Czech EU presidency seeks way out of deadlock on European digital identity

The Czech presidency of the EU Council circulated last week a new compromise text on the European Digital Identity (eIDs) proposal, a file that has so far seen limited progress due to its technical complexity.

The document will be discussed at the EU Council’s Telecom Working Party meetings on 5 and 8 September. National representatives will then be able to submit specific drafting suggestions until 12 September.

The compromise follows a discussion that took place in July where, with the significant exception of France and Germany, all member states pushed for the Digital Wallet to be an identification means in its own right, rather than just an ‘empty shell’.

The most significant change now is that the European Digital Identity Wallets have been added as an electronic identification means.

The compromise includes a definition of “unique and persistent identifier” as “an identifier which may consist of either single or multiple national or sectoral identification data, is associated with a single user within a given system and persistent in time”.

The article on unique identification has been changed to record matching, a more complex and privacy-friendly system that allows identifying a person by matching several segments of personal data. However, a unique identifier is still possible under national law and administrative practice, where the latter concept is left undefined.

Commission says single identifier in eIDAS reform ‘not necessary’

In its proposal for the amending regulation to establish a framework for a European Digital Identity, the Commission proposed a much-debated “unique and persistent electronic identifier”, from which it is now shying away.

Public and private services that intend to use the European wallet for identification purposes will have to register in the member states where they are established, a safeguard already included under the French EU presidency, as these services would be processing personal data.

New specifications have been included for these services to be able to register, but the Czechs also included an exception for registration in case the interaction occurs in ‘fully offline mode’.

For instance, if a user shows a QR code and the service provider scans it, it would qualify as fully offline if the information on the scanned code stays on the device and is not transmitted to a server.

“From a privacy perspective, it makes absolutely no sense,” said Thomas Lohninger, executive director at Epicenter.works, a digital rights advocacy group, stressing that a physical situation might in fact put users under even more pressure to accept giving up more data than strictly necessary.

For Lohninger, as eID systems might become ubiquitous in the next ten years, they need solid data protection safeguards, whilst the Czechs are “sacrificing privacy for ease of business.”

For instance, the text does not cover further data processing that might happen after the interaction.

Leading MEP proposes changes on privacy, access, interoperability for European digital wallet

The European Parliament’s rapporteur put forth a number of proposals to improve the European Digital Identity Wallet as part of the new eIDAS Regulation, focusing on interoperability, data privacy and equal access. 

One point for discussion is whether the member states might provide, following national law, additional functionalities such as interoperability with existing electronic IDs.

Moreover, Prague proposed that verification of the user’s identity should be carried out by certified providers only at the highest assurance level rather than at the intermediate ‘substantial’ level as well.

The conformity of the European Digital Identity Wallets with the requirements laid out in the regulation will be certified by accredited public and private bodies. The Czech presidency deems this accreditation should last two years and include an assessment of the vulnerabilities that, if not addressed, may lead to the cancellation of the certification.

A reference to the Digital Markets Act has been added, stating that issuers of European Digital Identity Wallets shall be considered as business users when considering the thresholds that qualify companies as gatekeepers.

The provisions on cross-border reliance have been attributed only to digital wallets, with payment and e-money added to the list of sectors that are allowed to use the wallet without a legal basis, simply because of their terms of service.

In addition, the Czechs are putting up for discussion the issue of whether the Commission should be given the power to adopt secondary legislation and mandate the acceptance of the European Digital Identity Wallet by additional private services based on users’ demand.

The text provides two options for the deadline for qualified, trusted service providers to inform the relevant authorities about breaches or disruptions, either 24 or 72 hours.

Moreover, the national cybersecurity authorities under the revised Network and Information Security Directive (NIS2) will have to inform the supervisory authorities whether these services comply with the EU cybersecurity requirements within two months or justify the delay.

European Commission proposes 'digital identity wallet'

The European Commission has introduced a legislative proposal for an EU “digital identity wallet” that would allow numerous services like opening a bank account or filing tax returns to be done purely digitally.

For advanced electronic signatures and seals, the presidency left open the option for the Commission to have the opportunity or the obligation to establish reference numbers of standards.

References to the member states having to recognise such qualified electronic signatures and seals have been removed, whereas new articles have been added listing the requirements for their validation.

An article was introduced that mandates the mutual recognition of qualified electronic registered delivery services among all EU countries.

Regarding the implementation period, the presidency stated that the national representatives will be invited to an overall discussion “once the text is more stable.” The timing for the Commission to review the regulation has been moved from two to three years since the entry into application.

The presidency intends to organise a technical workshop to clarify the process of registration of organisations using the European Digital Identity Wallets and the certification process.

[Edited by Zoran Radosavljevic]

Source: euractiv.com