What’s behind the EU’s digitalisation push? Surveillance, control and exclusion

Locating EU’s Digital Welfare State push

To understand the EU’s current trajectory, we must locate it within the global rise of the ‘Digital Welfare State.’ As Philip Alston, the former UN Special Rapporteur on extreme poverty and human rights, warned in 2019, governments worldwide are increasingly using digital technologies to automate, predict, and ‘optimise’ the delivery of social protections.

From India’s Aadhaar enabled welfare system to the UK’s Universal Credit, and Toeslagenaffäre, the digitalisation of welfare often serves as a Trojan horse for austerity. By placing a digital interface between the claimant and the provider, states are able to distance themselves from their obligations, transforming the ‘safety net’ into a ‘digital dragnet’, that is, collection and analysis of data from people. This is done through governance architecture which reorients the act of establishing identity and trust as a top-down exercise designed to view beneficiaries with suspicion. The EU is not immune to these trends; it is, in many ways, seeking to become a global standard-setter.

Competence Creep and the Architecture of Soft Law

One of the most striking aspects of the EU’s push for digitalisation is its shaky legal foundation. Under the EU Treaties, the provision of essential public services—healthcare, social security, education—remains a primary competence of the Member States. The EU has no direct mandate to dictate how say, a resident in rural Romania accesses a doctor or how a worker in Lisbon claims unemployment benefits.

To circumvent this lack of explicit power, the European Commission has masterfully employed soft law and ‘competence creep.’ The Commission has framed digitalisation as an issue of the ‘Internal Market’ (Article 114 Treaty on the Functioning of the European Union) or ‘Cross-Border Interoperability’—a series of EU projects and regulations across sectors like justice systems and public service and administration with the aim of having easier and swifter communication and data exchange between governance systems across countries through uniform digitalisation. Thus, it has managed to insert itself into the heart of national social policy.

Initiatives like the ‘Once-Only Principle‘ or the ‘Single Digital Gateway‘ are presented as key technical conveniences for mobile Europeans. In reality, they have the potential to act as coercive frameworks that force national administrations to align their back-end infrastructures with Brussels-defined standards. Through funding mechanisms like the Recovery and Resilience Facility (RRF), the EU has effectively made ‘digital transformation’ a condition for financial support, bypassing the democratic debate that usually accompanies major shifts in social policy. This is reminiscent of Majority World trends around digitalisation in the last decade, where transnational actors have funded development projects conditional on digitalisation commitments such as integration of biometric digital identification in public sector schemes.

The Normalisation of “Emergency-Mode” Governance

This expansion of power was amplified during the COVID-19 pandemic. The rapid deployment of the EU Digital COVID Certificate was hailed as a success story of European coordination. However, from a rights perspective, it was a dangerous precedent. It established a continent-wide infrastructure for health-based surveillance and movement control, built in a state of exception with limited parliamentary oversight.

In the aftermath of the pandemic, this emergency-mode governance has become the new normal. The infrastructure of the COVID certificate did not disappear; instead it evolved. It provided the technical and political blueprint for the EU Digital Identity Wallet. What was justified as an emergency measure to prove vaccination status has been transmuted into a permanent tool that the EU intends to link to everything from driving licenses to prescriptions and bank accounts. The crisis provided the momentum to push through invasive identity infrastructures that would have faced years of resistance in peace-time legislative cycles.

The Sectoral Push: Infrastructures of Control

It is important to recognise that the EU’s digitalisation strategy is not a monolithic policy but a series of overlapping sectoral projects.

1. The European Health Data Space (EHDS): This initiative aims to create a massive, cross-border infrastructure for sharing medical records. While the promise is better care for tourists, the “secondary use” provisions allow for the sharing of pseudonymised health data with researchers and industry. It could enable treating the most intimate details of our lives as a resource for the Data Economy, increasingly seen as central to European competitiveness, often with opaque opt-out mechanisms that prioritise innovation over bodily and data autonomy.
2. ESSPASS (European Social Security Pass): By digitalising the verification of social security rights for mobile workers, the EU is moving toward a portable digital social identity. While this sounds convenient for the expat worker, it creates a centralised ledger of social rights that can be easily monitored by labour inspectors and border authorities, turning social support into a tool of migration control.
3. eIDAS 2.0 and the Wallet: The EUDI Wallet is at the centre of this digital architecture. It seeks to consolidate all digital credentials into a single mobile application. By mandating that private “gatekeepers” (like Google and Apple) and essential public services accept this wallet, the EU is effectively mandating a digital-by-default existence.

The Surveillance Trap: From Privacy to Pathologisation

The privacy harms of these programs are profound. We are moving from a world of ‘local and analog’ interactions—where your doctor knows your health and your local council knows your housing needs—to a world of ‘centralised and digital’ visibility.

When essential services are digitalised by default, every interaction generates a data point. The aggregation of these points creates a 360 degree map of an individual’s life. The risk are not limited to data breaches, but extend to intimate profiling. A digital ID used to access a pharmacy today can be linked to a transport pass tomorrow, allowing the state to reconstruct an individual’s movements and associations with granular precision.

Furthermore, these systems often rely on ‘privacy-by-design’ as a rhetorical shield. We are told that ‘zero-knowledge proofs’, protocols that allow user authentication without sharing additional information about them, will protect us. But privacy is not just about keeping information confidential; it is about the use of infrastructure to exercise power. Even if the data is encrypted, the requirement to use a state-sanctioned digital tool to exercise a fundamental right is, in itself, a form of surveillance. It creates a ‘chokepoint’ where the state can switch off access to essential service in one fell swoop.

Exclusion by Design: The New Digital Border

The most harmful by-product of the EU’s digitalisation push is its inherent potential for exclusion. The ‘Digital Decade’ targets aim for 100% online public services by 2030. But what happens to the thousands who face technological barriers?

Digitalisation frequently acts as a barrier for the most marginalised: the elderly, the homeless, migrants, and those experiencing poverty. When a physical office closes and is replaced by a web portal or a QR code, the service is not necessarily modernised but effectively withdrawn for a segment of the population. We are seeing the emergence of a ‘technological underclass’ who must rely on intermediaries (family, NGOs) to access their rights, stripping them of their dignity and privacy.

Moreover, the ‘once-only’ and ‘interoperability’ governance philosophy assume that all data held by the state is accurate and standardised. For a marginalised individual, a ‘once-only’ error in a database—a misfiled immigration status or a wrongly flagged fraud alert—can propagate across the entire European administrative machine instantly, with no clear path for redress.

Conclusion: Reclaiming the Analog Right

The EU’s push for the digitalisation of essential services is often framed as a technical inevitability. It is not, it is a political choice—one that prioritises market integration and administrative control over fundamental rights and social inclusion.

As we move toward 2030, there is a need to challenge the ‘digital-only’ consensus. We must demand a ‘right to analog’—a legally enforceable guarantee that every essential public service remains accessible through non-digital, human-centric channels without penalty. For this right to be meaningful, it is necessary the analog options are designed so as to not suffer in comparison to the digital ones, and that they constitute a real choice for everyone, especially communities which risk being systematically marginalised by digitalisation. We must insist that interoperability does not become a synonym for total visibility.

The European social contract was built on the values of solidarity and human rights. If we allow that contract to be rewritten in code, without transparency or a clear mandate, we risk waking up in a Europe where the state is no longer a provider of services, but a manager of digital credentials, and where the citizen is no longer a bearer of rights, but a user whose access has been ‘timed out.’

What is EDRi doing to resist the EU’s mindless digitalisation project?

EDRi is currently working to develop a European community of practice which includes civil society organisations, other citizen-led initiatives, and individuals with lived experience working to document, counter and champion alternatives to the harms caused by the unprecedented digitalisation of public and essential services. The aim of this community is to collaboratively design joint advocacy and campaign actions in service of affected communities, and to challenge the currently prevailing narratives on digitalisation with an alternative, rights-focused and human-centred vision.