"Every time an app or website asks us to create a new digital identity or to easily log on via a big platform, we have no idea what happens to our data in reality," said EU Commission President Ursula von der Leyen in September 2022. 22 March 2023
In June of 2021 the EU first unveiled plans to develop and roll out an e-ID across the entire bloc. Slightly less than two years later, and that process has just taken its next big step. Then, as now, privacy concerns are front and centre.
The project, initially called ‘Wallet’, has taken some time to progress. Originally intended to have member approval and be in trials by October 2022, the European Parliament just last Thursday, March 16, voted to hold interinstitutional negotiations in order to map out implementation. This follows a committee vote in February and a decision by the Council of Ministers in December 2022.
On Tuesday, the first of these ‘trilogues’ was held.
The goal of the digital ‘wallet’
The intention, as the name implies, was and still is to create a digital wallet that carries all important verifying documentation and information, from birth certificates to drivers licences — one that effectively competes with the big tech companies, to whom identification services are increasingly being deferred.
Not to replace the existing digital identification systems many European countries already have in place, the new system is designed to build on them and ensure interoperability for those moving around the continent.
This kind of widely accepted and accredited ‘e-ID’ system is exactly the kind of approach that many have called for — highlighting the current mess of verification processes involved in both public and private services.
Yet as eminently useful as it would be, there are concerns yet to be fully addressed around privacy, accessibility and the obligations of private entities to accept the ID.
E-ID privacy concerns
After the Council of Ministers’ decision last December, some groups raised red flags about privacy issues with the proposal as it was being considered.
Namely, there were potential problems with tracking citizen activity (i.e. when who used the e-ID for what purpose), whether or not the ID should be compulsory and the use of unique numbers given to every citizen as identifiers.
A group of 39 civil society organisations, academics and experts submitted an open letter to the European Parliament describing as much.
It seems that many of those concerns were shared.
In terms of tracking, the Parliament has taken a more hardline approach than the Council — introducing safeguards including a strict prevention against the wallet tracking user actions across different interactions. A similar principle is already in place with Covid-19 certificates.
Regarding the unique identifiers, this was confirmed to present constitutional issues in certain countries such as Germany and so the body has opted for record matching instead — comparing various bits of information about an individual in order to confirm an identity.
Unique identifiers would only be used in unique situations, such as emergency cross border scenarios, or when there is an otherwise legal requirement to do so.
Finally, in the more recent iteration, citizens would also be granted the ability to use pseudonyms in order to protect their data, when legal identification is not otherwise required. For example, when simply accessing it on their own, rather than supplying it to a public institution, or when there is only a need to supply individual details such as age or country of residence.
However there is still some debate on whether the ID should be obligatory when accessing public services.
Accessibility of e-ID
Deeply entwined with the debate over whether it should be obligatory is the conversation on accessibility. Digital technology might have an exponential curve of adoption, but it still alienates a portion of any given population.
Not everyone has a smart phone and not everyone should be compelled to go out and get one. There are also issues of accessibility for older generations and those with disabilities.
While most EU countries seem to have a preference for keeping the wallet as an optional measure, there is also support for making it mandatory under certain exceptional circumstances, such as when dealing with digital first private and public services.
Obligations and acceptance of e-ID
Beyond the obligations of individual citizens, there are also questions to answer around which of those public and private services have to accept it, and what information they should have access to when they do.
For example, if someone goes to book a hotel, sign up for a social media account or buy liquor — should each of those institutions be required to accept a digital ID? And perhaps more importantly — should they have access to the entire entry when they do?
The general consensus is no. Though there have been differences between the prescriptions coming out of the Council and the European Parliament, with the parliament being more prescriptive — saying that private companies should only have to adhere to existing ‘know-your-customer’ rules and that only the most specific relevant information should be shared.
Only in certain circumstances, similar to those described for accessibility, would a private entity be required to accept the new digital ID — most notably, when signing up for platforms identified under the ‘Digital Services Act’ (which covers obligations and liabilities regarding data, content and advertising) such as Google, Apple and Amazon, etc.
Further negotiations
Now that the process has moved into interinstitutional negotiations, the small details of implementation will need to be worked out. Specifically, how different states, jurisdictions and governing bodies will handle data and build interoperable systems.
There is also some discrepancy between the position of EU lawmakers and member states when it comes to how the whole process will be governed long term, particularly when it comes to authorising private sector entities to access and use the new system.
The EU Parliament would like to see the establishment of a European Digital Identity Framework Board which would play a coordination role and have the power to revoke authorisation in cases of fraudulent use — even in cases where the member states themselves have taken no action.
Clearly there is a bit more work to do.
Yet while it might be another year or two before we start seeing material outcomes, given the potential benefits of a robust digital ID, it’s not just important to get it done, but get it done right.
