Civil Society Demands: European Commission Must Close e-ID Loopholes!
In a coalition of 15 civil society organisations, EDRi member epicenter.works published an open letter demanding that the European Commission close loopholes in the European Digital Identity Wallet. They highlight risks for privacy and transparency in recent eIDAS implementing acts.
Citizens will only trust digital IDs if they are in control of their data
Health, finances, online behaviour: Digital IDs are poised to become an integral part of very sensitive aspects of our lives. An international coalition of 15 civil society organisations, including EDRi member epicenter.works, recently published an open letter to make it clear: Citizens will put no trust in the European Digital Identity Wallet without transparency and users being in control over their data.
The final technical design of the European Digital Identity Wallet is currently under negotiation. These blueprints will have a big impact on whether or not users will be sufficiently protected when using Europe’s upcoming digital identity system. In concrete terms, this is currently being negotiated in the eIDAS implementing acts between the EU member states and the European Commission.
The positive changes in the first batch of technical rules show: Civil society works! The coalition of 15 organisations extends its thanks to the negotiators and acknowledges these significant improvements for privacy and human rights safeguards. The most recent proposals, however, still have some severe privacy and transparency problems that we address in our open letter to the European Commission.
What is the problem?
The eIDAS regulation lays out concrete rules for those companies and government agencies who want to access personal information from citizens’ Wallets. This could be, for example, an online platform, a public transport company or your doctor. It obliges these so-called “relying parties” to register their intended use of the Wallet, that is, which attributes they intend to request from users.
The regulation also prohibits them from asking for information that goes beyond their registration. This could mean, for example, that according to its registration an online shop is only allowed to ask for your name and address but not your birth date or other information. A porn platform might use the Wallet to verify your age, but couldn’t obtain any other information about you or use other means to track your behaviour.
To protect everyone from such illegal requests, the EU’s Digital Identity Wallet needs to know what personal information a relying party is actually allowed to access. The EU Commission, however, proposes a loophole which would leave it to the Member State that registered the relying party to decide whether the Wallet knows about the contents of the registration or not. This would allow Facebook Ireland to circumvent the protections and ask European users for everything. Furthermore, the public register of relying parties risks being useless without harmonised specifications on how to access it and what results to expect. Ultimately, the trust people will put in the Wallet will depend on the protections and transparency that they can rely on.
15 Organisations demand: The Commission’s Loopholes Must be Closed!
If these loopholes remain, this would have disastrous consequences. Any discrimination based on illegal access to attributes in the Wallet (health, gender, income, etc.) would be unchecked. Given the track record of lax data protection enforcement in countries like Ireland, companies like Facebook Ireland would likely have a wildcard certificate, virtually empowering them to request any data they want. Member States dedicated to protecting their users from illegal requests (e.g. Germany, the Netherlands, Spain or Austria), on the other hand, would be incapable of doing so.
The civil society coalition therefore asks the Commission to make relying party registration certificates mandatory for all relying parties and to issue a harmonised specification to access the relying party registry of each Member State.
This article was first published by EDRi member epicenter.works.