European digital identity – a potential game changer?

The foundations for a Europe-wide digital identity system are just about to be laid. Will Europe get it right and lead on this important topic? Will the EU set a global standard for the protection of sensitive user information and digital identities?

By epicenter.works (guest author) · March 15, 2023

A Europe-wide digital identity

Unfortunately, in contrast to early promises, privacy groups had to issue a strong warning about the unprecedented risks and shortcomings of the new European digital identity system, in December last year.

This was because the member states with their position, represented by the Council of the European Union, failed to protect the sensitive health, financial and identity data of all European citizens. The Council’s proposal would thus make it impossible for anyone to use the digital ID safely.

There is however still hope for an inclusive, safe and secure digital ID system; and it lies with the European Parliament.

To achieve the protection of fundamental rights, the Parliament has to continue its strong stance on privacy safeguards in the regulation that civil society and academics have long called for. In order to emphasise the possibly huge negative impact of the digital ID – when done the wrong way – and thus the importance of these safeguards, 39 NGOs, academics and independent experts from all over the world have written an open letter to Members of the European Parliament.

In this letter they call for the EU to assume its responsibility for the proper protection of some of the most sensitive data of all Europeans.

Real Choice & Data Safety

First of all, it is essential that every potential user has a real choice about using or not using the new digital ID. Without strong non-discrimination protections in the law, those who don’t want or aren’t able to use the new digital ID will be left out. Nobody should be at a disadvantage for example just because they don’t have a smartphone. Those who choose to use the new ID, on the other hand, should be able to rest assured that nobody spies on which services they use and whatever information they share with this digital ID – neither governments nor private enterprises.

The NGOs and experts therefore call for the MEPs to respect the principles of privacy by design and by default. According to those principles it must be technically impossible for companies or authorities to observe when and where every single person is using their ID or what other information it contains; e.g. about their financial or educational life. Otherwise the new ID runs the risk of becoming an unprecedented panopticon for some of every citizens’ highly sensitive data.

A good example the EU should follow in this regard is the EU Digital COVID Certificate. This well-crafted service includes the necessary privacy safeguards to protect its users’ behaviour from being observed by anyone.

You don’t want Big Tech and governments to track everything you do with your new ID? Neither do we. This is why, besides and because of privacy by design, the new European Digital Identity Wallet must strictly prohibit the creation of a persistent and unique identifier for every user. Besides undermining privacy in very sensitive areas of daily life, such a universal identifier would also raise severe constitutional concerns in several EU countries. Only without this serious threat the new ID has the potential to provide for a secure and privacy-friendly alternative to the dominant log-in services of Big Tech companies for multiple websites.

Access Regulation & Web Safety

To prohibit excessive collection of data by companies or government entities, the Parliament must also stand up for a strong regulation of use cases and strict authorisation mechanisms – i.e. regulation of who may ask an individual to provide what information in their ID wallet. However not only lawful requests must be considered but also sufficient protection against illegal attacks on this massive collection of identity, financial and health information as well as effective redress mechanisms to handle possible fraud complaints.

The organisations and experts also warn against the high security risks of Qualified Website Authentication Certificates. These certificates have already failed in the past and will enable government surveillance of internet traffic on a large scale. Moreover they undermine the security architecture of the global world wide web.

The European Digital COVID Certificate shows that a privacy friendly proof of personal attributes like age is possible and civil society has made it crystal clear what is necessary for a European digital ID system to properly protect the highly sensitive user data it contains. We therefore urge the European Parliament to go for nothing less than a digital identity of which every European knows their personal data will not be misused and can hence genuinely embrace the ID as a safe and secure part of the modern digital life.

Agreement in ITRE Committee

Meanwhile, on 1st February, the lead ITRE committee has reached a conclusion on the big EU digital identity reform (#eIDAS regulation). Once this compromise passes ITRE, the plenary will vote in March. There is still room for improvement before Trialog begins later this year.

The article was first published by epicenter.works here, read the full article.

Contribution by: EDRi member, epicenter.works