Rushed EU eID Wallet risks privacy and security: Calls for safeguards are getting ignored in hasty eIDAS implementation
From a visit to the doctor to public transport tickets, the European eID will handle our most sensitive personal data in a wide range of everyday applications. Yet, speed seems more important to the European Commission than a properly functioning eID system that is safe and secure to use.
Over the past three years, EDRi member epicenter.works has been warning about pitfalls in users’ safety, security and privacy when it comes to a Europe-wide digital identification system. The organisation has been calling for crucial privacy safeguards to be included in the “electronic Identification, Authentication and trust Services (eIDAS)” regulation and urging the European Commission to do full justice to the complexity of this system that will affect a large majority of Europeans in their daily lives.
As the implementation of the Wallet is getting closer, the European Commission is ignoring key privacy safeguards mandated by the eIDAS regulation, which was finalised in April 2024 and upon which the whole eID system will be based. This is possible because, in addition to the regulation itself, a range of implementing acts are foreseen which define the Wallet in more technical detail. However, these implementing acts drafted by the Commission almost seem to reflect the Commission’s original regulation proposal from June 2021, while turning a blind eye to core safeguards included by the European Parliament and Council.
Trading people’s privacy and security for a hasty, undemocratic implementation process
While the Commission is chasing an unrealistic deadline, the whole process is becoming more and more undemocratic. First of all, the implementing acts do not need to pass through the European Parliament, which excludes Members of the European Parliament (MEPs) from oversight over the details of the European eID’s implementation. This is especially problematic because the Commission is essentially ignoring the law that the implementing acts must abide by (i.e. the eIDAS regulation).
Secondly, the speed at which the Commission is pushing for the eID’s implementation does not even allow for a proper review process, let alone the time necessary to lay out the details of a safe and secure cross-border eID system that citizens can trust. Nobody could review the feedback on even one, let alone five, implementing acts in this extremely tight time frame. Consequently, it is hardly worth mentioning that the crucial input of technical and fundamental rights experts from civil society and academia is not actually being integrated.
Tight deadline and serious gaps
It gets worse. There are also five implementing acts that are still completely missing from the public consultation. They are also scheduled to be adopted on 17 November and at least one of them concerns crucial safeguards against the risk of over-identification and over-sharing of personal information – that is, the regulation of who may ask which information from users. Without these safeguards, the Commission is repeating the “cookie banner situation” by which all burden is put on the users’ shoulders who have to constantly decide about their privacy without ever being given a meaningful choice.
Even the European Commission admits that the implementing acts governing the development of the European eID system will need to be reopened for adaptation within one year’s time. This essentially means tax money will be spent on a large-scale software project in the middle of which fundamental requirements are going to change (for example, for interoperability of the Wallet between Member States). This will alter the whole course of the Wallet’s development halfway through the process and result in a large-scale waste of money, time and software development resources – all of this for the development of an eID system that IT and fundamental rights experts will have to warn the public about.
What we need: A major change of course
Since the success of the European Digital Identity Wallet depends heavily on citizens’ trust and on robust protections against the misuse of personal information, the choices that have led to the Commission’s draft are hard to understand. The European Commission has to do justice to this delicate project and not trade people’s safety and security for an unrealistically fast implementation of a tech tool that threatens our fundamental rights. Without a course correction, it would be better if Member States were to reject the draft implementing acts in their upcoming meeting in mid-October.
Contribution by: EDRi member, epicenter.works