|
[To Eurosmart members only]
eIDAS 2: LIBE draft opinion on the proposal
MEPs from the Committee on Civil Liberties, Justice and Home Affairs (LIBE) are in charge of drafting an opinion on the eIDAS 2 proposal. This opinion should inform the work of the leading Committee in the European Parliament (ITRE Committee). The LIBE Committee is competent on matters relating to data protection.
MEP Cristian Terheş (ECR, Romania) is responsible for this opinion within the LIBE Committee. He recently issued his draft opinion. It will serve as a basis for the work of LIBE. The rapporteur’s draft opinion recommends significantly amending the Commission’s proposal.
MEP Cristian Terheş drafted some general comments on the proposal. He states that “[unfortunately], the technical options for the implementation of the proposal are to be adopted by the Commission via subsequent, non-legislative acts. This is a dangerous approach, as one technical option might be more intrusive than another, at the expense of the fundamental rights of the citizens”. He mentions additional concerns such as the use of unique identifiers, the lack of openness and transparency in developing the Wallet security specifications, dependence on big tech companies and the weakening of browser security.
The rapporteur underlines that there are many loopholes in the proposal, many of them being outside the remit of the LIBE Committee. MEP Cristian Terheş concludes that “the entire proposal should be sent back to the Commission for a complete redesign. As this proposal is envisioned, it would lead to the Chinafication of Europe, allowing for the creation of a like social-credit system that would determine the mass surveillance and control of all Europeans, which must not be accepted.”
MEP Cristian Terheş also drafted the following amendments to the proposal:
Biometric data and cloud
MEP Cristian Terheş proposes amendments relating to biometrics. He modified Recital 11 to state that using biometrics should not be a precondition for using the Wallet. Furthermore, biometric data for the purpose of uniquely identifying a natural person in the context of this Regulation should not be stored in the cloud.
Pseudonyms and unique identifiers
MEP Cristian Terheş modified Article 5(1) of the proposal to stipulate that the use of pseudonyms shall always be an option to substitute a unique identifier or when authenticating with private relying parties.
Likewise, MEP Cristian Terheş brought significant changes to Article 6a(4). In his version of eIDAS 2, the person identification data is only shared pseudonymously so that it is different for the different relying parties in order to prevent the association or tracking of the user across relying parties and to make it impossible for the issuer of the Wallet, third-party services or Member States to receive any information about the use of the Wallet.
MEP Cristian Terheş decided to delete Article 11a on “Unique Identification”. He justifies his choice by stating that a unique persistent identifier for natural persons would be illegal or even unconstitutional in some Member States. He mentions the example of Germany.
Relying parties
MEP Cristian Terheş introduced a safeguard in Article 6a: relying parties shall be uniquely identified, and their information requests shall be limited on the basis of a Member State’s approval.
In addition, proxies that act intermediaries between relying parties and Wallets shall not obtain knowledge about the contents of the transaction.
GDPR additions
In the rapporteur’s draft opinion, users are entitled to receive a full transaction history.
MEP Cristian Terheş brought clarity on who should be the data Controller in the meaning of GDPR. The Wallet issuer shall be the Controller according to GDPR regarding the processing of personal data in the Wallet.
Trust service providers
MEP Cristian Terheş added that trust service providers of non-qualified attestations of attributes shall not receive any information about the use of these attributes. In the Commission’s proposal, this requirement only covers providers of qualified attestations.
MEP Cristian Terheş added a paragraph in Article 20 to give the right to (professional) users of qualified trust services to complain about the security or reliability of the qualified trust service. This complaint can be addressed to the supervisory authority.
|
