|
Committee on Civil Liberties, Justice and Home Affairs (LIBE)
In the LIBE Committee, there is consensus across political groups that non-qualified providers of attestations should not be able to receive information about the use of these attributes. The Commission’s proposal foresees this protection only for qualified providers of attestations.
A few right-wing MEPs, including shadow rapporteur Tom Vandenkendelaere (EPP, Begium), brought amendments on security. The user shall be able to transfer and restore the Wallet’s data. The user shall also be able to block the access to the Wallet in case of security breach. The Wallet shall include the possibility for the user to consult the history of transactions.
MEP Tom Vandenkendelaere is keen on encryption, although he only mentions it in (non-binding) recitals. The content of the Wallet should be encrypted, and personal data should always be encrypted, whether they are stored locally or on cloud-based solutions.
A few socialist MEPs, including shadow rapporteur Marina Kaljurand (S&D, Estonia) introduced a provision mandating Member States to ensure that relevant information on the Wallet is publicly available, including privacy protective settings, technical architecture, security frameworks and where the processing of personal data is carried out. They also propose for the Wallet to embed a mechanism for the user to inform directly the supervisory body about any relying party that appears to request a disproportionate amount of data.
In the LIBE Committee, MEP Patrick Breyer (Greens/Pirate, Germany) and MEP Cornelia Ernst (The Left, Germany) proposed the highest number of amendments, often the same ones. They are in charge of the text for their respective political groups, Patrick Breyer for the Greens/Pirates, Cornelia Ernst for the Left.
Patrick Breyer and Cornelia Ernst both deleted Article 45 on QWACs. They also deleted all references and provisions relating to ledgers. They perceive ledgers in systematic conflict with data protection rules due to their immutable nature. They also deleted the unique and persistent identifier.
The pirate Patrick Breyer modified the definition of the Wallet. He defines it as ““a software product that allows the user, on a device, under their control, to store identity data, credentials and attributes […]”. He introduced a new article that describes some architectural features of the Wallet:
-it shall be decentralised
- it shall provide cryptographically verifiable, specific parts of the wallet and personal identity
-it shall enable self-certification and revocability of attributes and identifiers
-attributes and certificates shall be exclusively stores on devices, unless the user optionally consents to storage on third-party devices for the purpose of data recovery
-it shall allow peer-to-peer connections
-the technical architecture shall make impossible for the issuers of the Wallet or other parties to collect or obtain eID means, attributes and information about the use of the Wallet by the user.
Furthermore, the source code of the Wallet shall be open.
MEP Patric Breyer deleted all the provision on eArchiving, that he sees out of the scope of eIDAS.
MEP Cornelia Ernst favours local storage as well. In a new Recital, she indicates that Member States should offer at least one Wallet that does not require cloud service. Where the Wallet is provided on the smartphone, its cryptographic material should be stored in the secure elements of the device.
Committee on Internal Market and Consumer Protection (IMCO)
MEP Andrus Ansip (Renew, Estonia) is rapporteur for eIDAS in the IMCO Committee. He added a few amendments to complement his draft opinion. Among other things, he added that the Wallet shall ensure a secure, reliable, explicit, conscious and active user confirmation of its operation, including in case the data or features are distributed in several locations. This amendment is in line with Eurosmart's recommendations. He also introduced a provision to state that the Regulation does not prevent Member States from using physical eID means beside the Wallet.
The socialist MEPs, including shadow rapporteur Adriana Maldonado Lopez (S&D, Spain), introduced amendments favouring trust service providers. Thus, “only independent qualified trust service providers legally designated or recognised by a Member State” could issue a Wallet, on top of Member States themselves and mandated organisations. They deleted the obligation for providers of qualified electronic attestation of attributes’ services to provide such services under a separate legal entity. Moreover, they added in Article 24 (qualified trust service providers) that identification methods shall “in any case comply with the up-to-date standards of the ETSI on ID proofing”.
Right-wing MEPs, including MEP Pascal Arimont (EPP, Belgium) and MEP Tom Vandenkendelaere (EPP, Belgium) removed a significant part of Recital 21 on the Digital Markets Act, in a similar way to what Pascal Arimont did in his draft opinion for the JURI Committee. They expanded the Wallet features with the possibility for the user to request a list of actions that have been authorised. Interestingly, they inserted a new paragraph in Article 6a to state that Wallets shall be made available to citizens in a manner accessible from standard devices and not exclusively destined for the most advanced OS and the most up to date technologies.
MEP Andreas Schwab (EPP, Germany) addresses the specific case of electronic identification for public services with very high security requirements. In this case, additional real-time audio-visual controls of identity may supplement the electronic identification. For this purpose, a photo should be added in the minimum set of person identification data and/or in the list of attributes in Annex VI.
MEP Geoffroy Didier (EPP, France) introduced an amendment to Article 6a to state that “a delegated act shall determine the business model for European digital wallets”. His justification is that costs for companies and administrations will vary greatly, thus creating discrimination. The business model should be set at European level. He also introduced a provision foreseeing the death of the user. In this case, the assets (e.g. cryptocurrencies) shall be transferred to the heirs and successors.
The pirate MEP Marcel Kolaja (Greens/Pirates, Czech Republic), shadow rapporteur, is of the opinion that entities not established in a Member State cannot be a relying party. He also believes that the “EU Digital Identity Wallet Trust Mark” should be renamed the “EU Digital Identity Wallet Compliance Label”. In a similar way to what MEP Patrick Breyer did in the LIBE Committee he added the following features: decentralisation, peer-to-peer connections. Unsurprisingly, MEP Marcel Kolaja replaced the “unique identification” by “cryptographically verifiable identifiers” and removed the mandatory recognition of QWACs.
Likewise, the ECR and the Left shadow rapporteurs removed Article 45 on QWACs.
If you have any questions on this topic, please contact Camille Dornier - Policy Manager: camille.dornier@eurosmart.com
|
