Authors: Kristof De Vulder, Florian De Rouck, Emma Stockman
On 3 June 2021, the EU Commission proposed the long-awaited framework for a European Digital Identity (EUid). The proposal stems from the regulatory review of Regulation 910/2014/EU (eIDAS Regulation), and constitutes a complete overhaul of the European digital identification framework.
The EU Commission plans to introduce a new EUid framework to enable all Europeans to access public and private services online via a secure “digital wallet” without using private identification methods or unnecessarily sharing personal data. This digital wallet may be provided by public authorities or private entities recognised by a Member State, and will link a citizen’s national digital identity to other personal attributes (eg driving license or bank account). Since each EU citizen will have the right to request the new EUid wallet, and such a wallet must be broadly recognised by private and public service providers, the implementation of the framework will undoubtedly mean a paradigm shift in the online identification market, which is currently governed primarily by private initiatives.
The proposal is currently in the preparatory phase in the European Parliament following the ordinary legislative procedure and may still be amended.
The eIDAS Regulation was adopted on 23 July 2014 and introduced a cross-border framework for digital interactions between public authorities, businesses and individuals, with a main focus on electronic identification, authentication and trust services. In particular, the eIDAS Regulation enables individuals and businesses to use their own national electronic identification schemes to access public services in other EU Member States through the principle of mutual recognition of identification schemes between public-sector organisations in the EU. The Regulation also determines standards and requirements for standard electronic signature, advanced electronic signature, qualified electronic signature, qualified certificates and online trust services, thereby providing legal certainty as to the validity of electronic signatures and facilitating electronic transactions.
While the eIDAS Regulation was ground-breaking at the time, it also included important gaps and is generally considered not to have reached its full potential regarding electronic identification and trust services. As the Impact Assessment and the public consultation have shown, stakeholders have identified an important need for revision, particularly given the very limited coverage of the existing notified eID schemes (59% of the EU population) and the overt focus on cross-border public services (targeting only 3% of the EU population).
The rapidly changing digital and legal landscape and the specific issues which arose from the implementation of the eIDAS Regulation quickly demonstrated the need for revision, even more so during the current COVID-19 pandemic, which has led to increased digital activities of citizens and businesses in the EU. In the absence of an appropriate legal framework, a multitude of unregulated private online services has become commonplace in the digital identification market due to their user-friendliness – but without offering the same level of legal certainty, data protection and security as government eIDs.
In 2020, the initiative to revise the eIDAS Regulation was announced, driven by the need of citizens and businesses for “simple, trusted and secure ways to identify themselves online.” The aim was to target the improvement of access to cross-border digital services through the extension of the benefits of the electronic identification schemes to the private sector and through the creation of a more secure and interoperable European electronic identity, particularly in terms of data protection and identification fraud.
The most important aspects of the proposal of Regulation relating to the new European Digital Identity Wallets will be discussed below.
- European Digital Identity Wallets
Firstly, the proposal defines a European Digital Identity Wallet as “a product and service that allows the user to store identity data, credentials and attributes linked to her/his identity, to provide them to relying parties on request and to use them for authentication, online and offline, for a service in accordance with Article 6a; and to create qualified electronic signatures and seals.”
New Article 6a, as referred to in the definition, generally sets out the purpose and operating system of the new European Digital Identity Wallet. In general, the purpose of the new European Digital Identity Wallet is to ensure that all natural and legal persons in the Union have secure, trusted and seamless access to cross-border public and private services.
The European Digital Identity Wallets must enable the user to securely request, obtain, store, select, combine and share the necessary legal person identification data and electronic attestation of attributes to authenticate online and offline in order to use online public and private services. Moreover, it must enable the user to sign by means of qualified electronic signatures.
Member States must also provide validation mechanisms for the European Digital Identity Wallets to (i) ensure that their authenticity and validity can be verified, (ii) allow relying parties to verify that the attestations of the attributes are valid, and (iii) allow relying parties and qualified trust service providers to verify the authenticity and validity of attributed person identification data.
The article further provides that the European Digital Identity Wallet will be free of charge to natural persons and made accessible for persons with disabilities.
- Control over personal data
The proposal supports the implementation of the Regulation 2016/679 (GDPR) by putting the user in full control over how their personal data is used. The new Article 6a further states in this regard that the issuer of the European Digital Identity Wallets will not collect information about the use of the wallet that is not necessary for the provision of the wallet services. Nor will it combine person identification data and any other personal data stored or relating to the use of the European Digital Identity Wallet with personal data from any other services offered by the issuer or from third-party services that are not necessary for the provision of the wallet, unless the user has expressly requested it. Moreover, personal data relating to the provision of the European Digital Identity Wallets will be kept physically and logically separate from any other data held.
- Security breach
The proposal extends the consequences of a security breach of electronic identification schemes, as already provided for under the eIDAS Regulation, to a security breach of European Digital Identity Wallets. Thus, in the event that European Digital Identity Wallets are breached in a manner that affects their reliability, the issuing Member State will suspend and revoke the validity of the wallets. If the breach is not remedied within three months of the suspension or revocation, the Member State concerned will withdraw the European Digital Identity Wallet concerned. In the event the breach is remedied, the issuing Member State will re-establish the issuance and the use of the European Digital Identity Wallet.
- Certification and publication
The conformity of the European Digital Identity Wallets with the requirements set out in Article 6a will be certified by accredited public or private bodies designated by Member States. Member States must communicate to the Commission the names and addresses of these public or private bodies.
The Commission will establish, publish and maintain a list of all certified European Digital Identity Wallets.
- Assurance level and unique identification
As mentioned, the proposal of Regulation intends to combat identity theft and identity fraud by creating highly secure and trustworthy cross-border solutions. In this regard, the proposal determines that the European Digital Identity Wallets must meet the requirements of assurance level “high,” in particular as applied to the requirements for identity proofing and verification, and electronic identification means management and authentication.
Article 11a further states that all notified electronic identification means, as well as the European Digital Identity Wallets, must ensure unique identification by including in the minimum set of person identification data a unique and persistent identifier in conformity with Union law, to identify the user upon request where identification of the user is required by law. The measures to be taken in this regard will be specified by the Commission within six months of the entering into force of the Regulation.
- Pan-European acceptance
Where the mutual recognition of electronic identification means to access an online service provided by a public sector body was already regulated under eIDAS, the proposal of Regulation now introduces, in new Article 12b, the principle of Pan-European acceptance of the European Digital Identity Wallets in the public and in the private sector. The introduction of this provision is undoubtedly the most progressive one in this proposal.
First, Member States will be required to accept European Digital Identity Wallets issued in compliance with the new Regulation where national law requires the use of electronic identification means and authentication to access online services provided by a public sector body.
This obligation will also be extended to private bodies that are required by national law to strongly authenticate their users for online identification, or where such authentication is required by contractual obligation (eg in transport, banking or education).
Big tech such as Facebook, Google and Twitter are also being targeted, as the proposal of Regulation explicitly extends the principle of pan-European acceptance to “very large platforms”, as defined in the Digital Services Act as “online platforms which provide their services to a number of average monthly active recipients of the service in the Union equal to or higher than 45 million.”
With regard to other private sectors that are not subject to this obligation, the Commission strongly encourages the development of self-regulatory codes of conduct. Under such codes of conduct, these sectors would also be subject to the principle of pan-European acceptance and thus contribute to a wider availability and usability of the European Digital Identity Wallets. It will, however, be interesting to see whether and to what extent such codes of conduct are introduced.
- New qualified trust services
In addition to the introduction of the European Digital Identity Wallets and the related provisions, the proposal expands the current eIDAS list of trust services with three new qualified trust services: (i) electronic archiving services, (ii) electronic ledger services, and (iii) services for managing remote electronic signature and seal creation devices. The introduction of these new qualified trust services intends to respond to the dynamics of the market and the technological developments (eg the increasing use of electronic ledgers to support crypto assets) while harmonising some existing trust services which were previously organised on a national level (eg archiving services under Belgian law).
The main intention of the new European Digital Identity Wallets is to put an end to the fragmentation which currently exists under the eIDAS Regulation. A single pan-European framework would provide citizens and businesses with the means to efficiently identify themselves in a cross-border context and to exchange personal identity attributes and credentials in a highly secure, trustworthy and GDPR-compliant manner.
Existing private and public electronic identification players need to start analysing this new EUid framework, not only to consider future certification and alignment under a national notified scheme via the framework, but also to weigh in on the upcoming design of the EUid system (whereby, among others, jointly set-up sandboxes are to be opened up to innovators, SMEs and researchers in due course). As the EU Commission’s proposal is a rather ambitious one, it remains to be seen how and to what extent the upcoming negotiations with the EU27 will affect the current proposal. The Commission has, in any event, already invited the Member States to establish a common toolbox – which should include the technical architecture, standards and guidelines for best practices – by September 2022 and to start the necessary preparatory work immediately.