|
[To Eurosmart members only]
EIF event on the European Digital Identity Wallet: key takeaways
On 26 April, Eurosmart organised an event in the context of the European Internet Forum (EIF). The virtual event was named "European Digital Identity Wallet: What are the ingredients for success?". It featured European Commission's Director Lorena Boix Alonso, MEP Andrus Ansip, Dr Jens Bender and Alban Feraud, President of Eurosmart.
MEP Andrus Ansip was the host of the debate. He is the rapporteur for the eIDAS text in the Committee for Internal Market and Consumer Protection (IMCO). He introduced the discussion by saying that eIDAS works well but needs improvement. Not all countries have notified an eID. EU citizens want something that is 100% under their control.
Many people say that this Wallet needs to be based on secure elements in our mobile phones, but this Wallet needs to be technologically neutral. Both hardware and software solutions need to be accepted. For instance, the Splitkey solution works well in Estonia and Lithuania.
MEP Andrus Ansip also explained that there is a discussion around online verification vs offline verification. Both have advantages and flaws. Offline solutions are much quicker. However, with an offline solution, the validity of a certificate can be put into question (if there is no update).
European Commission's Director Lorena Boix Alonso mentioned the example of Ukraine. Ukraine has a powerful eID system, and it is a wallet. The wallet is being used to fix several issues with refugees welcomed into the EU.
In her view, there are four ingredients for success when it comes to the European Digital Identity Wallet:
-user-friendliness: this is the reason why some people use existing systems. This is why the European Commission proposes a Wallet where citizens can not only deal with eID data but also other types of electronic attributes.
-security and privacy: this is the difference from what exists on the market. The user is in control of the data.
-interoperability: all the systems must talk to each other. The European Commission was very much inspired by the COVID certificates, where you have common standards. However, it does not mean that there will be only one Wallet; there will be at least 27 Wallets.
-use cases beyond public services: this is why the proposal enshrines the mandatory recognition for big platforms and in some specific areas (e.g. transport).
Alban Feraud, President of Eurosmart, gave details on three "key ingredients for success": security, data protection, an open and transparent ecosystem. He insisted on the need to certify the Wallet level High with the Cybersecurity Act. He also suggested improving data protection by mandating the EU territoriality of data. He further questioned whether the proposal provides sufficient guarantees for protecting the data of legal persons. Finally, Alban Feraud stressed the importance of the Digital Markets Act (DMA) for the success of eIDAS 2. The European Commission must be vigilant in implementing the DMA in the field of digital identity.
Dr Jens Bender, Head of Division at the German data protection authority, explained that a wallet is also a challenge because everything is stored in one place. It is crucial to make it right because a problem could cause a disaster. The eIDAS 2 Regulation is based on user consent, but consent is not everything. There can be a power asymmetry between citizens and administrations or big platforms. In this case, it might not be free consent. Relying parties need to be securely identified and should not take too much data.
Dr Bender also gave his opinion on the unique identifier. The unique identifier is a bit of a problem from a data protection point of view. This identifier would be permanent over time and across sectors. This allows the tracking of users, which might lead to mistrust by citizens.
Dr Bender welcomed the proposal's reference to GDPR certification and CSA certification.
Further discussion:
Unique identifier: From the following discussion between the panellists, it appears that the unique identifier might ultimately not be the same across sectors. There could be a unique identifier per sector. However, in this case, why is the unique identifier part of the minimum dataset? This question has not been entirely clarified.
CSA certification: The problem here is that some certification schemes are missing, for instance, a scheme for secure software. This is also why mandatory CSA certification is not in the proposal. However, once the problem of scheme availability is solved, this might change.
Toolbox planning: The initial planning is maintained for now. In June, there will be the publication of technical architecture standards and reference guidelines for best practices. By September, the Member States will have reached an agreement on the actual toolbox.
|
