingly complex world, understanding the impact of regulations is challenging. While the new regulation seems promising, it is essential to examine all perspectives, including potential drawbacks.
Your thoughts and views on this upcoming regulation are welcome in the comments section below.
You can also explore more opinions and information on this topic through the provided links.
European Commission (on the benefits of eIDAS)
Additionally, this website provides a helpful chronological update on the progress of this regulation.