“Europe’s digital identification opportunity”: new study from CEPS

On 17 June, the think tank CEPS published a study called “Europe’s digital identification opportunity”. This document was written by William Echikson, Head of CEPS Digital, formerly Head of Communications and Public Affairs at Google Brussels.

This study gives an overview of the obstacles to overcome to foster digital identification in Europe. Pierre-Jean Verrando, Director General of Eurosmart, is quoted a few times as a source.

The preparation of this study was supported by Deloitte, Mastercard, Stripe and Workday.

Please find below the link to the study and a summary of this document.

State of play in Europe

The study outlines the considerable diversity in Europe in terms of identification means. It mentions Pierre-Jean Verrando’s presentation on identity documents, stating that “[w]ithin the EU27, 86 different versions of ID cards and 181 type of residence documents exist”.

Some European identity and residence documents do not meet international document security standards. Eurosmart is also mentioned in relation to the security weakness of Estonia’s ID card, as a way to underline the importance of security.

3,2 billion people, mainly in Europe and developed countries, benefit from digital identities (eIDs). However, the study explains that the most complicated tasks cannot usually be performed through digital means. Identity verification in many cases still requires physical interaction.

The limits of eIDAS

The study points out that eIDAS had a limited success: only 14 out of the 27 European Union members have notified eIDs under eIDAS, and only 65% of the EU population is covered by qualified trust service providers.

In addition, according to William Echikson, “the gigantic opportunity of private sector pickup has been missed”.

The eIDAS peer review system is deemed complicated, and time consuming. When a Member State notifies a new eID, the eIDAS Cooperation Network needs to appoint a rapporteur, three to five experts, and an observer. An approval vote from this committee is required. The peer review sessions for approval can last an entire day or multiple days entailing word-by-word, line-by-line reviews. Some sessions can involve as many as 70 questions

The author calls for measures to simplify and speed up the adoption of eID schemes. For instance, a single European committee could review eID schemes.

Recommendations

1) Promote private pickup

The author argues that eIDAS-powered and GDPR-compliant identity checks should be the alternative to Facebook and Google’s identity systems. This alternative would be more secure and less invasive in terms of personal data.

According to the author, “the ultimate goal should be an attribute-based verification mechanism under which citizens and businesses own their own data”. A trusted authority, public or private, would provide verification. Users could share the requisite attributes.

2) Boost innovation, including the adoption of blockchain while being technology neutral

The study clearly stands in favour of decentralised systems, as centralised databases can be hacked, stolen or misused. Thus, blockchain is presented as a solution which offers the technical advantages of a decentralised identity model, and leaves individuals in control of their data.

However, the study points out that some uncertainty remains when it comes to blockchain. First, there is the time and cost needed for every signatory to obtain a certificate. Secondly, there is a lack of legal certainty.

The study concludes that “[b]lockchain should not be favoured over other technology solutions that promote simplicity, because data protection and user-centricity should be encouraged.” It mentions several projects, such as the work of Mastercard on a decentralised interoperable digital identity model, and Fido.

Biometric authentication is also deemed to be a useful technology for identification and authentication.

3) Clarify GDPR protection rules, for instance on the right to be forgotten, limitations on what data can be stored and for how long

4) Increase regulatory and financial incentives to accelerate digital verification

The author advocates for incentives to accelerate digital verification but warns against overregulation and protectionism. “The European Union should not oblige Google and Facebook and other tech giants to use eIDAS to verify the identity of their users, the EU should allow them to, and give them incentives to do so.” For instance, the European Union could promote an open European ID login standard in its upcoming Digital Services Act.

In the context of current discussions on technological sovereignty, the author highlights that this should not lead to protectionism: “[d]ebate on digital identity and verification should focus on the needs of European consumers and businesses rather than on the geopolitical considerations shaping other aspects of European tech policy. It should not be about escaping the grip of large US and Chinese tech companies, nor should it be mixed up with dreams of creating a European data cloud or other industrial initiatives. It should be kept apart from a new Digital Services Act and other upcoming regulations designed to compel digital giants to take on more responsibility for what they host on their platforms.” 

Examples of Belgian eID (pages 21-22), Nordic success story (pages 23-24), UK e-verification struggles (pages 25-26), international (pages 27-28).

For any questions on this issue, do not hesitate to contact Camille Dornier: camille.dornier@eurosmart.com