.svg)
Members of the European Parliament (MEPs) have welcomed the EU’s proposal for electronic identification (eID), although concerns have been raised about the risks for data privacy and interoperability.
EU lawmakers sitting on the Parliament’s Industry, Research and Energy Committee have hosted a public hearing, looking at what the implications of the European Commission’s eID proposal may end up being for the internal market.
The European Commission unveiled plans in June last year for an EU digital identity wallet.
This would be designed to allow citizens to access public and private services across the bloc, both online and offline in a similar way to how private initiatives, such as the Apple wallet, work.
The European digital identity wallet that was proposed will be an app that citizens can install in their smartphone to store electronic identification forms and official documents, such as bank account details.
In its proposal, the European Commission stressed that the need for secure online platforms to carry out tasks such as transactions has rapidly increased.
The proposal is also another attempt by the EU’s policymakers to rein in bigtech, with the proposal suggesting that the likes of Facebook and Apple will need to accept the digital identity wallet on their platforms.
At the time it was launched, EU payments players were optimistic about the possibilities that it presented for the industry.
For example, sources suggested that it presents great opportunities for digitisation in the trading bloc. However, nobody was under any illusion about just how ambitious these plans are.
Much to be done
“Europe has gone a long way in building a leading, digital identity ecosystem, but more needs to be done to accelerate the pace of the process,” said Romana Jerkovic, a Croatian MEP.
The EU should be able to respond to technological changes and new market realities, but also to user demands and their expectations, the centre-left lawmaker said.
“There are many open issues which we need to address such as architecture of the services, certification, implementing the acts, terminology, cross-border usage, and the use of unique and personal identifiers,” she said.
The digital wallet needs to be at the highest level of security, and certification needs to be mandatory, she said.
This would be a change to the EU’s draft proposal. As it stands, Article 6a requires member states to issue a European Digital Identity Wallet solution under a notified eID scheme to common technical standards following a compulsory compliance assessment and voluntary certification within the European cybersecurity certification framework, as established by the EU’s Cybersecurity Act.
“There are a whole range of acts — the Digital Services Act, the Digital Markets Act, the Cybersecurity Act, the upcoming Data Act — which are currently being negotiated and that we will need to carefully consider in order to ensure legislative coherence to avoid overlaps and to minimise risks of possible exemptions for the big platforms,” she warned.
Meanwhile, centre-right MEP Pascal Arimont raised the question of whether digital identity wallets should be a public good in the EU, and whether the state should issue the wallet.
In addition, the Belgium MEP raised the topic of interoperability with his colleagues.
“Interoperability and cross-border interoperability is more and more important, otherwise EU legislation doesn’t make much sense,” he said.
For this reason, negotiations between co-legislators need to consider how eID in a Belgian wallet, for example, could be transferred to a German wallet.
“For many people in cross-border areas, for which there are many in Europe, that is absolutely critical when we are looking at whether to accept a wallet or not,” said Arimont.
Some work has already been done on this by individual member states. For example, in August, Germany and Spain signed a memorandum of understanding to collaborate on the subject of self-sovereign identity at the technical, operational and regulatory levels.
On the other hand, Alin Mituta, a centrist MEP praised the proposal as “a great opportunity for Europe, if implemented correctly”.
“This can allow EU citizens and businesses to access services easily while remaining in full control of their data.”
However, he questioned how private-sector stakeholders and member states would be able to work coherently in the development of the digital wallet and identity solution.
Moreover, he considered how the gap could be bridged between member states rolling out the wallet, and the EU’s framework, to ensure a high degree of harmonisation and interoperability.
What the experts have to say
This is a great opportunity for the EU in several dimensions, said one of the contributors, Kai Rannenberg, while presenting evidence to the Parliament.
The Goethe University academic continued that, at the same time, it is a great challenge. “We need to get it right. There is a lot of work to be done.”
“We have seen already the great opportunities that can come from digital identity for the market, as well as some of the advantages that can come to data protection by giving more control to users,” he said.
It is also a good exercise in strengthening European digital sovereignty and improving the security of digital identity management overall, Rannenberg argued.
“It is in our opinion one of the leading proposals of the EU institutions,” said Wojciech Wiewiórowski, European Data Protection Supervisor, endorsing the idea.
There are even data protection benefits associated with the project, he pointed out. “I’m always the optimist and I always see the glass half full.”
For example, the eID solution could help solve the problems with excessive data processing, as it would allow the subject to only reveal the data that is “strictly necessary” to achieve the purpose.
“If the purpose is identification in the banking or telecommunications sector, as is required by law, the user could reveal only those pieces of identity data that are mandated by law, and keep the other elements out of the knowledge of the users.”
If the EU implements this right, the digital identity wallet could be even more privacy-friendly than the solutions that exist at the moment, he said.
However, these functionalities do not necessarily come with the notion of a digital identity solution, he cautioned. “They may or may not be implemented in practice.”
“In this respect, I would have been happier with a proposal that would have given me more insight into what to expect from the implementation in the member states,” he said, adding that there is quite a lot of information that will only be able to be sourced from the implementation process.
If Europe does not implement data protection by default, then the digital experience will not differ from the analogue one, cautioned Wiewiórowski. “A service provider requests excessive data and the user is left to decide whether to release the data or not to use the services.”
Meanwhile, Thomas Lohninger, chair of the Digital Rights NGO, said that the proposal is not just a general-purpose infrastructure, it is also something that could be an important architecture for the identification and verification of users but also to recognise attributes about them — not just in the public sector, but also the private sector.
“The commission has made sure with several provisions that this will become a very widespread technology that we will see in almost all aspects of our daily lives,” he said.
This is why it is important that the European Parliament includes provisions that are currently missing in the proposal, he pleaded.
For example, the mandate for a "unique persistent identifier" that is located in Article 11 of the legislation. “Such an ID would be unlawful and unconstitutional in several countries and would offer many ways of limiting anonymity and tracking users.”
“Although it is only required for a situation in which identification is legally mandated, that also raises the question of how freely consent can be shared,” he said.
