The challenges facing the EU’s new digital identity system
The abrupt shift to a more digital-centric life during the pandemic meant going online for everything from food shopping to doctor’s visits to renewing a passport.
The sharp rise in demand for digital services underscored the need for a convenient, widely accepted way for people to prove who they are online.
For the European Union’s 450 million citizens, that process is poised to get easier with the introduction of a pan-European Digital Identity wallet app that would let users access public and private services in their own countries and across the bloc. The digital wallet would serve as proof of identity to, for instance, open a bank account, enrol in a university, rent a car or file tax documents.
Already, 14 of the EU’s 27 countries, accounting for 60% of the total population, have some type of national digital system but not all can be used cross-border. And that still leaves millions without any form of digital identification.
“I think we will see an increase in demand for robust, secure and easy-to-use digital identity tools. Europe wants to be at the forefront of the development and use of the digital identity,” says Romana Jerkovic, a Croatian member of the European Parliament, who serves on its Committee on Industry, Research and Energy.
Indeed, last year’s rollout of the Covid-19 health certificate app – the so-called vaccination passport – helped to ease travel in the EU during the pandemic and provided a glimpse of what the European digital ID could be when launched in two years’ time, if all goes as planned.
But the ambitions here are on a grander scale, with daunting policy and operational challenges that will have to be tamed to deliver the safe, seamless, EU-wide digital ID system the plan envisions.
Breaking down digital borders
The blueprint for a European Digital ID began in 2014, when the EU adopted legislation for electronic identification and trust services (eIDAS) among its member countries.
Prompted by the pandemic-fuelled surge in digital operations, in June 2021 the Commission unveiled an updated version of the eIDAS regulation. It requires member states to create (if none exists already) a national digital ID that would be linked to the European digital wallet, accessible via smartphone or other mobile device. The app itself would be opened using a PIN or biometric authentication.
The European digital wallet would host the information in a user’s national digital ID, rather than replace it. It’s also meant to give people full control of their data, allowing them to share specific information, such as age, without having to reveal other personal details. On top of this, it could store various forms of identification, including a driver’s licence, passport or professional credentials, to be retrieved as needed.
This approach highlights the growing move towards self-sovereign ID, as an alternative to authentication services provided by large platforms such as Facebook and Google, which enable easy access to third-party services online but aren’t necessarily accompanied by sufficient privacy or data protection.
To that end, the Commission’s proposal for the digital wallet promises high-level security, with member states required to meet strict privacy and data protection requirements in compliance with recently passed EU legislation, including the Cybersecurity Act and the General Data Protection Regulation (GDPR).
To streamline the building of the wallet app, the project also calls for EU countries and private-sector stakeholders to develop a ‘toolbox’, setting technical specifications and common standards for the project. That the timeline for publishing the toolbox has been delayed from October to the end of the year reveals some of the difficulties involved.
Once the technical framework is agreed, though, testing of the European wallet in large-scale pilot projects can begin next year, according to a Commission spokesperson.
Private and public concerns
On the legislative front, an initial vote on the revised eIDAS regulation in the ITRE Committee is also expected before the end of the year, after which informal negotiations can begin among representatives of the Commission, the Parliament and the Council of the European Union on the proposal.
Jerkovic projects the legislative process could be completed by next spring, setting the stage for the wallet to go live in 2024. Under the plan, EU member states will have 12 months to issue their wallets once the regulation is adopted.
But there may be more bumps along the way. While the pan-European ID initiative has general support across the public and private sectors, companies, industry groups and digital rights advocates have all raised concerns.
Browser providers, such as Google and Mozilla, have taken issue with the mandate that browsers include additional trust certificates, which provide a certified guarantee of who’s behind a website. They argue these digital certificates would be far less secure than their existing means of authenticating websites and require significant web infrastructure work to accommodate the proposed changes in vetting websites.
Companies and trade groups have also pushed back against the eIDAS regulation’s requirement for private-sector parties in key industries like banking and financial services, transportation, telecommunications and health to accept the EU Digital Identity wallets. That provision also extends to “very large online platforms”.
In public comments filed in response to the European ID plan, Apple, for instance, suggested that having to integrate the wallet would impose significant costs and effort on private parties while putting smaller companies and startups with competing digital identity services at a disadvantage. (Apple has its own digital wallet in its iPhone.)
There are also qualms on the public interest side. Among them is the proposed requirement for EU states to include unique identifiers – alphanumeric strings – in digital IDs. The digital rights umbrella group European Digital Rights (EDRi) maintains that such identifiers could be used as ‘super cookies’ to track users’ daily activities that require the ID wallet. The group also warns that the feature might be unconstitutional in Germany and run counter to administrative practices in the Netherlands and Austria.
But Thomas Lohninger, who serves on the EDRi board, says there are indications in the current Czech presidency of the Council of a shift towards record-matching as a less invasive method for authentication. He argues that the European ID system should embrace the same principles of unobservability and privacy by design – the concept of building data protection into technology design – which were successfully incorporated in the development of the EU’s Covid-19 certificate.
“We have proven that it can work,” says Lohninger, noting that the certificate was also developed at “lightning speed” compared with other big EU projects.
None of that is lost on Jerkovic who, as rapporteur for the Parliament’s ITRE Committee earlier this year, recommended changes to the European ID proposal, such as having the wallet ensure cybersecurity and privacy by design. It should reflect the “once-only principle”, she suggests, so that users don’t have to provide the same data twice to public authorities.
But she also points out the difference in scope and complexity between the two projects. “I think the Covid-19 certificate helped us lay the groundwork on both the regulatory and technical side of things but, of course, building a pan-European digital ID framework is much more complex as it targets a much wider number of possible use cases,” she says.
In short, maybe it would be wise not to expect lightning to strike twice.