EU institutions prepare to negotiate the European Digital Identity
The European Parliament on Thursday (16 March) adopted the mandate to enter inter-institutional negotiations for the European Digital Identity, with the first political meeting planned for next week.
The European Digital Identity is designed to provide the legal framework for establishing a system of national digital wallets interoperable across the EU where citizens can access all documents, from birth certificates to driving licenses.
The intention is to create a European digital wallet that could compete with the identification systems provided by Big Tech companies like Google and Apple.
Thursday’s plenary vote was just a formality, as the leading parliamentary committee adopted the report in February with a broad majority.
“Today’s plenary vote brings us one step closer to a trusted digital identity framework that gives the users of the Digital Wallet full control over their own data. The measure of trust in the new system by our citizens will be the ultimate measure of its success, and we will continue to work hard to earn that trust,” EU Parliament’s rapporteur Romana Jerkovic told EURACTIV.
As the EU Council of Ministers reached its position in December, the EU institutions will now enter inter-institutional negotiations, known as ‘trilogues’, with the first already planned for next Tuesday. The intent is to reach a political agreement under the Swedish presidency in the first part of the year.
Privacy has been a primary concern with this technology, as it provides an extensive view into people’s lives and can track them ubiquitously, from their health status to their shopping preferences.
The Parliament went much further than the Council in introducing privacy safeguards, including the principle, already used with the COVID-19 Certificate, that the wallet cannot track users’ behaviour across different interactions.
Another privacy-related issue concerns the unique and persistent identifier, a single number associated with a person that would allow the digital wallet of a country to talk to the systems of all the other EU members.
As the unique identifier created constitutional problems in countries like Germany, the EU Council limited its use and opted for the more privacy-friendly option of record-matching, which consists of comparing different pieces of information to confirm a person’s identity.
In turn, EU lawmakers limited the applications of these identifiers to strict scenarios, like when there is a legal requirement for businesses known as Know-your-Customer and in cross-border situations when the relying party is a public authority.
The MEPs also clarified the relationship with the EU General Data Protection Regulation. They included the right for users to use pseudonyms to protect their personal data when there is no legal requirement for identification.
A major difference between the two institutions is the obligations imposed on the relying parties, the organisations or individuals that want to use the wallet. Critical aspects include whether the national authorities should authorise the relying party to use the wallet.
For example, a liquor store should typically register for use cases such as verifying the person’s age and not request additional information like the home address, as these abuses would undermine the trust in the technology.
The Council’s approach has been to minimise the administrative burden, automating the notification process with specific requirements for sensitive data. By contrast, MEPs have followed a more prescriptive approach to address improper behaviour.
The only obligation for businesses to use the e-wallet is to comply with the Know-your-Customer requirement, for instance, a driving license for a rental car company.
However, very large online platforms identified under the Digital Services Act, like Google and Facebook, will have to support the wallet for logging into their service.
EU lawmakers are also far from the member states’ position on governance, as they proposed establishing a European Digital Identity Framework Board that should play a coordination role, for instance, sharing best practices on dealing with cyber threats or peer reviewing the ID schemes.
Remarkably, the Parliament also wants to give the Board the capacity to revoke the authorisation to a relying party making illegal or fraudulent use of the wallet, overruling a national regulator that did not take appropriate actions.
However, the circumstances under which the Board’s competence would kick in and the procedural safeguards to remedy cases of fraudulent use of the wallet remain unclear in the Parliament’s mandate.
An important question regarding the use of the digital identity wallet is whether it should be made obligatory for accessing public services or one option among others. The question concerns accessibility since more senior citizens might lack the basic digital skills to use the wallet.
While EU countries would like to make the use of the wallet mandatory under some exceptional circumstances, in the EU Parliament, it was vital to make it mandatory for accessing both private and public services.